glupteba | 077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd

Target

71E2CF4709767EAB8E0E6DCD8F19D37C.exe
Size

5.2MB
MD5

71e2cf4709767eab8e0e6dcd8f19d37c
SHA1

0641acedc06c13a17d94968e3237c4d9533fc0b9
SHA256

077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
SHA512

686cae3db08ad1c7beaf13758a74cae4eb4084d152be49510c11a13010cbb27a1407657fab57d0d732648e91e21862c0604a9ad789e55bcac803fc7be6b4b675

Score

10^/10

glupteba metasploit raccoon smokeloader vidar xloader ec33 aspackv2 backdoor discovery dropper evasion loader persistence rat stealer themida trojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ec33

http://www.chaturvedi.fyi/ec33/

Decoy

ride-hard.net

westindiesofficial.com

technewcomer.com

anwen.ink

smarthumanresource.com

aspenhillgetaway.com

westinventures.com

sercomp.pro

fitwoop.com

advertisingviews.site

stinato.com

kidsfundshoes.com

xaufuture.com

emaildesktophelp.com

hey-events.com

v-j9.com

eurekabox.net

export-rice.net

arcadems.com

thejackparker.com

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2992-391-0x0000000005320000-0x0000000005C46000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7136	4780	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6856	4780	rundll32.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 5652 created 5284	5652	WerFault.exe	Mon00f61d292f523.exe
PID 1284 created 3124	1284	WerFault.exe	Mon001af0f6251.exe
PID 5388 created 5192	5388	WerFault.exe	Conhost.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/5192-245-0x0000000002960000-0x00000000029FD000-memory.dmp	family_vidar
behavioral1/memory/4468-517-0x0000000004AF0000-0x0000000004B8D000-memory.dmp	family_vidar

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\test.exe	xloader
C:\Users\Admin\AppData\Local\Temp\test.exe	xloader
behavioral1/memory/6632-389-0x00000000007A0000-0x00000000007C8000-memory.dmp	xloader

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

Processes:

setup_install.exeMon0015a1e17ea5.exeMon001af0f6251.exeMon000d7b2b59b9.exeMon00e8b91b250904.exeMon00a4b905d6fcf0a9.exeMon00b1849cf0bf91e9.exeMon00f61d292f523.exeMon0001207aa1161f.exeMon00271bbb5e.exeMon000d7b2b59b9.exeLzmwAqmV.exeChrome 5.exetest.exe1.exe2.exe3.exeVIGQHJT5LMB0JEGPl0genJv9.exesDbiv_e0ZoGYV3PVpEqe5E09.exetp17_LSkjfbMicXDUnppZnJQ.exe8KqPriRPhIbRG7eenpKgtgvL.exeTn91o84LOI8cnNRixe2rXcOR.exeConhost.exeafNJlb0cYR2LMgMJ3XNFTEJn.exeDkwFDsOVzGvo0PJgjUgOk_3U.exeG38iph3gAodkb0wB8s7noBoI.exeytS5P1d9a5WNrgY4z6opiZxP.exeBxxrcQ4obeV59QLatAibbJ4g.exeMcrV8pZn_TsVaUu6K7xK60Es.exeAmica.exe.comtYPQGMdbK231Qm6gMm2r7p98.exepBfEyaIveDq6UFiHlTKcP_CI.exe_hFKqdAtO9q8_9AHq57E32wj.exevOBkr8DiJlv_rbiGtnE8fkXN.exehTol3Nqyzs78hgNGu8yKmbxr.exeyeMa4a6zrXVCcKv4n3O7Ul2w.exeQ7ZZH3n7tS9kmxri0EsotRV6.exe26_VzY28GEA3fr8Sz8Ep6X88.exe3OCvL9JauLyUuKenuJauDbgM.exem4IY3cfAsQBTjQjc2ZZsCbjJ.exeOatF7GDFcFuinPTAgVvDxyzD.exe_r5AkMSO1d5k5rLqGkRhc9EG.exe

pid	process
4552	setup_install.exe
3636	Mon0015a1e17ea5.exe
3124	Mon001af0f6251.exe
3148	Mon000d7b2b59b9.exe
5176	Mon00e8b91b250904.exe
5192	Mon00a4b905d6fcf0a9.exe
5184	Mon00b1849cf0bf91e9.exe
5284	Mon00f61d292f523.exe
5296	Mon0001207aa1161f.exe
5304	Mon00271bbb5e.exe
5752	Mon000d7b2b59b9.exe
1848	LzmwAqmV.exe
5764	Chrome 5.exe
5804	test.exe
4484	1.exe
1896	2.exe
3788	3.exe
3172	VIGQHJT5LMB0JEGPl0genJv9.exe
4576	sDbiv_e0ZoGYV3PVpEqe5E09.exe
1880	tp17_LSkjfbMicXDUnppZnJQ.exe
5196	8KqPriRPhIbRG7eenpKgtgvL.exe
5680	Tn91o84LOI8cnNRixe2rXcOR.exe
5192	Conhost.exe
5688	afNJlb0cYR2LMgMJ3XNFTEJn.exe
2992	DkwFDsOVzGvo0PJgjUgOk_3U.exe
3896	G38iph3gAodkb0wB8s7noBoI.exe
5644	ytS5P1d9a5WNrgY4z6opiZxP.exe
3576	BxxrcQ4obeV59QLatAibbJ4g.exe
2544	McrV8pZn_TsVaUu6K7xK60Es.exe
4164	Amica.exe.com
4792	tYPQGMdbK231Qm6gMm2r7p98.exe
4224	pBfEyaIveDq6UFiHlTKcP_CI.exe
4908	_hFKqdAtO9q8_9AHq57E32wj.exe
4400	vOBkr8DiJlv_rbiGtnE8fkXN.exe
3836	hTol3Nqyzs78hgNGu8yKmbxr.exe
4468	yeMa4a6zrXVCcKv4n3O7Ul2w.exe
1144	Q7ZZH3n7tS9kmxri0EsotRV6.exe
2920	26_VzY28GEA3fr8Sz8Ep6X88.exe
3992	3OCvL9JauLyUuKenuJauDbgM.exe
4772	m4IY3cfAsQBTjQjc2ZZsCbjJ.exe
6192	OatF7GDFcFuinPTAgVvDxyzD.exe
6348	_r5AkMSO1d5k5rLqGkRhc9EG.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exe

pid	process
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\afNJlb0cYR2LMgMJ3XNFTEJn.exe	themida
C:\Users\Admin\Documents\Tn91o84LOI8cnNRixe2rXcOR.exe	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mon00b1849cf0bf91e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Mon00b1849cf0bf91e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Mon00b1849cf0bf91e9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
2 ipinfo.io
30 ipinfo.io
51 ipinfo.io
127 ipinfo.io

flow	ioc
2	ip-api.com
2	ipinfo.io
30	ipinfo.io
51	ipinfo.io
127	ipinfo.io

Drops file in Program Files directory 6 IoCs

Processes:

tp17_LSkjfbMicXDUnppZnJQ.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	tp17_LSkjfbMicXDUnppZnJQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	tp17_LSkjfbMicXDUnppZnJQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	tp17_LSkjfbMicXDUnppZnJQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	tp17_LSkjfbMicXDUnppZnJQ.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	tp17_LSkjfbMicXDUnppZnJQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	tp17_LSkjfbMicXDUnppZnJQ.exe

Drops file in Windows directory 9 IoCs

Processes:

