glupteba | 3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

Analysis

max time kernel
92s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WW14.exe
Size

351KB
MD5

312ad3b67a1f3a75637ea9297df1cedb
SHA1

7d922b102a52241d28f1451d3542db12b0265b75
SHA256

3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
SHA512

848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515
SSDEEP

6144:N/qVYZEPD78jA9aNGY9i81SV2K2d6Or989IwfvyvbAxXUt:NeYZ+8d3S5yc

Score

10^/10

glupteba nymaim privateloader redline smokeloader 2 backdoor discovery dropper evasion infostealer loader main persistence spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

redline

Botnet

116.203.187.3:14916

Attributes

auth_value
1c0b2a7d9265a0bd7186c9687fe62c4e

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/404-199-0x0000000000AB0000-0x0000000000AB9000-memory.dmp	family_smokeloader

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

WW14.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WW14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WW14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	WW14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	WW14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	WW14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	WW14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WW14.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2024-204-0x0000000000B80000-0x00000000019DC000-memory.dmp	family_redline
behavioral2/memory/2024-207-0x0000000000B80000-0x00000000019DC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3348 created 856 3348 svchost.exe 6VxOHqoOJZPGM0xSo2gx8hTT.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

U3LdxS8Xd6kFGApwuueK7bQb.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ U3LdxS8Xd6kFGApwuueK7bQb.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3348 created 856	3348	svchost.exe	6VxOHqoOJZPGM0xSo2gx8hTT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	U3LdxS8Xd6kFGApwuueK7bQb.exe

Executes dropped EXE 19 IoCs

Processes:

x3lizVDf3EAyXsOsOCyclre9.exeoAKmVAYE18Y3cyyHbTsBaqvR.exe6VxOHqoOJZPGM0xSo2gx8hTT.exeoaiOjU68Fuu9Ukjqbvx90k1d.exeaQyuH1RbVJkSd6jdmm7AbB8t.exeU3LdxS8Xd6kFGApwuueK7bQb.exe_4twfxAWOSftRXBUIAPTOX3x.exeFxQXNZJgkRb_16RrHPRnKAf7.exeHxgsP2D3lwpa2ZOjps489MOg.exet0wfPvYgnVs4ApyBnBQtNIlK.exeis-1BRJU.tmpccsearcher.exeInstall.exeSystem.exeInstall.exe6VxOHqoOJZPGM0xSo2gx8hTT.exeDue.exe.pifCerulea.exe.pifcsrss.exe

pid	process
2976	x3lizVDf3EAyXsOsOCyclre9.exe
1396	oAKmVAYE18Y3cyyHbTsBaqvR.exe
856	6VxOHqoOJZPGM0xSo2gx8hTT.exe
2804	oaiOjU68Fuu9Ukjqbvx90k1d.exe
404	aQyuH1RbVJkSd6jdmm7AbB8t.exe
2024	U3LdxS8Xd6kFGApwuueK7bQb.exe
5060	_4twfxAWOSftRXBUIAPTOX3x.exe
1432	FxQXNZJgkRb_16RrHPRnKAf7.exe
396	HxgsP2D3lwpa2ZOjps489MOg.exe
424	t0wfPvYgnVs4ApyBnBQtNIlK.exe
216	is-1BRJU.tmp
1188	ccsearcher.exe
4892	Install.exe
4356	System.exe
4680	Install.exe
4360	6VxOHqoOJZPGM0xSo2gx8hTT.exe
1492	Due.exe.pif
4160	Cerulea.exe.pif
3612	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4728 netsh.exe

pid	process
4728	netsh.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\_4twfxAWOSftRXBUIAPTOX3x.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\_4twfxAWOSftRXBUIAPTOX3x.exe	vmprotect
behavioral2/memory/5060-173-0x0000000140000000-0x00000001406A2000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

U3LdxS8Xd6kFGApwuueK7bQb.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	U3LdxS8Xd6kFGApwuueK7bQb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	U3LdxS8Xd6kFGApwuueK7bQb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsearcher.exeInstall.exeWW14.exeoaiOjU68Fuu9Ukjqbvx90k1d.exeoAKmVAYE18Y3cyyHbTsBaqvR.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ccsearcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WW14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	oaiOjU68Fuu9Ukjqbvx90k1d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	oAKmVAYE18Y3cyyHbTsBaqvR.exe

Loads dropped DLL 2 IoCs

Processes:

is-1BRJU.tmpregsvr32.exe

pid process

216 is-1BRJU.tmp
4852 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
216	is-1BRJU.tmp
4852	regsvr32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\U3LdxS8Xd6kFGApwuueK7bQb.exe	themida
behavioral2/memory/2024-204-0x0000000000B80000-0x00000000019DC000-memory.dmp	themida
C:\Users\Admin\Pictures\Adobe Films\U3LdxS8Xd6kFGApwuueK7bQb.exe	themida
behavioral2/memory/2024-207-0x0000000000B80000-0x00000000019DC000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HxgsP2D3lwpa2ZOjps489MOg.exeFxQXNZJgkRb_16RrHPRnKAf7.exe6VxOHqoOJZPGM0xSo2gx8hTT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	HxgsP2D3lwpa2ZOjps489MOg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	HxgsP2D3lwpa2ZOjps489MOg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FxQXNZJgkRb_16RrHPRnKAf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FxQXNZJgkRb_16RrHPRnKAf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	6VxOHqoOJZPGM0xSo2gx8hTT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

U3LdxS8Xd6kFGApwuueK7bQb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	U3LdxS8Xd6kFGApwuueK7bQb.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io
94 ip-api.com
7 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

U3LdxS8Xd6kFGApwuueK7bQb.exe

pid process

2024 U3LdxS8Xd6kFGApwuueK7bQb.exe

flow	ioc
8	ipinfo.io
94	ip-api.com
7	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
2024	U3LdxS8Xd6kFGApwuueK7bQb.exe

Drops file in Program Files directory 12 IoCs

Processes:

is-1BRJU.tmp

description	ioc	process
File created	C:\Program Files (x86)\ccSearcher\is-RAAJ2.tmp	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-FDS92.tmp	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-R6SR8.tmp	is-1BRJU.tmp
File opened for modification	C:\Program Files (x86)\ccSearcher\unins000.dat	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-Q703H.tmp	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-I8UIL.tmp	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-M01D0.tmp	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-ONUFM.tmp	is-1BRJU.tmp
File opened for modification	C:\Program Files (x86)\ccSearcher\ccsearcher.exe	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\unins000.dat	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-VV59R.tmp	is-1BRJU.tmp
File created	C:\Program Files (x86)\ccSearcher\is-88DNV.tmp	is-1BRJU.tmp

Drops file in Windows directory 3 IoCs

Processes:

6VxOHqoOJZPGM0xSo2gx8hTT.exegpupdate.exe

description	ioc	process
File opened for modification	C:\Windows\rss	6VxOHqoOJZPGM0xSo2gx8hTT.exe
File created	C:\Windows\rss\csrss.exe	6VxOHqoOJZPGM0xSo2gx8hTT.exe
File created	C:\Windows\Tasks\bLXuWMXHELROJPPOrg.job	gpupdate.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1284 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1284	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aQyuH1RbVJkSd6jdmm7AbB8t.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aQyuH1RbVJkSd6jdmm7AbB8t.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aQyuH1RbVJkSd6jdmm7AbB8t.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aQyuH1RbVJkSd6jdmm7AbB8t.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1804 schtasks.exe
3288 schtasks.exe
1468 schtasks.exe
3472 schtasks.exe
3376 schtasks.exe
2392 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4644 tasklist.exe
4304 tasklist.exe

pid	process
1804	schtasks.exe
3288	schtasks.exe
1468	schtasks.exe
3472	schtasks.exe
3376	schtasks.exe
2392	schtasks.exe

pid	process
4644	tasklist.exe
4304	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2332 taskkill.exe

pid	process
2332	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

6VxOHqoOJZPGM0xSo2gx8hTT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	6VxOHqoOJZPGM0xSo2gx8hTT.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2664 PING.EXE
1860 PING.EXE

pid	process
2664	PING.EXE
1860	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WW14.exeU3LdxS8Xd6kFGApwuueK7bQb.exeaQyuH1RbVJkSd6jdmm7AbB8t.exe

pid	process
4024	WW14.exe
4024	WW14.exe
2024	U3LdxS8Xd6kFGApwuueK7bQb.exe
2024	U3LdxS8Xd6kFGApwuueK7bQb.exe
404	aQyuH1RbVJkSd6jdmm7AbB8t.exe
404	aQyuH1RbVJkSd6jdmm7AbB8t.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aQyuH1RbVJkSd6jdmm7AbB8t.exe

pid process

404 aQyuH1RbVJkSd6jdmm7AbB8t.exe

pid	process
3068

pid	process
404	aQyuH1RbVJkSd6jdmm7AbB8t.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

taskkill.exe6VxOHqoOJZPGM0xSo2gx8hTT.exetasklist.exesvchost.exereg.exepowershell.EXEU3LdxS8Xd6kFGApwuueK7bQb.exe

