djvu | b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

Analysis

max time kernel
62s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-06-2022 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
Size

6.3MB
MD5

18744d81b074ea24f489b58b430b7d9c
SHA1

d36bf939a4cf6ed710ff083306b8e3e20ed9e437
SHA256

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34
SHA512

442936e022d224af2439fe66c88bd8b0cbd322d4070468eee4da91b1dc48360553fdb7a3bc6ef6a1da595931f607b79eb7a5fb10ea68431f19a3f1ff081422d1

Score

10^/10

djvu onlylogger redline socelars chris media26 aspackv2 discovery evasion infostealer loader ransomware spyware stealer suricata themida trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media26

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

chris

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

djvu

http://zfko.org/test3/get.php

Attributes

extension
.rrcc
offline_id
k2oZMtQS0H2U97b2eKTMJpROwYzEzq6KcWbdOut1
payload_url
http://zerit.top/dl/build2.exe
http://zfko.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5JlAL7HXIu Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0492JIjdm

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/25080-381-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/25080-384-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/25080-380-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Tue22144d94096209a.exeTue2245eb2d48.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Tue22144d94096209a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Tue2245eb2d48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Tue22144d94096209a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Tue22144d94096209a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Tue2245eb2d48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Tue2245eb2d48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Tue2245eb2d48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Tue22144d94096209a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Tue22144d94096209a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Tue2245eb2d48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Tue22144d94096209a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Tue2245eb2d48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Tue2245eb2d48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Tue22144d94096209a.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4696 624 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	624	rundll32.exe

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4068-268-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/1424-273-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4068-271-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1424-270-0x0000000000000000-mapping.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22a2f1d85288dc91e.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22a2f1d85288dc91e.exe	family_socelars

suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2980-293-0x0000000000660000-0x00000000006AC000-memory.dmp	family_onlylogger
behavioral2/memory/2980-294-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger
behavioral2/memory/2980-328-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

setup_installer.exesetup_install.exeTue22144d94096209a.exeTue224a0143b0.exeTue22a2f1d85288dc91e.exeTue2205061ee61ad04c.exeTue2263f1213b8.exeTue226c9cdaf9c30.exeTue2219d4accf267990e.exesvchost.exeTue228807612bf5523.exeTue22dead8ba66.exeTue22b6a0b5545.exeTue2245eb2d48.exeTue2292ee0712429810.exeTue2237a96e0403e640d.exeConhost.exeTue22d3a6e3489d.exeTue22edcc71bba.exeTue2237a96e0403e640d.tmpTue2237a96e0403e640d.exeTue2237a96e0403e640d.tmpTue2292ee0712429810.exeTue228807612bf5523.exe4Fu3A1SB1_CAFNp.Exe

pid	process
3764	setup_installer.exe
4552	setup_install.exe
2884	Tue22144d94096209a.exe
4184	Tue224a0143b0.exe
4668	Tue22a2f1d85288dc91e.exe
3260	Tue2205061ee61ad04c.exe
3640	Tue2263f1213b8.exe
2980	Tue226c9cdaf9c30.exe
4980	Tue2219d4accf267990e.exe
4132	svchost.exe
3840	Tue228807612bf5523.exe
4240	Tue22dead8ba66.exe
3408	Tue22b6a0b5545.exe
1040	Tue2245eb2d48.exe
4960	Tue2292ee0712429810.exe
1900	Tue2237a96e0403e640d.exe
1820	Conhost.exe
2332	Tue22d3a6e3489d.exe
4432	Tue22edcc71bba.exe
2996	Tue2237a96e0403e640d.tmp
4936	Tue2237a96e0403e640d.exe
1428	Tue2237a96e0403e640d.tmp
4068	Tue2292ee0712429810.exe
1424	Tue228807612bf5523.exe
4608	4Fu3A1SB1_CAFNp.Exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exesetup_installer.exeTue2205061ee61ad04c.exeTue2237a96e0403e640d.tmpmshta.exeTue2219d4accf267990e.exemshta.exe4Fu3A1SB1_CAFNp.ExeTue22144d94096209a.exemshta.exeTue2245eb2d48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Tue2205061ee61ad04c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Tue2237a96e0403e640d.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Tue2219d4accf267990e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4Fu3A1SB1_CAFNp.Exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Tue22144d94096209a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Tue2245eb2d48.exe

Loads dropped DLL 11 IoCs

Processes:

setup_install.exeTue2237a96e0403e640d.tmpTue2237a96e0403e640d.tmpWerFault.exemsiexec.exe

pid	process
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
4552	setup_install.exe
2996	Tue2237a96e0403e640d.tmp
1428	Tue2237a96e0403e640d.tmp
448	WerFault.exe
3992	msiexec.exe
3992	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1272-367-0x0000000000400000-0x00000000006DF000-memory.dmp	themida
behavioral2/memory/1732-368-0x0000000000A60000-0x00000000013D1000-memory.dmp	themida
behavioral2/memory/1732-374-0x0000000000A60000-0x00000000013D1000-memory.dmp	themida
behavioral2/memory/1732-375-0x0000000000A60000-0x00000000013D1000-memory.dmp	themida
behavioral2/memory/1732-376-0x0000000000A60000-0x00000000013D1000-memory.dmp	themida
behavioral2/memory/1732-377-0x0000000000A60000-0x00000000013D1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 ipinfo.io
283 api.2ip.ua
65 ipinfo.io
74 freegeoip.app
282 api.2ip.ua
293 ipinfo.io
294 ipinfo.io
18 ip-api.com
64 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
93	ipinfo.io
283	api.2ip.ua
65	ipinfo.io
74	freegeoip.app
282	api.2ip.ua
293	ipinfo.io
294	ipinfo.io
18	ip-api.com
64	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228409ba5788.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228409ba5788.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Tue2292ee0712429810.exeTue228807612bf5523.exe

description	pid	process	target process
PID 4960 set thread context of 4068	4960	Tue2292ee0712429810.exe	Tue2292ee0712429810.exe
PID 3840 set thread context of 1424	3840	Tue228807612bf5523.exe	Tue228807612bf5523.exe

