Analysis
-
max time kernel
108s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
15-03-2022 14:22
Static task
static1
Behavioral task
behavioral1
Sample
f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe
Resource
win10v2004-20220310-en
General
-
Target
f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe
-
Size
3.9MB
-
MD5
85a1a5ff3b3bd02ba45c5d11ad7338fe
-
SHA1
f27bf668ec434eec52454913e50e7ecb43821880
-
SHA256
f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12
-
SHA512
132a47426b034ec4446152d43d4e01d4e5c426d447782b36caee7b3a8176990737b51ae22fc947853bca26b2609547ed58f8f21c9a46ae8f4015d10dceaddaaa
Malware Config
Extracted
vidar
39.4
933
https://sergeevih43.tumblr.com/
-
profile_id
933
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
da da
86.107.197.196:63065
-
auth_value
9b1654b30797c210c85bd0890936a5b9
Extracted
vidar
50.9
1177
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
-
profile_id
1177
Extracted
redline
ruz876
185.215.113.7:5186
-
auth_value
4750f6742a496bbe74a981d51e7680ad
Extracted
redline
filinnn1
5.45.77.29:2495
-
auth_value
da347df57c88b125ede510dbe7fcc0f4
Extracted
redline
ruzki14_03
176.122.23.55:11768
-
auth_value
13b742acfe493b01c5301781c98d3fbe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rUNdlL32.eXedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 2148 rUNdlL32.eXe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 10 IoCs
Processes:
resource yara_rule C:\Users\Admin\Documents\w3uu_tXP0lENRWVzkxjVPRVU.exe family_redline behavioral2/memory/692-250-0x0000000000470000-0x0000000000490000-memory.dmp family_redline C:\Users\Admin\Documents\w3uu_tXP0lENRWVzkxjVPRVU.exe family_redline behavioral2/memory/1456-271-0x00000000002D0000-0x0000000000455000-memory.dmp family_redline behavioral2/memory/3336-285-0x0000000000DA0000-0x0000000000F25000-memory.dmp family_redline behavioral2/memory/3336-287-0x0000000000DA0000-0x0000000000F25000-memory.dmp family_redline behavioral2/memory/1456-268-0x00000000002D0000-0x0000000000455000-memory.dmp family_redline behavioral2/memory/4456-362-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral2/memory/2376-361-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral2/memory/1964-360-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 6 IoCs
Processes:
resource yara_rule behavioral2/memory/2696-216-0x00000000020E0000-0x000000000217D000-memory.dmp family_vidar behavioral2/memory/2696-222-0x0000000000400000-0x00000000004B7000-memory.dmp family_vidar behavioral2/memory/3844-284-0x0000000000DD0000-0x000000000115C000-memory.dmp family_vidar behavioral2/memory/3844-286-0x0000000000DD0000-0x000000000115C000-memory.dmp family_vidar behavioral2/memory/3844-289-0x0000000000DD0000-0x000000000115C000-memory.dmp family_vidar behavioral2/memory/3844-288-0x0000000000DD0000-0x000000000115C000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\setup_install.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\setup_install.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libstdc++-6.dll aspack_v212_v242 -
Blocklisted process makes network request 2 IoCs
Processes:
schtasks.exeflow pid process 229 3724 schtasks.exe 232 3724 schtasks.exe -
Downloads MZ/PE file
-
Executes dropped EXE 47 IoCs
Processes:
setup_installer.exesetup_install.exesahiba_4.exesahiba_1.exesahiba_2.exesahiba_3.exesahiba_10.exesahiba_6.exesahiba_5.exesahiba_7.exesahiba_9.exesahiba_8.exesahiba_5.tmpsahiba_1.exejfiag3g_gg.exejfiag3g_gg.exe3kgAh8CzmmJSYseD5vX3fGDo.exeOEVFnpz4FkRF18boyAsNY06q.exe2waDZQ9qkAINOlucHvfWQdVc.exew3uu_tXP0lENRWVzkxjVPRVU.exe_GKVO71Pc67ar5UBWuhCNMks.exeWerFault.exeCvcil0oU_rXUzquVmt8oq_YE.exe0RuP0BblTEtv44BiOtHYafMh.exeKrWEUdPJRLWeNmfUJkDou2K6.exekpTnpI6x6EYGA2APeppcnW5T.exeF_ZFgZYib7zDpuFr4BPJ4BZL.exeRu7CR094PaWBrp6qu_PHfq3d.exeenvIb15B2O8gfFZCGZXw1_44.exe6_RZVyMPHgwk0lEyKPMWAMAh.exeauoUfxYoVmqxa9uQcKd5ypAl.exey1KuPIgGmh89uRzzkhIrt_AX.exexB17P_ncPDiqBlTAsex4JlC3.exeOXVD9h7TrbJ5bsvBu92xDbQM.exebKcpqv_EHCJa1EWv9LLp8mNN.exeIj4SkpboDOCd5Oi0F38b9TrM.exeInstall.exeWerFault.exeInstall.exesahiba_9.exesahiba_9.exeb344bfae-0803-4921-a4ef-42cf0e3bcfa5.exesahiba_9.exeSta.exe.pif1f1dc9b7-f6e2-44de-b5f9-7a01070ee0d5.exeAdvancedRun.exeAdvancedRun.exepid process 3784 setup_installer.exe 5020 setup_install.exe 1760 sahiba_4.exe 1892 sahiba_1.exe 1744 sahiba_2.exe 2696 sahiba_3.exe 3844 sahiba_10.exe 3624 sahiba_6.exe 3732 sahiba_5.exe 3724 sahiba_7.exe 3756 sahiba_9.exe 3128 sahiba_8.exe 3288 sahiba_5.tmp 3556 sahiba_1.exe 3424 jfiag3g_gg.exe 1912 jfiag3g_gg.exe 2472 3kgAh8CzmmJSYseD5vX3fGDo.exe 4928 OEVFnpz4FkRF18boyAsNY06q.exe 1968 2waDZQ9qkAINOlucHvfWQdVc.exe 692 w3uu_tXP0lENRWVzkxjVPRVU.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 3432 WerFault.exe 2500 Cvcil0oU_rXUzquVmt8oq_YE.exe 3784 0RuP0BblTEtv44BiOtHYafMh.exe 5044 KrWEUdPJRLWeNmfUJkDou2K6.exe 3036 kpTnpI6x6EYGA2APeppcnW5T.exe 3224 F_ZFgZYib7zDpuFr4BPJ4BZL.exe 3800 Ru7CR094PaWBrp6qu_PHfq3d.exe 1880 envIb15B2O8gfFZCGZXw1_44.exe 2536 6_RZVyMPHgwk0lEyKPMWAMAh.exe 3844 auoUfxYoVmqxa9uQcKd5ypAl.exe 1456 y1KuPIgGmh89uRzzkhIrt_AX.exe 3336 xB17P_ncPDiqBlTAsex4JlC3.exe 1352 OXVD9h7TrbJ5bsvBu92xDbQM.exe 1600 bKcpqv_EHCJa1EWv9LLp8mNN.exe 5108 Ij4SkpboDOCd5Oi0F38b9TrM.exe 2460 Install.exe 2548 WerFault.exe 1452 Install.exe 3088 sahiba_9.exe 5008 sahiba_9.exe 3680 b344bfae-0803-4921-a4ef-42cf0e3bcfa5.exe 3472 sahiba_9.exe 4804 Sta.exe.pif 4940 1f1dc9b7-f6e2-44de-b5f9-7a01070ee0d5.exe 2312 AdvancedRun.exe 2960 AdvancedRun.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx -
Checks BIOS information in registry 2 TTPs 7 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Ru7CR094PaWBrp6qu_PHfq3d.exeWerFault.exeInstall.exe0RuP0BblTEtv44BiOtHYafMh.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Ru7CR094PaWBrp6qu_PHfq3d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0RuP0BblTEtv44BiOtHYafMh.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0RuP0BblTEtv44BiOtHYafMh.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Ru7CR094PaWBrp6qu_PHfq3d.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