SystemSettings.exeUserOOBEBroker.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	SystemSettings.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5856	5284	WerFault.exe	Mon00f61d292f523.exe
1672	3124	WerFault.exe	Mon001af0f6251.exe
1880	5192	WerFault.exe	Mon00a4b905d6fcf0a9.exe
7112	5644	WerFault.exe	ytS5P1d9a5WNrgY4z6opiZxP.exe
6168	3576	WerFault.exe	BxxrcQ4obeV59QLatAibbJ4g.exe
6200	4468	WerFault.exe	yeMa4a6zrXVCcKv4n3O7Ul2w.exe
2536	5196	WerFault.exe	8KqPriRPhIbRG7eenpKgtgvL.exe
5360	2544	WerFault.exe	McrV8pZn_TsVaUu6K7xK60Es.exe
7120	3084	WerFault.exe	_r5AkMSO1d5k5rLqGkRhc9EG.exe
4432	1148	WerFault.exe	rundll32.exe
772	7064	WerFault.exe	4949573.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	SystemSettings.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tp17_LSkjfbMicXDUnppZnJQ.exeSystemSettings.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tp17_LSkjfbMicXDUnppZnJQ.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5012 schtasks.exe
1648 schtasks.exe
1148 schtasks.exe

pid	process
5012	schtasks.exe
1648	schtasks.exe
1148	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exetp17_LSkjfbMicXDUnppZnJQ.exeSystemSettings.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	tp17_LSkjfbMicXDUnppZnJQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	tp17_LSkjfbMicXDUnppZnJQ.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6944 taskkill.exe

pid	process
6944	taskkill.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

sihclient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5936 PING.EXE

pid	process
5936	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exepowershell.exeMon00271bbb5e.exeWerFault.exetp17_LSkjfbMicXDUnppZnJQ.exetest.exe

pid	process
5856	WerFault.exe
5856	WerFault.exe
500	powershell.exe
500	powershell.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
5304	Mon00271bbb5e.exe
1672	WerFault.exe
1672	WerFault.exe
1880	tp17_LSkjfbMicXDUnppZnJQ.exe
1880	tp17_LSkjfbMicXDUnppZnJQ.exe
500	powershell.exe
5804	test.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

test.exe

pid process

5804 test.exe

pid	process
5804	test.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Mon0015a1e17ea5.exeMon00e8b91b250904.exeWerFault.exepowershell.exe2.exetest.exe

description	pid	process
Token: SeDebugPrivilege	3636	Mon0015a1e17ea5.exe
Token: SeDebugPrivilege	5176	Mon00e8b91b250904.exe
Token: SeRestorePrivilege	5856	WerFault.exe
Token: SeBackupPrivilege	5856	WerFault.exe
Token: SeBackupPrivilege	5856	WerFault.exe
Token: SeDebugPrivilege	500	powershell.exe
Token: SeDebugPrivilege	1896	2.exe
Token: SeDebugPrivilege	5804	test.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SystemSettings.exe

pid process

4776 SystemSettings.exe

pid	process
4776	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

71E2CF4709767EAB8E0E6DCD8F19D37C.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeMon000d7b2b59b9.exeMon00b1849cf0bf91e9.exeWerFault.exe

description	pid	process	target process
PID 3888 wrote to memory of 4552	3888	71E2CF4709767EAB8E0E6DCD8F19D37C.exe	setup_install.exe
PID 3888 wrote to memory of 4552	3888	71E2CF4709767EAB8E0E6DCD8F19D37C.exe	setup_install.exe
PID 3888 wrote to memory of 4552	3888	71E2CF4709767EAB8E0E6DCD8F19D37C.exe	setup_install.exe
PID 4552 wrote to memory of 3756	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3756	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3756	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4468	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4468	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4468	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4476	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4476	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4476	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3764	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3764	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3764	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 592	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 592	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 592	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 804	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 804	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 804	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4532	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4532	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4532	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4724	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4724	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4724	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 2968	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 2968	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 2968	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 504	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 504	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 504	4552	setup_install.exe	cmd.exe
PID 504 wrote to memory of 3636	504	cmd.exe	Mon0015a1e17ea5.exe
PID 504 wrote to memory of 3636	504	cmd.exe	Mon0015a1e17ea5.exe
PID 4468 wrote to memory of 3148	4468	cmd.exe	Mon000d7b2b59b9.exe
PID 4468 wrote to memory of 3148	4468	cmd.exe	Mon000d7b2b59b9.exe
PID 4468 wrote to memory of 3148	4468	cmd.exe	Mon000d7b2b59b9.exe
PID 4476 wrote to memory of 3124	4476	cmd.exe	Mon001af0f6251.exe
PID 4476 wrote to memory of 3124	4476	cmd.exe	Mon001af0f6251.exe
PID 4476 wrote to memory of 3124	4476	cmd.exe	Mon001af0f6251.exe
PID 4724 wrote to memory of 5176	4724	cmd.exe	Mon00e8b91b250904.exe
PID 4724 wrote to memory of 5176	4724	cmd.exe	Mon00e8b91b250904.exe
PID 592 wrote to memory of 5192	592	cmd.exe	Mon00a4b905d6fcf0a9.exe
PID 592 wrote to memory of 5192	592	cmd.exe	Mon00a4b905d6fcf0a9.exe
PID 592 wrote to memory of 5192	592	cmd.exe	Mon00a4b905d6fcf0a9.exe
PID 2968 wrote to memory of 5184	2968	cmd.exe	Mon00b1849cf0bf91e9.exe
PID 2968 wrote to memory of 5184	2968	cmd.exe	Mon00b1849cf0bf91e9.exe
PID 2968 wrote to memory of 5184	2968	cmd.exe	Mon00b1849cf0bf91e9.exe
PID 804 wrote to memory of 5284	804	cmd.exe	Mon00f61d292f523.exe
PID 804 wrote to memory of 5284	804	cmd.exe	Mon00f61d292f523.exe
PID 804 wrote to memory of 5284	804	cmd.exe	Mon00f61d292f523.exe
PID 3764 wrote to memory of 5296	3764	cmd.exe	Mon0001207aa1161f.exe
PID 3764 wrote to memory of 5296	3764	cmd.exe	Mon0001207aa1161f.exe
PID 4532 wrote to memory of 5304	4532	cmd.exe	Mon00271bbb5e.exe
PID 4532 wrote to memory of 5304	4532	cmd.exe	Mon00271bbb5e.exe
PID 4532 wrote to memory of 5304	4532	cmd.exe	Mon00271bbb5e.exe
PID 3148 wrote to memory of 5752	3148	Mon000d7b2b59b9.exe	Mon000d7b2b59b9.exe
PID 3148 wrote to memory of 5752	3148	Mon000d7b2b59b9.exe	Mon000d7b2b59b9.exe
PID 3148 wrote to memory of 5752	3148	Mon000d7b2b59b9.exe	Mon000d7b2b59b9.exe
PID 5184 wrote to memory of 5764	5184	Mon00b1849cf0bf91e9.exe	Chrome 5.exe
PID 5184 wrote to memory of 5764	5184	Mon00b1849cf0bf91e9.exe	Chrome 5.exe
PID 5184 wrote to memory of 5764	5184	Mon00b1849cf0bf91e9.exe	Chrome 5.exe
PID 5652 wrote to memory of 5284	5652	WerFault.exe	Mon00f61d292f523.exe

