Overview

overview

10

Static

static

3

winprofile

windows7-x64

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    245s
  • max time network
    257s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 22:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-18T22:52:06Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240221-en/instance_10-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe

  • Size

    3.3MB

  • MD5

    1e00263c4dbad7dbb9cca4b918ec62be

  • SHA1

    3de8769c5c9363eb7ad81e5327419b82b22d9b2e

  • SHA256

    78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88

  • SHA512

    9dee743fdbb19fab638b4a6047708e65e23e9c0c8347d15d9c31f008af8b9546aef6416838abbe09b81d92ce7b8d514de49e11939c431fb2e617299531270409

  • SSDEEP

    49152:xXmM3+IVJiicn3HpKoQyvf7+FagF+Iw5laSMuL:KdVjnac8VU

Score
10/10
gluptebasectopratstealczgratdiscoverydropperevasionloaderpersistenceratrootkitspywarestealerthemidatrojan

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Detects Arechclient2 RAT 1 IoCs

    Arechclient2.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 14 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Windows security bypass 2 TTPs 48 IoCs
    evasiontrojan
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 4 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 7 IoCs
  • Executes dropped EXE 25 IoCs
  • Loads dropped DLL 53 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Registers COM server for autorun 1 TTPs 14 IoCs
    persistence
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 15 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 26 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 15 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe
    "C:\Users\Admin\AppData\Local\Temp\78aa2a004e9732e8885518ed8b8a5fca9ad1f6a354f0593be978ea531ebf5a88.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe
        "C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\AppData\Local\Temp\u218.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u218.0.exe"
          4⤵
          • Executes dropped EXE
          PID:1336
        • C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
          "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1316
          • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
            C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2792
            • C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
              C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:2164
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\SysWOW64\cmd.exe
                7⤵
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:1488
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2844
        • C:\Users\Admin\AppData\Local\Temp\u218.1.exe
          "C:\Users\Admin\AppData\Local\Temp\u218.1.exe"
          4⤵
          • Blocklisted process makes network request
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:976
          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            5⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1444
      • C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe
        "C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
        • C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe
          "C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe"
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1976
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
              PID:1868
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                6⤵
                • Modifies Windows Firewall
                • Modifies data under HKEY_USERS
                PID:1880
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              5⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Manipulates WinMon driver.
              • Manipulates WinMonFS driver.
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious use of AdjustPrivilegeToken
              PID:1324
              • C:\Windows\system32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                6⤵
                • Creates scheduled task(s)
                PID:1496
              • C:\Windows\system32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                6⤵
                  PID:2128
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:616
                • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                  "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies system certificate store
                  PID:696
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1392
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2384
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2136
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2172
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:900
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:804
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:592
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1520
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1920
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2620
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2392
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -timeout 0
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:752
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                    7⤵
                    • Modifies boot configuration data using bcdedit
                    PID:2992
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\Sysnative\bcdedit.exe /v
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:368
                • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                  6⤵
                  • Executes dropped EXE
                  PID:1764
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:804
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2104
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    7⤵
                      PID:1744
                      • C:\Windows\SysWOW64\sc.exe
                        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        8⤵
                        • Launches sc.exe
                        PID:2304
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    6⤵
                    • Executes dropped EXE
                    PID:1996
            • C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe
              "C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe"
              3⤵
              • Modifies firewall policy service
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Drops file in System32 directory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2116
            • C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe
              "C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2236
              • C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe
                "C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe"
                4⤵
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Adds Run key to start application
                • Checks for VirtualBox DLLs, possible anti-VM trick
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:588
                • C:\Windows\system32\cmd.exe
                  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  5⤵
                    PID:2860
                    • C:\Windows\system32\netsh.exe
                      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      • Modifies data under HKEY_USERS
                      PID:752
              • C:\Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe
                "C:\Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe"
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2412
                • C:\Users\Admin\AppData\Local\Temp\7zS7B09.tmp\Install.exe
                  .\Install.exe /sQwdidHh "385118" /S
                  4⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Enumerates system info in registry
                  • Suspicious use of WriteProcessMemory
                  PID:2660
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                    5⤵
                      PID:1364
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        6⤵
                          PID:2592
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                            7⤵
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:808
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                              8⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1544