setup_installer.exesahiba_1.exesahiba_7.exeInstall.exeIj4SkpboDOCd5Oi0F38b9TrM.exeenvIb15B2O8gfFZCGZXw1_44.exeauoUfxYoVmqxa9uQcKd5ypAl.exef92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exeKrWEUdPJRLWeNmfUJkDou2K6.exeOEVFnpz4FkRF18boyAsNY06q.exekpTnpI6x6EYGA2APeppcnW5T.exeAdvancedRun.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation setup_installer.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation sahiba_1.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation sahiba_7.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation Ij4SkpboDOCd5Oi0F38b9TrM.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation envIb15B2O8gfFZCGZXw1_44.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation auoUfxYoVmqxa9uQcKd5ypAl.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation KrWEUdPJRLWeNmfUJkDou2K6.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation OEVFnpz4FkRF18boyAsNY06q.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation kpTnpI6x6EYGA2APeppcnW5T.exe Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation AdvancedRun.exe -
Loads dropped DLL 24 IoCs
Processes:
setup_install.exesahiba_5.tmpsahiba_2.exerundll32.exe_GKVO71Pc67ar5UBWuhCNMks.exeenvIb15B2O8gfFZCGZXw1_44.exeauoUfxYoVmqxa9uQcKd5ypAl.exepid process 5020 setup_install.exe 5020 setup_install.exe 5020 setup_install.exe 5020 setup_install.exe 5020 setup_install.exe 5020 setup_install.exe 5020 setup_install.exe 3288 sahiba_5.tmp 1744 sahiba_2.exe 392 rundll32.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 1880 envIb15B2O8gfFZCGZXw1_44.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 3844 auoUfxYoVmqxa9uQcKd5ypAl.exe 1880 envIb15B2O8gfFZCGZXw1_44.exe 3844 auoUfxYoVmqxa9uQcKd5ypAl.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe 4164 _GKVO71Pc67ar5UBWuhCNMks.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
0RuP0BblTEtv44BiOtHYafMh.exeRu7CR094PaWBrp6qu_PHfq3d.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0RuP0BblTEtv44BiOtHYafMh.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ru7CR094PaWBrp6qu_PHfq3d.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 ipinfo.io 29 ipinfo.io 30 ip-api.com 179 ipinfo.io 180 ipinfo.io -
Drops file in System32 directory 1 IoCs
Processes:
Install.exedescription ioc process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
auoUfxYoVmqxa9uQcKd5ypAl.exey1KuPIgGmh89uRzzkhIrt_AX.exexB17P_ncPDiqBlTAsex4JlC3.exepid process 3844 auoUfxYoVmqxa9uQcKd5ypAl.exe 1456 y1KuPIgGmh89uRzzkhIrt_AX.exe 3336 xB17P_ncPDiqBlTAsex4JlC3.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
Ru7CR094PaWBrp6qu_PHfq3d.exe0RuP0BblTEtv44BiOtHYafMh.exeWerFault.exesahiba_9.exedescription pid process target process PID 3800 set thread context of 2376 3800 Ru7CR094PaWBrp6qu_PHfq3d.exe AppLaunch.exe PID 3784 set thread context of 1964 3784 0RuP0BblTEtv44BiOtHYafMh.exe AppLaunch.exe PID 3432 set thread context of 4456 3432 WerFault.exe AppLaunch.exe PID 3756 set thread context of 3472 3756 sahiba_9.exe sahiba_9.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\66i2OKv6hdBe9X5H5.raw svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3792 392 WerFault.exe rundll32.exe 3504 2696 WerFault.exe sahiba_3.exe 2464 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 1800 3224 WerFault.exe F_ZFgZYib7zDpuFr4BPJ4BZL.exe 4272 3224 WerFault.exe F_ZFgZYib7zDpuFr4BPJ4BZL.exe 1300 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 2420 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 3000 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 4292 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 1292 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 3936 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 4588 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 2548 3036 WerFault.exe kpTnpI6x6EYGA2APeppcnW5T.exe 3832 4440 WerFault.exe Sta.exe.pif -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
sahiba_2.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sahiba_2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sahiba_2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sahiba_2.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
envIb15B2O8gfFZCGZXw1_44.exeauoUfxYoVmqxa9uQcKd5ypAl.exe_GKVO71Pc67ar5UBWuhCNMks.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 envIb15B2O8gfFZCGZXw1_44.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString envIb15B2O8gfFZCGZXw1_44.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 auoUfxYoVmqxa9uQcKd5ypAl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString auoUfxYoVmqxa9uQcKd5ypAl.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 _GKVO71Pc67ar5UBWuhCNMks.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString _GKVO71Pc67ar5UBWuhCNMks.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1724 schtasks.exe 3724 schtasks.exe -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid process 620 timeout.exe 4580 timeout.exe 4268 timeout.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 3492 tasklist.exe 2164 tasklist.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Install.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 3556 taskkill.exe 3720 taskkill.exe 3000 taskkill.exe -
Processes:
sahiba_3.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 sahiba_3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e sahiba_3.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
jfiag3g_gg.exesahiba_2.exepid process 1912 jfiag3g_gg.exe 1912 jfiag3g_gg.exe 1744 sahiba_2.exe 1744 sahiba_2.exe 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 3048 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3048 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
sahiba_2.exepid process 1744 sahiba_2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