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	856	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Token: SeImpersonatePrivilege	856	6VxOHqoOJZPGM0xSo2gx8hTT.exe
Token: SeDebugPrivilege	4644	tasklist.exe
Token: SeTcbPrivilege	3348	svchost.exe
Token: SeTcbPrivilege	3348	svchost.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	4304	reg.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	2852	powershell.EXE
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	2024	U3LdxS8Xd6kFGApwuueK7bQb.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

Due.exe.pifCerulea.exe.pif

pid	process
1492	Due.exe.pif
3068
3068
1492	Due.exe.pif
1492	Due.exe.pif
3068
3068
4160	Cerulea.exe.pif
3068
3068
4160	Cerulea.exe.pif
4160	Cerulea.exe.pif
3068
3068
3068
3068
3068
3068

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Due.exe.pifCerulea.exe.pif

pid process

1492 Due.exe.pif
1492 Due.exe.pif
1492 Due.exe.pif
4160 Cerulea.exe.pif
4160 Cerulea.exe.pif
4160 Cerulea.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WW14.exeHxgsP2D3lwpa2ZOjps489MOg.exex3lizVDf3EAyXsOsOCyclre9.exeFxQXNZJgkRb_16RrHPRnKAf7.exeoaiOjU68Fuu9Ukjqbvx90k1d.exeis-1BRJU.tmpt0wfPvYgnVs4ApyBnBQtNIlK.exeoAKmVAYE18Y3cyyHbTsBaqvR.exeInstall.execmd.execmd.execcsearcher.exe

description	pid	process	target process
PID 4024 wrote to memory of 2976	4024	WW14.exe	x3lizVDf3EAyXsOsOCyclre9.exe
PID 4024 wrote to memory of 2976	4024	WW14.exe	x3lizVDf3EAyXsOsOCyclre9.exe
PID 4024 wrote to memory of 2976	4024	WW14.exe	x3lizVDf3EAyXsOsOCyclre9.exe
PID 4024 wrote to memory of 1396	4024	WW14.exe	oAKmVAYE18Y3cyyHbTsBaqvR.exe
PID 4024 wrote to memory of 1396	4024	WW14.exe	oAKmVAYE18Y3cyyHbTsBaqvR.exe
PID 4024 wrote to memory of 856	4024	WW14.exe	6VxOHqoOJZPGM0xSo2gx8hTT.exe
PID 4024 wrote to memory of 856	4024	WW14.exe	6VxOHqoOJZPGM0xSo2gx8hTT.exe
PID 4024 wrote to memory of 856	4024	WW14.exe	6VxOHqoOJZPGM0xSo2gx8hTT.exe
PID 4024 wrote to memory of 2804	4024	WW14.exe	oaiOjU68Fuu9Ukjqbvx90k1d.exe
PID 4024 wrote to memory of 2804	4024	WW14.exe	oaiOjU68Fuu9Ukjqbvx90k1d.exe
PID 4024 wrote to memory of 2804	4024	WW14.exe	oaiOjU68Fuu9Ukjqbvx90k1d.exe
PID 4024 wrote to memory of 2024	4024	WW14.exe	U3LdxS8Xd6kFGApwuueK7bQb.exe
PID 4024 wrote to memory of 2024	4024	WW14.exe	U3LdxS8Xd6kFGApwuueK7bQb.exe
PID 4024 wrote to memory of 2024	4024	WW14.exe	U3LdxS8Xd6kFGApwuueK7bQb.exe
PID 4024 wrote to memory of 404	4024	WW14.exe	aQyuH1RbVJkSd6jdmm7AbB8t.exe
PID 4024 wrote to memory of 404	4024	WW14.exe	aQyuH1RbVJkSd6jdmm7AbB8t.exe
PID 4024 wrote to memory of 404	4024	WW14.exe	aQyuH1RbVJkSd6jdmm7AbB8t.exe
PID 4024 wrote to memory of 1432	4024	WW14.exe	FxQXNZJgkRb_16RrHPRnKAf7.exe
PID 4024 wrote to memory of 1432	4024	WW14.exe	FxQXNZJgkRb_16RrHPRnKAf7.exe
PID 4024 wrote to memory of 1432	4024	WW14.exe	FxQXNZJgkRb_16RrHPRnKAf7.exe
PID 4024 wrote to memory of 424	4024	WW14.exe	t0wfPvYgnVs4ApyBnBQtNIlK.exe
PID 4024 wrote to memory of 424	4024	WW14.exe	t0wfPvYgnVs4ApyBnBQtNIlK.exe
PID 4024 wrote to memory of 424	4024	WW14.exe	t0wfPvYgnVs4ApyBnBQtNIlK.exe
PID 4024 wrote to memory of 5060	4024	WW14.exe	_4twfxAWOSftRXBUIAPTOX3x.exe
PID 4024 wrote to memory of 5060	4024	WW14.exe	_4twfxAWOSftRXBUIAPTOX3x.exe
PID 4024 wrote to memory of 396	4024	WW14.exe	HxgsP2D3lwpa2ZOjps489MOg.exe
PID 4024 wrote to memory of 396	4024	WW14.exe	HxgsP2D3lwpa2ZOjps489MOg.exe
PID 4024 wrote to memory of 396	4024	WW14.exe	HxgsP2D3lwpa2ZOjps489MOg.exe
PID 396 wrote to memory of 340	396	HxgsP2D3lwpa2ZOjps489MOg.exe	WerFault.exe
PID 396 wrote to memory of 340	396	HxgsP2D3lwpa2ZOjps489MOg.exe	WerFault.exe
PID 396 wrote to memory of 340	396	HxgsP2D3lwpa2ZOjps489MOg.exe	WerFault.exe
PID 2976 wrote to memory of 216	2976	x3lizVDf3EAyXsOsOCyclre9.exe	is-1BRJU.tmp
PID 2976 wrote to memory of 216	2976	x3lizVDf3EAyXsOsOCyclre9.exe	is-1BRJU.tmp
PID 2976 wrote to memory of 216	2976	x3lizVDf3EAyXsOsOCyclre9.exe	is-1BRJU.tmp
PID 1432 wrote to memory of 2664	1432	FxQXNZJgkRb_16RrHPRnKAf7.exe	PING.EXE
PID 1432 wrote to memory of 2664	1432	FxQXNZJgkRb_16RrHPRnKAf7.exe	PING.EXE
PID 1432 wrote to memory of 2664	1432	FxQXNZJgkRb_16RrHPRnKAf7.exe	PING.EXE
PID 2804 wrote to memory of 4852	2804	oaiOjU68Fuu9Ukjqbvx90k1d.exe	regsvr32.exe
PID 2804 wrote to memory of 4852	2804	oaiOjU68Fuu9Ukjqbvx90k1d.exe	regsvr32.exe
PID 2804 wrote to memory of 4852	2804	oaiOjU68Fuu9Ukjqbvx90k1d.exe	regsvr32.exe
PID 216 wrote to memory of 1188	216	is-1BRJU.tmp	ccsearcher.exe
PID 216 wrote to memory of 1188	216	is-1BRJU.tmp	ccsearcher.exe
PID 216 wrote to memory of 1188	216	is-1BRJU.tmp	ccsearcher.exe
PID 1432 wrote to memory of 4632	1432	FxQXNZJgkRb_16RrHPRnKAf7.exe	cmd.exe
PID 1432 wrote to memory of 4632	1432	FxQXNZJgkRb_16RrHPRnKAf7.exe	cmd.exe
PID 1432 wrote to memory of 4632	1432	FxQXNZJgkRb_16RrHPRnKAf7.exe	cmd.exe
PID 396 wrote to memory of 4116	396	HxgsP2D3lwpa2ZOjps489MOg.exe	cmd.exe
PID 396 wrote to memory of 4116	396	HxgsP2D3lwpa2ZOjps489MOg.exe	cmd.exe
PID 396 wrote to memory of 4116	396	HxgsP2D3lwpa2ZOjps489MOg.exe	cmd.exe
PID 424 wrote to memory of 4892	424	t0wfPvYgnVs4ApyBnBQtNIlK.exe	Install.exe
PID 424 wrote to memory of 4892	424	t0wfPvYgnVs4ApyBnBQtNIlK.exe	Install.exe
PID 424 wrote to memory of 4892	424	t0wfPvYgnVs4ApyBnBQtNIlK.exe	Install.exe
PID 1396 wrote to memory of 4356	1396	oAKmVAYE18Y3cyyHbTsBaqvR.exe	System.exe
PID 1396 wrote to memory of 4356	1396	oAKmVAYE18Y3cyyHbTsBaqvR.exe	System.exe
PID 4892 wrote to memory of 4680	4892	Install.exe	Install.exe
PID 4892 wrote to memory of 4680	4892	Install.exe	Install.exe
PID 4892 wrote to memory of 4680	4892	Install.exe	Install.exe
PID 4632 wrote to memory of 2684	4632	cmd.exe	cmd.exe
PID 4632 wrote to memory of 2684	4632	cmd.exe	cmd.exe
PID 4632 wrote to memory of 2684	4632	cmd.exe	cmd.exe
PID 4116 wrote to memory of 2848	4116	cmd.exe	cmd.exe
PID 4116 wrote to memory of 2848	4116	cmd.exe	cmd.exe
PID 4116 wrote to memory of 2848	4116	cmd.exe	cmd.exe
PID 1188 wrote to memory of 3344	1188	ccsearcher.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\WW14.exe
"C:\Users\Admin\AppData\Local\Temp\WW14.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\Pictures\Adobe Films\FxQXNZJgkRb_16RrHPRnKAf7.exe
"C:\Users\Admin\Pictures\Adobe Films\FxQXNZJgkRb_16RrHPRnKAf7.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WerFault.exe
WerFault.exe //////
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Scioglie.dotx & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:2684

