dcrat | 02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2022 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
Size

5.5MB
MD5

b89e1c694a9b7d2dfe7556220fc5c4b8
SHA1

7d63890f00ddc391797279d2eb68de1a746f4b3b
SHA256

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef
SHA512

71cae5f99596325ca6cf2675c7f00c130d48d25fdda08ae1c3a0a3ca34a839b41c04087f4bee5fb170260ecd42233712abc7d2ccd00b352b629c6c992f1c54a7
SSDEEP

98304:H2mfSTVQzk+x/cX4gmva9miyobp84qJGANGozaclJejWpdjOGfJ0InK+:7Sp+x/cX/dmiyq84gE9c6KpdXfmIj

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://vipsofts.xyz/files/mega.bmp

Extracted

Family

djvu

http://acacaca.org/test3/get.php

http://acacaca.org/lancer/get.php

Attributes

extension
.aamv
offline_id
MyudhIExJux2oRQXw95TT1oAPu7mvqRMzxr1eet1
payload_url
http://rgyui.top/dl/build2.exe

http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4Xcf4IX21n Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0564Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ruzki17

176.113.115.146:9582

Attributes

auth_value
255dbca556006216f06e94f8237bdb0a

Extracted

Family

redline

Botnet

@forceddd_lzt

5.182.36.101:31305

Attributes

auth_value
91ffc3d776bc56b5c410d1adf5648512

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3384-190-0x0000000002330000-0x000000000244B000-memory.dmp	family_djvu
behavioral2/memory/60404-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/60404-196-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/60404-193-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/60404-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/60404-241-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/60404-245-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4832-269-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4832-270-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4832-274-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4832-312-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4180-352-0x00000000022E0000-0x00000000023FB000-memory.dmp	family_djvu
behavioral2/memory/1744-354-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1744-360-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1332-232-0x0000000000480000-0x0000000000489000-memory.dmp	family_smokeloader
behavioral2/memory/1332-281-0x0000000000480000-0x0000000000489000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

jfoQwtytnL1zZvk7fAPFGVdZ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jfoQwtytnL1zZvk7fAPFGVdZ.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/111296-208-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/123224-214-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

cy28MdLgGDMU7xY0Ke76Al6L.exeN1f3qIXjmueaul5apQ3FO3ay.exegtAkiBRba2FheTNuDByM87b_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cy28MdLgGDMU7xY0Ke76Al6L.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	N1f3qIXjmueaul5apQ3FO3ay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gtAkiBRba2FheTNuDByM87b_.exe

Downloads MZ/PE file

Executes dropped EXE 47 IoCs

Processes:

kfcN2KneQfj64N9Oba9PI8OK.exeYRUjJGW2qktiqn7xsGw0BAyq.exeOrD9qXJz5cYCqOyez9PkaoER.exe3twl9VjmPdYZ_t1_29x7jRwe.exeIj27bKyq_GEVltrW0K1KhSfi.exegJVOpB9AqwtaS0WS68fWnueb.exeHEb3RN4L4Nl9sCsApoNSDKmd.exeN1f3qIXjmueaul5apQ3FO3ay.exegtAkiBRba2FheTNuDByM87b_.execy28MdLgGDMU7xY0Ke76Al6L.exeOrD9qXJz5cYCqOyez9PkaoER.exejfoQwtytnL1zZvk7fAPFGVdZ.exeOrD9qXJz5cYCqOyez9PkaoER.exeOrD9qXJz5cYCqOyez9PkaoER.exebuild2.exebuild2.exebuild3.exeABE1.exeAE34.exeABE1.exeB2C8.exeABE1.exeABE1.exemstsca.exebuild2.exebuild2.exebuild3.exePWvlTr08hFjvrjW7hNrke3q_.exee0lTZS6oOnImWeZ2Ksh4zYSo.exeaFoE9uddObdp4sGWtwdTksa9.exeryaJD0hrwTkbOxBW40FgfxGO.exeGwrcwRvV4f74bWChpNlOBseV.exe09uXYhKaMVXvEMu9wKKPxFAg.exe99sr700Rdh5JRn6iW1ivjxCX.exeSCHz6fyptSYu6xu29soKpgdx.exeXtGS0GCqM4vir_l82C18UUJx.exe7DGqgRnvs5xiMlVVMVa66T95.exeeCdVk5jk9IVBYqxmYpePG65B.exefp0O9TTlQDE9heunLCoT1ok5.exe99sr700Rdh5JRn6iW1ivjxCX.tmpB2C8.exefp0O9TTlQDE9heunLCoT1ok5.exeServer.exeAdblock.execrashpad_handler.exeAdblockInstaller.exeAdblockInstaller.tmp

pid	process
1176	kfcN2KneQfj64N9Oba9PI8OK.exe
1332	YRUjJGW2qktiqn7xsGw0BAyq.exe
3384	OrD9qXJz5cYCqOyez9PkaoER.exe
3520	3twl9VjmPdYZ_t1_29x7jRwe.exe
3640	Ij27bKyq_GEVltrW0K1KhSfi.exe
5064	gJVOpB9AqwtaS0WS68fWnueb.exe
3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe
3004	N1f3qIXjmueaul5apQ3FO3ay.exe
1740	gtAkiBRba2FheTNuDByM87b_.exe
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
60404	OrD9qXJz5cYCqOyez9PkaoER.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123824	OrD9qXJz5cYCqOyez9PkaoER.exe
4832	OrD9qXJz5cYCqOyez9PkaoER.exe
616	build2.exe
4216	build2.exe
3820	build3.exe
4180	ABE1.exe
1292	AE34.exe
1744	ABE1.exe
4536	B2C8.exe
5260	ABE1.exe
5320	ABE1.exe
5552	mstsca.exe
5680	build2.exe
5724	build2.exe
5796	build3.exe
8948	PWvlTr08hFjvrjW7hNrke3q_.exe
8920	e0lTZS6oOnImWeZ2Ksh4zYSo.exe
8980	aFoE9uddObdp4sGWtwdTksa9.exe
9008	ryaJD0hrwTkbOxBW40FgfxGO.exe
9040	GwrcwRvV4f74bWChpNlOBseV.exe
9064	09uXYhKaMVXvEMu9wKKPxFAg.exe
9156	99sr700Rdh5JRn6iW1ivjxCX.exe
9136	SCHz6fyptSYu6xu29soKpgdx.exe
9120	XtGS0GCqM4vir_l82C18UUJx.exe
9168	7DGqgRnvs5xiMlVVMVa66T95.exe
9100	eCdVk5jk9IVBYqxmYpePG65B.exe
9248	fp0O9TTlQDE9heunLCoT1ok5.exe
9784	99sr700Rdh5JRn6iW1ivjxCX.tmp
9992	B2C8.exe
10352	fp0O9TTlQDE9heunLCoT1ok5.exe
10496	Server.exe
10864	Adblock.exe
10960	crashpad_handler.exe
11520	AdblockInstaller.exe
11660	AdblockInstaller.tmp

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

15244 netsh.exe
11836 netsh.exe

pid	process
15244	netsh.exe
11836	netsh.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Minor Policy\kfcN2KneQfj64N9Oba9PI8OK.exe	vmprotect
C:\Users\Admin\Pictures\Minor Policy\kfcN2KneQfj64N9Oba9PI8OK.exe	vmprotect
behavioral2/memory/1176-165-0x0000000140000000-0x0000000140606000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cy28MdLgGDMU7xY0Ke76Al6L.exeN1f3qIXjmueaul5apQ3FO3ay.exegtAkiBRba2FheTNuDByM87b_.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cy28MdLgGDMU7xY0Ke76Al6L.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	N1f3qIXjmueaul5apQ3FO3ay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	N1f3qIXjmueaul5apQ3FO3ay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gtAkiBRba2FheTNuDByM87b_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gtAkiBRba2FheTNuDByM87b_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cy28MdLgGDMU7xY0Ke76Al6L.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exejfoQwtytnL1zZvk7fAPFGVdZ.exeOrD9qXJz5cYCqOyez9PkaoER.exeAdblock.exeaFoE9uddObdp4sGWtwdTksa9.exe99sr700Rdh5JRn6iW1ivjxCX.tmpIj27bKyq_GEVltrW0K1KhSfi.exebuild2.exeB2C8.exeABE1.exee0lTZS6oOnImWeZ2Ksh4zYSo.exe3twl9VjmPdYZ_t1_29x7jRwe.exeOrD9qXJz5cYCqOyez9PkaoER.exeABE1.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	jfoQwtytnL1zZvk7fAPFGVdZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OrD9qXJz5cYCqOyez9PkaoER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Adblock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	aFoE9uddObdp4sGWtwdTksa9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	99sr700Rdh5JRn6iW1ivjxCX.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Ij27bKyq_GEVltrW0K1KhSfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	B2C8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ABE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e0lTZS6oOnImWeZ2Ksh4zYSo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3twl9VjmPdYZ_t1_29x7jRwe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OrD9qXJz5cYCqOyez9PkaoER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ABE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe

Drops startup file 1 IoCs

Processes:

Adblock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk Adblock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk	Adblock.exe

Loads dropped DLL 22 IoCs

Processes:

rundll32.exerundll32.exebuild2.exeregsvr32.exebuild2.exe99sr700Rdh5JRn6iW1ivjxCX.tmprundll32.exeB2C8.exeAdblock.exeAdblockInstaller.tmp

pid	process
71632	rundll32.exe
71632	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
4216	build2.exe
4216	build2.exe
212	regsvr32.exe
5724	build2.exe
5724	build2.exe
9784	99sr700Rdh5JRn6iW1ivjxCX.tmp
10432	rundll32.exe
10432	rundll32.exe
9992	B2C8.exe
9992	B2C8.exe
9992	B2C8.exe
10864	Adblock.exe
10864	Adblock.exe
10864	Adblock.exe
10864	Adblock.exe
10864	Adblock.exe
10864	Adblock.exe
11660	AdblockInstaller.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