sahiba_6.exesahiba_10.exeOEVFnpz4FkRF18boyAsNY06q.exexB17P_ncPDiqBlTAsex4JlC3.exey1KuPIgGmh89uRzzkhIrt_AX.exeIj4SkpboDOCd5Oi0F38b9TrM.exedescription pid process Token: SeDebugPrivilege 3624 sahiba_6.exe Token: SeDebugPrivilege 3844 sahiba_10.exe Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeDebugPrivilege 4928 OEVFnpz4FkRF18boyAsNY06q.exe Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeDebugPrivilege 3336 xB17P_ncPDiqBlTAsex4JlC3.exe Token: SeDebugPrivilege 1456 y1KuPIgGmh89uRzzkhIrt_AX.exe Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeShutdownPrivilege 3048 Token: SeCreatePagefilePrivilege 3048 Token: SeDebugPrivilege 5108 Ij4SkpboDOCd5Oi0F38b9TrM.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
Sta.exe.pifpid process 4804 Sta.exe.pif 3048 3048 4804 Sta.exe.pif 4804 Sta.exe.pif 3048 3048 -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Sta.exe.pifpid process 4804 Sta.exe.pif 4804 Sta.exe.pif 4804 Sta.exe.pif -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4828 wrote to memory of 3784 4828 f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe setup_installer.exe PID 4828 wrote to memory of 3784 4828 f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe setup_installer.exe PID 4828 wrote to memory of 3784 4828 f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe setup_installer.exe PID 3784 wrote to memory of 5020 3784 setup_installer.exe setup_install.exe PID 3784 wrote to memory of 5020 3784 setup_installer.exe setup_install.exe PID 3784 wrote to memory of 5020 3784 setup_installer.exe setup_install.exe PID 5020 wrote to memory of 1628 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1628 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1628 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 556 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 556 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 556 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 620 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 620 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 620 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 872 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 872 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 872 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 444 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 444 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 444 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 804 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 804 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 804 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1120 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1120 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1120 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 3828 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 3828 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 3828 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1612 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1612 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1612 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1352 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1352 5020 setup_install.exe cmd.exe PID 5020 wrote to memory of 1352 5020 setup_install.exe cmd.exe PID 872 wrote to memory of 1760 872 cmd.exe sahiba_4.exe PID 872 wrote to memory of 1760 872 cmd.exe sahiba_4.exe PID 872 wrote to memory of 1760 872 cmd.exe sahiba_4.exe PID 1628 wrote to memory of 1892 1628 cmd.exe sahiba_1.exe PID 1628 wrote to memory of 1892 1628 cmd.exe sahiba_1.exe PID 1628 wrote to memory of 1892 1628 cmd.exe sahiba_1.exe PID 556 wrote to memory of 1744 556 cmd.exe sahiba_2.exe PID 556 wrote to memory of 1744 556 cmd.exe sahiba_2.exe PID 556 wrote to memory of 1744 556 cmd.exe sahiba_2.exe PID 620 wrote to memory of 2696 620 cmd.exe sahiba_3.exe PID 620 wrote to memory of 2696 620 cmd.exe sahiba_3.exe PID 620 wrote to memory of 2696 620 cmd.exe sahiba_3.exe PID 1352 wrote to memory of 3844 1352 cmd.exe sahiba_10.exe PID 1352 wrote to memory of 3844 1352 cmd.exe sahiba_10.exe PID 804 wrote to memory of 3624 804 cmd.exe sahiba_6.exe PID 804 wrote to memory of 3624 804 cmd.exe sahiba_6.exe PID 1120 wrote to memory of 3724 1120 cmd.exe sahiba_7.exe PID 1120 wrote to memory of 3724 1120 cmd.exe sahiba_7.exe PID 1120 wrote to memory of 3724 1120 cmd.exe sahiba_7.exe PID 444 wrote to memory of 3732 444 cmd.exe sahiba_5.exe PID 444 wrote to memory of 3732 444 cmd.exe sahiba_5.exe PID 444 wrote to memory of 3732 444 cmd.exe sahiba_5.exe PID 1612 wrote to memory of 3756 1612 cmd.exe sahiba_9.exe PID 1612 wrote to memory of 3756 1612 cmd.exe sahiba_9.exe PID 1612 wrote to memory of 3756 1612 cmd.exe sahiba_9.exe PID 3828 wrote to memory of 3128 3828 cmd.exe sahiba_8.exe PID 3828 wrote to memory of 3128 3828 cmd.exe sahiba_8.exe PID 3828 wrote to memory of 3128 3828 cmd.exe sahiba_8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe"C:\Users\Admin\AppData\Local\Temp\f92c41e49e5e9726f48e0577a82640935870c07c5551f0aa7a833d79180a3a12.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_1.exesahiba_1.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_1.exe" -a6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_3.exesahiba_3.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 10326⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_2.exesahiba_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_5.exesahiba_5.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-QB7KB.tmp\sahiba_5.tmp"C:\Users\Admin\AppData\Local\Temp\is-QB7KB.tmp\sahiba_5.tmp" /SL5="$C0090,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_5.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_4.exesahiba_4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_10.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_10.exesahiba_10.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_9.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exesahiba_9.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exeC:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exeC:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exeC:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exeC:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_8.exesahiba_8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_7.exesahiba_7.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\2waDZQ9qkAINOlucHvfWQdVc.exe"C:\Users\Admin\Documents\2waDZQ9qkAINOlucHvfWQdVc.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\2waDZQ9qkAINOlucHvfWQdVc.exe"C:\Users\Admin\Documents\2waDZQ9qkAINOlucHvfWQdVc.exe"7⤵