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\sFueCBO.exe\" em /jWsite_idhmH 385118 /S" /V1 /F
                        5⤵
                        • Drops file in Windows directory
                        • Creates scheduled task(s)
                        PID:2872
                  • C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe
                    "C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Adds Run key to start application
                    PID:1944
                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
                      4⤵
                      • Executes dropped EXE
                      PID:2556
                      • C:\Windows\system32\msiexec.exe
                        "msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
                        5⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:564
                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe
                        "ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"
                        5⤵
                        • Executes dropped EXE
                        PID:2208
              • C:\Windows\system32\makecab.exe
                "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240418224807.log C:\Windows\Logs\CBS\CbsPersist_20240418224807.cab
                1⤵
                • Drops file in Windows directory
                PID:2040
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {B07BA213-5105-4C21-8133-25BC25B5EA7D} S-1-5-18:NT AUTHORITY\System:Service:
                1⤵
                  PID:1772
                  • C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\sFueCBO.exe
                    C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\sFueCBO.exe em /jWsite_idhmH 385118 /S
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:2060
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /CREATE /TN "gbaVgHMcz" /SC once /ST 13:22:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                      3⤵
                      • Creates scheduled task(s)
                      PID:2628
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /run /I /tn "gbaVgHMcz"
                      3⤵
                        PID:2536
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /DELETE /F /TN "gbaVgHMcz"
                        3⤵
                          PID:2212
                        • C:\Windows\SysWOW64\forfiles.exe
                          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                          3⤵
                            PID:2172
                            • C:\Windows\SysWOW64\cmd.exe
                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                              4⤵
                                PID:2592
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                  5⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1048
                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                    6⤵
                                      PID:2856
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                3⤵
                                  PID:1552
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                    4⤵
                                    • Windows security bypass
                                    PID:1760
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                  3⤵
                                    PID:768
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                      4⤵
                                      • Windows security bypass
                                      PID:2544
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                    3⤵
                                      PID:976
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                          PID:2324
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                        3⤵
                                          PID:2332
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                            4⤵
                                              PID:320
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /C copy nul "C:\Windows\Temp\ofqvFcNvzeRditbz\cgGBtPpW\ZnnFvSSLsnAqujjF.wsf"
                                            3⤵
                                              PID:1580
                                            • C:\Windows\SysWOW64\wscript.exe
                                              wscript "C:\Windows\Temp\ofqvFcNvzeRditbz\cgGBtPpW\ZnnFvSSLsnAqujjF.wsf"
                                              3⤵
                                              • Modifies data under HKEY_USERS
                                              PID:2584
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:1084
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:1928
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:896
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:844
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:948
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:2556
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:2964
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:2316
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:2480
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:2780
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:1336
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:472
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:2648
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:2452
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:2640
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:772
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • Windows security bypass
                                                PID:2008
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • Windows security bypass
                                                PID:2100
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                  PID:268
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                    PID:3060
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
                                                    4⤵
                                                      PID:860
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
                                                      4⤵
                                                        PID:2676
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
                                                        4⤵
                                                          PID:1568
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
                                                          4⤵
                                                            PID:2752
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
                                                            4⤵
                                                              PID:1548
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                                PID:1644
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
                                                                4⤵
                                                                  PID:1228
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                    PID:1612
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:32
                                                                    4⤵
                                                                      PID:1152
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:64
                                                                      4⤵
                                                                        PID:1340
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                        4⤵
                                                                          PID:2544
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                          4⤵
                                                                            PID:1988
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:32
                                                                            4⤵
                                                                              PID:580
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:64
                                                                              4⤵
                                                                                PID:1284
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                                                                4⤵