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
5⤵
PID:2384

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
5⤵
- Enumerates processes with tasklist
PID:4304

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
5⤵
PID:908

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ADdplGVVqpGnaqXIFZmmBkxyGqaTctYBQVZNHPeoBgnHsSLCLukOMEDfpkClheAVkyIbwlwPXdXhMMNOgPogTp$" Angolo.dotx
5⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cerulea.exe.pif
Cerulea.exe.pif y
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cerulea.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cerulea.exe.pif
6⤵
PID:420

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:1860

C:\Users\Admin\Pictures\Adobe Films\oAKmVAYE18Y3cyyHbTsBaqvR.exe
"C:\Users\Admin\Pictures\Adobe Films\oAKmVAYE18Y3cyyHbTsBaqvR.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.exe"
3⤵
- Executes dropped EXE
PID:4356

C:\Users\Admin\Pictures\Adobe Films\_4twfxAWOSftRXBUIAPTOX3x.exe
"C:\Users\Admin\Pictures\Adobe Films\_4twfxAWOSftRXBUIAPTOX3x.exe"
2⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\Pictures\Adobe Films\HxgsP2D3lwpa2ZOjps489MOg.exe
"C:\Users\Admin\Pictures\Adobe Films\HxgsP2D3lwpa2ZOjps489MOg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\WerFault.exe
WerFault.exe //////
3⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Talismani.accdr & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:2848

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ivocosdUNOOmhqDOlanePlnnkXfQzSPcPrHfepSAzsORwFAyYjxmknXXYJpkeAAUZzJpahLwAXJbvGbGvlRindlsuKdaZGnTQTSIVsMKAaYhPmAsjDPSIzvJparIXaeTmPG$" Stupore.accdr
5⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif
Due.exe.pif F
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif Films\HxgsP2D3lwpa2ZOjps489MOg.exe"
6⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif Films\HxgsP2D3lwpa2ZOjps489MOg.exe"
6⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif Films\HxgsP2D3lwpa2ZOjps489MOg.exe"
6⤵
PID:2412

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:2664

C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe
"C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe
"C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3288

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4728

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
PID:3612

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:4744

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:4936

C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1284

C:\Users\Admin\Pictures\Adobe Films\t0wfPvYgnVs4ApyBnBQtNIlK.exe
"C:\Users\Admin\Pictures\Adobe Films\t0wfPvYgnVs4ApyBnBQtNIlK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:424

C:\Users\Admin\AppData\Local\Temp\7zS4B03.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\Pictures\Adobe Films\U3LdxS8Xd6kFGApwuueK7bQb.exe
"C:\Users\Admin\Pictures\Adobe Films\U3LdxS8Xd6kFGApwuueK7bQb.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\AppData\Local\Temp\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.exe"
3⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
4⤵
- Creates scheduled task(s)
PID:3288

C:\Users\Admin\AppData\Local\Temp\mnr.exe
"C:\Users\Admin\AppData\Local\Temp\mnr.exe"
3⤵
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
4⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
"C:\Users\Admin\AppData\Local\Temp\Csatu.exe"
3⤵
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
4⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
PID:4624

C:\Users\Admin\Pictures\Adobe Films\oaiOjU68Fuu9Ukjqbvx90k1d.exe
"C:\Users\Admin\Pictures\Adobe Films\oaiOjU68Fuu9Ukjqbvx90k1d.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /U .\dJ9D2LWF.S5p /S
3⤵
- Loads dropped DLL
PID:4852

C:\Users\Admin\Pictures\Adobe Films\x3lizVDf3EAyXsOsOCyclre9.exe
"C:\Users\Admin\Pictures\Adobe Films\x3lizVDf3EAyXsOsOCyclre9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\is-0BVQM.tmp\is-1BRJU.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0BVQM.tmp\is-1BRJU.tmp" /SL4 $50120 "C:\Users\Admin\Pictures\Adobe Films\x3lizVDf3EAyXsOsOCyclre9.exe" 2324125 52736
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\Pictures\Adobe Films\aQyuH1RbVJkSd6jdmm7AbB8t.exe
"C:\Users\Admin\Pictures\Adobe Films\aQyuH1RbVJkSd6jdmm7AbB8t.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:404

C:\Program Files (x86)\ccSearcher\ccsearcher.exe
"C:\Program Files (x86)\ccSearcher\ccsearcher.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ccsearcher.exe" /f & erase "C:\Program Files (x86)\ccSearcher\ccsearcher.exe" & exit
2⤵
PID:3344

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ccsearcher.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Users\Admin\AppData\Local\Temp\7zS5E8B.tmp\Install.exe
.\Install.exe /S /site_id "525403"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:4680

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
2⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
3⤵
PID:3480

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
4⤵
PID:3728

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
4⤵
PID:1568

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
2⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
3⤵
PID:4200

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3452

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3928

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gibvwWZtr" /SC once /ST 01:11:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3472

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gibvwWZtr"
2⤵
PID:4952

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gibvwWZtr"
2⤵
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bLXuWMXHELROJPPOrg" /SC once /ST 12:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN\hXiwYqDltwttUeA\KiOuoZt.exe\" pt /site_id 525403 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4588