-
C:\Users\Admin\Documents\w3uu_tXP0lENRWVzkxjVPRVU.exe"C:\Users\Admin\Documents\w3uu_tXP0lENRWVzkxjVPRVU.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\kpTnpI6x6EYGA2APeppcnW5T.exe"C:\Users\Admin\Documents\kpTnpI6x6EYGA2APeppcnW5T.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 4527⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 6327⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 6607⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 7447⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 12247⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 12327⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 12167⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 12807⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "kpTnpI6x6EYGA2APeppcnW5T.exe" /f & erase "C:\Users\Admin\Documents\kpTnpI6x6EYGA2APeppcnW5T.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "kpTnpI6x6EYGA2APeppcnW5T.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 11207⤵
- Executes dropped EXE
- Program crash
-
C:\Users\Admin\Documents\xB17P_ncPDiqBlTAsex4JlC3.exe"C:\Users\Admin\Documents\xB17P_ncPDiqBlTAsex4JlC3.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\OXVD9h7TrbJ5bsvBu92xDbQM.exe"C:\Users\Admin\Documents\OXVD9h7TrbJ5bsvBu92xDbQM.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS4C82.tmp\Install.exe.\Install.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS6B93.tmp\Install.exe.\Install.exe /S /site_id "525403"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gMthEUObP" /SC once /ST 08:14:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gMthEUObP"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gMthEUObP"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 15:46:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\TXDWXMI.exe\" j6 /site_id 525403 /S" /V1 /F9⤵
- Blocklisted process makes network request
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\auoUfxYoVmqxa9uQcKd5ypAl.exe"C:\Users\Admin\Documents\auoUfxYoVmqxa9uQcKd5ypAl.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im auoUfxYoVmqxa9uQcKd5ypAl.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\auoUfxYoVmqxa9uQcKd5ypAl.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im auoUfxYoVmqxa9uQcKd5ypAl.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\6_RZVyMPHgwk0lEyKPMWAMAh.exe"C:\Users\Admin\Documents\6_RZVyMPHgwk0lEyKPMWAMAh.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\6_RZVyMPHgwk0lEyKPMWAMAh.exe7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 08⤵
-
C:\Users\Admin\Documents\envIb15B2O8gfFZCGZXw1_44.exe"C:\Users\Admin\Documents\envIb15B2O8gfFZCGZXw1_44.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im envIb15B2O8gfFZCGZXw1_44.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\envIb15B2O8gfFZCGZXw1_44.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im envIb15B2O8gfFZCGZXw1_44.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\y1KuPIgGmh89uRzzkhIrt_AX.exe"C:\Users\Admin\Documents\y1KuPIgGmh89uRzzkhIrt_AX.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Ru7CR094PaWBrp6qu_PHfq3d.exe"C:\Users\Admin\Documents\Ru7CR094PaWBrp6qu_PHfq3d.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Documents\F_ZFgZYib7zDpuFr4BPJ4BZL.exe"C:\Users\Admin\Documents\F_ZFgZYib7zDpuFr4BPJ4BZL.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 4407⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 4807⤵
- Program crash
-
C:\Users\Admin\Documents\KrWEUdPJRLWeNmfUJkDou2K6.exe"C:\Users\Admin\Documents\KrWEUdPJRLWeNmfUJkDou2K6.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"9⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"9⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pifSta.exe.pif V9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif10⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 44811⤵
- Program crash
-
C:\Users\Admin\Documents\0RuP0BblTEtv44BiOtHYafMh.exe"C:\Users\Admin\Documents\0RuP0BblTEtv44BiOtHYafMh.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Documents\Cvcil0oU_rXUzquVmt8oq_YE.exe"C:\Users\Admin\Documents\Cvcil0oU_rXUzquVmt8oq_YE.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\PM9sxIyKGP3ZLIQac3mqZ1uI.exe"C:\Users\Admin\Documents\PM9sxIyKGP3ZLIQac3mqZ1uI.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Documents\_GKVO71Pc67ar5UBWuhCNMks.exe"C:\Users\Admin\Documents\_GKVO71Pc67ar5UBWuhCNMks.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\Documents\OEVFnpz4FkRF18boyAsNY06q.exe"C:\Users\Admin\Documents\OEVFnpz4FkRF18boyAsNY06q.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b344bfae-0803-4921-a4ef-42cf0e3bcfa5.exe"C:\Users\Admin\AppData\Local\Temp\b344bfae-0803-4921-a4ef-42cf0e3bcfa5.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exe"C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\1f1dc9b7-f6e2-44de-b5f9-7a01070ee0d5.exe"C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\1f1dc9b7-f6e2-44de-b5f9-7a01070ee0d5.exe" /o /c "Windows-Defender" /r7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e39974eb-71d4-4162-a67c-d8e571eb5e6b\AdvancedRun.exe" /SpecialRun 4101d8 23128⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exe" -Force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exe" -Force7⤵
-