Drops file in Program Files directory 3 IoCs

Processes:

Tue2237a96e0403e640d.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Tue2237a96e0403e640d.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-QO7VD.tmp	Tue2237a96e0403e640d.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Tue2237a96e0403e640d.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5000	4552	WerFault.exe	setup_install.exe
4680	2980	WerFault.exe	Tue226c9cdaf9c30.exe
4820	448	WerFault.exe	rundll32.exe
3732	2980	WerFault.exe	Tue226c9cdaf9c30.exe
1076	2980	WerFault.exe	Tue226c9cdaf9c30.exe
4708	2980	WerFault.exe	Tue226c9cdaf9c30.exe
4632	2980	WerFault.exe	Tue226c9cdaf9c30.exe
4732	2980	WerFault.exe	Tue226c9cdaf9c30.exe
3552	2980	WerFault.exe	Tue226c9cdaf9c30.exe
520	2980	WerFault.exe	Tue226c9cdaf9c30.exe
4032	2980	WerFault.exe	Tue226c9cdaf9c30.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Tue22d3a6e3489d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue22d3a6e3489d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue22d3a6e3489d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue22d3a6e3489d.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2724 taskkill.exe
4708 taskkill.exe

pid	process
2724	taskkill.exe
4708	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Tue22a2f1d85288dc91e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Tue22a2f1d85288dc91e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Tue22a2f1d85288dc91e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Tue22a2f1d85288dc91e.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Tue22a2f1d85288dc91e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Tue22a2f1d85288dc91e.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 37 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeTue22144d94096209a.exeTue22d3a6e3489d.exeTue2245eb2d48.exe

pid	process
4636	powershell.exe
4636	powershell.exe
4332	powershell.exe
4332	powershell.exe
4636	powershell.exe
4636	powershell.exe
4332	powershell.exe
4332	powershell.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2884	Tue22144d94096209a.exe
2332	Tue22d3a6e3489d.exe
2332	Tue22d3a6e3489d.exe
1040	Tue2245eb2d48.exe
1040	Tue2245eb2d48.exe
1040	Tue2245eb2d48.exe
1040	Tue2245eb2d48.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Tue22d3a6e3489d.exe

pid process

2332 Tue22d3a6e3489d.exe

pid	process
2332	Tue22d3a6e3489d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Tue22a2f1d85288dc91e.exeTue224a0143b0.exepowershell.exepowershell.exeWerFault.exeWerFault.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeAssignPrimaryTokenPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeLockMemoryPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeIncreaseQuotaPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeMachineAccountPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeTcbPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeSecurityPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeTakeOwnershipPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeLoadDriverPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeSystemProfilePrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeSystemtimePrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeProfSingleProcessPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeIncBasePriorityPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeCreatePagefilePrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeCreatePermanentPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeBackupPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeRestorePrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeShutdownPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeDebugPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeAuditPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeSystemEnvironmentPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeChangeNotifyPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeRemoteShutdownPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeUndockPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeSyncAgentPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeEnableDelegationPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeManageVolumePrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeImpersonatePrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: SeCreateGlobalPrivilege	4668	Tue22a2f1d85288dc91e.exe
Token: 31	4668	Tue22a2f1d85288dc91e.exe
Token: 32	4668	Tue22a2f1d85288dc91e.exe
Token: 33	4668	Tue22a2f1d85288dc91e.exe
Token: 34	4668	Tue22a2f1d85288dc91e.exe
Token: 35	4668	Tue22a2f1d85288dc91e.exe
Token: SeDebugPrivilege	4184	Tue224a0143b0.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4240	WerFault.exe
Token: SeDebugPrivilege	4708	WerFault.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848
Token: SeShutdownPrivilege	2848
Token: SeCreatePagefilePrivilege	2848

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

svchost.exeTue2237a96e0403e640d.tmp

pid	process
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
1428	Tue2237a96e0403e640d.tmp