C:\Users\Admin\AppData\Local\Temp\71E2CF4709767EAB8E0E6DCD8F19D37C.exe
"C:\Users\Admin\AppData\Local\Temp\71E2CF4709767EAB8E0E6DCD8F19D37C.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon000d7b2b59b9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon000d7b2b59b9.exe
      Mon000d7b2b59b9.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon000d7b2b59b9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon000d7b2b59b9.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon001af0f6251.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon001af0f6251.exe
      Mon001af0f6251.exe
      4⤵
      Executes dropped EXE
      PID:3124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 260
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon0001207aa1161f.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon0001207aa1161f.exe
      Mon0001207aa1161f.exe
      4⤵
      Executes dropped EXE
      PID:5296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00a4b905d6fcf0a9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00a4b905d6fcf0a9.exe
      Mon00a4b905d6fcf0a9.exe
      4⤵
      Executes dropped EXE
      PID:5192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 256
        5⤵
        Program crash
        
        PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00f61d292f523.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00f61d292f523.exe
      Mon00f61d292f523.exe
      4⤵
      Executes dropped EXE
      PID:5284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 300
        5⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00271bbb5e.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00271bbb5e.exe
      Mon00271bbb5e.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5304
    - - C:\Users\Admin\Documents\McrV8pZn_TsVaUu6K7xK60Es.exe
        
        "C:\Users\Admin\Documents\McrV8pZn_TsVaUu6K7xK60Es.exe"
        5⤵
        Executes dropped EXE
        
        PID:2544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 288
        6⤵
        Program crash
        
        PID:5360
    - - C:\Users\Admin\Documents\G38iph3gAodkb0wB8s7noBoI.exe
        
        "C:\Users\Admin\Documents\G38iph3gAodkb0wB8s7noBoI.exe"
        5⤵
        Executes dropped EXE
        
        PID:3896
    - - C:\Users\Admin\Documents\DkwFDsOVzGvo0PJgjUgOk_3U.exe
        
        "C:\Users\Admin\Documents\DkwFDsOVzGvo0PJgjUgOk_3U.exe"
        5⤵
        Executes dropped EXE
        
        PID:2992
    - - C:\Users\Admin\Documents\ytS5P1d9a5WNrgY4z6opiZxP.exe
        
        "C:\Users\Admin\Documents\ytS5P1d9a5WNrgY4z6opiZxP.exe"
        5⤵
        Executes dropped EXE
        
        PID:5644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 280
        6⤵
        Program crash
        
        PID:7112
    - - C:\Users\Admin\Documents\bhfd3eMDr2suvun_JEs_lAZm.exe
        
        "C:\Users\Admin\Documents\bhfd3eMDr2suvun_JEs_lAZm.exe"
        5⤵
        
        PID:5192
    - - C:\Users\Admin\Documents\BxxrcQ4obeV59QLatAibbJ4g.exe
        
        "C:\Users\Admin\Documents\BxxrcQ4obeV59QLatAibbJ4g.exe"
        5⤵
        Executes dropped EXE
        
        PID:3576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 276
        6⤵
        Program crash
        
        PID:6168
    - - C:\Users\Admin\Documents\Tn91o84LOI8cnNRixe2rXcOR.exe
        
        "C:\Users\Admin\Documents\Tn91o84LOI8cnNRixe2rXcOR.exe"
        5⤵
        Executes dropped EXE
        
        PID:5680
    - - C:\Users\Admin\Documents\8KqPriRPhIbRG7eenpKgtgvL.exe
        
        "C:\Users\Admin\Documents\8KqPriRPhIbRG7eenpKgtgvL.exe"
        5⤵
        Executes dropped EXE
        
        PID:5196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 272
        6⤵
        Program crash
        
        PID:2536
    - - C:\Users\Admin\Documents\afNJlb0cYR2LMgMJ3XNFTEJn.exe
        
        "C:\Users\Admin\Documents\afNJlb0cYR2LMgMJ3XNFTEJn.exe"
        5⤵
        Executes dropped EXE
        
        PID:5688
    - - C:\Users\Admin\Documents\tp17_LSkjfbMicXDUnppZnJQ.exe
        
        "C:\Users\Admin\Documents\tp17_LSkjfbMicXDUnppZnJQ.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
      - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        6⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4640
      - C:\Program Files (x86)\Company\NewProduct\inst1.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
        6⤵
        
        PID:2332
      - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        6⤵
        
        PID:1692
      - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        6⤵
        
        PID:7104
    - - C:\Users\Admin\Documents\sDbiv_e0ZoGYV3PVpEqe5E09.exe
        
        "C:\Users\Admin\Documents\sDbiv_e0ZoGYV3PVpEqe5E09.exe"
        5⤵
        Executes dropped EXE
        
        PID:4576
    - - C:\Users\Admin\Documents\VIGQHJT5LMB0JEGPl0genJv9.exe
        
        "C:\Users\Admin\Documents\VIGQHJT5LMB0JEGPl0genJv9.exe"
        5⤵
        Executes dropped EXE
        
        PID:3172
      - C:\Users\Admin\Documents\VIGQHJT5LMB0JEGPl0genJv9.exe
        
        "C:\Users\Admin\Documents\VIGQHJT5LMB0JEGPl0genJv9.exe"
        6⤵
        
        PID:6456
    - - C:\Users\Admin\Documents\pBfEyaIveDq6UFiHlTKcP_CI.exe
        
        "C:\Users\Admin\Documents\pBfEyaIveDq6UFiHlTKcP_CI.exe"
        5⤵
        Executes dropped EXE
        
        PID:4224
    - - C:\Users\Admin\Documents\tYPQGMdbK231Qm6gMm2r7p98.exe
        
        "C:\Users\Admin\Documents\tYPQGMdbK231Qm6gMm2r7p98.exe"
        5⤵
        Executes dropped EXE
        
        PID:4792
      - C:\Users\Admin\AppData\Roaming\3326938.exe
        
        "C:\Users\Admin\AppData\Roaming\3326938.exe"
        6⤵
        
        PID:5456
      - C:\Users\Admin\AppData\Roaming\1573476.exe
        
        "C:\Users\Admin\AppData\Roaming\1573476.exe"
        6⤵
        
        PID:6936
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:2092
      - C:\Users\Admin\AppData\Roaming\1268129.exe
        
        "C:\Users\Admin\AppData\Roaming\1268129.exe"
        6⤵
        
        PID:6548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Roaming\4949573.exe
        
        "C:\Users\Admin\AppData\Roaming\4949573.exe"
        6⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1708
        7⤵
        Program crash
        
        PID:772
    - - C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe
        
        "C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe"
        5⤵
        Executes dropped EXE
        
        PID:4400
      - C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe
        
        "C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe"
        6⤵
        
        PID:4848
      - C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe
        
        "C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe"
        6⤵
        
        PID:4192
      - C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe
        
        "C:\Users\Admin\Documents\vOBkr8DiJlv_rbiGtnE8fkXN.exe"
        6⤵
        
        PID:5252
    - - C:\Users\Admin\Documents\Q7ZZH3n7tS9kmxri0EsotRV6.exe
        
        "C:\Users\Admin\Documents\Q7ZZH3n7tS9kmxri0EsotRV6.exe"
        5⤵
        Executes dropped EXE
        
        PID:1144
    - - C:\Users\Admin\Documents\26_VzY28GEA3fr8Sz8Ep6X88.exe
        
        "C:\Users\Admin\Documents\26_VzY28GEA3fr8Sz8Ep6X88.exe"
        5⤵
        Executes dropped EXE
        