123396 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
123396	icacls.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Minor Policy\N1f3qIXjmueaul5apQ3FO3ay.exe	themida
C:\Users\Admin\Pictures\Minor Policy\gtAkiBRba2FheTNuDByM87b_.exe	themida
C:\Users\Admin\Pictures\Minor Policy\gtAkiBRba2FheTNuDByM87b_.exe	themida
C:\Users\Admin\Pictures\Minor Policy\N1f3qIXjmueaul5apQ3FO3ay.exe	themida
behavioral2/memory/1740-168-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
C:\Users\Admin\Pictures\Minor Policy\cy28MdLgGDMU7xY0Ke76Al6L.exe	themida
C:\Users\Admin\Pictures\Minor Policy\cy28MdLgGDMU7xY0Ke76Al6L.exe	themida
behavioral2/memory/3004-171-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral2/memory/3732-174-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral2/memory/1740-180-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral2/memory/3732-181-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral2/memory/1740-185-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral2/memory/1740-182-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral2/memory/3004-179-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral2/memory/3732-178-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral2/memory/3004-175-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral2/memory/3732-176-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral2/memory/1740-221-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral2/memory/3004-226-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral2/memory/3732-227-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral2/memory/1740-292-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral2/memory/3732-295-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral2/memory/3004-303-0x0000000000400000-0x0000000000C05000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OrD9qXJz5cYCqOyez9PkaoER.exeryaJD0hrwTkbOxBW40FgfxGO.exeSCHz6fyptSYu6xu29soKpgdx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f92a1f4f-cece-4257-bdbd-3726873a3c75\\OrD9qXJz5cYCqOyez9PkaoER.exe\" --AutoStart"	OrD9qXJz5cYCqOyez9PkaoER.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ryaJD0hrwTkbOxBW40FgfxGO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ryaJD0hrwTkbOxBW40FgfxGO.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	SCHz6fyptSYu6xu29soKpgdx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SCHz6fyptSYu6xu29soKpgdx.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cy28MdLgGDMU7xY0Ke76Al6L.exegtAkiBRba2FheTNuDByM87b_.exeN1f3qIXjmueaul5apQ3FO3ay.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cy28MdLgGDMU7xY0Ke76Al6L.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gtAkiBRba2FheTNuDByM87b_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	N1f3qIXjmueaul5apQ3FO3ay.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
145	ipinfo.io
206	api.2ip.ua
208	api.2ip.ua
101	ipinfo.io
102	api.2ip.ua
103	api.2ip.ua
144	ipinfo.io
229	api.2ip.ua
10	ipinfo.io
11	ipinfo.io
100	ipinfo.io
232	api.2ip.ua

Drops file in System32 directory 4 IoCs

Processes:

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
File opened for modification	C:\Windows\System32\GroupPolicy	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

N1f3qIXjmueaul5apQ3FO3ay.execy28MdLgGDMU7xY0Ke76Al6L.exegtAkiBRba2FheTNuDByM87b_.exe

pid process

3004 N1f3qIXjmueaul5apQ3FO3ay.exe
3732 cy28MdLgGDMU7xY0Ke76Al6L.exe
1740 gtAkiBRba2FheTNuDByM87b_.exe

pid	process
3004	N1f3qIXjmueaul5apQ3FO3ay.exe
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
1740	gtAkiBRba2FheTNuDByM87b_.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

OrD9qXJz5cYCqOyez9PkaoER.exegJVOpB9AqwtaS0WS68fWnueb.exeHEb3RN4L4Nl9sCsApoNSDKmd.exeOrD9qXJz5cYCqOyez9PkaoER.exebuild2.exeABE1.exeABE1.exebuild2.exeB2C8.exefp0O9TTlQDE9heunLCoT1ok5.exeXtGS0GCqM4vir_l82C18UUJx.exe

description	pid	process	target process
PID 3384 set thread context of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 5064 set thread context of 111296	5064	gJVOpB9AqwtaS0WS68fWnueb.exe	AppLaunch.exe
PID 3764 set thread context of 123224	3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe	AppLaunch.exe
PID 123824 set thread context of 4832	123824	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 616 set thread context of 4216	616	build2.exe	build2.exe
PID 4180 set thread context of 1744	4180	ABE1.exe	ABE1.exe
PID 5260 set thread context of 5320	5260	ABE1.exe	ABE1.exe
PID 5680 set thread context of 5724	5680	build2.exe	build2.exe
PID 4536 set thread context of 9992	4536	B2C8.exe	B2C8.exe
PID 9248 set thread context of 10352	9248	fp0O9TTlQDE9heunLCoT1ok5.exe	fp0O9TTlQDE9heunLCoT1ok5.exe
PID 9120 set thread context of 11716	9120	XtGS0GCqM4vir_l82C18UUJx.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

Ij27bKyq_GEVltrW0K1KhSfi.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Ij27bKyq_GEVltrW0K1KhSfi.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Ij27bKyq_GEVltrW0K1KhSfi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
54960	1176	WerFault.exe	kfcN2KneQfj64N9Oba9PI8OK.exe
10244	9100	WerFault.exe	eCdVk5jk9IVBYqxmYpePG65B.exe
10416	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
10636	8920	WerFault.exe	e0lTZS6oOnImWeZ2Ksh4zYSo.exe
10760	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
10832	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
10940	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
11112	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
11312	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
11464	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe
12036	9040	WerFault.exe	GwrcwRvV4f74bWChpNlOBseV.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

YRUjJGW2qktiqn7xsGw0BAyq.exeAE34.exefp0O9TTlQDE9heunLCoT1ok5.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YRUjJGW2qktiqn7xsGw0BAyq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AE34.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AE34.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fp0O9TTlQDE9heunLCoT1ok5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YRUjJGW2qktiqn7xsGw0BAyq.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AE34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fp0O9TTlQDE9heunLCoT1ok5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fp0O9TTlQDE9heunLCoT1ok5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	YRUjJGW2qktiqn7xsGw0BAyq.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exebuild2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

123308 schtasks.exe
123344 schtasks.exe
2360 schtasks.exe
5628 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4092 timeout.exe
10780 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

12700 tasklist.exe
13048 tasklist.exe
14708 tasklist.exe
14840 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

12356 ipconfig.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

640 taskkill.exe
10584 taskkill.exe
10612 taskkill.exe
12560 taskkill.exe
12616 taskkill.exe

pid	process
123308	schtasks.exe
123344	schtasks.exe
2360	schtasks.exe
5628	schtasks.exe

pid	process
4092	timeout.exe
10780	timeout.exe

pid	process
12700	tasklist.exe
13048	tasklist.exe
14708	tasklist.exe
14840	tasklist.exe

pid	process
12356	ipconfig.exe

pid	process
640	taskkill.exe
10584	taskkill.exe
10612	taskkill.exe
12560	taskkill.exe
12616	taskkill.exe

Modifies registry class 3 IoCs

Processes:

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe3twl9VjmPdYZ_t1_29x7jRwe.exeaFoE9uddObdp4sGWtwdTksa9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	3twl9VjmPdYZ_t1_29x7jRwe.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	aFoE9uddObdp4sGWtwdTksa9.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

11488 reg.exe
14796 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

14996 PING.EXE
15104 PING.EXE

pid	process
11488	reg.exe
14796	reg.exe

pid	process
14996	PING.EXE
15104	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exeN1f3qIXjmueaul5apQ3FO3ay.execy28MdLgGDMU7xY0Ke76Al6L.exegtAkiBRba2FheTNuDByM87b_.exeOrD9qXJz5cYCqOyez9PkaoER.exeYRUjJGW2qktiqn7xsGw0BAyq.exejfoQwtytnL1zZvk7fAPFGVdZ.exeAppLaunch.exeOrD9qXJz5cYCqOyez9PkaoER.exe

pid	process
3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
3004	N1f3qIXjmueaul5apQ3FO3ay.exe
3004	N1f3qIXjmueaul5apQ3FO3ay.exe
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
1740	gtAkiBRba2FheTNuDByM87b_.exe
1740	gtAkiBRba2FheTNuDByM87b_.exe
60404	OrD9qXJz5cYCqOyez9PkaoER.exe
60404	OrD9qXJz5cYCqOyez9PkaoER.exe
1332	YRUjJGW2qktiqn7xsGw0BAyq.exe
1332	YRUjJGW2qktiqn7xsGw0BAyq.exe
1740	gtAkiBRba2FheTNuDByM87b_.exe
1740	gtAkiBRba2FheTNuDByM87b_.exe
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
123280	jfoQwtytnL1zZvk7fAPFGVdZ.exe
111296	AppLaunch.exe
111296	AppLaunch.exe
2596
2596
2596
2596
4832	OrD9qXJz5cYCqOyez9PkaoER.exe
4832	OrD9qXJz5cYCqOyez9PkaoER.exe
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
1740	gtAkiBRba2FheTNuDByM87b_.exe
2596
2596
3732	cy28MdLgGDMU7xY0Ke76Al6L.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2596
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

YRUjJGW2qktiqn7xsGw0BAyq.exeAE34.exefp0O9TTlQDE9heunLCoT1ok5.exe

pid process

1332 YRUjJGW2qktiqn7xsGw0BAyq.exe
2596
2596
2596
2596
1292 AE34.exe
10352 fp0O9TTlQDE9heunLCoT1ok5.exe

pid	process
2596

pid	process
1332	YRUjJGW2qktiqn7xsGw0BAyq.exe
2596
2596
2596
2596
1292	AE34.exe
10352	fp0O9TTlQDE9heunLCoT1ok5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

gtAkiBRba2FheTNuDByM87b_.exeN1f3qIXjmueaul5apQ3FO3ay.execy28MdLgGDMU7xY0Ke76Al6L.exeAppLaunch.exetaskkill.exeB2C8.exepowershell.exee0lTZS6oOnImWeZ2Ksh4zYSo.exe

description	pid	process
Token: SeDebugPrivilege	1740	gtAkiBRba2FheTNuDByM87b_.exe
Token: SeDebugPrivilege	3004	N1f3qIXjmueaul5apQ3FO3ay.exe
Token: SeDebugPrivilege	3732	cy28MdLgGDMU7xY0Ke76Al6L.exe
Token: SeDebugPrivilege	111296	AppLaunch.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	4536	B2C8.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	8920	e0lTZS6oOnImWeZ2Ksh4zYSo.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