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

svchost.exe

pid	process
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1916 wrote to memory of 3764	1916	B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe	setup_installer.exe
PID 1916 wrote to memory of 3764	1916	B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe	setup_installer.exe
PID 1916 wrote to memory of 3764	1916	B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe	setup_installer.exe
PID 3764 wrote to memory of 4552	3764	setup_installer.exe	setup_install.exe
PID 3764 wrote to memory of 4552	3764	setup_installer.exe	setup_install.exe
PID 3764 wrote to memory of 4552	3764	setup_installer.exe	setup_install.exe
PID 4552 wrote to memory of 4316	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4316	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4316	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4244	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4244	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4244	4552	setup_install.exe	cmd.exe
PID 4316 wrote to memory of 4332	4316	cmd.exe	powershell.exe
PID 4316 wrote to memory of 4332	4316	cmd.exe	powershell.exe
PID 4316 wrote to memory of 4332	4316	cmd.exe	powershell.exe
PID 4244 wrote to memory of 4636	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 4636	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 4636	4244	cmd.exe	powershell.exe
PID 4552 wrote to memory of 840	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 840	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 840	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 5068	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 5068	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 5068	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 1552	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 1552	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 1552	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 2336	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 2336	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 2336	4552	setup_install.exe	cmd.exe
PID 1552 wrote to memory of 2884	1552	cmd.exe	Tue22144d94096209a.exe
PID 1552 wrote to memory of 2884	1552	cmd.exe	Tue22144d94096209a.exe
PID 1552 wrote to memory of 2884	1552	cmd.exe	Tue22144d94096209a.exe
PID 840 wrote to memory of 4668	840	cmd.exe	Tue22a2f1d85288dc91e.exe
PID 840 wrote to memory of 4668	840	cmd.exe	Tue22a2f1d85288dc91e.exe
PID 840 wrote to memory of 4668	840	cmd.exe	Tue22a2f1d85288dc91e.exe
PID 5068 wrote to memory of 4184	5068	cmd.exe	Tue224a0143b0.exe
PID 5068 wrote to memory of 4184	5068	cmd.exe	Tue224a0143b0.exe
PID 4552 wrote to memory of 5064	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 5064	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 5064	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4732	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4732	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4732	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3752	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3752	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3752	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 316	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 316	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 316	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3400	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3400	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 3400	4552	setup_install.exe	cmd.exe
PID 2336 wrote to memory of 3260	2336	cmd.exe	Tue2205061ee61ad04c.exe
PID 2336 wrote to memory of 3260	2336	cmd.exe	Tue2205061ee61ad04c.exe
PID 2336 wrote to memory of 3260	2336	cmd.exe	Tue2205061ee61ad04c.exe
PID 4552 wrote to memory of 4568	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4568	4552	setup_install.exe	cmd.exe
PID 4552 wrote to memory of 4568	4552	setup_install.exe	cmd.exe
PID 5064 wrote to memory of 3640	5064	cmd.exe	Tue2263f1213b8.exe
PID 5064 wrote to memory of 3640	5064	cmd.exe	Tue2263f1213b8.exe
PID 4552 wrote to memory of 3732	4552	setup_install.exe	WerFault.exe
PID 4552 wrote to memory of 3732	4552	setup_install.exe	WerFault.exe
PID 4552 wrote to memory of 3732	4552	setup_install.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
"C:\Users\Admin\AppData\Local\Temp\B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3764

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue22a2f1d85288dc91e.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22a2f1d85288dc91e.exe
Tue22a2f1d85288dc91e.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue224a0143b0.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue224a0143b0.exe
Tue224a0143b0.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue22144d94096209a.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22144d94096209a.exe
Tue22144d94096209a.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Users\Admin\Pictures\Adobe Films\forto.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\forto.exe.exe"
6⤵
PID:3992

C:\Users\Admin\Pictures\Adobe Films\ematic.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\ematic.bmp.exe"
6⤵
PID:1732

C:\Users\Admin\Pictures\Adobe Films\mixinte0701.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte0701.bmp.exe"
6⤵
PID:940

C:\Users\Admin\Pictures\Adobe Films\file5.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file5.exe.exe"
6⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\852959081-idinaxui.exe
"C:\Users\Admin\AppData\Local\Temp\852959081-idinaxui.exe"
7⤵
PID:34060

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
6⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl.exe
7⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
8⤵
PID:7128

C:\Users\Admin\Pictures\Adobe Films\new.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\new.bmp.exe"
6⤵
PID:1820

C:\Users\Admin\Pictures\Adobe Films\cript.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\cript.bmp.exe"
6⤵
PID:3404

C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe"
6⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\A5GHG.exe
"C:\Users\Admin\AppData\Local\Temp\A5GHG.exe"
7⤵
PID:26268

C:\Users\Admin\AppData\Local\Temp\88C26.exe
"C:\Users\Admin\AppData\Local\Temp\88C26.exe"
7⤵
PID:29852

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
6⤵
PID:3852

C:\Users\Admin\Pictures\Adobe Films\file4.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file4.exe.exe"
6⤵
PID:4204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgeAgentprovidersvc\ufTACssBPEf.vbe"
7⤵
PID:6656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgeAgentprovidersvc\9dD4GQAjna1zcUgQQLiZzYvdoz.bat" "
8⤵
PID:16852

C:\Users\Admin\Pictures\Adobe Films\AfFqfqY.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\AfFqfqY.exe.exe"
6⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c HajsdiEUeyhauefhKJAsnvnbAJKSdjhwiueiuwUHQWIr8
7⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Puo.doc
7⤵
PID:29392

C:\Users\Admin\Pictures\Adobe Films\real0802.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real0802.bmp.exe"
6⤵
PID:4228

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
6⤵
PID:956

C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix.bmp.exe"
6⤵
PID:1272

C:\Users\Admin\Pictures\Adobe Films\hg45iugniu5hgi54hgui45.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\hg45iugniu5hgi54hgui45.bmp.exe"
6⤵
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
7⤵
PID:29432

C:\Users\Admin\Pictures\Adobe Films\Ghyg9tU0PQn3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Ghyg9tU0PQn3.bmp.exe"
6⤵
PID:5028

C:\Users\Admin\Pictures\Adobe Films\sowale.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\sowale.bmp.exe"
6⤵
PID:2360

C:\Users\Admin\Pictures\Adobe Films\test30206.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test30206.bmp.exe"
6⤵
PID:4180

C:\Users\Admin\Pictures\Adobe Films\test30206.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test30206.bmp.exe"
7⤵
PID:25080