        PID:2920
    - - C:\Users\Admin\Documents\m4IY3cfAsQBTjQjc2ZZsCbjJ.exe
        
        "C:\Users\Admin\Documents\m4IY3cfAsQBTjQjc2ZZsCbjJ.exe"
        5⤵
        Executes dropped EXE
        
        PID:4772
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\m4IY3cfAsQBTjQjc2ZZsCbjJ.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\m4IY3cfAsQBTjQjc2ZZsCbjJ.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
        6⤵
        
        PID:6872
    - - C:\Users\Admin\Documents\3OCvL9JauLyUuKenuJauDbgM.exe
        
        "C:\Users\Admin\Documents\3OCvL9JauLyUuKenuJauDbgM.exe"
        5⤵
        Executes dropped EXE
        
        PID:3992
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1648
    - - C:\Users\Admin\Documents\hTol3Nqyzs78hgNGu8yKmbxr.exe
        
        "C:\Users\Admin\Documents\hTol3Nqyzs78hgNGu8yKmbxr.exe"
        5⤵
        Executes dropped EXE
        
        PID:3836
    - - C:\Users\Admin\Documents\yeMa4a6zrXVCcKv4n3O7Ul2w.exe
        
        "C:\Users\Admin\Documents\yeMa4a6zrXVCcKv4n3O7Ul2w.exe"
        5⤵
        Executes dropped EXE
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 276
        6⤵
        Program crash
        
        PID:6200
    - - C:\Users\Admin\Documents\_hFKqdAtO9q8_9AHq57E32wj.exe
        
        "C:\Users\Admin\Documents\_hFKqdAtO9q8_9AHq57E32wj.exe"
        5⤵
        Executes dropped EXE
        
        PID:4908
      - C:\Users\Admin\Documents\_hFKqdAtO9q8_9AHq57E32wj.exe
        
        C:\Users\Admin\Documents\_hFKqdAtO9q8_9AHq57E32wj.exe
        6⤵
        
        PID:5128
    - - C:\Users\Admin\Documents\OatF7GDFcFuinPTAgVvDxyzD.exe
        
        "C:\Users\Admin\Documents\OatF7GDFcFuinPTAgVvDxyzD.exe"
        5⤵
        Executes dropped EXE
        
        PID:6192
    - - C:\Users\Admin\Documents\_r5AkMSO1d5k5rLqGkRhc9EG.exe
        
        "C:\Users\Admin\Documents\_r5AkMSO1d5k5rLqGkRhc9EG.exe"
        5⤵
        Executes dropped EXE
        
        PID:6348
      - C:\Users\Admin\Documents\_r5AkMSO1d5k5rLqGkRhc9EG.exe
        
        "C:\Users\Admin\Documents\_r5AkMSO1d5k5rLqGkRhc9EG.exe" -q
        6⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1000
        7⤵
        Program crash
        
        PID:7120
    - - C:\Users\Admin\Documents\CkOQ363Dt3qWcVbPnBHNp_oF.exe
        
        "C:\Users\Admin\Documents\CkOQ363Dt3qWcVbPnBHNp_oF.exe"
        5⤵
        
        PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00e8b91b250904.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00e8b91b250904.exe
      Mon00e8b91b250904.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon0015a1e17ea5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:504
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon0015a1e17ea5.exe
      Mon0015a1e17ea5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        Executes dropped EXE
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        Executes dropped EXE
        
        PID:5764
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:5920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:3548
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\test.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4484
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        6⤵
        Executes dropped EXE
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        6⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        6⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe" -a
        7⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7.exe"
        6⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        6⤵
        
        PID:6972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon00b1849cf0bf91e9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00b1849cf0bf91e9.exe
      Mon00b1849cf0bf91e9.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5184
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        5⤵
        
        PID:5764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Sfaldavano.xls
        5⤵
        
        PID:5832
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^fARmmICHAETEVIAiewsqLILJhRoBwBFrurUNyycHHdHtUkLfezrMoLJHPojHmwGYYPnRONeXFJaxqGOwySnHnTVxzjYWSOiGKIutNTBfsuin$" Serravano.xls
        7⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        Amica.exe.com Y
        7⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
        8⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
        9⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
        10⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
        11⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
        12⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amica.exe.com Y
        13⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping YJTUIPJF -n 30
        7⤵
        Runs ping.exe
        
        PID:5936

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv yKasnM7UgUqICmWI3CBItg.0.2
1⤵
- Modifies data under HKEY_USERS
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5284 -ip 5284
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5192 -ip 5192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5388

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4592

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4224 -ip 4224
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5644 -ip 5644
1⤵
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5196 -ip 5196
1⤵
PID:6708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3576 -ip 3576
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4468 -ip 4468
1⤵
PID:6836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
1⤵
PID:6632
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2992 -ip 2992
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2340 -ip 2340
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2108 -ip 2108
1⤵
PID:2104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 1896 -ip 1896
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3788 -ip 3788
1⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe" /SILENT
1⤵
PID:6600
- C:\Users\Admin\AppData\Local\Temp\is-KVFO9.tmp\5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KVFO9.tmp\5.tmp" /SL5="$3037E,140785,56832,C:\Users\Admin\AppData\Local\Temp\5.exe" /SILENT
  2⤵
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\is-PL81V.tmp\postback.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PL81V.tmp\postback.exe" ss1
    3⤵
    PID:1600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2544 -ip 2544
1⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:5720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\m4IY3cfAsQBTjQjc2ZZsCbjJ.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\m4IY3cfAsQBTjQjc2ZZsCbjJ.exe") do taskkill -IM "%~nXW" -f
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
  WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
  2⤵
  PID:4736
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
    3⤵
    PID:5732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
      4⤵
      PID:3684
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
    3⤵
    PID:5080
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -IM "m4IY3cfAsQBTjQjc2ZZsCbjJ.exe" -f
  2⤵
  - Kills process with taskkill
  PID:6944

C:\Users\Admin\AppData\Local\Temp\is-KFOUU.tmp\5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KFOUU.tmp\5.tmp" /SL5="$600D0,140785,56832,C:\Users\Admin\AppData\Local\Temp\5.exe"
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5192 -ip 5192
1⤵
PID:4712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:2108

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3084 -ip 3084
1⤵
PID:7036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:1148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 456
  2⤵
  - Program crash
  PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1148 -ip 1148
1⤵
PID:5672

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a29855 /state1:0x41c64e6d
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7064 -ip 7064
1⤵
PID:2912

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
PID:5580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
37c58eb6a1c177de7a43e41645f18f29

SHA1
98f9c679096c73df78863977a02f90907c799d8d

SHA256
6e870d628f0e25fd4229d2d97f649523829773838443dbc3b3ef4f8b53d8ea3a

SHA512
68f8ff8020bc414b2371ea34f9afa5a01cdf5876e819751e7250e853be6f0aa7ce874663b15f390ccfe39f23c4342630fe698006164f0805d73b6bd3ab15c20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
37c58eb6a1c177de7a43e41645f18f29

SHA1
98f9c679096c73df78863977a02f90907c799d8d

SHA256
6e870d628f0e25fd4229d2d97f649523829773838443dbc3b3ef4f8b53d8ea3a

SHA512
68f8ff8020bc414b2371ea34f9afa5a01cdf5876e819751e7250e853be6f0aa7ce874663b15f390ccfe39f23c4342630fe698006164f0805d73b6bd3ab15c20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
9a3fe714eeef66e4705be33659183eda