99sr700Rdh5JRn6iW1ivjxCX.tmpAdblock.exe

pid process

9784 99sr700Rdh5JRn6iW1ivjxCX.tmp
10864 Adblock.exe
2596
2596
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Adblock.exe

pid process

10864 Adblock.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Adblock.exe

pid process

10864 Adblock.exe
10864 Adblock.exe
10864 Adblock.exe
10864 Adblock.exe

pid	process
9784	99sr700Rdh5JRn6iW1ivjxCX.tmp
10864	Adblock.exe
2596
2596

pid	process
10864	Adblock.exe

pid	process
10864	Adblock.exe
10864	Adblock.exe
10864	Adblock.exe
10864	Adblock.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe3twl9VjmPdYZ_t1_29x7jRwe.exeOrD9qXJz5cYCqOyez9PkaoER.execontrol.exegJVOpB9AqwtaS0WS68fWnueb.exeHEb3RN4L4Nl9sCsApoNSDKmd.exeIj27bKyq_GEVltrW0K1KhSfi.exe

description	pid	process	target process
PID 3060 wrote to memory of 1332	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	YRUjJGW2qktiqn7xsGw0BAyq.exe
PID 3060 wrote to memory of 1332	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	YRUjJGW2qktiqn7xsGw0BAyq.exe
PID 3060 wrote to memory of 1332	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	YRUjJGW2qktiqn7xsGw0BAyq.exe
PID 3060 wrote to memory of 3384	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3060 wrote to memory of 3384	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3060 wrote to memory of 3384	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3060 wrote to memory of 1176	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	kfcN2KneQfj64N9Oba9PI8OK.exe
PID 3060 wrote to memory of 1176	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	kfcN2KneQfj64N9Oba9PI8OK.exe
PID 3060 wrote to memory of 3520	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	3twl9VjmPdYZ_t1_29x7jRwe.exe
PID 3060 wrote to memory of 3520	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	3twl9VjmPdYZ_t1_29x7jRwe.exe
PID 3060 wrote to memory of 3520	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	3twl9VjmPdYZ_t1_29x7jRwe.exe
PID 3060 wrote to memory of 3640	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	Ij27bKyq_GEVltrW0K1KhSfi.exe
PID 3060 wrote to memory of 3640	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	Ij27bKyq_GEVltrW0K1KhSfi.exe
PID 3060 wrote to memory of 3640	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	Ij27bKyq_GEVltrW0K1KhSfi.exe
PID 3060 wrote to memory of 5064	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	gJVOpB9AqwtaS0WS68fWnueb.exe
PID 3060 wrote to memory of 5064	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	gJVOpB9AqwtaS0WS68fWnueb.exe
PID 3060 wrote to memory of 5064	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	gJVOpB9AqwtaS0WS68fWnueb.exe
PID 3060 wrote to memory of 3764	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	HEb3RN4L4Nl9sCsApoNSDKmd.exe
PID 3060 wrote to memory of 3764	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	HEb3RN4L4Nl9sCsApoNSDKmd.exe
PID 3060 wrote to memory of 3764	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	HEb3RN4L4Nl9sCsApoNSDKmd.exe
PID 3060 wrote to memory of 3004	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	N1f3qIXjmueaul5apQ3FO3ay.exe
PID 3060 wrote to memory of 3004	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	N1f3qIXjmueaul5apQ3FO3ay.exe
PID 3060 wrote to memory of 3004	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	N1f3qIXjmueaul5apQ3FO3ay.exe
PID 3060 wrote to memory of 1740	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	gtAkiBRba2FheTNuDByM87b_.exe
PID 3060 wrote to memory of 1740	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	gtAkiBRba2FheTNuDByM87b_.exe
PID 3060 wrote to memory of 1740	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	gtAkiBRba2FheTNuDByM87b_.exe
PID 3060 wrote to memory of 3732	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	cy28MdLgGDMU7xY0Ke76Al6L.exe
PID 3060 wrote to memory of 3732	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	cy28MdLgGDMU7xY0Ke76Al6L.exe
PID 3060 wrote to memory of 3732	3060	02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe	cy28MdLgGDMU7xY0Ke76Al6L.exe
PID 3520 wrote to memory of 23184	3520	3twl9VjmPdYZ_t1_29x7jRwe.exe	control.exe
PID 3520 wrote to memory of 23184	3520	3twl9VjmPdYZ_t1_29x7jRwe.exe	control.exe
PID 3520 wrote to memory of 23184	3520	3twl9VjmPdYZ_t1_29x7jRwe.exe	control.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 3384 wrote to memory of 60404	3384	OrD9qXJz5cYCqOyez9PkaoER.exe	OrD9qXJz5cYCqOyez9PkaoER.exe
PID 23184 wrote to memory of 71632	23184	control.exe	rundll32.exe
PID 23184 wrote to memory of 71632	23184	control.exe	rundll32.exe
PID 23184 wrote to memory of 71632	23184	control.exe	rundll32.exe
PID 5064 wrote to memory of 111296	5064	gJVOpB9AqwtaS0WS68fWnueb.exe	AppLaunch.exe
PID 5064 wrote to memory of 111296	5064	gJVOpB9AqwtaS0WS68fWnueb.exe	AppLaunch.exe
PID 5064 wrote to memory of 111296	5064	gJVOpB9AqwtaS0WS68fWnueb.exe	AppLaunch.exe
PID 5064 wrote to memory of 111296	5064	gJVOpB9AqwtaS0WS68fWnueb.exe	AppLaunch.exe
PID 5064 wrote to memory of 111296	5064	gJVOpB9AqwtaS0WS68fWnueb.exe	AppLaunch.exe
PID 3764 wrote to memory of 123224	3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe	AppLaunch.exe
PID 3764 wrote to memory of 123224	3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe	AppLaunch.exe
PID 3764 wrote to memory of 123224	3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe	AppLaunch.exe
PID 3764 wrote to memory of 123224	3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe	AppLaunch.exe
PID 3764 wrote to memory of 123224	3764	HEb3RN4L4Nl9sCsApoNSDKmd.exe	AppLaunch.exe
PID 3640 wrote to memory of 123280	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	jfoQwtytnL1zZvk7fAPFGVdZ.exe
PID 3640 wrote to memory of 123280	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	jfoQwtytnL1zZvk7fAPFGVdZ.exe
PID 3640 wrote to memory of 123280	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	jfoQwtytnL1zZvk7fAPFGVdZ.exe
PID 3640 wrote to memory of 123308	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	schtasks.exe
PID 3640 wrote to memory of 123308	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	schtasks.exe
PID 3640 wrote to memory of 123308	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	schtasks.exe
PID 3640 wrote to memory of 123344	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	schtasks.exe
PID 3640 wrote to memory of 123344	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	schtasks.exe
PID 3640 wrote to memory of 123344	3640	Ij27bKyq_GEVltrW0K1KhSfi.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe
"C:\Users\Admin\AppData\Local\Temp\02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\Pictures\Minor Policy\Ij27bKyq_GEVltrW0K1KhSfi.exe
"C:\Users\Admin\Pictures\Minor Policy\Ij27bKyq_GEVltrW0K1KhSfi.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\Documents\jfoQwtytnL1zZvk7fAPFGVdZ.exe
"C:\Users\Admin\Documents\jfoQwtytnL1zZvk7fAPFGVdZ.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:123280

C:\Users\Admin\Pictures\Adobe Films\e0lTZS6oOnImWeZ2Ksh4zYSo.exe
"C:\Users\Admin\Pictures\Adobe Films\e0lTZS6oOnImWeZ2Ksh4zYSo.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:8920

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
5⤵
- Executes dropped EXE
PID:10496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8920 -s 1360
5⤵
- Program crash
PID:10636

C:\Users\Admin\Pictures\Adobe Films\7DGqgRnvs5xiMlVVMVa66T95.exe
"C:\Users\Admin\Pictures\Adobe Films\7DGqgRnvs5xiMlVVMVa66T95.exe"
4⤵
- Executes dropped EXE
PID:9168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:12804

C:\Users\Admin\Pictures\Adobe Films\99sr700Rdh5JRn6iW1ivjxCX.exe
"C:\Users\Admin\Pictures\Adobe Films\99sr700Rdh5JRn6iW1ivjxCX.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
- Executes dropped EXE
PID:9156

C:\Users\Admin\AppData\Local\Temp\is-T0P9U.tmp\99sr700Rdh5JRn6iW1ivjxCX.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T0P9U.tmp\99sr700Rdh5JRn6iW1ivjxCX.tmp" /SL5="$10200,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\99sr700Rdh5JRn6iW1ivjxCX.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:9784

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
6⤵
- Kills process with taskkill
PID:10584

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=4b401a7f1663694492 --downloadDate=2022-09-20T17:20:31 --distId=marketator --pid=747
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:10864

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\35ee69b2-4759-43af-e0b7-9b8987f20d5a.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\35ee69b2-4759-43af-e0b7-9b8987f20d5a.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\35ee69b2-4759-43af-e0b7-9b8987f20d5a.run\__sentry-breadcrumb2" --initial-client-data=0x3f4,0x3f8,0x3fc,0x3d0,0x3c8,0x7ff7889cbc80,0x7ff7889cbca0,0x7ff7889cbcb8
7⤵
- Executes dropped EXE
PID:10960

C:\Users\Admin\AppData\Local\Temp\Update-9243dd6c-8798-4c5f-b420-223657f2c233\AdblockInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Update-9243dd6c-8798-4c5f-b420-223657f2c233\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
7⤵
- Executes dropped EXE
PID:11520

C:\Users\Admin\AppData\Local\Temp\is-U3COJ.tmp\AdblockInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U3COJ.tmp\AdblockInstaller.tmp" /SL5="$D006C,15557677,792064,C:\Users\Admin\AppData\Local\Temp\Update-9243dd6c-8798-4c5f-b420-223657f2c233\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:11660

C:\Users\Admin\Programs\Adblock\DnsService.exe
"C:\Users\Admin\Programs\Adblock\DnsService.exe" -remove
9⤵
PID:12024

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
9⤵
- Gathers network information
PID:12356