C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_crypted.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_crypted.bmp.exe"
6⤵
PID:872

C:\Users\Admin\Pictures\Adobe Films\file1.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file1.exe.exe"
6⤵
PID:1096

C:\Users\Admin\Pictures\Adobe Films\SearchApp.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SearchApp.exe.exe"
6⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue2263f1213b8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2263f1213b8.exe
Tue2263f1213b8.exe
5⤵
- Executes dropped EXE
PID:3640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"
6⤵
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'
7⤵
PID:60

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"
6⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe
"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"
7⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
6⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
7⤵
PID:3388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qneuc.vbs"
7⤵
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
8⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue228409ba5788.exe
4⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228409ba5788.exe
Tue228409ba5788.exe
5⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue2205061ee61ad04c.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe
Tue2205061ee61ad04c.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue226c9cdaf9c30.exe /mixone
4⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue226c9cdaf9c30.exe
Tue226c9cdaf9c30.exe /mixone
5⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 624
6⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 660
6⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 652
6⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 636
6⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 756
6⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 868
6⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1052
6⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1060
6⤵
- Program crash
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1340
6⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue22dead8ba66.exe
4⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22dead8ba66.exe
Tue22dead8ba66.exe
5⤵
- Executes dropped EXE
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue228807612bf5523.exe
4⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228807612bf5523.exe
Tue228807612bf5523.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3840

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228807612bf5523.exe
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228807612bf5523.exe
6⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue2292ee0712429810.exe
4⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2292ee0712429810.exe
Tue2292ee0712429810.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4960

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2292ee0712429810.exe
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2292ee0712429810.exe
6⤵
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue22d3a6e3489d.exe
4⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22d3a6e3489d.exe
Tue22d3a6e3489d.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue22edcc71bba.exe
4⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22edcc71bba.exe
Tue22edcc71bba.exe
5⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue2237a96e0403e640d.exe
4⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe
Tue2237a96e0403e640d.exe
5⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\AppData\Local\Temp\is-TSDOI.tmp\Tue2237a96e0403e640d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TSDOI.tmp\Tue2237a96e0403e640d.tmp" /SL5="$10202,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:2996

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe" /SILENT
7⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Local\Temp\is-FQ3DK.tmp\Tue2237a96e0403e640d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FQ3DK.tmp\Tue2237a96e0403e640d.tmp" /SL5="$30116,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe" /SILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue2245eb2d48.exe
4⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue2219d4accf267990e.exe
4⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue22b6a0b5545.exe
4⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 632
4⤵
- Program crash
PID:5000

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22b6a0b5545.exe
Tue22b6a0b5545.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRipT: CLose ( CReAtEoBJeCt ( "WScRIPT.Shell"). RUN ("cmd /r TYpE ""C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe"" > 4Fu3A1SB1_CAFNp.Exe&& sTaRt 4Fu3A1SB1_cAFNP.exE /pPb2ikIChQDWh~KJ&iF """"== """" for %r in ( ""C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe"") do taskkill -f -im ""%~nXr""" , 0 , TrUe ))
1⤵
- Checks computer location settings
PID:2432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r TYpE "C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe" > 4Fu3A1SB1_CAFNp.Exe&& sTaRt 4Fu3A1SB1_cAFNP.exE /pPb2ikIChQDWh~KJ&iF ""== "" for %r in ("C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe") do taskkill -f -im "%~nXr"
2⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe
4Fu3A1SB1_cAFNP.exE /pPb2ikIChQDWh~KJ
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4608

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRipT: CLose ( CReAtEoBJeCt ( "WScRIPT.Shell"). RUN ("cmd /r TYpE ""C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe"" > 4Fu3A1SB1_CAFNp.Exe&& sTaRt 4Fu3A1SB1_cAFNP.exE /pPb2ikIChQDWh~KJ&iF ""/pPb2ikIChQDWh~KJ""== """" for %r in ( ""C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe"") do taskkill -f -im ""%~nXr""" , 0 , TrUe ))
4⤵
- Checks computer location settings
PID:4988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r TYpE "C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe" > 4Fu3A1SB1_CAFNp.Exe&& sTaRt 4Fu3A1SB1_cAFNP.exE /pPb2ikIChQDWh~KJ&iF "/pPb2ikIChQDWh~KJ"== "" for %r in ("C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe") do taskkill -f -im "%~nXr"
5⤵
PID:2460

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIPT: ClosE ( CReatEOBJEct ("WscriPt.SHELL" ).rUN ( "CMD.EXe /C ECHO rC:\Users\Admin\AppData\Local\TempBOof>uoTuWf2q.CG & EChO | seT /P = ""MZ"" > RBBUWjU7.Li & COPy /y /b RBBuwjU7.LI + 0~Ik.oV +VBCZC4.w +KyWiKKZ1.OIa+LBiF.4 + 5SX2KT3E.MWw + YAdS_9A.B + UoTUWf2q.cG YSY53.7 & StaRT msiexec.exe -y .\YSY53.7 ", 0 ,tRue ))
4⤵
- Checks computer location settings
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ECHO rC:\Users\Admin\AppData\Local\TempBOof>uoTuWf2q.CG & EChO | seT /P = "MZ" > RBBUWjU7.Li & COPy /y /b RBBuwjU7.LI + 0~Ik.oV+VBCZC4.w +KyWiKKZ1.OIa+LBiF.4 + 5SX2KT3E.MWw + YAdS_9A.B+UoTUWf2q.cG YSY53.7 &StaRT msiexec.exe -y .\YSY53.7
5⤵
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EChO "
6⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>RBBUWjU7.Li"
6⤵
PID:4648