C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exe"C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exe"7⤵
-
C:\Users\Admin\Documents\Ij4SkpboDOCd5Oi0F38b9TrM.exe"C:\Users\Admin\Documents\Ij4SkpboDOCd5Oi0F38b9TrM.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 457⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 458⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\Ztfglzprim.exe"C:\Users\Admin\AppData\Local\Temp\Ztfglzprim.exe"7⤵
-
C:\Users\Admin\Documents\Ij4SkpboDOCd5Oi0F38b9TrM.exeC:\Users\Admin\Documents\Ij4SkpboDOCd5Oi0F38b9TrM.exe7⤵
-
C:\Users\Admin\Documents\bKcpqv_EHCJa1EWv9LLp8mNN.exe"C:\Users\Admin\Documents\bKcpqv_EHCJa1EWv9LLp8mNN.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_6.exesahiba_6.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2696 -ip 26961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 392 -ip 3921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1600 -ip 16001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2500 -ip 25001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3224 -ip 32241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2500 -ip 25001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1600 -ip 16001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3224 -ip 32241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3036 -ip 30361⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3036 -ip 30361⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\TXDWXMI.exeC:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\TXDWXMI.exe j6 /site_id 525403 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4440 -ip 44401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Modify Registry
4Disabling Security Tools
3Bypass User Account Control
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_1.exeMD5
b65276c9e9864815be738ec102f747d4
SHA17b2d710d28b7584a402015b381200af16929a71a
SHA2563f8b6c43ac0c4fa103b16d2c1db4f6b7bb5d6976e1f7618c7530be2f1470f193
SHA51271af45c98057b59ee1e9c1aaf79b9b25bb2e30c2087d310d107f9bdd02da8a857babcb976456a326f37e1b35b074451878aa83a85b69b4df0db18cdb2ca3f54b
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_1.exeMD5
b65276c9e9864815be738ec102f747d4
SHA17b2d710d28b7584a402015b381200af16929a71a
SHA2563f8b6c43ac0c4fa103b16d2c1db4f6b7bb5d6976e1f7618c7530be2f1470f193
SHA51271af45c98057b59ee1e9c1aaf79b9b25bb2e30c2087d310d107f9bdd02da8a857babcb976456a326f37e1b35b074451878aa83a85b69b4df0db18cdb2ca3f54b
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_1.txtMD5
b65276c9e9864815be738ec102f747d4
SHA17b2d710d28b7584a402015b381200af16929a71a
SHA2563f8b6c43ac0c4fa103b16d2c1db4f6b7bb5d6976e1f7618c7530be2f1470f193
SHA51271af45c98057b59ee1e9c1aaf79b9b25bb2e30c2087d310d107f9bdd02da8a857babcb976456a326f37e1b35b074451878aa83a85b69b4df0db18cdb2ca3f54b
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_10.exeMD5
15f026de10ed9719180b4ac9cf013060
SHA1126d2fb521d710c93747f30bc4744f920d6543b9
SHA256d5bb1038daf71c40429b13628305b5d10b868325346ca7c611c1dd4f14754636
SHA5125856e492fc68ca7b08ac1fce869ade70a00e790d31f4402e1cd49ff3aee93f3a9dd618cc45288a36f4e32af0debb1f289b8f8f20541cd16bb0754b436891a2e4
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_10.txtMD5
15f026de10ed9719180b4ac9cf013060
SHA1126d2fb521d710c93747f30bc4744f920d6543b9
SHA256d5bb1038daf71c40429b13628305b5d10b868325346ca7c611c1dd4f14754636
SHA5125856e492fc68ca7b08ac1fce869ade70a00e790d31f4402e1cd49ff3aee93f3a9dd618cc45288a36f4e32af0debb1f289b8f8f20541cd16bb0754b436891a2e4
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_2.exeMD5
f24528f915dcd78517baf75519bd8f37
SHA1539cdc98a3fd0fb7b0ea520c013adf0e76ef66e2
SHA2560c6c8e8c2d4a6d4bc2302b8ccc897345556c64b5e0eb231604a969949038cc51
SHA51202c720950466fcbee6d7e6a8facab959c6915a0e5f813c2a932e0bf3eddb8f890ab71843705e632dd9f8b6bcb769604a7a7c40a752c7f518ee628301489ed61e
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_2.txtMD5
f24528f915dcd78517baf75519bd8f37
SHA1539cdc98a3fd0fb7b0ea520c013adf0e76ef66e2
SHA2560c6c8e8c2d4a6d4bc2302b8ccc897345556c64b5e0eb231604a969949038cc51
SHA51202c720950466fcbee6d7e6a8facab959c6915a0e5f813c2a932e0bf3eddb8f890ab71843705e632dd9f8b6bcb769604a7a7c40a752c7f518ee628301489ed61e
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_3.exeMD5
8b8eacc94e94182f764a2707a4fd7b3c
SHA1fb50832681474ad6a813e61b3d23232d508902f6
SHA2561618f410ce4362f38a8c1bc5081f550fa9431f7dea93710f06bd6978ef8b1215
SHA5123567d258389fddcc6156ece44454ea6e11d36ab8fff960a41610de6f9701599a9e8ef85caf9a24088d90087f04d86d27ef14d4e692154127ad793315ebebbb8e
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_3.txtMD5
8b8eacc94e94182f764a2707a4fd7b3c
SHA1fb50832681474ad6a813e61b3d23232d508902f6
SHA2561618f410ce4362f38a8c1bc5081f550fa9431f7dea93710f06bd6978ef8b1215
SHA5123567d258389fddcc6156ece44454ea6e11d36ab8fff960a41610de6f9701599a9e8ef85caf9a24088d90087f04d86d27ef14d4e692154127ad793315ebebbb8e
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_4.exeMD5
5668cb771643274ba2c375ec6403c266
SHA1dd78b03428b99368906fe62fc46aaaf1db07a8b9
SHA256d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
SHA512135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_4.txtMD5
5668cb771643274ba2c375ec6403c266
SHA1dd78b03428b99368906fe62fc46aaaf1db07a8b9
SHA256d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
SHA512135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_5.exeMD5
8c4df9d37195987ede03bf8adb495686
SHA1010626025ca791720f85984a842c893b78f439d2
SHA2565207c76c2e29a2f9951dc4697199a89fdd9516a324f4df7fa04184c3942cc185
SHA5128fcb279c27682e13ec716e250c9d87cd3d9447b6376e4e6b97e8a283994c02eeac112f2e2c60d4e6316ece5e11fd992cd06efa48c72ee7b0c306b16347698655
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_5.txtMD5
8c4df9d37195987ede03bf8adb495686
SHA1010626025ca791720f85984a842c893b78f439d2
SHA2565207c76c2e29a2f9951dc4697199a89fdd9516a324f4df7fa04184c3942cc185
SHA5128fcb279c27682e13ec716e250c9d87cd3d9447b6376e4e6b97e8a283994c02eeac112f2e2c60d4e6316ece5e11fd992cd06efa48c72ee7b0c306b16347698655