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN\hXiwYqDltwttUeA\KiOuoZt.exe
C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN\hXiwYqDltwttUeA\KiOuoZt.exe pt /site_id 525403 /S
1⤵
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KceVwVtLnRAU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KceVwVtLnRAU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KoeseVBucaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KoeseVBucaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZzaAGOAwfCyZC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZzaAGOAwfCyZC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gkCyudauXbDPMYfSfkR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gkCyudauXbDPMYfSfkR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mkCKkSfyU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mkCKkSfyU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IIbxZePqwWrXbTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\IIbxZePqwWrXbTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\tJaegEOdqFVREuLZ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\tJaegEOdqFVREuLZ\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KceVwVtLnRAU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KceVwVtLnRAU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KceVwVtLnRAU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KoeseVBucaUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KoeseVBucaUn" /t REG_DWORD /d 0 /reg:64
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZzaAGOAwfCyZC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZzaAGOAwfCyZC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gkCyudauXbDPMYfSfkR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gkCyudauXbDPMYfSfkR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mkCKkSfyU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mkCKkSfyU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\IIbxZePqwWrXbTVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\IIbxZePqwWrXbTVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN /t REG_DWORD /d 0 /reg:32
3⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\RdvvSiPACVxqMayqN /t REG_DWORD /d 0 /reg:64
3⤵
PID:748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\tJaegEOdqFVREuLZ /t REG_DWORD /d 0 /reg:32
3⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\tJaegEOdqFVREuLZ /t REG_DWORD /d 0 /reg:64
3⤵
PID:3888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gjEEjhlLK" /SC once /ST 01:08:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1468

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gjEEjhlLK"
2⤵
PID:4864

C:\Users\Admin\AppData\Roaming\mnr.exe
C:\Users\Admin\AppData\Roaming\mnr.exe
1⤵
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3748

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
- Drops file in Windows directory
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4372

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ccSearcher\ccsearcher.exe
Filesize
4.3MB

MD5
0545f55b7f65691c450919ee98e9c6b8

SHA1
c8f38ecdc90a4ce2b18f19f15a4e379a721d9a0f

SHA256
8338b9f05765b0ddb973eaf84159868e6a1389a0172ea70fd32e30f39cf2b3e8

SHA512
c9228888265f3bbdf846c5fb3b210ad85a494040bd28cd46f225b728d77b77c0a4a6428dfc1d724486ba955a75de1eabae4b6df64552a26318a6de0ab21b92a6

Download Submit
C:\Program Files (x86)\ccSearcher\ccsearcher.exe
Filesize
4.3MB

MD5
0545f55b7f65691c450919ee98e9c6b8

SHA1
c8f38ecdc90a4ce2b18f19f15a4e379a721d9a0f

SHA256
8338b9f05765b0ddb973eaf84159868e6a1389a0172ea70fd32e30f39cf2b3e8

SHA512
c9228888265f3bbdf846c5fb3b210ad85a494040bd28cd46f225b728d77b77c0a4a6428dfc1d724486ba955a75de1eabae4b6df64552a26318a6de0ab21b92a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B03.tmp\Install.exe
Filesize
6.3MB

MD5
1c839d640b616f5f773c3ea56e86754b

SHA1
4877d30b6571672d48e80febcc6464eaccd24da8

SHA256
2583dfd5993119f713e27f835aec6471f12155e79e4e40f2dd478510f7111377

SHA512
80da4b96ffe6a6e4a5159aa7fc2db4718398298ccb34292da349a9513f1f1e8dc8a7936f2f23c4ce56a84beb411b93c7680c47c766fd1670062ba2a162236340

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B03.tmp\Install.exe
Filesize
6.3MB

MD5
1c839d640b616f5f773c3ea56e86754b

SHA1
4877d30b6571672d48e80febcc6464eaccd24da8

SHA256
2583dfd5993119f713e27f835aec6471f12155e79e4e40f2dd478510f7111377

SHA512
80da4b96ffe6a6e4a5159aa7fc2db4718398298ccb34292da349a9513f1f1e8dc8a7936f2f23c4ce56a84beb411b93c7680c47c766fd1670062ba2a162236340

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5E8B.tmp\Install.exe
Filesize
6.9MB

MD5
bb002948a8365aba4181298a0a92e97f

SHA1
085064564b390c2d5f5f85ee0f4dea43a585fb24

SHA256
b3d0f1c29c27d97cdc35119d090e8fb0e3af1dd0c0b80288212319db59e86e47

SHA512
2e5604b13e68e4db5a464b03c37e2882e0f4c414bd6d0b5853bc5ffe9d4bccba6697faed03c2f3f9e70dfece7f63a72175daf12bf40f471bb3f5e0f2acd3e615

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5E8B.tmp\Install.exe
Filesize
6.9MB

MD5
bb002948a8365aba4181298a0a92e97f

SHA1
085064564b390c2d5f5f85ee0f4dea43a585fb24

SHA256
b3d0f1c29c27d97cdc35119d090e8fb0e3af1dd0c0b80288212319db59e86e47

SHA512
2e5604b13e68e4db5a464b03c37e2882e0f4c414bd6d0b5853bc5ffe9d4bccba6697faed03c2f3f9e70dfece7f63a72175daf12bf40f471bb3f5e0f2acd3e615

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Angolo.dotx
Filesize
924KB

MD5
fdf607410948139c22068fb8af8d5821

SHA1
90c1a1979cf5a5a9b6b0576499c0bdd6cd13dadb

SHA256
9b3e8ec7b9ba04b515023cc3d0b2b636292d3cb1f8788b23cf82aa797ed9a80b

SHA512
9b7eeeb3c9d5287123b53340f22a9b9e66c2bd81044f3af4e80fd30fb7b232dd6506d492e300911d54c2f33764cd04ca1efa4f19b6165022fd6ba974c1a488a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Braccio.dotx
Filesize
1.1MB

MD5
7ae1048184e9a8a2f40ef77ad38a526b

SHA1
b6e343aa10043016df9c3c8c4794df958d5bb153

SHA256
27702845d310f80831b593003299adc381fb1bf389e2cb29ab0679112e1aa7d8

SHA512
9cb22240a10adbb8a88f754f1aef348424d019f1b364f5e65f63bf960e48a5c67f33a2abc235d7d71649c3a2884dcd2442e63b6af879f4f9964e23cbec1e8e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cerulea.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cerulea.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Scioglie.dotx
Filesize
13KB

MD5
40d7dbb9d120955e3b5ab55edbb01252

SHA1
3c0e3bdd0fe3e70c46d2a737e32b5532ab88f79f

SHA256
3acd939d37499fb50f3b64e49ae6c23a2b72173672df912b86824f24c84d9871

SHA512
e1270f708b2a8bce5ae16bea153df0d2e41f1fa4d2dc3da9bb975553df81fdd2df110037adfff4254f8924aa7b3f57ab633347030f4482f65b62c9c38a679d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.accdr
Filesize
1.0MB

MD5
bbaf2ff4bc0a2c679aa667a341837d14

SHA1
e78a4508ddc35c1e833c51586b97afd05573187b

SHA256
ff3cfef5681c8af26f660021427e0dcf88889029619c43c2da84cbb3f362427f

SHA512
08aca1aa89c5b10566f784f64c3feff02aa8b23b53e35cfdc8fee1af56e279582dae4fa8a4b2c0b491808e991ea8909e537437c1194563e3a15d6fe4c9eb4795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stupore.accdr
Filesize
924KB

MD5
0db448269b4615951c8755e361c9ad56

SHA1
21d7ef714e7bf0acb7df28589bd79abfcbf93628

SHA256
98d986c5f130b34cfd5be118a66113b301e363938ca9feb324f35262c08dd161

SHA512
03180ba969c1f6ba5e1609a9ee9231bf3b359edd29ef7f3c20046b60cb13c8ba8edac75000c4c062b3108408b3668792dc3ad2380378494be2800252f193292e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.accdr
Filesize
7KB

MD5
61200087a052e51dc85e3cb13014c1b5

SHA1
88868b04f90da46f2a45b70a73fb166a59fd3935

SHA256
0d92ccdc2dce79147269478fd7bd8a951b4fb8c09ceb4da9ba05ce965af38e28

SHA512
f9039a3aa54b1a2cd5f80660c5436c403b3a94d97209c072b70f98fd9df4f433c94a4f90e19fb294abd217ec136c2f8f44bc452564ea5a0ef9e918c1447a5045