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
9⤵
- Kills process with taskkill
PID:12560

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im MassiveEngine.exe
9⤵
- Kills process with taskkill
PID:12616

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
9⤵
PID:13112

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
10⤵
PID:14688

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --update --autorun --installerSessionId=4b401a7f1663694503 --downloadDate=2022-09-20T17:21:40 --distId=marketator
9⤵
PID:13104

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\423d3292-9bd1-4b6a-9c6f-96eb4c835e1c.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\423d3292-9bd1-4b6a-9c6f-96eb4c835e1c.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\423d3292-9bd1-4b6a-9c6f-96eb4c835e1c.run\__sentry-breadcrumb2" --initial-client-data=0x3d8,0x3dc,0x3e0,0x3b4,0x3e4,0x7ff66678bdd0,0x7ff66678bdf0,0x7ff66678be08
10⤵
PID:14640

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
10⤵
- Modifies Windows Firewall
PID:15244

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
10⤵
PID:15380

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
10⤵
PID:15412

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
9⤵
PID:14752

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
10⤵
- Modifies registry key
PID:14796

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
7⤵
- Modifies Windows Firewall
PID:11836

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
7⤵
PID:12016

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
7⤵
PID:12088

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
6⤵
PID:11008

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
7⤵
PID:11272

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
6⤵
PID:11404

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
7⤵
- Modifies registry key
PID:11488

C:\Users\Admin\Pictures\Adobe Films\SCHz6fyptSYu6xu29soKpgdx.exe
"C:\Users\Admin\Pictures\Adobe Films\SCHz6fyptSYu6xu29soKpgdx.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:9136

C:\Windows\SysWOW64\robocopy.exe
robocopy 8927387376487263745672673846276374982938486273568279384982384972834
5⤵
PID:9760

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Provide.accdt & ping -n 5 localhost
5⤵
PID:11564

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:11648

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:12708

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
PID:12700

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
PID:13048

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:13064

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NpDypcc$" Corner.accdt
7⤵
PID:14804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
Quite.exe.pif r
7⤵
PID:14972

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:14996

C:\Users\Admin\Pictures\Adobe Films\XtGS0GCqM4vir_l82C18UUJx.exe
"C:\Users\Admin\Pictures\Adobe Films\XtGS0GCqM4vir_l82C18UUJx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:11716

C:\Users\Admin\Pictures\Adobe Films\eCdVk5jk9IVBYqxmYpePG65B.exe
"C:\Users\Admin\Pictures\Adobe Films\eCdVk5jk9IVBYqxmYpePG65B.exe"
4⤵
- Executes dropped EXE
PID:9100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9100 -s 424
5⤵
- Program crash
PID:10244

C:\Users\Admin\Pictures\Adobe Films\09uXYhKaMVXvEMu9wKKPxFAg.exe
"C:\Users\Admin\Pictures\Adobe Films\09uXYhKaMVXvEMu9wKKPxFAg.exe"
4⤵
- Executes dropped EXE
PID:9064

C:\Users\Admin\Pictures\Adobe Films\GwrcwRvV4f74bWChpNlOBseV.exe
"C:\Users\Admin\Pictures\Adobe Films\GwrcwRvV4f74bWChpNlOBseV.exe"
4⤵
- Executes dropped EXE
PID:9040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 452
5⤵
- Program crash
PID:10416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 764
5⤵
- Program crash
PID:10760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 772
5⤵
- Program crash
PID:10832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 812
5⤵
- Program crash
PID:10940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 820
5⤵
- Program crash
PID:11112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 984
5⤵
- Program crash
PID:11312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 1012
5⤵
- Program crash
PID:11464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 1356
5⤵
- Program crash
PID:12036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6ZnRbczRFhaWJmkNYlYwTuOrTr\Cleaner.exe"
5⤵
PID:12208

C:\Users\Admin\AppData\Local\Temp\6ZnRbczRFhaWJmkNYlYwTuOrTr\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\6ZnRbczRFhaWJmkNYlYwTuOrTr\Cleaner.exe"
6⤵
PID:12348

C:\Users\Admin\Pictures\Adobe Films\ryaJD0hrwTkbOxBW40FgfxGO.exe
"C:\Users\Admin\Pictures\Adobe Films\ryaJD0hrwTkbOxBW40FgfxGO.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:9008

C:\Windows\SysWOW64\robocopy.exe
robocopy 8927387376487263745672673846276374982938486273568279384982384972834
5⤵
PID:9708

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Its.ppsm & ping -n 5 localhost
5⤵
PID:11592

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:11732

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
PID:14708

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:14720

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
PID:14840

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:14860

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^PZfwNaaV$" Dealers.ppsm
7⤵
PID:15044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Caps.exe.pif
Caps.exe.pif U
7⤵
PID:15084

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:15104

C:\Users\Admin\Pictures\Adobe Films\aFoE9uddObdp4sGWtwdTksa9.exe
"C:\Users\Admin\Pictures\Adobe Films\aFoE9uddObdp4sGWtwdTksa9.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:8980

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
5⤵
PID:10068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
6⤵
- Loads dropped DLL
PID:10432

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
7⤵
PID:12464

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
8⤵
PID:12484

C:\Users\Admin\Pictures\Adobe Films\PWvlTr08hFjvrjW7hNrke3q_.exe
"C:\Users\Admin\Pictures\Adobe Films\PWvlTr08hFjvrjW7hNrke3q_.exe"
4⤵
- Executes dropped EXE
PID:8948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:12728

C:\Users\Admin\Pictures\Adobe Films\fp0O9TTlQDE9heunLCoT1ok5.exe
"C:\Users\Admin\Pictures\Adobe Films\fp0O9TTlQDE9heunLCoT1ok5.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9248

C:\Users\Admin\Pictures\Adobe Films\fp0O9TTlQDE9heunLCoT1ok5.exe
"C:\Users\Admin\Pictures\Adobe Films\fp0O9TTlQDE9heunLCoT1ok5.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:10352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:123308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:123344

C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
"C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
"C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:60404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f92a1f4f-cece-4257-bdbd-3726873a3c75" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:123396

C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
"C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:123824

C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
"C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe
"C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:616

C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe
"C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" C/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe" & del C:\PrograData\*.dll & exit
8⤵
PID:4384

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:4092

C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build3.exe
"C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build3.exe"
6⤵
- Executes dropped EXE
PID:3820

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:2360

C:\Users\Admin\Pictures\Minor Policy\kfcN2KneQfj64N9Oba9PI8OK.exe
"C:\Users\Admin\Pictures\Minor Policy\kfcN2KneQfj64N9Oba9PI8OK.exe"
2⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1176 -s 424
3⤵
- Program crash
PID:54960

C:\Users\Admin\Pictures\Minor Policy\3twl9VjmPdYZ_t1_29x7jRwe.exe
"C:\Users\Admin\Pictures\Minor Policy\3twl9VjmPdYZ_t1_29x7jRwe.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
3⤵
- Suspicious use of WriteProcessMemory
PID:23184

C:\Users\Admin\Pictures\Minor Policy\YRUjJGW2qktiqn7xsGw0BAyq.exe
"C:\Users\Admin\Pictures\Minor Policy\YRUjJGW2qktiqn7xsGw0BAyq.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1332

C:\Users\Admin\Pictures\Minor Policy\HEb3RN4L4Nl9sCsApoNSDKmd.exe
"C:\Users\Admin\Pictures\Minor Policy\HEb3RN4L4Nl9sCsApoNSDKmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:123224

C:\Users\Admin\Pictures\Minor Policy\gJVOpB9AqwtaS0WS68fWnueb.exe
"C:\Users\Admin\Pictures\Minor Policy\gJVOpB9AqwtaS0WS68fWnueb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:111296

C:\Users\Admin\Pictures\Minor Policy\gtAkiBRba2FheTNuDByM87b_.exe
"C:\Users\Admin\Pictures\Minor Policy\gtAkiBRba2FheTNuDByM87b_.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\Pictures\Minor Policy\N1f3qIXjmueaul5apQ3FO3ay.exe
"C:\Users\Admin\Pictures\Minor Policy\N1f3qIXjmueaul5apQ3FO3ay.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\Pictures\Minor Policy\cy28MdLgGDMU7xY0Ke76Al6L.exe
"C:\Users\Admin\Pictures\Minor Policy\cy28MdLgGDMU7xY0Ke76Al6L.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1176 -ip 1176
1⤵
PID:37984

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
1⤵
- Loads dropped DLL
PID:71632

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
2⤵
PID:628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ElR1.CPL",
3⤵
- Loads dropped DLL
PID:2696

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AAD6.dll
1⤵
PID:4508

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AAD6.dll
2⤵
- Loads dropped DLL
PID:212

C:\Users\Admin\AppData\Local\Temp\ABE1.exe
C:\Users\Admin\AppData\Local\Temp\ABE1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4180

C:\Users\Admin\AppData\Local\Temp\ABE1.exe
C:\Users\Admin\AppData\Local\Temp\ABE1.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:1744

C:\Users\Admin\AppData\Local\Temp\ABE1.exe
"C:\Users\Admin\AppData\Local\Temp\ABE1.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5260

C:\Users\Admin\AppData\Local\Temp\ABE1.exe
"C:\Users\Admin\AppData\Local\Temp\ABE1.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5320

C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build2.exe
"C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5680

C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build2.exe
"C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:5724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" C/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build2.exe" & del C:\PrograData\*.dll & exit
7⤵
PID:9524

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:10612

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:10780

C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build3.exe
"C:\Users\Admin\AppData\Local\a9d92c28-df46-4e4f-b246-166acab2a15a\build3.exe"
5⤵
- Executes dropped EXE
PID:5796

C:\Users\Admin\AppData\Local\Temp\AE34.exe
C:\Users\Admin\AppData\Local\Temp\AE34.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1292

C:\Users\Admin\AppData\Local\Temp\B2C8.exe
C:\Users\Admin\AppData\Local\Temp\B2C8.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Users\Admin\AppData\Local\Temp\B2C8.exe
C:\Users\Admin\AppData\Local\Temp\B2C8.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:5152