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_6.exeMD5
16c9dde1611731ebe9effd1facec9839
SHA1e5d43d3bfc8fdf9b99e7ae6ee1f820a79909e9b0
SHA2560eeb59191283964857f15bfab13ce4824ff63017334d9b4c70ef038b682b995e
SHA5122d59e2081f9fd4c5593116384b5735f818f6d175855f43448b4fa4938953d3bd394165fa2248b975f3baf921990008972f0faea1d813d23e50b7bff1b0e8ac00
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_6.txtMD5
16c9dde1611731ebe9effd1facec9839
SHA1e5d43d3bfc8fdf9b99e7ae6ee1f820a79909e9b0
SHA2560eeb59191283964857f15bfab13ce4824ff63017334d9b4c70ef038b682b995e
SHA5122d59e2081f9fd4c5593116384b5735f818f6d175855f43448b4fa4938953d3bd394165fa2248b975f3baf921990008972f0faea1d813d23e50b7bff1b0e8ac00
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_7.exeMD5
f8fdccdc4cc17f6781497d69742aeb58
SHA1026edf00ad6a4f77a99a8100060184caeb9a58ba
SHA25697f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144
SHA512ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_7.txtMD5
f8fdccdc4cc17f6781497d69742aeb58
SHA1026edf00ad6a4f77a99a8100060184caeb9a58ba
SHA25697f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144
SHA512ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_8.exeMD5
40d042adff8729d9af2cb5028beba33e
SHA1f24526c84966f1a67eb459f3eecb62ec95f94f29
SHA256a41c0b4f13c1ca772261a32d17ae0911a8df2df3554ccbf736438dd76cbdae20
SHA51204db7a0f430b1e399175d94cca8b93bc1a814f309e10ab4e271fe13dbe63e8088d10a1717c1360813a5b816d51769fd6d2821101783802f7f976b8a49012f960
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_8.txtMD5
40d042adff8729d9af2cb5028beba33e
SHA1f24526c84966f1a67eb459f3eecb62ec95f94f29
SHA256a41c0b4f13c1ca772261a32d17ae0911a8df2df3554ccbf736438dd76cbdae20
SHA51204db7a0f430b1e399175d94cca8b93bc1a814f309e10ab4e271fe13dbe63e8088d10a1717c1360813a5b816d51769fd6d2821101783802f7f976b8a49012f960
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.exeMD5
941888d7dc7810199fc9d7fe45b29947
SHA15f384b58763b8d3035a158d6d8d55e001af61c34
SHA256d883da922360a751ea8b780ac7b3a5aedc4b09258fdd2c156bfa60593885071c
SHA5129d0acb24f66115f48a320841f66d1b9efa483f78684d11724541ce650701ac88cf82b5624bae362d036a42b2f177e3d3819926e0bf297502853e5d62302c7967
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\sahiba_9.txtMD5
941888d7dc7810199fc9d7fe45b29947
SHA15f384b58763b8d3035a158d6d8d55e001af61c34
SHA256d883da922360a751ea8b780ac7b3a5aedc4b09258fdd2c156bfa60593885071c
SHA5129d0acb24f66115f48a320841f66d1b9efa483f78684d11724541ce650701ac88cf82b5624bae362d036a42b2f177e3d3819926e0bf297502853e5d62302c7967
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\setup_install.exeMD5
5b1cfdacff93439669125b1aca14eb08
SHA1f128e8671ef76ab48393f5171c1175d6e5a0beeb
SHA2568f371da14f97d05f82215b72b7e651aac33bb539681547d6d431a959ac254466
SHA512956b43a2fd78dace5f7b34b4fb2079d9cdeb98f9b23c0d06b6a47fd992b4b9514f98c52cd5bad5fb2cd99c1987bf09dc839dd0ca3d45e983338509f2d956b440
-
C:\Users\Admin\AppData\Local\Temp\7zS8CE5649D\setup_install.exeMD5
5b1cfdacff93439669125b1aca14eb08
SHA1f128e8671ef76ab48393f5171c1175d6e5a0beeb
SHA2568f371da14f97d05f82215b72b7e651aac33bb539681547d6d431a959ac254466
SHA512956b43a2fd78dace5f7b34b4fb2079d9cdeb98f9b23c0d06b6a47fd992b4b9514f98c52cd5bad5fb2cd99c1987bf09dc839dd0ca3d45e983338509f2d956b440
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
13abe7637d904829fbb37ecda44a1670
SHA1de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f
SHA2567a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6
SHA5126e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
7f7c75db900d8b8cd21c7a93721a6142
SHA1c8b86e62a8479a4e6b958d2917c60dccef8c033f
SHA256e7ea471d02218191b90911b15cc9991eab28a1047a914c784966ecd182bd499c
SHA512907a8c6fe0ee3c96aefbbe3c8a5a4e6e2095b8fea421c7fff7b16a9e1668a9ca81d5b20522eae19f951ad1a5d46aeb1f974428daf67290233c2b472e10cc439a
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
7f7c75db900d8b8cd21c7a93721a6142
SHA1c8b86e62a8479a4e6b958d2917c60dccef8c033f
SHA256e7ea471d02218191b90911b15cc9991eab28a1047a914c784966ecd182bd499c
SHA512907a8c6fe0ee3c96aefbbe3c8a5a4e6e2095b8fea421c7fff7b16a9e1668a9ca81d5b20522eae19f951ad1a5d46aeb1f974428daf67290233c2b472e10cc439a
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
588c34ef3764fe9b55a638daca22e7cf
SHA125d0a1427a6fb482d7a3ed74f440fb867c4efc04
SHA2566716fe8f7e588e4c076abed3bc4c1d486265ad43ca6eb3daeb90c83968474084
SHA512779efc03a22e04bacb7af225d197cd798cf8cb7f261cd3f7eb88e7d6066cf63d15458dfb6bc9bb726fda1a2cc006a13821cd46cbd23bcf4e575cef150c0b6cfd
-
C:\Users\Admin\AppData\Local\Temp\is-JUPIV.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-QB7KB.tmp\sahiba_5.tmpMD5
ace50bc58251a21ff708c2a45b166905
SHA13acac0fbed800fe76722b781b7add2cbb7510849
SHA256af5dd65e23533ed506a34f3a98f1255fccb480c88615ed7cfd0c157fb3f21f9d
SHA512b484af4387dc5f149b785db515521e10f6a9047cd838130f45745dac000c822766a163c8e988d3763a1a79e93b7436c8cb0ba5cb38e175b8e49b523677746514
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
77e16d021d55f3effba9d8eb2b3ae843
SHA1af36325b024edd18cdea74ab6a54aa4d5d0cae83
SHA256ab5e7ae7b1b93464bb1dd0aeb0777295de479e6fd434cd273d44d30aadcb0a85
SHA51262dbc57c4eb2d1e42e863a49699151232326e673f0e451dda8271945d1a5ed904dde70618a8c6cae02318967cf9bb3700550a4076dd2bfe3fdba71b3096365c5
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
77e16d021d55f3effba9d8eb2b3ae843
SHA1af36325b024edd18cdea74ab6a54aa4d5d0cae83
SHA256ab5e7ae7b1b93464bb1dd0aeb0777295de479e6fd434cd273d44d30aadcb0a85
SHA51262dbc57c4eb2d1e42e863a49699151232326e673f0e451dda8271945d1a5ed904dde70618a8c6cae02318967cf9bb3700550a4076dd2bfe3fdba71b3096365c5
-
C:\Users\Admin\Documents\0RuP0BblTEtv44BiOtHYafMh.exeMD5
d9d234650890d448658abc6676ef69e3
SHA1ea3d91cd83dbb5a0a3129bf357c721f00100fd50
SHA25613fca03273f3b826c395b3b814004a58e2b85486a570acc1396f21a3291f73bc
SHA512e815f3b4946d0c4eb2f7a4f3f13d109275806e04a180801a803765b6f542963257d0a7d6394647d08c9f821ba495f53028670b02685a9b59c3468aa8720337e7