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.exe
Filesize
32KB

MD5
8b97ca695de1e91772754b24d7d74222

SHA1
236734263cdc668c2e224716d203598f26ca0602

SHA256
db81d7dbc1f98461a826025755644a3780e981e9a6e153bbf64abee5635810e4

SHA512
0152412759fc684047e6ee745e5310c75203e9e78a636d8a5c6a4392bd9e531ab3019e28bcb9cd2244f7cc71277c596c354bc76d02e270fed667a3fead70ee5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\System.exe
Filesize
32KB

MD5
8b97ca695de1e91772754b24d7d74222

SHA1
236734263cdc668c2e224716d203598f26ca0602

SHA256
db81d7dbc1f98461a826025755644a3780e981e9a6e153bbf64abee5635810e4

SHA512
0152412759fc684047e6ee745e5310c75203e9e78a636d8a5c6a4392bd9e531ab3019e28bcb9cd2244f7cc71277c596c354bc76d02e270fed667a3fead70ee5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mLib.vb
Filesize
20KB

MD5
80e5402f25971dca1bd3823193b2a268

SHA1
c961d2701580781058c475872c4c057e241ad10f

SHA256
0c59c476386f314fc6565d62068269951ca89ece0f24047fff68270f6a2faef1

SHA512
adce8ba1a645501c555bf2202f6b0e8d181b0d09b91de38e1d414c450f8bc75e40a3edc3d504f775a849ca4a81111a1bba4d039348960a1f65cdce9b735a4bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll
Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll
Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll
Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll
Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll
Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll
Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll
Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
Filesize
4.3MB

MD5
b764505e47f4e40c90c016467d8d3087

SHA1
b6ef999e0b00b80abfbdad9a1601b832db1339ce

SHA256
0fa11b44efaf2bcfa5fdb8d9e7eb8b06dbf2ea8e5f5637902a2726acfa5b3b3f

SHA512
bda1993fc7378d28bcc0e644133348348528e8866bc277111e23e7540d27996353410dc5fab307f8f31aa12dc2e9ea1d9d192346d1f7efc3d50999590690dd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
Filesize
4.3MB

MD5
b764505e47f4e40c90c016467d8d3087

SHA1
b6ef999e0b00b80abfbdad9a1601b832db1339ce

SHA256
0fa11b44efaf2bcfa5fdb8d9e7eb8b06dbf2ea8e5f5637902a2726acfa5b3b3f

SHA512
bda1993fc7378d28bcc0e644133348348528e8866bc277111e23e7540d27996353410dc5fab307f8f31aa12dc2e9ea1d9d192346d1f7efc3d50999590690dd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll
Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll
Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dJ9D2LWF.S5p
Filesize
1.6MB

MD5
e6781bda7dd3b349110478bde0c43310

SHA1
4377ca545d3ee074a1eab1a49a7a776c491116ee

SHA256
238db1d122a2d06ca95ebe9f56b6e1a7f528bdf7f42ba947ec0fbf511ecfb39d

SHA512
f92cfe07a5f227550c656740af6ed37358bcee33faa58075c7d7be4cb61f265fa6b3642a9752bf0fc416cb47a8063f9a2fe052b31f0aa952495ecdd0d7e64475

Download Submit
C:\Users\Admin\AppData\Local\Temp\dJ9D2LWf.S5p
Filesize
1.6MB

MD5
e6781bda7dd3b349110478bde0c43310

SHA1
4377ca545d3ee074a1eab1a49a7a776c491116ee

SHA256
238db1d122a2d06ca95ebe9f56b6e1a7f528bdf7f42ba947ec0fbf511ecfb39d

SHA512
f92cfe07a5f227550c656740af6ed37358bcee33faa58075c7d7be4cb61f265fa6b3642a9752bf0fc416cb47a8063f9a2fe052b31f0aa952495ecdd0d7e64475

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0BVQM.tmp\is-1BRJU.tmp
Filesize
658KB

MD5
fec7bff4c36a4303ade51e3ed704e708

SHA1
487c0f4af67e56a661b9f1d99515ff080db968c3

SHA256
0414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f

SHA512
1267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0BVQM.tmp\is-1BRJU.tmp
Filesize
658KB

MD5
fec7bff4c36a4303ade51e3ed704e708

SHA1
487c0f4af67e56a661b9f1d99515ff080db968c3

SHA256
0414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f

SHA512
1267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MUBGN.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe
Filesize
4.1MB

MD5
7e1cfaf5e71b2ffe2e0ea6a17c22d111

SHA1
ce1b85590d3d86e667ee79f71070f3988679f79e

SHA256
ef48417a56d2c3f7ee5acf5061d4edb24db3dcd3250801e4fc68580fe287e76a

SHA512
9acb36d58a52b1e458a4db6b680757d62a59d2c4cdc929d5efb42461242191006842586c3732d1f19e5ec34d35661734f22e0696c6df5cc074dc3d33d50cb439

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe
Filesize
4.1MB

MD5
7e1cfaf5e71b2ffe2e0ea6a17c22d111

SHA1
ce1b85590d3d86e667ee79f71070f3988679f79e

SHA256
ef48417a56d2c3f7ee5acf5061d4edb24db3dcd3250801e4fc68580fe287e76a

SHA512
9acb36d58a52b1e458a4db6b680757d62a59d2c4cdc929d5efb42461242191006842586c3732d1f19e5ec34d35661734f22e0696c6df5cc074dc3d33d50cb439

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6VxOHqoOJZPGM0xSo2gx8hTT.exe
Filesize
4.1MB

MD5
7e1cfaf5e71b2ffe2e0ea6a17c22d111

SHA1
ce1b85590d3d86e667ee79f71070f3988679f79e

SHA256
ef48417a56d2c3f7ee5acf5061d4edb24db3dcd3250801e4fc68580fe287e76a

SHA512
9acb36d58a52b1e458a4db6b680757d62a59d2c4cdc929d5efb42461242191006842586c3732d1f19e5ec34d35661734f22e0696c6df5cc074dc3d33d50cb439

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FxQXNZJgkRb_16RrHPRnKAf7.exe
Filesize
956KB

MD5
007b8a13e7a06cb79c0b6dcd1b622fe3

SHA1
4f29a9c3dc89b558ce2856f86a0195b83e77c799

SHA256
c8c29747de0e8294d559a19e183e9ad6fd4c738a6e99bbf2f46f8dc1a3b7d05b

SHA512
bca742866fe7457d3ae5cefb8ff4fa9a49a3ea4ad6772f708d53e5f2527cd386098956507edc19613269388ff00f25ce9920f94eb08be449f342b4b742c6f18b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HxgsP2D3lwpa2ZOjps489MOg.exe
Filesize
934KB

MD5
d57358dc5a8f0319a808e9e4ff7edaf1

SHA1
331dfc86cb6b588f2f55e9524ed134209234be0a

SHA256
61942e005f67064ee8c7919dcdd3a4f847f089a2dfe8c77cf7a8ec2d263ff775

SHA512
fb9b9a71a77178e0821466ef492376e7c67d354a80f2c6ba4b0046cc10580f8b27a1c6bcdbf35aa940b63737850cc7f160f1a0b9227cfaa9aa6f4eed184e5b62

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U3LdxS8Xd6kFGApwuueK7bQb.exe
Filesize
5.7MB

MD5
3772f923f08c925ad5f894d3a21e5d7d

SHA1
bcd6cc5034f1d4d194dd358a772fdfc5e03371ab

SHA256
0e63b13097c8e9ed9f0fe06c7972be1beb8890e6e7640584be1afd5740276307

SHA512
20a421ac32a930e3c1426209e66e640ddde54ac635ea56e2ef02f77ce4db0d2b7147949c1c1052f96c7a7c67a4a9d03ecb070e3c3104d45f2fc9d5c6a5c9eb36

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U3LdxS8Xd6kFGApwuueK7bQb.exe
Filesize
5.7MB

MD5
3772f923f08c925ad5f894d3a21e5d7d

SHA1
bcd6cc5034f1d4d194dd358a772fdfc5e03371ab

SHA256
0e63b13097c8e9ed9f0fe06c7972be1beb8890e6e7640584be1afd5740276307

SHA512
20a421ac32a930e3c1426209e66e640ddde54ac635ea56e2ef02f77ce4db0d2b7147949c1c1052f96c7a7c67a4a9d03ecb070e3c3104d45f2fc9d5c6a5c9eb36