                                                                                  PID:2764
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                                                                  4⤵
                                                                                    PID:2012
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 13:23:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\CUdetjK.exe\" XT /kNsite_idbsq 385118 /S" /V1 /F
                                                                                  3⤵
                                                                                  • Drops file in Windows directory
                                                                                  • Creates scheduled task(s)
                                                                                  PID:1084
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
                                                                                  3⤵
                                                                                    PID:3012
                                                                                • C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\CUdetjK.exe
                                                                                  C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\CUdetjK.exe XT /kNsite_idbsq 385118 /S
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2900
                                                                              • C:\Windows\system32\taskeng.exe
                                                                                taskeng.exe {61AA9AB5-4E98-4339-96D9-68EF38696924} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
                                                                                1⤵
                                                                                  PID:1964
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                    2⤵
                                                                                    • Drops file in System32 directory
                                                                                    PID:1652
                                                                                • C:\Windows\system32\conhost.exe
                                                                                  \??\C:\Windows\system32\conhost.exe "203462384520694511121674682573-59992902-838402070-10282334942102251667920709872"
                                                                                  1⤵
                                                                                    PID:752
                                                                                  • C:\Windows\system32\conhost.exe
                                                                                    \??\C:\Windows\system32\conhost.exe "-1982076386-8675732021045358854-1483696871-20723256251992020119727035630-1888522332"
                                                                                    1⤵
                                                                                      PID:1552
                                                                                    • C:\Windows\system32\conhost.exe
                                                                                      \??\C:\Windows\system32\conhost.exe "541776750-1527155537-17951485294426705191882601671-1973188620-1403114785-1991592361"
                                                                                      1⤵
                                                                                        PID:2324
                                                                                      • C:\Windows\system32\conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe "-1454516518-12690284671813860376-644918360-9932794281372920940-1608276515-1658595344"
                                                                                        1⤵
                                                                                          PID:2792
                                                                                        • C:\Windows\system32\msiexec.exe
                                                                                          C:\Windows\system32\msiexec.exe /V
                                                                                          1⤵
                                                                                          • Blocklisted process makes network request
                                                                                          • Registers COM server for autorun
                                                                                          • Enumerates connected drives
                                                                                          • Drops file in Program Files directory
                                                                                          • Drops file in Windows directory
                                                                                          • Modifies data under HKEY_USERS
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2648
                                                                                          • C:\Windows\system32\MsiExec.exe
                                                                                            C:\Windows\system32\MsiExec.exe -Embedding 1C17C1A7F538DFDF991874E991D0D9AA
                                                                                            2⤵
                                                                                            • Loads dropped DLL
                                                                                            PID:876
                                                                                          • C:\Windows\system32\MsiExec.exe
                                                                                            C:\Windows\system32\MsiExec.exe -Embedding 722E34B6BB27570E54E1DD9658435C24 M Global\MSI0000
                                                                                            2⤵
                                                                                            • Drops file in Drivers directory
                                                                                            • Loads dropped DLL
                                                                                            • Drops file in System32 directory
                                                                                            • Drops file in Windows directory
                                                                                            • Modifies data under HKEY_USERS
                                                                                            PID:1032
                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding E98947DECF2095C6C100262927A51456 M Global\MSI0000
                                                                                            2⤵
                                                                                              PID:2616
                                                                                          • C:\Windows\system32\LogonUI.exe
                                                                                            "LogonUI.exe" /flags:0x0
                                                                                            1⤵
                                                                                              PID:2460
                                                                                            • C:\Windows\windefender.exe
                                                                                              C:\Windows\windefender.exe
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2328
                                                                                            • C:\Windows\system32\LogonUI.exe
                                                                                              "LogonUI.exe" /flags:0x1
                                                                                              1⤵
                                                                                                PID:3000