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5288

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:5552

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:5628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 9100 -ip 9100
1⤵
PID:10016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 9040 -ip 9040
1⤵
PID:10272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 8920 -ip 8920
1⤵
PID:10572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 9040 -ip 9040
1⤵
PID:10744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9040 -ip 9040
1⤵
PID:10812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9040 -ip 9040
1⤵
PID:10912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 9040 -ip 9040
1⤵
PID:11076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9040 -ip 9040
1⤵
PID:11260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 9040 -ip 9040
1⤵
PID:11436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9040 -ip 9040
1⤵
PID:11964

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:12100

C:\Users\Admin\AppData\Local\Temp\A2C7.exe
C:\Users\Admin\AppData\Local\Temp\A2C7.exe
1⤵
PID:15172

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:15428

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:15512

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:15548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
1c626eac6241b02b0082a76f150a3a8a

SHA1
b7c0c6ae1d3d5a2beaf4c4f3744cac6285f04858

SHA256
412116af67c3a894bee8821158ee91447ca6cfe0d5b43d0524e6c5af5defaf69

SHA512
8550f0ec9a9c5f152a3b5eb49a91084d3201589373b8d381233926f1ac34bd0c276fa1e3c9da75bd8297f417d9f566f4bf6b882107c7255522f745e6d446802a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
db738db03f56e46d8e7be3358ad82135

SHA1
99e633eb7f52641426929bd0f717474010fef038

SHA256
c1141c99181cfcf50ba71dbed0746ad9619dc996d45059ccf2bb86a7dbde9e64

SHA512
42fbb7763574a28eaa66b4cf804dc92281f3598fee2225fc82fec008720e5e57e39cc8daf251307b2880893b49837c283cf96ab9729e6d175939e50875a49c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
1fcc58bae65fc521ddbfafce6c6757e9

SHA1
4a83d2bb007ecd4cd0c866b26d320e1c44808c3e

SHA256
aa53eec30f15dfa529e08f753468ab3428627e51523d92f21980b992393ebab3

SHA512
2a37f73c05b1aa64781464a0a027d61a5605481eb7342e071bc3b920eb7feef2c4b0496172761f718955be33ee33cf7dc4ebda1d72253c0785c9b4cdfc0500f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15B
Filesize
1KB

MD5
57bb5688a88816c1a5efba82e85b6b95

SHA1
bb1bcea5991611c49f4398f53dee2d16f2482ff1

SHA256
4e664398db33fb64b66887efc21555fca6310dd66ac68dbf50dc3185ef2dcfc7

SHA512
49621c39417b15dab14739f93f965d0024e18eccdea83d7c41bfda6f194b2dd5aadc1dc89028b78320e0848bb4cbc58ca325a605ba4f52b10830957545f42737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_811809BE12AFE5624F00A379DF595152
Filesize
278B

MD5
1439fcf2a7ea2385a3a473ea166e6623

SHA1
be92c63ddd84b52175a38b1118754d60e1c62b2e

SHA256
257b3cc0cc890ccca84db288b6fbb991cd152585fa3e7e24364215f2d4bec0fb

SHA512
1fcb0b3dde8718530bb0e034c73fe26162e08ec5c21aa013a380102ebf037093dc0b022511bb56141e37ac84b591f6405738c6558597ddbcdda2203b59365c2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
1KB

MD5
20217582de91f124962d52f645c0727b

SHA1
94a5a316aa1884b4ce2b14d9159e8cdf69b157d7

SHA256
8e350393bd306fc5fa9356227b1985bb8ca0b1aff493742cfb367f72c90b891a

SHA512
e8c0ae7cc577de9936035a6445f1961b9a7090ebabc99c9fadddfe7a87e2245a09895d818fb59942a5b5aeaeda02cb11029d74006c61e065b5288178a2475d3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
48e98893438d04fa64bb49bbdafbf960

SHA1
e28578281fc80cb97275a94aa0e9da0db8285b87

SHA256
2ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d

SHA512
9eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0081C45C8F81A550E9B702EAB56EAFB
Filesize
1KB

MD5
8f4d923906bb76080a5b5e593e097bf6

SHA1
1a7405e2d20df906e886ff109c68987e02c4d385

SHA256
c7f4710ce533096e43d5038e6bb05e7ae6e4f11580c143a99be5d03f45bdbce5

SHA512
680d205e14b346c7c3818e79dc15fdf70497feb8e83d86119c60ea64e4912d699c727fce5bbbd1473606b13b1414bdf7300eb2145236f8de569c9f217f046479

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
751996db02c57a09e972183f7390efc0

SHA1
76b4db70cf0641a12b57225128d92789af5b9297

SHA256
792836880022bf849fd4faf300232c155118e611084f989530bae5975cb3b4c4

SHA512
4ebaedee76db1188d41c670956495993d4534cd0f1d63b5d81b2407ca0f4be362c0e5fc50c93a8dd127c27141817d00098c170310a3347a1a5cc1599a256bedd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CD39ADF7806918A174DD06515F1280A5
Filesize
345B

MD5
e64248d126a4a0e6de4e05611cfff496

SHA1
0b32de2430e0b515ddf69063a9345db8206278c3

SHA256
be6cf6ad79a11e48cbf4276341d5bcb5393d1371c5fed63bf8d2919c4448d8f2

SHA512
a4520c90b8864d1470d24235d457161d333828b4d914ff82e67adf6df88aab7e066883be8c0063e4b71bff13a1b62b591728cdf0a79b6b0aea7f55072afd474d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D724B3F5A6871DAF5F4468FFA71D8DD1_FF32884F8DC5A43F93B5306FE6CD82D6
Filesize
472B

MD5
aaf25e6c07f74485f5d2b07e4284e53f

SHA1
da078defff7265963fdc271ca8a458a601c41253

SHA256
5e9ec0c40000bce3bafa8fb209437b973aa2677ec60c3e27049a9a038ff3b2fa

SHA512
9970e3694a703e3510d893fe80ce1453cb1f2dc26a1056fac881511660bd603b74a4ee585b83f02da21a9759284f0c7322d9eb8bda37c1fa6daa39974bb911e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
4feb1548d04ed1aad7ad3dec8589192a

SHA1
3cc32bef46a42eb0246abee2c1b296e3ffd0a5fd

SHA256
715f89e4cfd0183fef89673c3170b3d7e0e83bdf760df57d8e3d588916b6f479

SHA512
ec6a378f812703cfac2d8aec7a2bc8dd132a637b62677188733faa5a0cd3f9e692a565484d6f8b6dccfb27a489eaedc6f738971bbf3ff65eedc807bdb59beea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
1cc2d3a0f7a6faa450dab293e2c1d3af

SHA1
33d933d7df1bddb38eb315b911b2a46b09884bc1

SHA256
44786d831f43369375a383fb0b168e034869ce05ae1b3d47ad7312af58edf486

SHA512
31f6765ebf9819036b015a70b5f58ec47fe346d4ce2960b3c4b6d8406e0e78830b3e1c3790181e4a9ce08e5053f194b41301b24ee7cbfbb1f1b6fe306ab4d60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
3337b96805a30a664f5496e6cb8eb1ca

SHA1
09c61a35a49cd3dfa847eef73f9d0f1958116be1

SHA256
ff5e31dbd2facafecb4f939dc31986b8e188b3af5c7aaaee6501fdd4ac31c5a9

SHA512
6fae12f0da29a070d20ad18a188abd7f5ae7f5d76b358309e500e318de71a8bde9022ec1e9cd7bd8f61a060f25875851d19acd2bd22cf86f1f69eb7f058ea2f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
830d2a786f3dcd62c09a071c796e5907

SHA1
4d434d2ba38eec283fc5dfb9eb33f03ee97ab2a3

SHA256
fd930fccc28b199c5ffed528cfc7265d29555ce773c79dd9754a0a1513f45b0c

SHA512
a16c38c0c654e3fb9dd1308e8b1ecbaf1ac21e70dafc2a4fbee75988f6ba9b9491ee955520cf0dd3fa9e30ccc2667f743e56eea6891481c09fa0fb9be1b2e7fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
3f217cb75b0796967be281d4534be8db

SHA1
928d7ce66973f352368553725c7d933466435f65

SHA256
edafda19dacd893f5c3c612cd313343122728b9b74233bac9db3f46b3b4f3215

SHA512
7f4632b7da89f92d45b718e1272a4bc68805999b30f5cbf23f0791e5e8d3d12b1e97048e433dd251647c0f0e0b9b90b76d78ee95235082ca2cf04b1fbacd42ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15B
Filesize
540B

MD5
b6ad7e878bdf62fa6384811703a8786a

SHA1
c267669c634041b51c60ac1711a79a2296a8db9f

SHA256
91095f61ff6f153f62d979583a3bd55bff9a3a2fdc8410ba0e1b21681b539063

SHA512
fe61d24f4a4e559a8298ed187165f0ff18b4a5a4afe51428676ea3d6386ba677d8867ab07a1abda1bbae3748f68f248b2c5ef6578749cd6f4e4152389e49657e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_811809BE12AFE5624F00A379DF595152
Filesize
396B

MD5
dbb62bdea891fbd03e35c12409e76a61

SHA1
1b1e5f0ec525586165ffe5d3e35e5d2144eb8841

SHA256
fd27f0b32d9bcd3818f4c4e1de773ecff06d0f77b744b3233f5b046d28bd7f93

SHA512
886290f707f4a2943381b6eb90c533d07c41e579c9780a6378cb977daf1c29233948abdf93ae09c2d0a2312db061c5635aac4ba41308c3a7302ff9f732f8353b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
492B

MD5
2a7294474ab3c58edc8fe1bc6ba0c844

SHA1
6b5e74588b7c947bdb1627a87ed16f0222b69ae5

SHA256
2224f8e99597feb08689d1fa0aa39083be17fbb083e62c89db94bf09fd7bc9cf

SHA512
849477e780a8c1b64e89a82b87924af90f66666ebcadc10ade942400dd6d78aa6c55e36dd29b53c3708e7f7657116f1c0ec99f7128e047be9518f6174115f79b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
baf3cd36e62e2938aaef1e452eaca5c1