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\YSY53.7
6⤵
- Loads dropped DLL
PID:3992

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -im "Tue2205061ee61ad04c.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2245eb2d48.exe
Tue2245eb2d48.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2219d4accf267990e.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2219d4accf267990e.exe" -u
1⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2219d4accf267990e.exe
Tue2219d4accf267990e.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2980 -ip 2980
1⤵
PID:4744

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 600
3⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 448 -ip 448
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2980 -ip 2980
1⤵
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2980 -ip 2980
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2980 -ip 2980
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2980 -ip 2980
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2980 -ip 2980
1⤵
- Loads dropped DLL
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2980 -ip 2980
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2980 -ip 2980
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2980 -ip 2980
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 940 -ip 940
1⤵
PID:33748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue2292ee0712429810.exe.log
Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe
Filesize
2.0MB

MD5
19829fb3e9b8e5acb30d04f5a3159f0d

SHA1
f5ebffa0e80d449476eb1804a6844dbdd5eaec02

SHA256
052f16a4a692f15a47e607dc42f3d6a735a15d02eee3c0cc64f1db7fc2c4eec9

SHA512
b4e11926fa04cdd1a6b12c3fc31b21b8de2be674dc76dfbe564b0e8c1984462067d4280aa71e53393ce4c6b036211749683b84fe27a84688e3bd835ab66e9d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Fu3A1SB1_CAFNp.Exe
Filesize
2.0MB

MD5
19829fb3e9b8e5acb30d04f5a3159f0d

SHA1
f5ebffa0e80d449476eb1804a6844dbdd5eaec02

SHA256
052f16a4a692f15a47e607dc42f3d6a735a15d02eee3c0cc64f1db7fc2c4eec9

SHA512
b4e11926fa04cdd1a6b12c3fc31b21b8de2be674dc76dfbe564b0e8c1984462067d4280aa71e53393ce4c6b036211749683b84fe27a84688e3bd835ab66e9d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe
Filesize
2.0MB

MD5
19829fb3e9b8e5acb30d04f5a3159f0d

SHA1
f5ebffa0e80d449476eb1804a6844dbdd5eaec02

SHA256
052f16a4a692f15a47e607dc42f3d6a735a15d02eee3c0cc64f1db7fc2c4eec9

SHA512
b4e11926fa04cdd1a6b12c3fc31b21b8de2be674dc76dfbe564b0e8c1984462067d4280aa71e53393ce4c6b036211749683b84fe27a84688e3bd835ab66e9d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2205061ee61ad04c.exe
Filesize
2.0MB

MD5
19829fb3e9b8e5acb30d04f5a3159f0d

SHA1
f5ebffa0e80d449476eb1804a6844dbdd5eaec02

SHA256
052f16a4a692f15a47e607dc42f3d6a735a15d02eee3c0cc64f1db7fc2c4eec9

SHA512
b4e11926fa04cdd1a6b12c3fc31b21b8de2be674dc76dfbe564b0e8c1984462067d4280aa71e53393ce4c6b036211749683b84fe27a84688e3bd835ab66e9d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22144d94096209a.exe
Filesize
125KB

MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22144d94096209a.exe
Filesize
125KB

MD5
6843ec0e740bdad4d0ba1dbe6e3a1610

SHA1
9666f20f23ecd7b0f90e057c602cc4413a52d5a3

SHA256
4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a

SHA512
112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2219d4accf267990e.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2219d4accf267990e.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2219d4accf267990e.exe
Filesize
89KB

MD5
03137e005bdf813088f651d5b2b53e5d

SHA1
0aa1fb7e5fc80bed261c805e15ee4e3709564258

SHA256
258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

SHA512
23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2237a96e0403e640d.exe
Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2245eb2d48.exe
Filesize
126KB

MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2245eb2d48.exe
Filesize
126KB

MD5
003a0cbabbb448d4bac487ad389f9119

SHA1
5e84f0b2823a84f86dd37181117652093b470893

SHA256
5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380

SHA512
53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue224a0143b0.exe
Filesize
8KB

MD5
c8dc59b999863c9f4caf49718283fdfc

SHA1
6f3c65ba58243d8630ea107037ee043b29465a7c

SHA256
eb2beb14afe375a6b1fadafea434d8648a63e68a27b6b5923ecfdac40318e1cb

SHA512
3535c8084747cb5b27da6c0840df374a462eb04b11f6882a1bec79d07afc84b77d9e22c155dd71a7fac9e560fdd191fdc486f5309c41d60e4c13580ae0ae4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue224a0143b0.exe
Filesize
8KB

MD5
c8dc59b999863c9f4caf49718283fdfc

SHA1
6f3c65ba58243d8630ea107037ee043b29465a7c

SHA256
eb2beb14afe375a6b1fadafea434d8648a63e68a27b6b5923ecfdac40318e1cb

SHA512
3535c8084747cb5b27da6c0840df374a462eb04b11f6882a1bec79d07afc84b77d9e22c155dd71a7fac9e560fdd191fdc486f5309c41d60e4c13580ae0ae4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2263f1213b8.exe
Filesize
973KB

MD5
6639386657759bdac5f11fd8b599e353

SHA1
16947be5f1d997fc36f838a4ae2d53637971e51c

SHA256
5a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8

SHA512
ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2263f1213b8.exe
Filesize
973KB