-
C:\Users\Admin\Documents\2waDZQ9qkAINOlucHvfWQdVc.exeMD5
f0be39f541a9b482e195f22b64224809
SHA1495407cb59bad6c7f47dc69735f8443372172ae2
SHA2563f4cc1d487be099747ccfca64f5808ea835a1fd977d14b01cf16df25c1fb937a
SHA512ec645c0a8bb02fca810fb69aa0d51ec8cd4338dba3237d863d9d0d8a69b54350d698eb485f64674d7ecbaff0e0a608bc05e226bc3c373a965fe03b7aca4b31dd
-
C:\Users\Admin\Documents\2waDZQ9qkAINOlucHvfWQdVc.exeMD5
f0be39f541a9b482e195f22b64224809
SHA1495407cb59bad6c7f47dc69735f8443372172ae2
SHA2563f4cc1d487be099747ccfca64f5808ea835a1fd977d14b01cf16df25c1fb937a
SHA512ec645c0a8bb02fca810fb69aa0d51ec8cd4338dba3237d863d9d0d8a69b54350d698eb485f64674d7ecbaff0e0a608bc05e226bc3c373a965fe03b7aca4b31dd
-
C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exeMD5
304b7e2d2d2e9ffff3770abeb23de897
SHA18e11b6d6912be3ad8d21cde689c7221dbc8d6b87
SHA2569fec043150b71d67a2c256ee27f179192802319bb79b107858c54d1571275f99
SHA51286a69db2c5a6480d09c644d5442da5565ad2207d1bd2c291c433de2975531ada26681d9888079eef32df7f482ce9d80d30ebbbe1c8af961fb983e5917838eb2a
-
C:\Users\Admin\Documents\3kgAh8CzmmJSYseD5vX3fGDo.exeMD5
304b7e2d2d2e9ffff3770abeb23de897
SHA18e11b6d6912be3ad8d21cde689c7221dbc8d6b87
SHA2569fec043150b71d67a2c256ee27f179192802319bb79b107858c54d1571275f99
SHA51286a69db2c5a6480d09c644d5442da5565ad2207d1bd2c291c433de2975531ada26681d9888079eef32df7f482ce9d80d30ebbbe1c8af961fb983e5917838eb2a
-
C:\Users\Admin\Documents\Cvcil0oU_rXUzquVmt8oq_YE.exeMD5
b9b573643e3ebfd3b2ad5a9c086eb71d
SHA17496bc83c0414e7f57912f8d8db81a3d48f313cc
SHA25646f52f9d3e5a836fa62d821aec8408e8110138496fdcd445be79a95b30a07557
SHA51272d465bf57a70fe818a3bef6ad7ff98a7ff7cf54a667e835381e3a72f7eedd8a0c8d40d536f2ade12ca4e70a18a6339b97c598534d54a18fa5a820cef171e374
-
C:\Users\Admin\Documents\KrWEUdPJRLWeNmfUJkDou2K6.exeMD5
d7f42fad55e84ab59664980f6c196ae8
SHA18923443c74e7973e7738f9b402c8e6e75707663a
SHA2567cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6
SHA5129d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f
-
C:\Users\Admin\Documents\KrWEUdPJRLWeNmfUJkDou2K6.exeMD5
d7f42fad55e84ab59664980f6c196ae8
SHA18923443c74e7973e7738f9b402c8e6e75707663a
SHA2567cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6
SHA5129d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f
-
C:\Users\Admin\Documents\OEVFnpz4FkRF18boyAsNY06q.exeMD5
c46e915ab565a47cdb47fe6e95b51210
SHA1bf3243a62533aaa6fd57ff29fbbeba81e0c697e8
SHA25678cca6d72e3c337405bbb8f419ae83859c014920d4c015178a92ec62991f961d
SHA5122c81b0ea3b5c1c33784ddc4e24fc23f50d5e2e10d92d764e81f550c2bf091213d6c2f5ddb77081b13fc988afb8dce8f630276c2434902036ba0002e72d4c8ab9
-
C:\Users\Admin\Documents\OEVFnpz4FkRF18boyAsNY06q.exeMD5
c46e915ab565a47cdb47fe6e95b51210
SHA1bf3243a62533aaa6fd57ff29fbbeba81e0c697e8
SHA25678cca6d72e3c337405bbb8f419ae83859c014920d4c015178a92ec62991f961d
SHA5122c81b0ea3b5c1c33784ddc4e24fc23f50d5e2e10d92d764e81f550c2bf091213d6c2f5ddb77081b13fc988afb8dce8f630276c2434902036ba0002e72d4c8ab9
-
C:\Users\Admin\Documents\PM9sxIyKGP3ZLIQac3mqZ1uI.exeMD5
c262d3db835d27fdf85504b01cbd70c4
SHA193970f2981eca2d6c0faf493e29145880245ef15
SHA256ea823c1cca7ae38dbc9d488c2a0cc9221501b67444e47537ae98e9cf3c4c04d8
SHA5127e7af3e808908f666366a4bdac68fb5acc571c8ff96b86359f877790019ed4694fcfae4f11df95de95663ac727a1ca3d2bc36692bc78d5ed14b2eba8d21cf4ea
-
C:\Users\Admin\Documents\_GKVO71Pc67ar5UBWuhCNMks.exeMD5
a472f871bc99d5b6e4d15acadcb33133
SHA190e6395fae93941bcc6f403f488425df65ed9915
SHA2568259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246
SHA5124e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62
-
C:\Users\Admin\Documents\kpTnpI6x6EYGA2APeppcnW5T.exeMD5
8446d7818c5a7fff6839fe4be176f88e
SHA1b094ebde855d752565f9fce2ddfb93b264060904
SHA256c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652
SHA512f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d
-
C:\Users\Admin\Documents\w3uu_tXP0lENRWVzkxjVPRVU.exeMD5
00e43a3bfd4f821d13329209ab4875e7
SHA13a6648e1f23684d2ffe2e5af683761c184537a1e
SHA256354a014aac7be2159294631afdc5a0683edd91ec8b7c9b34d3548b2227a047f2
SHA5122c018312976ce2d0b5e5cf12b5e5daa3773507042fceab0ab4a88f38db53cc3a99063cc6455412cd93b308a2fcdd6b777f0c56c8b1b1686bab942464867a4c62
-
C:\Users\Admin\Documents\w3uu_tXP0lENRWVzkxjVPRVU.exeMD5
00e43a3bfd4f821d13329209ab4875e7
SHA13a6648e1f23684d2ffe2e5af683761c184537a1e
SHA256354a014aac7be2159294631afdc5a0683edd91ec8b7c9b34d3548b2227a047f2
SHA5122c018312976ce2d0b5e5cf12b5e5daa3773507042fceab0ab4a88f38db53cc3a99063cc6455412cd93b308a2fcdd6b777f0c56c8b1b1686bab942464867a4c62
-
memory/692-259-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/692-250-0x0000000000470000-0x0000000000490000-memory.dmpFilesize
128KB
-
memory/1452-381-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/1456-268-0x00000000002D0000-0x0000000000455000-memory.dmpFilesize
1.5MB
-
memory/1456-279-0x0000000076E00000-0x0000000077015000-memory.dmpFilesize
2.1MB
-
memory/1456-263-0x0000000002DE0000-0x0000000002E26000-memory.dmpFilesize
280KB
-
memory/1456-311-0x00000000744F0000-0x0000000074579000-memory.dmpFilesize
548KB
-
memory/1456-272-0x0000000001280000-0x0000000001281000-memory.dmpFilesize
4KB
-
memory/1456-271-0x00000000002D0000-0x0000000000455000-memory.dmpFilesize
1.5MB
-
memory/1456-275-0x0000000001320000-0x0000000001321000-memory.dmpFilesize
4KB
-
memory/1744-220-0x0000000000400000-0x0000000000463000-memory.dmpFilesize
396KB
-
memory/1744-207-0x00000000006D8000-0x00000000006E9000-memory.dmpFilesize
68KB
-
memory/1744-218-0x00000000004E0000-0x00000000004E9000-memory.dmpFilesize
36KB
-
memory/1744-217-0x00000000006D8000-0x00000000006E9000-memory.dmpFilesize
68KB
-
memory/1880-299-0x000000000051D000-0x0000000000589000-memory.dmpFilesize
432KB
-
memory/1964-360-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1968-258-0x0000000000070000-0x0000000000158000-memory.dmpFilesize
928KB
-