SHA1
062bbf325135904cfc1b1f75b318f9a73331e145

SHA256
59b76d79bd162f5ff330e0dfe734fefa3262024717a314d6cad61fd931c9381c

SHA512
62c24ed15d1ea2f39dd51667620a5f5317f3df56d3031df8dac2a420402bda19753cd0eed642d7893600578bf4e9f38b8f046de266d86430af33cbf0a6f039fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0081C45C8F81A550E9B702EAB56EAFB
Filesize
532B

MD5
5e6162a8efb8ec611cb2a04190236fa6

SHA1
61aee8b182d33024f65f737e19a3bf69513a2b23

SHA256
161028dca9ca6b78ac0cf98b460855f3cc730998e11af90fe213978f7438fa3d

SHA512
51f27fc8969b8dc9f0e6f36fc685f4a24234d8b48594c32164e095a78ed7a9d493b65ea8eb9404f8b6950e2593ca985c2068b6f3288aa9ef585088006e076e51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
3a832815950d247e687e28f5cecd461e

SHA1
3068906a8f35cabf08c9be425c7fc8a799c0a0a2

SHA256
c8e01c0641b27d5acae45e2cd6ac4c643a79bbafa1cd427273323befb073cee2

SHA512
f5b3c142d326f7a9d6aaf407fe8f21809e0f88d12b7c7ebc9ffbbfaa91aa6405b842fe52ab7ddb3548a020bed3ec6f8251107cde21fb2d31b28edc659be2ef78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CD39ADF7806918A174DD06515F1280A5
Filesize
548B

MD5
b56e9ea6727d7f19ff9f0373e529f86b

SHA1
7cfdbe1d13bfc7837188d75ee37c5d68b8ffd745

SHA256
47643c390f5c9b7de55f02f7be744b9e2a6ae2e15b5ac3b01fa2a3729ab2b729

SHA512
f0dbd84154ebf73ce3d6fe1dffa60a3f86595e206a2060b53d9ea1ebfc29d6f046b9b0f4d71b80faa6227414646cb17277638e6171eee0fa23f3e75e041fa19e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D724B3F5A6871DAF5F4468FFA71D8DD1_FF32884F8DC5A43F93B5306FE6CD82D6
Filesize
434B

MD5
0ef2625e2b89b536d7d9359550e78956

SHA1
1f7ca20db031b1db9d84b67f48a18b59dc33fc98

SHA256
edefc3825cd0baadd8a033b794c461cf2534a7a8cbd01e25b1ceec6f34794eba

SHA512
7a9728b4acb4f63ae53994ef47814b4b32e330f642e9ed88e54eacde73118b813c167d4bbf8fe80f0706fcf05ee50537ecc64fccabb6c322f30739cac4a0d273

Download Submit
C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe
Filesize
246KB

MD5
4e08ecaa075b90f30327bf200d23130b

SHA1
f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2

SHA256
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47

SHA512
e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7

Download Submit
C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe
Filesize
246KB

MD5
4e08ecaa075b90f30327bf200d23130b

SHA1
f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2

SHA256
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47

SHA512
e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7

Download Submit
C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build2.exe
Filesize
246KB

MD5
4e08ecaa075b90f30327bf200d23130b

SHA1
f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2

SHA256
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47

SHA512
e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7

Download Submit
C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\0d41a588-7ba8-412d-a165-ff160f8e9f77\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ElR1.CPL
Filesize
1.7MB

MD5
239641aac7c2401413d4d7475cb83e59

SHA1
955bc610fe8fe76f660c0596cbe9791c5dfe5ee1

SHA256
cf3dba8a52a217fbdaa2b8cd3aae73bb3abc817fc58031843e7ca7c506a22243

SHA512
cb00804f9c4ac8612ea1bce86dc1c57c64789eed06d96109dcf166dbb6dc313b273971056a7d893f6b049ba9b08d98163dc642e551aef8468c36309fb6e0ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elR1.cpl
Filesize
1.7MB

MD5
239641aac7c2401413d4d7475cb83e59

SHA1
955bc610fe8fe76f660c0596cbe9791c5dfe5ee1

SHA256
cf3dba8a52a217fbdaa2b8cd3aae73bb3abc817fc58031843e7ca7c506a22243

SHA512
cb00804f9c4ac8612ea1bce86dc1c57c64789eed06d96109dcf166dbb6dc313b273971056a7d893f6b049ba9b08d98163dc642e551aef8468c36309fb6e0ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elR1.cpl
Filesize
1.7MB

MD5
239641aac7c2401413d4d7475cb83e59

SHA1
955bc610fe8fe76f660c0596cbe9791c5dfe5ee1

SHA256
cf3dba8a52a217fbdaa2b8cd3aae73bb3abc817fc58031843e7ca7c506a22243

SHA512
cb00804f9c4ac8612ea1bce86dc1c57c64789eed06d96109dcf166dbb6dc313b273971056a7d893f6b049ba9b08d98163dc642e551aef8468c36309fb6e0ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elR1.cpl
Filesize
1.7MB

MD5
239641aac7c2401413d4d7475cb83e59

SHA1
955bc610fe8fe76f660c0596cbe9791c5dfe5ee1

SHA256
cf3dba8a52a217fbdaa2b8cd3aae73bb3abc817fc58031843e7ca7c506a22243

SHA512
cb00804f9c4ac8612ea1bce86dc1c57c64789eed06d96109dcf166dbb6dc313b273971056a7d893f6b049ba9b08d98163dc642e551aef8468c36309fb6e0ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elR1.cpl
Filesize
1.7MB

MD5
239641aac7c2401413d4d7475cb83e59

SHA1
955bc610fe8fe76f660c0596cbe9791c5dfe5ee1

SHA256
cf3dba8a52a217fbdaa2b8cd3aae73bb3abc817fc58031843e7ca7c506a22243

SHA512
cb00804f9c4ac8612ea1bce86dc1c57c64789eed06d96109dcf166dbb6dc313b273971056a7d893f6b049ba9b08d98163dc642e551aef8468c36309fb6e0ac5d

Download Submit
C:\Users\Admin\AppData\Local\f92a1f4f-cece-4257-bdbd-3726873a3c75\OrD9qXJz5cYCqOyez9PkaoER.exe
Filesize
665KB

MD5
7e6d1661d1c2fa6b5a2eca7363d67822

SHA1
148f749372274c71a0556c2dd8b0d0380931d055

SHA256
3c348abcbf25b56ed0b1036f7e943e9241fa98345658150c974645fe5170b7bc

SHA512
c9ab00228b60a8626e5598bb57498a75360f10c35315b07b0049585f847a4c92066b3d240c760a143bf70091ec44bcb98e410d7345a908b7ba252e95f442b640

Download Submit
C:\Users\Admin\Documents\jfoQwtytnL1zZvk7fAPFGVdZ.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\jfoQwtytnL1zZvk7fAPFGVdZ.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\Minor Policy\3twl9VjmPdYZ_t1_29x7jRwe.exe
Filesize
1.6MB

MD5
dc92d2de326f086d6f575cf2bc798e86

SHA1
ff8e30f18f19368594a5de490c809f57e01a5458

SHA256
cd2910243c380dc7f1b9c7a54f3bf3cf02304ee2f8c65195ae0210db56649400

SHA512
b7a77986373ee4ee4c8b852d943f548d29ff14aac23332e883db0f9bbcb42c6c1ff8624fb1fe8af42dd27f44e6c424cbc5ac7283615d5e6216d5247528f29b3c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\3twl9VjmPdYZ_t1_29x7jRwe.exe
Filesize
1.6MB

MD5
dc92d2de326f086d6f575cf2bc798e86

SHA1
ff8e30f18f19368594a5de490c809f57e01a5458

SHA256
cd2910243c380dc7f1b9c7a54f3bf3cf02304ee2f8c65195ae0210db56649400

SHA512
b7a77986373ee4ee4c8b852d943f548d29ff14aac23332e883db0f9bbcb42c6c1ff8624fb1fe8af42dd27f44e6c424cbc5ac7283615d5e6216d5247528f29b3c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\HEb3RN4L4Nl9sCsApoNSDKmd.exe
Filesize
2.6MB

MD5
7bc7d60e8178d0a04a756200675f0ece

SHA1
a5cab5575a499e8bcf96cdbd5bca5af5f167cf9d

SHA256
fb0816b55ce0416b43f909bd41ec2083d8b1715b0765c04cd09eac6ef5c804e5

SHA512
5042f8c126a3ff911177e3ac5643a4626f9e85e1b0d009a356e543420446fe751921377dc1436e23b40b8f90ab96ad0e23af5d001f3c6eaf31fb758cafa4c424

Download Submit
C:\Users\Admin\Pictures\Minor Policy\HEb3RN4L4Nl9sCsApoNSDKmd.exe
Filesize
2.6MB

MD5
7bc7d60e8178d0a04a756200675f0ece

SHA1
a5cab5575a499e8bcf96cdbd5bca5af5f167cf9d

SHA256
fb0816b55ce0416b43f909bd41ec2083d8b1715b0765c04cd09eac6ef5c804e5

SHA512
5042f8c126a3ff911177e3ac5643a4626f9e85e1b0d009a356e543420446fe751921377dc1436e23b40b8f90ab96ad0e23af5d001f3c6eaf31fb758cafa4c424

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Ij27bKyq_GEVltrW0K1KhSfi.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Ij27bKyq_GEVltrW0K1KhSfi.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Minor Policy\N1f3qIXjmueaul5apQ3FO3ay.exe
Filesize
2.9MB

MD5
8d4be2f5f13cb1ac37633b8234ef7c81

SHA1
c20b5f2ea9751ea3d45398bf537c44901c1eef50

SHA256
0b4d04bdb49a1ed4e29fc5bbdea6ece0929b32f3ffb70e8310113b902f15ac3c

SHA512
b96588920695177da6e9ada58f22ed6774ee110b22520e7a67a259fffb1b6b4de5d191726457a24f5a78da4fe9f41dfd5f2b2c281ef2ee15d4be5337a433bc4a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\N1f3qIXjmueaul5apQ3FO3ay.exe
Filesize
2.9MB