MD5
6639386657759bdac5f11fd8b599e353

SHA1
16947be5f1d997fc36f838a4ae2d53637971e51c

SHA256
5a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8

SHA512
ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue226c9cdaf9c30.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue226c9cdaf9c30.exe
Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228409ba5788.exe
Filesize
846KB

MD5
c9e0bf7a99131848fc562b7b512359e1

SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228409ba5788.exe
Filesize
846KB

MD5
c9e0bf7a99131848fc562b7b512359e1

SHA1
add6942e0e243ccc1b2dc80b3a986385556cc578

SHA256
45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b

SHA512
87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228807612bf5523.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228807612bf5523.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue228807612bf5523.exe
Filesize
390KB

MD5
83be628244555ddba5d7ab7252a10898

SHA1
7a8f6875211737c844fdd14ba9999e9da672de20

SHA256
e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f

SHA512
0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2292ee0712429810.exe
Filesize
401KB

MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2292ee0712429810.exe
Filesize
401KB

MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue2292ee0712429810.exe
Filesize
401KB

MD5
199dd8b65aa03e11f7eb6346506d3fd2

SHA1
a04261608dabc8d394dfea558fcaeb216f6335ea

SHA256
6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13

SHA512
0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22a2f1d85288dc91e.exe
Filesize
1.4MB

MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22a2f1d85288dc91e.exe
Filesize
1.4MB

MD5
5810fe95f7fb43baf96de0e35f814d6c

SHA1
696118263629f3cdf300934ebc3499d1c14e0233

SHA256
45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9

SHA512
832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22b6a0b5545.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22b6a0b5545.exe
Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22d3a6e3489d.exe
Filesize
185KB

MD5
19af34e9d7f5a9306965060a87d8a231

SHA1
600dd79e2b8cc7078766bf6e6e06b24a9d05d1d6

SHA256
bef82ff6a4d16f8900dc465a02be91ff5495e8deb1157306edc27482910e613f

SHA512
7b7f3d9ca14d4c2fb111ec30a8fc51f280192d0909e5194835af6b2bda0ede02ebe90f1b371c437bd1fbbad0222813010eb85fd6e7a7046c0ea3b28433f41d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22d3a6e3489d.exe
Filesize
185KB

MD5
19af34e9d7f5a9306965060a87d8a231

SHA1
600dd79e2b8cc7078766bf6e6e06b24a9d05d1d6

SHA256
bef82ff6a4d16f8900dc465a02be91ff5495e8deb1157306edc27482910e613f

SHA512
7b7f3d9ca14d4c2fb111ec30a8fc51f280192d0909e5194835af6b2bda0ede02ebe90f1b371c437bd1fbbad0222813010eb85fd6e7a7046c0ea3b28433f41d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22dead8ba66.exe
Filesize
71KB

MD5
d60a08a6456074f895e9f8338ea19515

SHA1
9547c405520a033bd479a0d20c056a1fdacf18af

SHA256
d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0

SHA512
b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22dead8ba66.exe
Filesize
71KB

MD5
d60a08a6456074f895e9f8338ea19515

SHA1
9547c405520a033bd479a0d20c056a1fdacf18af

SHA256
d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0

SHA512
b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22edcc71bba.exe
Filesize
356KB

MD5
b0fd76652f3d965fd81746f95cd1e01a

SHA1
2dac168abd6d9593167e1c033267b75ac57eac4a

SHA256
2dc4c04f4e7a059f9b0d2c01a56b503f12cce58382d5f4b9aee433af2c144507

SHA512
3994548f900678647bf2bed2d6e946ff129c0c0e052008028b6e7fc958d3ef0bdb9ad377a665072b04b0c845d81e62aa138fc25fdac5215bb13024dae7e6bfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\Tue22edcc71bba.exe
Filesize
356KB

MD5
b0fd76652f3d965fd81746f95cd1e01a

SHA1
2dac168abd6d9593167e1c033267b75ac57eac4a

SHA256
2dc4c04f4e7a059f9b0d2c01a56b503f12cce58382d5f4b9aee433af2c144507

SHA512
3994548f900678647bf2bed2d6e946ff129c0c0e052008028b6e7fc958d3ef0bdb9ad377a665072b04b0c845d81e62aa138fc25fdac5215bb13024dae7e6bfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\setup_install.exe
Filesize
2.1MB

MD5
151ad0c08a1d21a0ca492ed2ef4df48c

SHA1
07d3115f315dd5babbacb749906a68585156d1b8

SHA256
9dbd3f620bac8b8cb76c428b97e7c385f443e6bc2d478d9ef86b177fdaf3f322

SHA512
ce1663f908950a5ef22e5379dee98716e87b9a8b68d7d6883781660ba9b67864c4d4574ac5dd4b9ee1d167435aeb7195e7823b80d179fab651d5015da523108c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BEDC686\setup_install.exe
Filesize
2.1MB

MD5
151ad0c08a1d21a0ca492ed2ef4df48c

SHA1
07d3115f315dd5babbacb749906a68585156d1b8

SHA256
9dbd3f620bac8b8cb76c428b97e7c385f443e6bc2d478d9ef86b177fdaf3f322

SHA512
ce1663f908950a5ef22e5379dee98716e87b9a8b68d7d6883781660ba9b67864c4d4574ac5dd4b9ee1d167435aeb7195e7823b80d179fab651d5015da523108c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBBUWjU7.Li
Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B34S6.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQ3DK.tmp\Tue2237a96e0403e640d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQ3DK.tmp\Tue2237a96e0403e640d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I1M6E.tmp\idp.dll
Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TSDOI.tmp\Tue2237a96e0403e640d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TSDOI.tmp\Tue2237a96e0403e640d.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
6.2MB