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_4twfxAWOSftRXBUIAPTOX3x.exe
Filesize
3.8MB

MD5
77d8df4427c8b1a28c8d2591a9c92a70

SHA1
9a0e1ca712f93f4ab30b162f5c9b04d9c825f1f9

SHA256
00cbd7c3427b9d2e960bd1d3fb04d3897a7c53486b52e5c42f0c2c6678a63762

SHA512
8204c35c4b4aa6a15c4d32d8600d0792e21296af633fc0ab45141abdfd7bcf0fb9b96a972f7734e01ca0ee9002d0e730f6380c5593ed0ca5e534c7c48ed83b98

Download Submit
C:\Users\Admin\Pictures\Adobe Films\_4twfxAWOSftRXBUIAPTOX3x.exe
Filesize
3.8MB

MD5
77d8df4427c8b1a28c8d2591a9c92a70

SHA1
9a0e1ca712f93f4ab30b162f5c9b04d9c825f1f9

SHA256
00cbd7c3427b9d2e960bd1d3fb04d3897a7c53486b52e5c42f0c2c6678a63762

SHA512
8204c35c4b4aa6a15c4d32d8600d0792e21296af633fc0ab45141abdfd7bcf0fb9b96a972f7734e01ca0ee9002d0e730f6380c5593ed0ca5e534c7c48ed83b98

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aQyuH1RbVJkSd6jdmm7AbB8t.exe
Filesize
311KB

MD5
6eab6699b3c628e440c68a50b521bb2c

SHA1
789cd7ba45bb77fc111d962bd0ba5db91b20c605

SHA256
aa7b7835ba8f47e09a87b57437d97f6c62d61ebe909071d0a3d62f9780fdb603

SHA512
8cc5d9bd776f0b7ec3e2f8e0bcbf574043b22bd9ae6ab3b92f4effd47ee96adddcf03bfd4dab94da1090986bf6ca7d56cedd992542daf5198fdc91181b6088f9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aQyuH1RbVJkSd6jdmm7AbB8t.exe
Filesize
311KB

MD5
6eab6699b3c628e440c68a50b521bb2c

SHA1
789cd7ba45bb77fc111d962bd0ba5db91b20c605

SHA256
aa7b7835ba8f47e09a87b57437d97f6c62d61ebe909071d0a3d62f9780fdb603

SHA512
8cc5d9bd776f0b7ec3e2f8e0bcbf574043b22bd9ae6ab3b92f4effd47ee96adddcf03bfd4dab94da1090986bf6ca7d56cedd992542daf5198fdc91181b6088f9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oAKmVAYE18Y3cyyHbTsBaqvR.exe
Filesize
859KB

MD5
c385d359140d34dbfd9c8b0fd61630cf

SHA1
579287991e41cc9be05d928a44dff09069bf4e0d

SHA256
311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2

SHA512
d44743feb5d9042df55149889e96816ec8b631af326c81e8546cc68f87e08ff54c38d4f2f81d7815e103c5b7bbd1f511fa2dd13bddb561e2d2e3cd7b3f3e5871

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oAKmVAYE18Y3cyyHbTsBaqvR.exe
Filesize
859KB

MD5
c385d359140d34dbfd9c8b0fd61630cf

SHA1
579287991e41cc9be05d928a44dff09069bf4e0d

SHA256
311f57a006abd7d319bec7dec2b591280a573a039223a48f62ba95da028857a2

SHA512
d44743feb5d9042df55149889e96816ec8b631af326c81e8546cc68f87e08ff54c38d4f2f81d7815e103c5b7bbd1f511fa2dd13bddb561e2d2e3cd7b3f3e5871

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oaiOjU68Fuu9Ukjqbvx90k1d.exe
Filesize
1.4MB

MD5
47d8824241636f9895d127858b55401f

SHA1
c3ec120e33e0723fbe509dcbf08e1605986b43d6

SHA256
eda1406b045f2bbcbfa4f46b5995b995afe5ebc81eb17fb04907d29c00eb484f

SHA512
b023a708cf205739e1873eaca901abed1d76c82e45ad014cc2bb9638c36f1eff6fe6586dc92b36c695b414733e13bb482c5dd5cd719ad6396dfce6141cca3d08

Download Submit
C:\Users\Admin\Pictures\Adobe Films\oaiOjU68Fuu9Ukjqbvx90k1d.exe
Filesize
1.4MB

MD5
47d8824241636f9895d127858b55401f

SHA1
c3ec120e33e0723fbe509dcbf08e1605986b43d6

SHA256
eda1406b045f2bbcbfa4f46b5995b995afe5ebc81eb17fb04907d29c00eb484f

SHA512
b023a708cf205739e1873eaca901abed1d76c82e45ad014cc2bb9638c36f1eff6fe6586dc92b36c695b414733e13bb482c5dd5cd719ad6396dfce6141cca3d08

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t0wfPvYgnVs4ApyBnBQtNIlK.exe
Filesize
7.3MB

MD5
a88886010a058f2b1253f72756225eb7

SHA1
97379e74c1f648b494a77cdae80c116aadf113e3

SHA256
dcd7b0ba256de34627e0658c4ed3bcb9e4b054b79244e28f37b0acfab8eb3cd1

SHA512
bd17c2817da6bc77c2d8ad0beeefe22e90ef46c95ff6263748b3dbf8ebede13df7e5e1d6bd51554c1f6d4c7fc02f8ca115bcd9519df051588aa79b43e780f54e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t0wfPvYgnVs4ApyBnBQtNIlK.exe
Filesize
7.3MB

MD5
a88886010a058f2b1253f72756225eb7

SHA1
97379e74c1f648b494a77cdae80c116aadf113e3

SHA256
dcd7b0ba256de34627e0658c4ed3bcb9e4b054b79244e28f37b0acfab8eb3cd1

SHA512
bd17c2817da6bc77c2d8ad0beeefe22e90ef46c95ff6263748b3dbf8ebede13df7e5e1d6bd51554c1f6d4c7fc02f8ca115bcd9519df051588aa79b43e780f54e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\x3lizVDf3EAyXsOsOCyclre9.exe
Filesize
2.5MB

MD5
d33f5c381c8a2dc544c313355ba4eb64

SHA1
a342afff06633cacdb904c28ec7b78a8bfd559fd

SHA256
e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d

SHA512
77bd9d3a35129c392db6976279c32216e35e174a658fa03660b6a874391e3d048f640546eef2094fe5498d495726359581ba2c2a81775f66a23eeec397157417

Download Submit
C:\Users\Admin\Pictures\Adobe Films\x3lizVDf3EAyXsOsOCyclre9.exe
Filesize
2.5MB

MD5
d33f5c381c8a2dc544c313355ba4eb64

SHA1
a342afff06633cacdb904c28ec7b78a8bfd559fd

SHA256
e40f0c222b4e696c27be11d5250c3763f04e5c4e7f1525becd1ec11b333b4c5d

SHA512
77bd9d3a35129c392db6976279c32216e35e174a658fa03660b6a874391e3d048f640546eef2094fe5498d495726359581ba2c2a81775f66a23eeec397157417

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
7e1cfaf5e71b2ffe2e0ea6a17c22d111

SHA1
ce1b85590d3d86e667ee79f71070f3988679f79e

SHA256
ef48417a56d2c3f7ee5acf5061d4edb24db3dcd3250801e4fc68580fe287e76a

SHA512
9acb36d58a52b1e458a4db6b680757d62a59d2c4cdc929d5efb42461242191006842586c3732d1f19e5ec34d35661734f22e0696c6df5cc074dc3d33d50cb439

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
7e1cfaf5e71b2ffe2e0ea6a17c22d111

SHA1
ce1b85590d3d86e667ee79f71070f3988679f79e

SHA256
ef48417a56d2c3f7ee5acf5061d4edb24db3dcd3250801e4fc68580fe287e76a

SHA512
9acb36d58a52b1e458a4db6b680757d62a59d2c4cdc929d5efb42461242191006842586c3732d1f19e5ec34d35661734f22e0696c6df5cc074dc3d33d50cb439