SHA1
9c0a5b8e70d2d9eba71409b77af725b1dc3be26b

SHA256
b82aa0fa294ce7acfbfaee6d3d1fbe9a122601e4bdd1c3425d3c3d4e738585bc

SHA512
1cbc562025224208e4e5ed366fd9c3b0ae458501566c8420b63245aed4d8d3327c41ba42bf36d64d06c65fb1078dad42d506612cb35b9ec1410e49f6b822bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
9a3fe714eeef66e4705be33659183eda

SHA1
9c0a5b8e70d2d9eba71409b77af725b1dc3be26b

SHA256
b82aa0fa294ce7acfbfaee6d3d1fbe9a122601e4bdd1c3425d3c3d4e738585bc

SHA512
1cbc562025224208e4e5ed366fd9c3b0ae458501566c8420b63245aed4d8d3327c41ba42bf36d64d06c65fb1078dad42d506612cb35b9ec1410e49f6b822bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

MD5
7e2725a7416c6d970eac283dee30438c

SHA1
c9bcb54697e3e58bc59e70217fa24c698166208d

SHA256
47ad11e0129bc7c5203c95e64484e8b75fbd9acd64971278f5bd5c68089e1508

SHA512
3c6b6542c1675c79a4c94c5919ae13a3abed69a802ea74455c0be0766425755b453d7e0676a5a2bf6a73c7ac96cae60ab86c9b4b05d9528cffd475a9480ebe7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

MD5
7e2725a7416c6d970eac283dee30438c

SHA1
c9bcb54697e3e58bc59e70217fa24c698166208d

SHA256
47ad11e0129bc7c5203c95e64484e8b75fbd9acd64971278f5bd5c68089e1508

SHA512
3c6b6542c1675c79a4c94c5919ae13a3abed69a802ea74455c0be0766425755b453d7e0676a5a2bf6a73c7ac96cae60ab86c9b4b05d9528cffd475a9480ebe7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon0001207aa1161f.exe

MD5
57d883f2e96dccb2ca2867cb858151f8

SHA1
09e0fcd15cc69bcd6a9ef2928c4054d754b1aaa3

SHA256
c1dc7829e850ff7189e993b6f2bd3b00d56f3ec062da364e8698fd39e79f0072

SHA512
2235866e39dccc8cd524592f6f0b514878bf0c5ad13ee95bd01508766eb789528394bf329faee481d81e3fe389664fb5673d214d478cda58f4293bfe58ba4012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon0001207aa1161f.exe

MD5
57d883f2e96dccb2ca2867cb858151f8

SHA1
09e0fcd15cc69bcd6a9ef2928c4054d754b1aaa3

SHA256
c1dc7829e850ff7189e993b6f2bd3b00d56f3ec062da364e8698fd39e79f0072

SHA512
2235866e39dccc8cd524592f6f0b514878bf0c5ad13ee95bd01508766eb789528394bf329faee481d81e3fe389664fb5673d214d478cda58f4293bfe58ba4012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon000d7b2b59b9.exe

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon000d7b2b59b9.exe

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon000d7b2b59b9.exe

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon0015a1e17ea5.exe

MD5
408f2c9252ad66429a8d5401f1833db3

SHA1
3829d2d03a728ecd59b38cc189525220a60c05db

SHA256
890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664

SHA512
d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon0015a1e17ea5.exe

MD5
408f2c9252ad66429a8d5401f1833db3

SHA1
3829d2d03a728ecd59b38cc189525220a60c05db

SHA256
890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664

SHA512
d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon001af0f6251.exe

MD5
7de877618ab2337aa32901030365b2ff

SHA1
adb006662ec67e244d2d9c935460c656c3d47435

SHA256
989079a8616a9e5c4f77c0e86b89d170dc7b8c4bf23768111f8e0d60e2c29da7

SHA512
b7f9b402baad41e8e9df1db856b2273b64dd603b6c5bae147979fbff215af79b1d261cdd89f0eb050c7ef3db820bb0207decd58fbc7f9a8d4ffb179133a7c8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon001af0f6251.exe

MD5
7de877618ab2337aa32901030365b2ff

SHA1
adb006662ec67e244d2d9c935460c656c3d47435

SHA256
989079a8616a9e5c4f77c0e86b89d170dc7b8c4bf23768111f8e0d60e2c29da7

SHA512
b7f9b402baad41e8e9df1db856b2273b64dd603b6c5bae147979fbff215af79b1d261cdd89f0eb050c7ef3db820bb0207decd58fbc7f9a8d4ffb179133a7c8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00271bbb5e.exe

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00271bbb5e.exe

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00a4b905d6fcf0a9.exe

MD5
6dba60503ea60560826fe5a12dced3e9

SHA1
7bb04d508e970701dc2945ed42fe96dbb083ec33

SHA256
8d49f82aaa8eb3dfa5c7d7dffd7efb9dd6b776ef08b8b8c5afc6cb8ab0743865

SHA512
837c0f0dc70386ce1d143332e4d273750f64dd7f8be5b4ce79aa39628ceebf27d01e447ed0b9ec6064c6ba9dbaa13a64631c2e136ec99d27c0f4a25681053ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00a4b905d6fcf0a9.exe

MD5
6dba60503ea60560826fe5a12dced3e9

SHA1
7bb04d508e970701dc2945ed42fe96dbb083ec33

SHA256
8d49f82aaa8eb3dfa5c7d7dffd7efb9dd6b776ef08b8b8c5afc6cb8ab0743865

SHA512
837c0f0dc70386ce1d143332e4d273750f64dd7f8be5b4ce79aa39628ceebf27d01e447ed0b9ec6064c6ba9dbaa13a64631c2e136ec99d27c0f4a25681053ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00b1849cf0bf91e9.exe

MD5
5f0617b7287c5f217e89b9407284736e

SHA1
64db3f9ceedda486648db13b4ed87e868c9192ca

SHA256
b0560993c8b7df45ede6031471dee138a335c428dd16454570ffa1b66175aa2a

SHA512
6367d9f5749260b326328f2ca455cbb22fc4696f44e61fab7616e39471742afbce26b69ed3ffb27f4d9cad7b643a50b54aea5f33892f0422d331ca76b6ea05b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00b1849cf0bf91e9.exe

MD5
5f0617b7287c5f217e89b9407284736e

SHA1
64db3f9ceedda486648db13b4ed87e868c9192ca

SHA256
b0560993c8b7df45ede6031471dee138a335c428dd16454570ffa1b66175aa2a

SHA512
6367d9f5749260b326328f2ca455cbb22fc4696f44e61fab7616e39471742afbce26b69ed3ffb27f4d9cad7b643a50b54aea5f33892f0422d331ca76b6ea05b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00e8b91b250904.exe

MD5
cda12ae37191467d0a7d151664ed74aa

SHA1
2625b2e142c848092aa4a51584143ab7ed7d33d2

SHA256
1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e

SHA512
77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00e8b91b250904.exe

MD5
cda12ae37191467d0a7d151664ed74aa

SHA1
2625b2e142c848092aa4a51584143ab7ed7d33d2

SHA256
1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e

SHA512
77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00f61d292f523.exe

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\Mon00f61d292f523.exe

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\setup_install.exe

MD5
f69dc484a152f3e9f551fb34fbf15604

SHA1
414ff10cdf2642172c0ec9cd28612a41facb95a9

SHA256
031461d720fc1807aaf0ddb8410fc9cc7b154aac6f585f28d73ebf77d8093e82

SHA512
ebb6a154d3b95be2d956ef738640709ecc56a80280adc32efcc029c844cf6aa97ef223b4b7602701358bc36fcac7af49ba37962aa5068a70b70b002e4a33013e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03F5A993\setup_install.exe