MD5
1d6c3d9abb0bc744862f637c063b7b79

SHA1
6fd00f7591818fa52dc00d0683a2db1ac64d307b

SHA256
00b66d6580571a2d656a3592d90e4e27fc0fb639e99938bace317891ca769207

SHA512
a598be3f82ae8e624ec487417293a30a09c77c50ae9b9ec9d4b7c93c16ba80a8815ad387f3d1b2d29c297680578d6d0f3f4edf333bde77efdfcde71b31ffd38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
6.2MB

MD5
1d6c3d9abb0bc744862f637c063b7b79

SHA1
6fd00f7591818fa52dc00d0683a2db1ac64d307b

SHA256
00b66d6580571a2d656a3592d90e4e27fc0fb639e99938bace317891ca769207

SHA512
a598be3f82ae8e624ec487417293a30a09c77c50ae9b9ec9d4b7c93c16ba80a8815ad387f3d1b2d29c297680578d6d0f3f4edf333bde77efdfcde71b31ffd38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
Filesize
557KB

MD5
6ae0b51959eec1d47f4caa7772f01f48

SHA1
eb797704b1a33aea85824c3da2054d48b225bac7

SHA256
ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786

SHA512
06e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
memory/60-344-0x0000000000000000-mapping.dmp

Download
memory/316-186-0x0000000000000000-mapping.dmp

Download
memory/384-212-0x0000000000000000-mapping.dmp

Download
memory/448-302-0x0000000000000000-mapping.dmp

Download
memory/840-164-0x0000000000000000-mapping.dmp

Download
memory/844-315-0x0000000000000000-mapping.dmp

Download
memory/868-282-0x0000000000000000-mapping.dmp

Download
memory/1040-325-0x0000000003890000-0x0000000003A50000-memory.dmp

Filesize
1.8MB

Download
memory/1040-232-0x0000000000000000-mapping.dmp

Download
memory/1256-203-0x0000000000000000-mapping.dmp

Download
memory/1272-367-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/1424-273-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1424-270-0x0000000000000000-mapping.dmp

Download
memory/1424-278-0x0000000005BA0000-0x00000000061B8000-memory.dmp

Filesize
6.1MB

Download
memory/1424-280-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/1428-263-0x0000000000000000-mapping.dmp

Download
memory/1552-168-0x0000000000000000-mapping.dmp

Download
memory/1732-376-0x0000000000A60000-0x00000000013D1000-memory.dmp

Filesize
9.4MB

Download
memory/1732-374-0x0000000000A60000-0x00000000013D1000-memory.dmp

Filesize
9.4MB

Download
memory/1732-377-0x0000000000A60000-0x00000000013D1000-memory.dmp

Filesize
9.4MB

Download
memory/1732-368-0x0000000000A60000-0x00000000013D1000-memory.dmp

Filesize
9.4MB

Download
memory/1732-375-0x0000000000A60000-0x00000000013D1000-memory.dmp

Filesize
9.4MB

Download
memory/1820-239-0x0000000000000000-mapping.dmp

Download
memory/1900-243-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-249-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-237-0x0000000000000000-mapping.dmp

Download
memory/1920-312-0x0000000000000000-mapping.dmp

Download
memory/2112-345-0x0000000000000000-mapping.dmp

Download
memory/2332-319-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2332-240-0x0000000000000000-mapping.dmp

Download
memory/2332-326-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2332-314-0x0000000003010000-0x0000000003019000-memory.dmp

Filesize
36KB

Download
memory/2332-313-0x0000000003000000-0x0000000003008000-memory.dmp

Filesize
32KB

Download
memory/2336-170-0x0000000000000000-mapping.dmp

Download
memory/2432-230-0x0000000000000000-mapping.dmp

Download
memory/2460-291-0x0000000000000000-mapping.dmp

Download
memory/2724-292-0x0000000000000000-mapping.dmp

Download
memory/2884-311-0x0000000004370000-0x0000000004530000-memory.dmp

Filesize
1.8MB

Download
memory/2884-171-0x0000000000000000-mapping.dmp

Download
memory/2884-330-0x0000000004370000-0x0000000004530000-memory.dmp

Filesize
1.8MB

Download
memory/2980-290-0x0000000000832000-0x000000000085D000-memory.dmp

Filesize
172KB

Download
memory/2980-294-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2980-293-0x0000000000660000-0x00000000006AC000-memory.dmp

Filesize
304KB

Download
memory/2980-328-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2980-327-0x0000000000832000-0x000000000085D000-memory.dmp

Filesize
172KB

Download
memory/2980-199-0x0000000000000000-mapping.dmp

Download
memory/2996-248-0x0000000000000000-mapping.dmp

Download
memory/3256-217-0x0000000000000000-mapping.dmp

Download
memory/3260-190-0x0000000000000000-mapping.dmp

Download
memory/3388-347-0x0000000000000000-mapping.dmp

Download
memory/3400-188-0x0000000000000000-mapping.dmp

Download
memory/3408-214-0x0000000000000000-mapping.dmp

Download
memory/3640-226-0x00007FFA8D230000-0x00007FFA8DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-208-0x00000000009C0000-0x0000000000AB8000-memory.dmp

Filesize
992KB

Download
memory/3640-194-0x0000000000000000-mapping.dmp

Download
memory/3640-287-0x00007FFA8D230000-0x00007FFA8DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-197-0x0000000000000000-mapping.dmp