Download Submit
memory/216-168-0x0000000000000000-mapping.dmp

Download
memory/340-167-0x0000000000000000-mapping.dmp

Download
memory/396-145-0x0000000000000000-mapping.dmp

Download
memory/404-199-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

Filesize
36KB

Download
memory/404-222-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/404-196-0x0000000000B88000-0x0000000000B98000-memory.dmp

Filesize
64KB

Download
memory/404-200-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/404-141-0x0000000000000000-mapping.dmp

Download
memory/424-143-0x0000000000000000-mapping.dmp

Download
memory/744-357-0x0000000000000000-mapping.dmp

Download
memory/744-362-0x0000000000BC0000-0x0000000000E3E000-memory.dmp

Filesize
2.5MB

Download
memory/856-230-0x0000000004C2A000-0x0000000005013000-memory.dmp

Filesize
3.9MB

Download
memory/856-229-0x0000000005020000-0x0000000005896000-memory.dmp

Filesize
8.5MB

Download
memory/856-138-0x0000000000000000-mapping.dmp

Download
memory/856-257-0x0000000000400000-0x0000000002F67000-memory.dmp

Filesize
43.4MB

Download
memory/856-231-0x0000000000400000-0x0000000002F67000-memory.dmp

Filesize
43.4MB

Download
memory/908-265-0x0000000000000000-mapping.dmp

Download
memory/1188-227-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/1188-212-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/1188-193-0x0000000000400000-0x000000000164C000-memory.dmp

Filesize
18.3MB

Download
memory/1188-178-0x0000000000000000-mapping.dmp

Download
memory/1284-330-0x0000000000000000-mapping.dmp

Download
memory/1396-137-0x0000000000000000-mapping.dmp

Download
memory/1432-142-0x0000000000000000-mapping.dmp

Download
memory/1492-252-0x0000000000000000-mapping.dmp

Download
memory/1568-240-0x0000000000000000-mapping.dmp

Download
memory/1804-303-0x0000000000000000-mapping.dmp

Download
memory/1860-277-0x0000000000000000-mapping.dmp

Download
memory/1924-272-0x0000000000000000-mapping.dmp

Download
memory/2024-269-0x0000000007D30000-0x0000000007EF2000-memory.dmp

Filesize
1.8MB

Download
memory/2024-207-0x0000000000B80000-0x00000000019DC000-memory.dmp

Filesize
14.4MB

Download
memory/2024-206-0x0000000077990000-0x0000000077B33000-memory.dmp

Filesize
1.6MB

Download
memory/2024-204-0x0000000000B80000-0x00000000019DC000-memory.dmp

Filesize
14.4MB

Download
memory/2024-270-0x0000000008430000-0x000000000895C000-memory.dmp

Filesize
5.2MB

Download
memory/2024-215-0x0000000006660000-0x0000000006C78000-memory.dmp

Filesize
6.1MB

Download
memory/2024-268-0x0000000007410000-0x000000000742E000-memory.dmp

Filesize
120KB

Download
memory/2024-267-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/2024-217-0x00000000060F0000-0x0000000006102000-memory.dmp

Filesize
72KB

Download
memory/2024-219-0x0000000006220000-0x000000000632A000-memory.dmp

Filesize
1.0MB

Download
memory/2024-251-0x0000000077990000-0x0000000077B33000-memory.dmp

Filesize
1.6MB

Download
memory/2024-140-0x0000000000000000-mapping.dmp

Download
memory/2024-266-0x0000000007130000-0x00000000071C2000-memory.dmp

Filesize
584KB

Download
memory/2024-236-0x0000000000B80000-0x00000000019DC000-memory.dmp

Filesize
14.4MB

Download
memory/2024-282-0x0000000007610000-0x0000000007660000-memory.dmp

Filesize
320KB

Download
memory/2024-263-0x0000000007000000-0x0000000007076000-memory.dmp

Filesize
472KB

Download
memory/2024-223-0x0000000006150000-0x000000000618C000-memory.dmp

Filesize
240KB

Download
memory/2024-261-0x00000000064B0000-0x0000000006516000-memory.dmp

Filesize
408KB

Download
memory/2024-164-0x0000000000B80000-0x00000000019DC000-memory.dmp

Filesize
14.4MB

Download
memory/2332-233-0x0000000000000000-mapping.dmp

Download
memory/2384-246-0x0000000000000000-mapping.dmp

Download
memory/2392-295-0x0000000000000000-mapping.dmp

Download
memory/2412-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-291-0x0000000000000000-mapping.dmp

Download
memory/2664-262-0x0000000000000000-mapping.dmp

Download
memory/2664-170-0x0000000000000000-mapping.dmp

Download
memory/2684-224-0x0000000000000000-mapping.dmp

Download
memory/2804-139-0x0000000000000000-mapping.dmp

Download
memory/2848-225-0x0000000000000000-mapping.dmp

Download
memory/2852-283-0x00000214E7FE0000-0x00000214E8002000-memory.dmp

Filesize
136KB

Download
memory/2852-284-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/2852-286-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/2976-136-0x0000000000000000-mapping.dmp

Download
memory/2976-162-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2976-169-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2976-228-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3288-280-0x0000000000000000-mapping.dmp

Download
memory/3304-387-0x0000000000000000-mapping.dmp

Download
memory/3312-285-0x0000000000000000-mapping.dmp

Download
memory/3344-226-0x0000000000000000-mapping.dmp

Download
memory/3376-293-0x0000000000000000-mapping.dmp

Download
memory/3452-239-0x0000000000000000-mapping.dmp

Download
memory/3472-242-0x0000000000000000-mapping.dmp

Download
memory/3480-235-0x0000000000000000-mapping.dmp

Download
memory/3612-302-0x0000000000400000-0x0000000002F67000-memory.dmp

Filesize
43.4MB

Download
memory/3612-287-0x0000000000000000-mapping.dmp

Download
memory/3612-300-0x0000000005100000-0x00000000054E9000-memory.dmp

Filesize
3.9MB

Download
memory/3612-292-0x0000000005100000-0x00000000054E9000-memory.dmp

Filesize
3.9MB

Download
memory/3612-294-0x0000000000400000-0x0000000002F67000-memory.dmp

Filesize
43.4MB

Download
memory/3728-238-0x0000000000000000-mapping.dmp

Download
memory/3928-241-0x0000000000000000-mapping.dmp

Download
memory/4024-185-0x0000000003930000-0x0000000003B84000-memory.dmp

Filesize
2.3MB

Download
memory/4024-135-0x0000000003930000-0x0000000003B84000-memory.dmp

Filesize
2.3MB

Download
memory/4084-234-0x0000000000000000-mapping.dmp

Download
memory/4116-183-0x0000000000000000-mapping.dmp

Download
memory/4160-275-0x0000000000000000-mapping.dmp

Download
memory/4172-232-0x0000000000000000-mapping.dmp

Download
memory/4200-237-0x0000000000000000-mapping.dmp

Download
memory/4216-296-0x0000000000000000-mapping.dmp

Download
memory/4304-264-0x0000000000000000-mapping.dmp

Download
memory/4356-218-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/4356-201-0x0000000000000000-mapping.dmp

Download
memory/4356-205-0x000001B35EB20000-0x000001B35EB2C000-memory.dmp

Filesize
48KB

Download
memory/4356-255-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/4360-250-0x0000000000000000-mapping.dmp

Download
memory/4360-290-0x0000000000400000-0x0000000002F67000-memory.dmp

Filesize
43.4MB

Download
memory/4360-271-0x0000000004CAE000-0x0000000005097000-memory.dmp

Filesize
3.9MB

Download
memory/4360-279-0x0000000000400000-0x0000000002F67000-memory.dmp

Filesize
43.4MB

Download
memory/4468-432-0x00007FFCF0A30000-0x00007FFCF0ADA000-memory.dmp

Filesize
680KB

Download
memory/4468-434-0x00007FFD09470000-0x00007FFD09482000-memory.dmp

Filesize
72KB

Download
memory/4468-433-0x00007FFD0C760000-0x00007FFD0C7FE000-memory.dmp

Filesize
632KB

Download
memory/4468-435-0x00007FFCF0970000-0x00007FFCF0A2D000-memory.dmp

Filesize
756KB

Download
memory/4468-437-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/4468-436-0x00007FFD0C0A0000-0x00007FFD0C241000-memory.dmp