MD5
f69dc484a152f3e9f551fb34fbf15604

SHA1
414ff10cdf2642172c0ec9cd28612a41facb95a9

SHA256
031461d720fc1807aaf0ddb8410fc9cc7b154aac6f585f28d73ebf77d8093e82

SHA512
ebb6a154d3b95be2d956ef738640709ecc56a80280adc32efcc029c844cf6aa97ef223b4b7602701358bc36fcac7af49ba37962aa5068a70b70b002e4a33013e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.xls

MD5
890c973b9a423247c7b86a08afbe4c72

SHA1
64f7b204ca243b824b5c6dbe06e15293a22220ed

SHA256
94a77409b420387daab07e7475fe2dc25e62c3793c5fdd04b304bb378ce95280

SHA512
51ecc4e1b547323e2cae3bdbd5ca341afa3550f819f02fc691bb0737ebbd79b6594fdf637654bb2ebae35b4811caa78d52d72403a0ab5989c0217dd7b6589913

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Serravano.xls

MD5
bb57f693db1599698d76a13dcb0c9667

SHA1
4992bca0f7f057b6d367e8c3bd81bb58c1a8777c

SHA256
ee03c7b20e7c8eeef401ee2a7de867e8a151d4472c9947cde7f21d011f5196a8

SHA512
cf8b2252ba7787312c0e8f72a68ff05dbb23582263c11e66959cd6a7f25cde25e9a33b5078f5cc8840554edc3d6c0b3e7229ba0e8727799e29b128f560cfd950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfaldavano.xls

MD5
26ebbe10f1e4b7581ee0137b3263c744

SHA1
7f5b7949216744cbe8cde40f8b4762224cce8cc0

SHA256
376c16f256225ebadc257dab804c5bfbc1dde251a7aea7b55239d30261098495

SHA512
48014f2f9de728f0d5af3b072a11552e798e6de07f86ed2ff6448b7ac3dbacf582801ee128a175d17df2be9e0d7c27caf6dc455b4b4f5786868567aa41a4f8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
2fcf862bbccf6e27732fbd41e0f07977

SHA1
306ff7ca2418628e14fa293fdbdc069508da150d

SHA256
b3c5e36f9aa05f6af9a685e32fe3e979a92ce5c96d5be130e7145b62c3948650

SHA512
b3bc3e3f3fb63f08c5c15a3c767d555ec310addfb2f7a4cc85882f847833c80ac758fdf1a71e80b8be78b673f17fb38946ac18034551e925840c6bb57ca6b498

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
2fcf862bbccf6e27732fbd41e0f07977

SHA1
306ff7ca2418628e14fa293fdbdc069508da150d

SHA256
b3c5e36f9aa05f6af9a685e32fe3e979a92ce5c96d5be130e7145b62c3948650

SHA512
b3bc3e3f3fb63f08c5c15a3c767d555ec310addfb2f7a4cc85882f847833c80ac758fdf1a71e80b8be78b673f17fb38946ac18034551e925840c6bb57ca6b498

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

MD5
9efb46ac666bf0cd1b417f69e58151d5

SHA1
79cf36a9cc63bded573593a0aa93bad550d10e30

SHA256
fe1f35c815222d77527faddd4b99c9a697b2fb8fe27cd45c50b5f6ca499cce63

SHA512
33188085909fea6fc6f646a5e8cd217abbe07cdf1ddbf48d7099b8992a6ef8cab8536606d4f6eb77bb18ad0e71d9c1287ce5855c6f436a1eb13ed6639c2e959a

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

MD5
9efb46ac666bf0cd1b417f69e58151d5

SHA1
79cf36a9cc63bded573593a0aa93bad550d10e30

SHA256
fe1f35c815222d77527faddd4b99c9a697b2fb8fe27cd45c50b5f6ca499cce63

SHA512
33188085909fea6fc6f646a5e8cd217abbe07cdf1ddbf48d7099b8992a6ef8cab8536606d4f6eb77bb18ad0e71d9c1287ce5855c6f436a1eb13ed6639c2e959a

Download Submit
C:\Users\Admin\Documents\8KqPriRPhIbRG7eenpKgtgvL.exe

MD5
2adf8ab189b9a8cdfdd7b368e6fa29d0

SHA1
7e9e9eec8cf84291703cc69752fc13ca19408bac

SHA256
a04f87d376498c78629d44f3c05aa91b69c38c168b827eeb56d77fc14187ad99

SHA512
3106632043b14e666059d74a72470a73a8367824b01aadba8a7cf564137f7a4459be4669732c7e38cef19a420d9812426405064b196a13449ec75e1ad940349f

Download Submit
C:\Users\Admin\Documents\8KqPriRPhIbRG7eenpKgtgvL.exe

MD5
2adf8ab189b9a8cdfdd7b368e6fa29d0

SHA1
7e9e9eec8cf84291703cc69752fc13ca19408bac

SHA256
a04f87d376498c78629d44f3c05aa91b69c38c168b827eeb56d77fc14187ad99

SHA512
3106632043b14e666059d74a72470a73a8367824b01aadba8a7cf564137f7a4459be4669732c7e38cef19a420d9812426405064b196a13449ec75e1ad940349f

Download Submit
C:\Users\Admin\Documents\DkwFDsOVzGvo0PJgjUgOk_3U.exe

MD5
bbfa73f5dc7f0d888a0d731842789bc6

SHA1
4296b8152197dc85cccfe4398b78f53716db9c45

SHA256
98c781b3fd15d6c7c7624aa1a0c93910dd5d19722a1d9b8cb1c7b9673d311090

SHA512
2d371862311f7eca74a5207ad660af372ff66c3298681852a7691ef085923f5b28943e55c0ac61c071a4f8df58e97764cf988d59f08d4020cdf8466545f94c78

Download Submit
C:\Users\Admin\Documents\DkwFDsOVzGvo0PJgjUgOk_3U.exe

MD5
bbfa73f5dc7f0d888a0d731842789bc6

SHA1
4296b8152197dc85cccfe4398b78f53716db9c45

SHA256
98c781b3fd15d6c7c7624aa1a0c93910dd5d19722a1d9b8cb1c7b9673d311090

SHA512
2d371862311f7eca74a5207ad660af372ff66c3298681852a7691ef085923f5b28943e55c0ac61c071a4f8df58e97764cf988d59f08d4020cdf8466545f94c78

Download Submit
C:\Users\Admin\Documents\Tn91o84LOI8cnNRixe2rXcOR.exe

MD5
e2af17f1d20afd1631901b14406d6cb6

SHA1
2d1e32062f5ac13bf0b4c54d657a9df5eab15705

SHA256
236edbc38a401870df9dc0f41957aef6999ded33b13fa3a85ed9d28d5b3cc619

SHA512
39ae68844d0fb99a986db3a4446b90228508abd33929a9919d5d267299fae786bc3f57aff6e7eb219424900fe1d25e02c4a3373e6a5ed14ed38e53e843b39c95

Download Submit
C:\Users\Admin\Documents\VIGQHJT5LMB0JEGPl0genJv9.exe

MD5
c23ef86e3c6fac62234a1b4f1c550bff

SHA1
c69221f2f61dee18b401f57b30d53fa01080aa38

SHA256
4c1193d1c9d066f646907ef8778da9f1b713b88cb94d9fa773d771b9612605fa

SHA512
ca00cfe508fb4d44f3e6fb35c0a753538e354a75a2e51f335a02d05fa704cc6283d9acf733fdae98ceaf24bbb13b559e3caa9ee8e5e4a16e7ff5d1f8deded9e8