memory/1968-260-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/2376-361-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2472-251-0x0000000000C90000-0x0000000000D60000-memory.dmpFilesize
832KB
-
memory/2472-267-0x0000000005570000-0x000000000560C000-memory.dmpFilesize
624KB
-
memory/2472-247-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/2696-216-0x00000000020E0000-0x000000000217D000-memory.dmpFilesize
628KB
-
memory/2696-222-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/2696-215-0x0000000000658000-0x00000000006BD000-memory.dmpFilesize
404KB
-
memory/2696-208-0x0000000000658000-0x00000000006BD000-memory.dmpFilesize
404KB
-
memory/3036-291-0x00000000005CD000-0x00000000005F4000-memory.dmpFilesize
156KB
-
memory/3048-226-0x0000000002930000-0x0000000002945000-memory.dmpFilesize
84KB
-
memory/3128-213-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/3128-225-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/3128-230-0x0000000004AA2000-0x0000000004AA3000-memory.dmpFilesize
4KB
-
memory/3128-231-0x0000000004AA3000-0x0000000004AA4000-memory.dmpFilesize
4KB
-
memory/3128-232-0x0000000004AB0000-0x0000000005054000-memory.dmpFilesize
5.6MB
-
memory/3128-233-0x0000000004AA4000-0x0000000004AA6000-memory.dmpFilesize
8KB
-
memory/3128-214-0x0000000001F70000-0x0000000001F9F000-memory.dmpFilesize
188KB
-
memory/3128-236-0x0000000005060000-0x0000000005678000-memory.dmpFilesize
6.1MB
-
memory/3128-237-0x0000000005680000-0x0000000005692000-memory.dmpFilesize
72KB
-
memory/3128-219-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/3128-221-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/3128-238-0x00000000056A0000-0x00000000056DC000-memory.dmpFilesize
240KB
-
memory/3288-201-0x00000000007B0000-0x00000000007B1000-memory.dmpFilesize
4KB
-
memory/3336-269-0x00000000005F0000-0x00000000005F1000-memory.dmpFilesize
4KB
-
memory/3336-312-0x00000000744F0000-0x0000000074579000-memory.dmpFilesize
548KB
-
memory/3336-277-0x0000000000D80000-0x0000000000D81000-memory.dmpFilesize
4KB
-
memory/3336-287-0x0000000000DA0000-0x0000000000F25000-memory.dmpFilesize
1.5MB
-
memory/3336-283-0x00000000027A0000-0x00000000027E6000-memory.dmpFilesize
280KB
-
memory/3336-285-0x0000000000DA0000-0x0000000000F25000-memory.dmpFilesize
1.5MB
-
memory/3336-278-0x0000000076E00000-0x0000000077015000-memory.dmpFilesize
2.1MB
-
memory/3432-290-0x0000000000AC0000-0x0000000000B20000-memory.dmpFilesize
384KB
-
memory/3624-187-0x0000000000950000-0x0000000000980000-memory.dmpFilesize
192KB
-
memory/3624-199-0x00007FFB488D0000-0x00007FFB49391000-memory.dmpFilesize
10.8MB
-
memory/3624-204-0x000000001B4F0000-0x000000001B4F2000-memory.dmpFilesize
8KB
-
memory/3732-200-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3732-185-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3756-229-0x0000000005250000-0x00000000052C6000-memory.dmpFilesize
472KB
-
memory/3756-234-0x0000000002E50000-0x0000000002EC6000-memory.dmpFilesize
472KB
-
memory/3756-235-0x0000000002EB0000-0x0000000002ECE000-memory.dmpFilesize
120KB
-
memory/3756-202-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/3756-206-0x00000000009F0000-0x0000000000A56000-memory.dmpFilesize
408KB
-
memory/3784-303-0x0000000000400000-0x00000000007E1000-memory.dmpFilesize
3.9MB
-
memory/3784-310-0x0000000000400000-0x00000000007E1000-memory.dmpFilesize
3.9MB
-
memory/3784-315-0x0000000000400000-0x00000000007E1000-memory.dmpFilesize
3.9MB
-
memory/3800-316-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3800-313-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3800-306-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3844-198-0x00007FFB488D0000-0x00007FFB49391000-memory.dmpFilesize
10.8MB
-
memory/3844-276-0x00000000011E0000-0x00000000011E2000-memory.dmpFilesize
8KB
-
memory/3844-274-0x0000000002F60000-0x0000000002FA9000-memory.dmpFilesize
292KB
-
memory/3844-273-0x00000000011C0000-0x00000000011C2000-memory.dmpFilesize
8KB
-
memory/3844-288-0x0000000000DD0000-0x000000000115C000-memory.dmpFilesize
3.5MB
-
memory/3844-289-0x0000000000DD0000-0x000000000115C000-memory.dmpFilesize
3.5MB
-
memory/3844-203-0x0000000002590000-0x0000000002592000-memory.dmpFilesize
8KB
-
memory/3844-183-0x00000000004F0000-0x0000000000522000-memory.dmpFilesize
200KB
-
memory/3844-284-0x0000000000DD0000-0x000000000115C000-memory.dmpFilesize
3.5MB
-
memory/3844-286-0x0000000000DD0000-0x000000000115C000-memory.dmpFilesize
3.5MB
-
memory/4456-362-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4928-282-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/4928-261-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/4928-257-0x0000000000270000-0x000000000029E000-memory.dmpFilesize
184KB
-
memory/5020-156-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5020-159-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-150-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5020-151-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5020-152-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5020-153-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5020-154-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5020-155-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5020-192-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/5020-194-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/5020-157-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/5020-195-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/5020-160-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-161-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-158-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-162-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-163-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-190-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/5020-193-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/5108-280-0x0000000072BE0000-0x0000000073390000-memory.dmpFilesize
7.7MB
-
memory/5108-281-0x0000000000E60000-0x0000000000E74000-memory.dmpFilesize
80KB