Filesize
1.6MB

Download
memory/4628-388-0x0000000000000000-mapping.dmp

Download
memory/4632-182-0x0000000000000000-mapping.dmp

Download
memory/4644-243-0x0000000000000000-mapping.dmp

Download
memory/4656-244-0x0000000000000000-mapping.dmp

Download
memory/4680-213-0x0000000018600000-0x0000000018BB1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-209-0x0000000000000000-mapping.dmp

Download
memory/4728-281-0x0000000000000000-mapping.dmp

Download
memory/4740-344-0x0000000002E50000-0x0000000002E92000-memory.dmp

Filesize
264KB

Download
memory/4740-332-0x0000000000000000-mapping.dmp

Download
memory/4740-374-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/4740-371-0x00007FFCFFFD0000-0x00007FFCFFFE9000-memory.dmp

Filesize
100KB

Download
memory/4740-364-0x00007FF783340000-0x00007FF783458000-memory.dmp

Filesize
1.1MB

Download
memory/4740-345-0x00007FFD0C0A0000-0x00007FFD0C241000-memory.dmp

Filesize
1.6MB

Download
memory/4740-349-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/4740-368-0x00007FFCEE460000-0x00007FFCEE5AE000-memory.dmp

Filesize
1.3MB

Download
memory/4740-355-0x00007FFD0C910000-0x00007FFD0C93B000-memory.dmp

Filesize
172KB

Download
memory/4740-336-0x00007FFCF0A30000-0x00007FFCF0ADA000-memory.dmp

Filesize
680KB

Download
memory/4740-337-0x00007FFD0C760000-0x00007FFD0C7FE000-memory.dmp

Filesize
632KB

Download
memory/4740-339-0x00007FFD09470000-0x00007FFD09482000-memory.dmp

Filesize
72KB

Download
memory/4740-342-0x00007FF783340000-0x00007FF783458000-memory.dmp

Filesize
1.1MB

Download
memory/4740-343-0x00007FFCF0970000-0x00007FFCF0A2D000-memory.dmp

Filesize
756KB

Download
memory/4740-397-0x00007FFD0BE00000-0x00007FFD0BE27000-memory.dmp

Filesize
156KB

Download
memory/4744-297-0x0000000000000000-mapping.dmp

Download
memory/4780-348-0x00007FFCF0A30000-0x00007FFCF0ADA000-memory.dmp

Filesize
680KB

Download
memory/4780-352-0x00007FFD09470000-0x00007FFD09482000-memory.dmp

Filesize
72KB

Download
memory/4780-376-0x00007FFCFFFD0000-0x00007FFCFFFE9000-memory.dmp

Filesize
100KB

Download
memory/4780-346-0x00007FF6E1B50000-0x00007FF6E1C68000-memory.dmp

Filesize
1.1MB

Download
memory/4780-366-0x00007FFD0C910000-0x00007FFD0C93B000-memory.dmp

Filesize
172KB

Download
memory/4780-354-0x00007FFCF0970000-0x00007FFCF0A2D000-memory.dmp

Filesize
756KB

Download
memory/4780-356-0x00007FFD0C0A0000-0x00007FFD0C241000-memory.dmp

Filesize
1.6MB

Download
memory/4780-335-0x0000000000000000-mapping.dmp

Download
memory/4780-358-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/4780-375-0x00007FFCEE460000-0x00007FFCEE5AE000-memory.dmp

Filesize
1.3MB

Download
memory/4780-373-0x00007FF6E1B50000-0x00007FF6E1C68000-memory.dmp

Filesize
1.1MB

Download
memory/4780-361-0x0000000002DC0000-0x0000000002E02000-memory.dmp

Filesize
264KB

Download
memory/4780-350-0x00007FFD0C760000-0x00007FFD0C7FE000-memory.dmp

Filesize
632KB

Download
memory/4780-399-0x00007FFD0BE00000-0x00007FFD0BE27000-memory.dmp

Filesize
156KB

Download
memory/4852-247-0x0000000002E40000-0x0000000002EFB000-memory.dmp

Filesize
748KB

Download
memory/4852-258-0x0000000002F00000-0x0000000002FA7000-memory.dmp

Filesize
668KB

Download
memory/4852-191-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4852-177-0x0000000000000000-mapping.dmp

Download
memory/4852-208-0x0000000001260000-0x0000000001266000-memory.dmp

Filesize
24KB

Download
memory/4892-184-0x0000000000000000-mapping.dmp

Download
memory/4900-323-0x0000000000820000-0x0000000000C6C000-memory.dmp

Filesize
4.3MB

Download
memory/4900-321-0x0000000073EF0000-0x0000000073FB1000-memory.dmp

Filesize
772KB

Download
memory/4900-329-0x0000000000820000-0x0000000000C6C000-memory.dmp

Filesize
4.3MB

Download
memory/4900-327-0x0000000073940000-0x0000000073A02000-memory.dmp

Filesize
776KB

Download
memory/4900-322-0x0000000073EC0000-0x0000000073EEA000-memory.dmp

Filesize
168KB

Download
memory/4900-328-0x0000000073EC0000-0x0000000073EEA000-memory.dmp

Filesize
168KB

Download
memory/4900-325-0x0000000073A10000-0x0000000073D11000-memory.dmp

Filesize
3.0MB

Download
memory/4900-324-0x0000000073EF0000-0x0000000073FB1000-memory.dmp

Filesize
772KB

Download
memory/4924-340-0x00000000001A0000-0x000000000065C000-memory.dmp

Filesize
4.7MB

Download
memory/4924-331-0x0000000000000000-mapping.dmp

Download
memory/4936-326-0x0000000000000000-mapping.dmp

Download
memory/4952-248-0x0000000000000000-mapping.dmp

Download
memory/5008-383-0x0000000016AA0000-0x0000000017051000-memory.dmp

Filesize
5.7MB

Download
memory/5060-144-0x0000000000000000-mapping.dmp

Download
memory/5060-173-0x0000000140000000-0x00000001406A2000-memory.dmp

Filesize
6.6MB

Download
memory/5116-360-0x00007FFD0C760000-0x00007FFD0C7FE000-memory.dmp

Filesize
632KB

Download
memory/5116-363-0x00007FFD09470000-0x00007FFD09482000-memory.dmp

Filesize
72KB

Download
memory/5116-379-0x00007FFCEE460000-0x00007FFCEE5AE000-memory.dmp

Filesize
1.3MB

Download
memory/5116-369-0x0000000003020000-0x0000000003062000-memory.dmp

Filesize
264KB

Download
memory/5116-404-0x00007FFD0BE00000-0x00007FFD0BE27000-memory.dmp

Filesize
156KB

Download
memory/5116-365-0x00007FF694230000-0x00007FF694348000-memory.dmp

Filesize
1.1MB

Download
memory/5116-377-0x00007FFD0C910000-0x00007FFD0C93B000-memory.dmp

Filesize
172KB

Download
memory/5116-359-0x00007FFCF0A30000-0x00007FFCF0ADA000-memory.dmp

Filesize
680KB

Download
memory/5116-380-0x00007FFCFFFD0000-0x00007FFCFFFE9000-memory.dmp

Filesize
100KB

Download
memory/5116-372-0x00007FFCEFBB0000-0x00007FFCF0671000-memory.dmp

Filesize
10.8MB

Download
memory/5116-367-0x00007FFCF0970000-0x00007FFCF0A2D000-memory.dmp

Filesize
756KB

Download
memory/5116-370-0x00007FFD0C0A0000-0x00007FFD0C241000-memory.dmp

Filesize
1.6MB

Download
memory/5116-378-0x00007FF694230000-0x00007FF694348000-memory.dmp

Filesize
1.1MB

Download
memory/5116-347-0x0000000000000000-mapping.dmp

Download