Download Submit
C:\Users\Admin\Documents\VIGQHJT5LMB0JEGPl0genJv9.exe

MD5
c23ef86e3c6fac62234a1b4f1c550bff

SHA1
c69221f2f61dee18b401f57b30d53fa01080aa38

SHA256
4c1193d1c9d066f646907ef8778da9f1b713b88cb94d9fa773d771b9612605fa

SHA512
ca00cfe508fb4d44f3e6fb35c0a753538e354a75a2e51f335a02d05fa704cc6283d9acf733fdae98ceaf24bbb13b559e3caa9ee8e5e4a16e7ff5d1f8deded9e8

Download Submit
C:\Users\Admin\Documents\afNJlb0cYR2LMgMJ3XNFTEJn.exe

MD5
2392a549af84c78752fe20467ef3a85e

SHA1
9b52b250f1473d95ed85a75cb42e7e8f2a7f47a0

SHA256
b992cac67e87108ccd7b9a8b38efcdf464a2bf258c731ac9b5f12bf86fc80c2d

SHA512
becf4ae8e5ad8ec777355d00c5e5c4d78b046c3d4d025aea3a7437956d02e8330c135066d3a42279a370a08d04556e375eca33bf7d69a9a0137d2ce895b17411

Download Submit
C:\Users\Admin\Documents\bhfd3eMDr2suvun_JEs_lAZm.exe

MD5
c7ccbd62c259a382501ff67408594011

SHA1
c1dca912e6c63e3730f261a3b4ba86dec0acd5f3

SHA256
8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437

SHA512
5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Download Submit
C:\Users\Admin\Documents\sDbiv_e0ZoGYV3PVpEqe5E09.exe

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Users\Admin\Documents\sDbiv_e0ZoGYV3PVpEqe5E09.exe

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Users\Admin\Documents\tp17_LSkjfbMicXDUnppZnJQ.exe

MD5
99642bb0d53a58dc13c60377e0e72fc8

SHA1
642097936f27ed8bc7506cd41a8522a681c25d88

SHA256
62f716d99538e84b8ce94b368d64500d2b0a98f84e714635fd40aba1d4807745

SHA512
968d52d78106b8303ba8786c7cf51e5364dbe81191d796d73ed9358e9edbc0e86c0529abfb213b33f7ccb6dc38ceae7aa0369966091778838f123987f900bbc4

Download Submit
C:\Users\Admin\Documents\tp17_LSkjfbMicXDUnppZnJQ.exe

MD5
99642bb0d53a58dc13c60377e0e72fc8

SHA1
642097936f27ed8bc7506cd41a8522a681c25d88

SHA256
62f716d99538e84b8ce94b368d64500d2b0a98f84e714635fd40aba1d4807745

SHA512
968d52d78106b8303ba8786c7cf51e5364dbe81191d796d73ed9358e9edbc0e86c0529abfb213b33f7ccb6dc38ceae7aa0369966091778838f123987f900bbc4

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

MD5
a1016423071a3b60559a284cf8f1eac6

SHA1
23c16221e153ccda4b26ab3dbdf5d6abf2cbe28d

SHA256
66d330693a82ee50136be12b81dd915da5a9841a402d02db27dd9dc41112d8bb

SHA512
36a4e05b1deca7e93a284a652b7ccf362f2b72a96e1113e88be957f67e51210cdd6fd03947a403071ff1dbbaf3ab24fc2834ab75a6492b54695aa22b691d715a

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5
a34fdd127f20a5810dbfc2666ff71cbc

SHA1
d34f9d4d305e4fc53f9c9b6de00502e930dc3bf6

SHA256
cfe4b22bb92de48c04bb6aa328989b9524b8dee900961005ad7588f4f81ac337

SHA512
91647932dabd8dcc557c2870b53123bfdc4472179bbeb6a005d4a5968492253c962adf30649ed6131f35af16eff6f874d8c57a6886f6e7496e615bb319e407d8

Download Submit
memory/500-243-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/500-261-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/500-216-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/500-221-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/500-411-0x0000000006895000-0x0000000006897000-memory.dmp

Filesize
8KB

Download
memory/500-214-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/500-223-0x0000000006892000-0x0000000006893000-memory.dmp

Filesize
4KB

Download
memory/500-482-0x000000007FA80000-0x000000007FA81000-memory.dmp

Filesize
4KB

Download
memory/500-257-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/500-230-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/500-226-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/500-227-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/500-228-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/500-229-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/500-233-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/504-187-0x0000000000000000-mapping.dmp

Download
memory/592-176-0x0000000000000000-mapping.dmp

Download
memory/804-178-0x0000000000000000-mapping.dmp

Download
memory/1144-321-0x0000000000000000-mapping.dmp

Download
memory/1144-510-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/1692-381-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/1848-241-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1848-235-0x0000000000000000-mapping.dmp

Download
memory/1880-284-0x0000000000000000-mapping.dmp

Download
memory/1896-265-0x0000000000000000-mapping.dmp

Download
memory/1896-273-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1896-283-0x000000001B940000-0x000000001B942000-memory.dmp

Filesize
8KB

Download
memory/2332-386-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2332-417-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2340-392-0x0000000004BC0000-0x0000000004CC6000-memory.dmp

Filesize
1.0MB

Download
memory/2340-374-0x0000000000000000-mapping.dmp

Download
memory/2544-451-0x0000000003F80000-0x0000000003FAF000-memory.dmp

Filesize
188KB

Download
memory/2544-293-0x0000000000000000-mapping.dmp

Download
memory/2920-487-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2920-324-0x0000000000000000-mapping.dmp

Download
memory/2968-185-0x0000000000000000-mapping.dmp

Download
memory/2992-391-0x0000000005320000-0x0000000005C46000-memory.dmp

Filesize
9.1MB

Download
memory/2992-289-0x0000000000000000-mapping.dmp

Download
memory/3124-191-0x0000000000000000-mapping.dmp

Download
memory/3124-232-0x00000000026C0000-0x00000000026C9000-memory.dmp

Filesize
36KB

Download
memory/3132-394-0x0000000002E90000-0x0000000002EA6000-memory.dmp

Filesize
88KB

Download
memory/3132-514-0x000000000FD50000-0x000000000FE76000-memory.dmp

Filesize
1.1MB

Download
memory/3148-190-0x0000000000000000-mapping.dmp

Download
memory/3172-281-0x0000000000000000-mapping.dmp

Download
memory/3172-352-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download
memory/3576-340-0x0000000002EE0000-0x0000000002EE9000-memory.dmp

Filesize
36KB

Download
memory/3576-292-0x0000000000000000-mapping.dmp

Download
memory/3636-188-0x0000000000000000-mapping.dmp

Download
memory/3636-224-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/3636-209-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3756-169-0x0000000000000000-mapping.dmp

Download
memory/3764-174-0x0000000000000000-mapping.dmp

Download
memory/3788-275-0x0000000000000000-mapping.dmp

Download
memory/3788-421-0x0000000004090000-0x00000000040BF000-memory.dmp

Filesize
188KB

Download
memory/3836-319-0x0000000000000000-mapping.dmp

Download
memory/3836-550-0x00000205BD340000-0x00000205BD342000-memory.dmp

Filesize
8KB

Download
memory/3896-476-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3896-291-0x0000000000000000-mapping.dmp