MD5
8d4be2f5f13cb1ac37633b8234ef7c81

SHA1
c20b5f2ea9751ea3d45398bf537c44901c1eef50

SHA256
0b4d04bdb49a1ed4e29fc5bbdea6ece0929b32f3ffb70e8310113b902f15ac3c

SHA512
b96588920695177da6e9ada58f22ed6774ee110b22520e7a67a259fffb1b6b4de5d191726457a24f5a78da4fe9f41dfd5f2b2c281ef2ee15d4be5337a433bc4a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
Filesize
665KB

MD5
7e6d1661d1c2fa6b5a2eca7363d67822

SHA1
148f749372274c71a0556c2dd8b0d0380931d055

SHA256
3c348abcbf25b56ed0b1036f7e943e9241fa98345658150c974645fe5170b7bc

SHA512
c9ab00228b60a8626e5598bb57498a75360f10c35315b07b0049585f847a4c92066b3d240c760a143bf70091ec44bcb98e410d7345a908b7ba252e95f442b640

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
Filesize
665KB

MD5
7e6d1661d1c2fa6b5a2eca7363d67822

SHA1
148f749372274c71a0556c2dd8b0d0380931d055

SHA256
3c348abcbf25b56ed0b1036f7e943e9241fa98345658150c974645fe5170b7bc

SHA512
c9ab00228b60a8626e5598bb57498a75360f10c35315b07b0049585f847a4c92066b3d240c760a143bf70091ec44bcb98e410d7345a908b7ba252e95f442b640

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
Filesize
665KB

MD5
7e6d1661d1c2fa6b5a2eca7363d67822

SHA1
148f749372274c71a0556c2dd8b0d0380931d055

SHA256
3c348abcbf25b56ed0b1036f7e943e9241fa98345658150c974645fe5170b7bc

SHA512
c9ab00228b60a8626e5598bb57498a75360f10c35315b07b0049585f847a4c92066b3d240c760a143bf70091ec44bcb98e410d7345a908b7ba252e95f442b640

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
Filesize
665KB

MD5
7e6d1661d1c2fa6b5a2eca7363d67822

SHA1
148f749372274c71a0556c2dd8b0d0380931d055

SHA256
3c348abcbf25b56ed0b1036f7e943e9241fa98345658150c974645fe5170b7bc

SHA512
c9ab00228b60a8626e5598bb57498a75360f10c35315b07b0049585f847a4c92066b3d240c760a143bf70091ec44bcb98e410d7345a908b7ba252e95f442b640

Download Submit
C:\Users\Admin\Pictures\Minor Policy\OrD9qXJz5cYCqOyez9PkaoER.exe
Filesize
665KB

MD5
7e6d1661d1c2fa6b5a2eca7363d67822

SHA1
148f749372274c71a0556c2dd8b0d0380931d055

SHA256
3c348abcbf25b56ed0b1036f7e943e9241fa98345658150c974645fe5170b7bc

SHA512
c9ab00228b60a8626e5598bb57498a75360f10c35315b07b0049585f847a4c92066b3d240c760a143bf70091ec44bcb98e410d7345a908b7ba252e95f442b640

Download Submit
C:\Users\Admin\Pictures\Minor Policy\YRUjJGW2qktiqn7xsGw0BAyq.exe
Filesize
274KB

MD5
04c17a46451549dc481f45b161322744

SHA1
6a69b46336de2bbdce5d58396a5f41adc6747ab3

SHA256
cd5ea97075885b74547285f69cfc20191c13f669cec2b9b1274674260fd228af

SHA512
84fa7deb9b08488772f976048b7c83537c34cad75cde1cede3c2a4ff5226248c702e6b50a418fc0bac7ac6f05f995c6f434e3e58ba43196dc86c4d6b8e57e029

Download Submit
C:\Users\Admin\Pictures\Minor Policy\YRUjJGW2qktiqn7xsGw0BAyq.exe
Filesize
274KB

MD5
04c17a46451549dc481f45b161322744

SHA1
6a69b46336de2bbdce5d58396a5f41adc6747ab3

SHA256
cd5ea97075885b74547285f69cfc20191c13f669cec2b9b1274674260fd228af

SHA512
84fa7deb9b08488772f976048b7c83537c34cad75cde1cede3c2a4ff5226248c702e6b50a418fc0bac7ac6f05f995c6f434e3e58ba43196dc86c4d6b8e57e029

Download Submit
C:\Users\Admin\Pictures\Minor Policy\cy28MdLgGDMU7xY0Ke76Al6L.exe
Filesize
2.8MB

MD5
798329fec74c27855f9aa3280bc62e60

SHA1
79b3c001db159891b45977789e055d98c83a8994

SHA256
d34d9744eb3ebc420cb831db1cf6ebd51c8ac7d1952d83d4dc192a9d57d906b2

SHA512
93effa121dcd5f639790b5745508e3d0b17cc1dfa985926e4a9efa01f4fa15f385572c6252b7948c9a089dbbfee264f084e10e444c3cddeafc4cc7cf2f0991b6

Download Submit
C:\Users\Admin\Pictures\Minor Policy\cy28MdLgGDMU7xY0Ke76Al6L.exe
Filesize
2.8MB

MD5
798329fec74c27855f9aa3280bc62e60

SHA1
79b3c001db159891b45977789e055d98c83a8994

SHA256
d34d9744eb3ebc420cb831db1cf6ebd51c8ac7d1952d83d4dc192a9d57d906b2

SHA512
93effa121dcd5f639790b5745508e3d0b17cc1dfa985926e4a9efa01f4fa15f385572c6252b7948c9a089dbbfee264f084e10e444c3cddeafc4cc7cf2f0991b6

Download Submit
C:\Users\Admin\Pictures\Minor Policy\gJVOpB9AqwtaS0WS68fWnueb.exe
Filesize
2.6MB

MD5
3949afafd6b2d55bbd470f0813b073ba

SHA1
587a38bc3d6b3983ba2a939b3d3000185c10a4ec

SHA256
01ce83b7e32196986dd84e14bbd522894c8af24af182471f88601337da1fcfab

SHA512
f11b73b43709b42bcb2091992bb5a49a56f0516abb75abbec91fae3c75d98eadf1d57c7c0cdfda19dce67958415126f4cb62ed8e7f498b6b6732313d653ce02a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\gJVOpB9AqwtaS0WS68fWnueb.exe
Filesize
2.6MB

MD5
3949afafd6b2d55bbd470f0813b073ba

SHA1
587a38bc3d6b3983ba2a939b3d3000185c10a4ec

SHA256
01ce83b7e32196986dd84e14bbd522894c8af24af182471f88601337da1fcfab

SHA512
f11b73b43709b42bcb2091992bb5a49a56f0516abb75abbec91fae3c75d98eadf1d57c7c0cdfda19dce67958415126f4cb62ed8e7f498b6b6732313d653ce02a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\gtAkiBRba2FheTNuDByM87b_.exe
Filesize
2.8MB

MD5
5c2e2d2013567a6f66fb9628647e2032

SHA1
49a538c91bd048fa965a7aba149dc877fd7e3468

SHA256
8489216ba6ebef2beae044f188cf01114cc8d91546fe6a00ccb8651558990925

SHA512
007bbdb6b34bc09e65eb224855dd8e0f4de14fe670d7e853f057846b13aa79aca3d866c79ec2a21a92c79ca04cb8dbd7b91f889689b2f977081572201332f191

Download Submit
C:\Users\Admin\Pictures\Minor Policy\gtAkiBRba2FheTNuDByM87b_.exe
Filesize
2.8MB

MD5
5c2e2d2013567a6f66fb9628647e2032

SHA1
49a538c91bd048fa965a7aba149dc877fd7e3468

SHA256
8489216ba6ebef2beae044f188cf01114cc8d91546fe6a00ccb8651558990925

SHA512
007bbdb6b34bc09e65eb224855dd8e0f4de14fe670d7e853f057846b13aa79aca3d866c79ec2a21a92c79ca04cb8dbd7b91f889689b2f977081572201332f191

Download Submit
C:\Users\Admin\Pictures\Minor Policy\kfcN2KneQfj64N9Oba9PI8OK.exe
Filesize
3.5MB

MD5
3ef1efcd53897047ad9df7308cc61508

SHA1
103e7cc7c508ceaaad664d48213f3d152e6d6bc6

SHA256
3d39fd3cfbe7b34f275f5b37b74fc9de1ebec01429b35b25cc536d5b481e341e

SHA512
25081415d7d1a402af233161e8461094ab89b610aaf8f486b85b64a37838b506d846e2927a7f97383e6ffe89d9291b77ddcc735857ac21aee118c22c972e69b4

Download Submit
C:\Users\Admin\Pictures\Minor Policy\kfcN2KneQfj64N9Oba9PI8OK.exe
Filesize
3.5MB

MD5
3ef1efcd53897047ad9df7308cc61508

SHA1
103e7cc7c508ceaaad664d48213f3d152e6d6bc6

SHA256
3d39fd3cfbe7b34f275f5b37b74fc9de1ebec01429b35b25cc536d5b481e341e

SHA512
25081415d7d1a402af233161e8461094ab89b610aaf8f486b85b64a37838b506d846e2927a7f97383e6ffe89d9291b77ddcc735857ac21aee118c22c972e69b4

Download Submit
memory/212-348-0x0000000000000000-mapping.dmp

Download
memory/616-311-0x00000000020B0000-0x00000000020F7000-memory.dmp

Filesize
284KB

Download
memory/616-309-0x00000000007E8000-0x0000000000812000-memory.dmp

Filesize
168KB

Download
memory/616-300-0x0000000000000000-mapping.dmp

Download
memory/628-285-0x0000000000000000-mapping.dmp

Download
memory/640-340-0x0000000000000000-mapping.dmp

Download
memory/1176-165-0x0000000140000000-0x0000000140606000-memory.dmp

Filesize
6.0MB

Download
memory/1176-139-0x0000000000000000-mapping.dmp

Download
memory/1292-350-0x0000000000000000-mapping.dmp

Download
memory/1292-362-0x0000000000779000-0x0000000000789000-memory.dmp

Filesize
64KB

Download
memory/1332-235-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1332-232-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/1332-137-0x0000000000000000-mapping.dmp