Download
memory/3752-183-0x0000000000000000-mapping.dmp

Download
memory/3764-130-0x0000000000000000-mapping.dmp

Download
memory/3840-238-0x0000000005130000-0x000000000514E000-memory.dmp

Filesize
120KB

Download
memory/3840-227-0x0000000005160000-0x00000000051D6000-memory.dmp

Filesize
472KB

Download
memory/3840-211-0x0000000000000000-mapping.dmp

Download
memory/3840-225-0x0000000000940000-0x00000000009A8000-memory.dmp

Filesize
416KB

Download
memory/3840-253-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/3936-222-0x0000000000000000-mapping.dmp

Download
memory/3992-336-0x0000000003510000-0x00000000035A9000-memory.dmp

Filesize
612KB

Download
memory/3992-335-0x0000000003460000-0x000000000350D000-memory.dmp

Filesize
692KB

Download
memory/3992-322-0x0000000000000000-mapping.dmp

Download
memory/3992-324-0x0000000002AD0000-0x0000000002E8B000-memory.dmp

Filesize
3.7MB

Download
memory/3992-255-0x0000000000000000-mapping.dmp

Download
memory/4068-281-0x0000000005210000-0x000000000524C000-memory.dmp

Filesize
240KB

Download
memory/4068-268-0x0000000000000000-mapping.dmp

Download
memory/4068-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4068-279-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/4132-202-0x0000000000000000-mapping.dmp

Download
memory/4184-195-0x00007FFA8D230000-0x00007FFA8DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-283-0x00007FFA8D230000-0x00007FFA8DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-181-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/4184-174-0x0000000000000000-mapping.dmp

Download
memory/4204-340-0x0000000000000000-mapping.dmp

Download
memory/4240-219-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/4240-213-0x0000000000000000-mapping.dmp

Download
memory/4240-228-0x00007FFA8D230000-0x00007FFA8DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-250-0x00007FFA8D230000-0x00007FFA8DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/4244-161-0x0000000000000000-mapping.dmp

Download
memory/4316-160-0x0000000000000000-mapping.dmp

Download
memory/4332-196-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/4332-303-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/4332-162-0x0000000000000000-mapping.dmp

Download
memory/4332-298-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/4332-299-0x0000000007B50000-0x00000000081CA000-memory.dmp

Filesize
6.5MB

Download
memory/4332-296-0x000000006C620000-0x000000006C66C000-memory.dmp

Filesize
304KB

Download
memory/4332-300-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/4432-329-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4432-309-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4432-308-0x0000000000590000-0x00000000005DA000-memory.dmp

Filesize
296KB

Download
memory/4432-241-0x0000000000000000-mapping.dmp

Download
memory/4432-307-0x00000000007B3000-0x00000000007DD000-memory.dmp

Filesize
168KB

Download
memory/4520-341-0x0000000000000000-mapping.dmp

Download
memory/4552-272-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4552-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4552-276-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4552-133-0x0000000000000000-mapping.dmp

Download
memory/4552-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4552-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4552-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4552-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4552-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4552-158-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4552-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4552-150-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4552-154-0x0000000000F10000-0x0000000000F9F000-memory.dmp

Filesize
572KB

Download
memory/4552-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4552-267-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4552-269-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4552-157-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4552-159-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4568-191-0x0000000000000000-mapping.dmp

Download
memory/4608-284-0x0000000000000000-mapping.dmp

Download
memory/4636-323-0x0000000007E60000-0x0000000007E68000-memory.dmp

Filesize
32KB

Download
memory/4636-310-0x0000000007DB0000-0x0000000007E46000-memory.dmp

Filesize
600KB

Download
memory/4636-223-0x00000000060B0000-0x00000000060D2000-memory.dmp

Filesize
136KB

Download
memory/4636-297-0x000000006C620000-0x000000006C66C000-memory.dmp

Filesize
304KB

Download
memory/4636-320-0x0000000007D70000-0x0000000007D7E000-memory.dmp

Filesize
56KB

Download
memory/4636-321-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/4636-229-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/4636-184-0x0000000003280000-0x00000000032B6000-memory.dmp

Filesize
216KB

Download
memory/4636-163-0x0000000000000000-mapping.dmp

Download
memory/4636-231-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/4636-262-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/4636-295-0x0000000006DE0000-0x0000000006E12000-memory.dmp

Filesize
200KB

Download
memory/4648-317-0x0000000000000000-mapping.dmp

Download
memory/4668-173-0x0000000000000000-mapping.dmp

Download
memory/4680-316-0x0000000000000000-mapping.dmp

Download
memory/4708-289-0x0000000000000000-mapping.dmp

Download
memory/4732-180-0x0000000000000000-mapping.dmp

Download
memory/4812-209-0x0000000000000000-mapping.dmp

Download
memory/4936-260-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4936-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4936-331-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4936-305-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4936-256-0x0000000000000000-mapping.dmp

Download
memory/4960-236-0x0000000000D50000-0x0000000000DBA000-memory.dmp

Filesize
424KB

Download
memory/4960-233-0x0000000000000000-mapping.dmp

Download
memory/4980-200-0x0000000000000000-mapping.dmp

Download
memory/4988-288-0x0000000000000000-mapping.dmp

Download
memory/5036-343-0x0000000140000000-mapping.dmp

Download
memory/5036-342-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/5064-176-0x0000000000000000-mapping.dmp

Download
memory/5068-166-0x0000000000000000-mapping.dmp

Download
memory/25080-381-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/25080-384-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/25080-380-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download