Download
memory/3992-323-0x0000000000000000-mapping.dmp

Download
memory/4164-296-0x0000000000000000-mapping.dmp

Download
memory/4192-467-0x0000000005270000-0x00000000054F6000-memory.dmp

Filesize
2.5MB

Download
memory/4224-305-0x0000000000000000-mapping.dmp

Download
memory/4224-361-0x00000000049E0000-0x0000000004A2A000-memory.dmp

Filesize
296KB

Download
memory/4400-330-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4400-348-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4400-341-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/4400-367-0x00000000056A0000-0x0000000005C46000-memory.dmp

Filesize
5.6MB

Download
memory/4400-303-0x0000000000000000-mapping.dmp

Download
memory/4468-320-0x0000000000000000-mapping.dmp

Download
memory/4468-170-0x0000000000000000-mapping.dmp

Download
memory/4468-517-0x0000000004AF0000-0x0000000004B8D000-memory.dmp

Filesize
628KB

Download
memory/4476-172-0x0000000000000000-mapping.dmp

Download
memory/4484-496-0x000000001B180000-0x000000001B182000-memory.dmp

Filesize
8KB

Download
memory/4484-267-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/4484-299-0x0000000002250000-0x000000000226C000-memory.dmp

Filesize
112KB

Download
memory/4484-258-0x0000000000000000-mapping.dmp

Download
memory/4532-180-0x0000000000000000-mapping.dmp

Download
memory/4552-167-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4552-166-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4552-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4552-146-0x0000000000000000-mapping.dmp

Download
memory/4552-168-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4552-164-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4552-163-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4552-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4576-282-0x0000000000000000-mapping.dmp

Download
memory/4576-302-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/4576-327-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/4724-182-0x0000000000000000-mapping.dmp

Download
memory/4772-322-0x0000000000000000-mapping.dmp

Download
memory/4776-266-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-331-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-315-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-334-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-279-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-294-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-264-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-269-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-280-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4776-325-0x000002313C330000-0x000002313C331000-memory.dmp

Filesize
4KB

Download
memory/4792-358-0x0000000001600000-0x0000000001602000-memory.dmp

Filesize
8KB

Download
memory/4792-350-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/4792-363-0x0000000001540000-0x000000000155E000-memory.dmp

Filesize
120KB

Download
memory/4792-304-0x0000000000000000-mapping.dmp

Download
memory/4792-329-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4908-369-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4908-398-0x00000000058A0000-0x0000000005916000-memory.dmp

Filesize
472KB

Download
memory/4908-318-0x0000000000000000-mapping.dmp

Download
memory/5128-539-0x00000000058F0000-0x0000000005E96000-memory.dmp

Filesize
5.6MB

Download
memory/5136-240-0x0000000000000000-mapping.dmp

Download
memory/5176-217-0x00000000015B0000-0x00000000015CC000-memory.dmp

Filesize
112KB

Download
memory/5176-225-0x000000001BE10000-0x000000001BE12000-memory.dmp

Filesize
8KB

Download
memory/5176-212-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/5176-192-0x0000000000000000-mapping.dmp

Download
memory/5184-198-0x0000000000000000-mapping.dmp

Download
memory/5192-245-0x0000000002960000-0x00000000029FD000-memory.dmp

Filesize
628KB

Download
memory/5192-193-0x0000000000000000-mapping.dmp

Download
memory/5192-372-0x00000000049E0000-0x0000000004A0F000-memory.dmp

Filesize
188KB

Download
memory/5192-288-0x0000000000000000-mapping.dmp

Download
memory/5196-285-0x0000000000000000-mapping.dmp

Download
memory/5196-365-0x00000000049E0000-0x0000000004A6F000-memory.dmp

Filesize
572KB

Download
memory/5284-215-0x0000000004890000-0x00000000048BF000-memory.dmp

Filesize
188KB

Download
memory/5284-199-0x0000000000000000-mapping.dmp

Download
memory/5296-200-0x0000000000000000-mapping.dmp

Download
memory/5304-201-0x0000000000000000-mapping.dmp

Download
memory/5304-231-0x0000000003CF0000-0x0000000003E2F000-memory.dmp

Filesize
1.2MB

Download
memory/5456-554-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/5480-440-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5644-290-0x0000000000000000-mapping.dmp

Download
memory/5644-333-0x0000000002EF0000-0x0000000002F20000-memory.dmp

Filesize
192KB

Download
memory/5680-500-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/5680-286-0x0000000000000000-mapping.dmp

Download
memory/5688-457-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/5688-287-0x0000000000000000-mapping.dmp

Download
memory/5752-218-0x0000000000000000-mapping.dmp

Download
memory/5764-349-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/5764-219-0x0000000000000000-mapping.dmp

Download
memory/5764-249-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/5764-346-0x000000001C740000-0x000000001C742000-memory.dmp

Filesize
8KB

Download
memory/5764-343-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/5764-246-0x0000000000000000-mapping.dmp

Download
memory/5804-250-0x0000000000000000-mapping.dmp

Download
memory/5804-317-0x0000000001190000-0x00000000014E6000-memory.dmp

Filesize
3.3MB

Download
memory/5804-337-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5832-222-0x0000000000000000-mapping.dmp

Download
memory/5876-471-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/5936-268-0x0000000000000000-mapping.dmp

Download
memory/5936-316-0x0000000000000000-mapping.dmp

Download
memory/6192-446-0x000001A6403F0000-0x000001A6404D4000-memory.dmp

Filesize
912KB

Download
memory/6192-462-0x000001A640640000-0x000001A6407A1000-memory.dmp

Filesize
1.4MB

Download
memory/6192-326-0x0000000000000000-mapping.dmp

Download
memory/6256-353-0x00000183E19D0000-0x00000183E19D2000-memory.dmp

Filesize
8KB

Download
memory/6256-339-0x00000183C71C0000-0x00000183C71C1000-memory.dmp

Filesize
4KB

Download
memory/6256-523-0x00000183E19D2000-0x00000183E19D4000-memory.dmp

Filesize
8KB

Download
memory/6256-406-0x00000183E19D5000-0x00000183E19D7000-memory.dmp

Filesize
8KB

Download
memory/6256-402-0x00000183E19D4000-0x00000183E19D5000-memory.dmp

Filesize
4KB

Download
memory/6256-328-0x0000000000000000-mapping.dmp

Download
memory/6256-356-0x00000183C75E0000-0x00000183C75EB000-memory.dmp

Filesize
44KB

Download
memory/6348-332-0x0000000000000000-mapping.dmp

Download
memory/6456-344-0x0000000000000000-mapping.dmp

Download
memory/6456-351-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6496-505-0x0000018EE8430000-0x0000018EE8591000-memory.dmp

Filesize
1.4MB

Download
memory/6600-427-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6632-373-0x0000000000000000-mapping.dmp

Download
memory/6632-433-0x00000000034D0000-0x0000000003826000-memory.dmp

Filesize
3.3MB

Download
memory/6632-383-0x0000000000DF0000-0x0000000000E4D000-memory.dmp

Filesize
372KB

Download
memory/6632-389-0x00000000007A0000-0x00000000007C8000-memory.dmp

Filesize
160KB

Download
memory/6872-357-0x0000000000000000-mapping.dmp

Download
memory/6972-364-0x0000000000000000-mapping.dmp

Download
memory/6972-379-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/7104-492-0x00000205D2890000-0x00000205D29F1000-memory.dmp

Filesize
1.4MB

Download
memory/7104-371-0x0000000000000000-mapping.dmp

Download