Download
memory/1332-281-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/1332-231-0x0000000000588000-0x0000000000598000-memory.dmp

Filesize
64KB

Download
memory/1332-275-0x0000000000588000-0x0000000000598000-memory.dmp

Filesize
64KB

Download
memory/1332-280-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1740-234-0x0000000006F30000-0x0000000006F96000-memory.dmp

Filesize
408KB

Download
memory/1740-155-0x0000000000000000-mapping.dmp

Download
memory/1740-202-0x0000000006120000-0x000000000615C000-memory.dmp

Filesize
240KB

Download
memory/1740-199-0x0000000005FD0000-0x00000000060DA000-memory.dmp

Filesize
1.0MB

Download
memory/1740-198-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/1740-180-0x0000000000400000-0x0000000000BB6000-memory.dmp

Filesize
7.7MB

Download
memory/1740-221-0x0000000000400000-0x0000000000BB6000-memory.dmp

Filesize
7.7MB

Download
memory/1740-292-0x0000000000400000-0x0000000000BB6000-memory.dmp

Filesize
7.7MB

Download
memory/1740-293-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/1740-230-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/1740-182-0x0000000000400000-0x0000000000BB6000-memory.dmp

Filesize
7.7MB

Download
memory/1740-185-0x0000000000400000-0x0000000000BB6000-memory.dmp

Filesize
7.7MB

Download
memory/1740-168-0x0000000000400000-0x0000000000BB6000-memory.dmp

Filesize
7.7MB

Download
memory/1740-186-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/1744-360-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1744-353-0x0000000000000000-mapping.dmp

Download
memory/1744-354-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2360-317-0x0000000000000000-mapping.dmp

Download
memory/2696-342-0x0000000003130000-0x00000000031EF000-memory.dmp

Filesize
764KB

Download
memory/2696-286-0x0000000000000000-mapping.dmp

Download
memory/2696-297-0x0000000002D50000-0x0000000002ECF000-memory.dmp

Filesize
1.5MB

Download
memory/2696-346-0x0000000003000000-0x0000000003127000-memory.dmp

Filesize
1.2MB

Download
memory/2696-343-0x00000000031F0000-0x0000000003299000-memory.dmp

Filesize
676KB

Download
memory/2696-289-0x0000000002910000-0x0000000002AC9000-memory.dmp

Filesize
1.7MB

Download
memory/2696-298-0x0000000003000000-0x0000000003127000-memory.dmp

Filesize
1.2MB

Download
memory/3004-171-0x0000000000400000-0x0000000000C05000-memory.dmp

Filesize
8.0MB

Download
memory/3004-183-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/3004-188-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/3004-228-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/3004-226-0x0000000000400000-0x0000000000C05000-memory.dmp

Filesize
8.0MB

Download
memory/3004-154-0x0000000000000000-mapping.dmp

Download
memory/3004-304-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/3004-303-0x0000000000400000-0x0000000000C05000-memory.dmp

Filesize
8.0MB

Download
memory/3004-175-0x0000000000400000-0x0000000000C05000-memory.dmp

Filesize
8.0MB

Download
memory/3004-179-0x0000000000400000-0x0000000000C05000-memory.dmp

Filesize
8.0MB

Download
memory/3004-200-0x0000000006150000-0x0000000006162000-memory.dmp

Filesize
72KB

Download
memory/3060-158-0x0000000000300000-0x0000000000DA5000-memory.dmp

Filesize
10.6MB

Download
memory/3060-135-0x0000000000300000-0x0000000000DA5000-memory.dmp

Filesize
10.6MB

Download
memory/3060-132-0x0000000000300000-0x0000000000DA5000-memory.dmp

Filesize
10.6MB

Download
memory/3060-177-0x0000000000300000-0x0000000000DA5000-memory.dmp

Filesize
10.6MB

Download
memory/3060-136-0x0000000000300000-0x0000000000DA5000-memory.dmp

Filesize
10.6MB

Download
memory/3384-189-0x0000000002299000-0x000000000232B000-memory.dmp

Filesize
584KB

Download
memory/3384-138-0x0000000000000000-mapping.dmp

Download
memory/3384-190-0x0000000002330000-0x000000000244B000-memory.dmp

Filesize
1.1MB

Download
memory/3520-140-0x0000000000000000-mapping.dmp

Download
memory/3640-141-0x0000000000000000-mapping.dmp

Download
memory/3732-178-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3732-291-0x00000000075D0000-0x0000000007AFC000-memory.dmp

Filesize
5.2MB

Download
memory/3732-181-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3732-174-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3732-290-0x0000000007400000-0x00000000075C2000-memory.dmp

Filesize
1.8MB

Download
memory/3732-157-0x0000000000000000-mapping.dmp

Download
memory/3732-176-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3732-229-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/3732-295-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3732-191-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/3732-296-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/3732-184-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/3732-227-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/3764-143-0x0000000000000000-mapping.dmp

Download
memory/3820-314-0x0000000000000000-mapping.dmp

Download
memory/4092-341-0x0000000000000000-mapping.dmp

Download
memory/4180-349-0x0000000000000000-mapping.dmp

Download
memory/4180-351-0x0000000002241000-0x00000000022D2000-memory.dmp

Filesize
580KB

Download
memory/4180-352-0x00000000022E0000-0x00000000023FB000-memory.dmp

Filesize
1.1MB

Download
memory/4216-313-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4216-305-0x0000000000000000-mapping.dmp

Download
memory/4216-339-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4216-318-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4216-306-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4216-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4216-308-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4384-338-0x0000000000000000-mapping.dmp

Download
memory/4508-347-0x0000000000000000-mapping.dmp

Download
memory/4536-358-0x0000000000E30000-0x0000000001210000-memory.dmp

Filesize
3.9MB

Download
memory/4536-355-0x0000000000000000-mapping.dmp

Download
memory/4832-312-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4832-266-0x0000000000000000-mapping.dmp

Download
memory/4832-269-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4832-270-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4832-274-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-142-0x0000000000000000-mapping.dmp

Download
memory/5152-361-0x0000000001200000-0x0000000001275000-memory.dmp

Filesize
468KB

Download
memory/5152-359-0x0000000000000000-mapping.dmp

Download
memory/5260-366-0x0000000000000000-mapping.dmp

Download
memory/5288-368-0x0000000000000000-mapping.dmp

Download
memory/5320-371-0x0000000000000000-mapping.dmp

Download
memory/5440-380-0x0000000000000000-mapping.dmp

Download
memory/5628-389-0x0000000000000000-mapping.dmp

Download
memory/5680-390-0x0000000000000000-mapping.dmp

Download
memory/5724-396-0x0000000000000000-mapping.dmp

Download
memory/5796-402-0x0000000000000000-mapping.dmp

Download
memory/8920-421-0x0000000000000000-mapping.dmp

Download
memory/8948-422-0x0000000000000000-mapping.dmp

Download
memory/8980-423-0x0000000000000000-mapping.dmp

Download
memory/9008-424-0x0000000000000000-mapping.dmp

Download
memory/9040-425-0x0000000000000000-mapping.dmp

Download
memory/9064-426-0x0000000000000000-mapping.dmp

Download
memory/9100-427-0x0000000000000000-mapping.dmp

Download
memory/9120-428-0x0000000000000000-mapping.dmp

Download
memory/9136-429-0x0000000000000000-mapping.dmp

Download
memory/9156-430-0x0000000000000000-mapping.dmp

Download
memory/9168-431-0x0000000000000000-mapping.dmp

Download
memory/9248-433-0x0000000000000000-mapping.dmp

Download
memory/9524-439-0x0000000000000000-mapping.dmp

Download
memory/9708-443-0x0000000000000000-mapping.dmp

Download
memory/9760-445-0x0000000000000000-mapping.dmp

Download
memory/9784-447-0x0000000000000000-mapping.dmp

Download
memory/9992-449-0x0000000000000000-mapping.dmp

Download
memory/10068-450-0x0000000000000000-mapping.dmp

Download
memory/10352-456-0x0000000000000000-mapping.dmp

Download
memory/23184-187-0x0000000000000000-mapping.dmp

Download
memory/60404-192-0x0000000000000000-mapping.dmp

Download
memory/60404-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/60404-196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/60404-193-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/60404-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/60404-241-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/60404-245-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/71632-243-0x0000000003210000-0x0000000003337000-memory.dmp

Filesize
1.2MB

Download
memory/71632-206-0x0000000002B20000-0x0000000002CD9000-memory.dmp

Filesize
1.7MB

Download
memory/71632-282-0x0000000003400000-0x00000000034A9000-memory.dmp

Filesize
676KB

Download
memory/71632-299-0x0000000003210000-0x0000000003337000-memory.dmp

Filesize
1.2MB

Download
memory/71632-273-0x0000000003340000-0x00000000033FF000-memory.dmp

Filesize
764KB

Download
memory/71632-197-0x0000000000000000-mapping.dmp

Download
memory/71632-242-0x0000000002F60000-0x00000000030DF000-memory.dmp

Filesize
1.5MB

Download
memory/111296-247-0x0000000005D10000-0x0000000005D86000-memory.dmp

Filesize
472KB

Download
memory/111296-207-0x0000000000000000-mapping.dmp

Download
memory/111296-208-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/111296-248-0x0000000006380000-0x00000000063D0000-memory.dmp

Filesize
320KB

Download
memory/123224-214-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/123224-213-0x0000000000000000-mapping.dmp

Download
memory/123280-236-0x0000000003F80000-0x00000000041D4000-memory.dmp

Filesize
2.3MB

Download
memory/123280-294-0x0000000003F80000-0x00000000041D4000-memory.dmp

Filesize
2.3MB

Download
memory/123280-219-0x0000000000000000-mapping.dmp

Download
memory/123308-220-0x0000000000000000-mapping.dmp

Download
memory/123344-224-0x0000000000000000-mapping.dmp

Download
memory/123396-225-0x0000000000000000-mapping.dmp

Download
memory/123824-244-0x0000000000000000-mapping.dmp

Download
memory/123824-265-0x00000000006BF000-0x0000000000751000-memory.dmp

Filesize
584KB

Download