                                                                                              Network

                                                                                              MITRE ATT&CK Enterprise v15

                                                                                              Reconnaissance

                                                                                              Resource Development

                                                                                              Initial Access

                                                                                              Execution

                                                                                              Command and Scripting Interpreter

                                                                                              1
                                                                                              T1059

                                                                                              Scheduled Task/Job

                                                                                              1
                                                                                              T1053

                                                                                              Persistence

                                                                                              Boot or Logon Autostart Execution

                                                                                              2
                                                                                              T1547

                                                                                              Registry Run Keys / Startup Folder

                                                                                              2
                                                                                              T1547.001

                                                                                              Create or Modify System Process

                                                                                              2
                                                                                              T1543

                                                                                              Windows Service

                                                                                              2
                                                                                              T1543.003

                                                                                              Scheduled Task/Job

                                                                                              1
                                                                                              T1053

                                                                                              Privilege Escalation

                                                                                              Boot or Logon Autostart Execution

                                                                                              2
                                                                                              T1547

                                                                                              Registry Run Keys / Startup Folder

                                                                                              2
                                                                                              T1547.001

                                                                                              Create or Modify System Process

                                                                                              2
                                                                                              T1543

                                                                                              Windows Service

                                                                                              2
                                                                                              T1543.003

                                                                                              Scheduled Task/Job

                                                                                              1
                                                                                              T1053

                                                                                              Defense Evasion

                                                                                              Impair Defenses

                                                                                              4
                                                                                              T1562

                                                                                              Disable or Modify System Firewall

                                                                                              1
                                                                                              T1562.004

                                                                                              Disable or Modify Tools

                                                                                              2
                                                                                              T1562.001

                                                                                              Modify Registry

                                                                                              5
                                                                                              T1112

                                                                                              Subvert Trust Controls

                                                                                              1
                                                                                              T1553

                                                                                              Install Root Certificate

                                                                                              1
                                                                                              T1553.004

                                                                                              Virtualization/Sandbox Evasion

                                                                                              1
                                                                                              T1497

                                                                                              Credential Access

                                                                                              Unsecured Credentials

                                                                                              2
                                                                                              T1552

                                                                                              Credentials In Files

                                                                                              2
                                                                                              T1552.001

                                                                                              Discovery

                                                                                              Peripheral Device Discovery

                                                                                              2
                                                                                              T1120

                                                                                              Query Registry

                                                                                              7
                                                                                              T1012

                                                                                              System Information Discovery

                                                                                              7
                                                                                              T1082

                                                                                              Virtualization/Sandbox Evasion

                                                                                              1
                                                                                              T1497

                                                                                              Lateral Movement

                                                                                              Collection

                                                                                              Data from Local System

                                                                                              2
                                                                                              T1005

                                                                                              Command and Control

                                                                                              Web Service

                                                                                              1
                                                                                              T1102

                                                                                              Exfiltration

                                                                                              Impact

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • C:\Config.Msi\f790514.rbs
                                                                                                Filesize

                                                                                                893KB

                                                                                                MD5

                                                                                                87a0db68588f824f1adbe84a935cf58a

                                                                                                SHA1

                                                                                                fb33a5054e140f547e0ad964805154d9fe61c32a

                                                                                                SHA256

                                                                                                24dbac61bb08a2e3dd8ff2f28f643207197fae8e9fbc8180e686477d7a096efa

                                                                                                SHA512

                                                                                                93e0a9477c5c99d55be944eb9cc669b9f96636af2909d273141516a92c642073f914f6c33b9562424c5c88e9abcb8a7379e015641cb0b635e1db9cfe750b4cf2

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
                                                                                                Filesize

                                                                                                579B

                                                                                                MD5

                                                                                                f55da450a5fb287e1e0f0dcc965756ca

                                                                                                SHA1

                                                                                                7e04de896a3e666d00e687d33ffad93be83d349e

                                                                                                SHA256

                                                                                                31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

                                                                                                SHA512

                                                                                                19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                                                                                                Filesize

                                                                                                68KB

                                                                                                MD5

                                                                                                29f65ba8e88c063813cc50a4ea544e93

                                                                                                SHA1

                                                                                                05a7040d5c127e68c25d81cc51271ffb8bef3568

                                                                                                SHA256

                                                                                                1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

                                                                                                SHA512

                                                                                                e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
                                                                                                Filesize

                                                                                                252B

                                                                                                MD5

                                                                                                64325c94277baf404d9c8f2448d354d3

                                                                                                SHA1

                                                                                                c4382b8e1f45f8e524d712e136ae2046a97f4b08

                                                                                                SHA256

                                                                                                c8f37c2786402ed236b16e2a0821e59a88a133839a1d4f6b5834ab393d9d77ba

                                                                                                SHA512

                                                                                                613e9be9b0dbd7b76e4419e2613b9346c452d92945f9730e11c7834f329301fc842442ae1fd49fb3f3fe259c25ec00cc16f3e8d3ee11f3d9daea300fd6facb66

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                Filesize

                                                                                                344B

                                                                                                MD5

                                                                                                7710037550d223d57f429f2ee1fbacd6

                                                                                                SHA1

                                                                                                fa951d3b6913dcb8dce97817064bd691b67029f2

                                                                                                SHA256

                                                                                                4b8b7fe46d212a22b32988d8db1e11eb368f07b35da861e9985a0efce19e463d

                                                                                                SHA512

                                                                                                93db15affc17718b757db16f6b5cccf47753de7c8416e640026fb05ab7ba30c5640f49bb73921c46dc7e5fe37f701157519f52b4755f27da3b2ec989a8821109

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                Filesize

                                                                                                344B

                                                                                                MD5

                                                                                                8b87b71bad131c517193e9e82a051c65

                                                                                                SHA1

                                                                                                4f1674a3a4f18675262c97de90e9a652e8be66e7

                                                                                                SHA256

                                                                                                c7aaf07d21096882050faed465eb3215bfda8cbd837e45ec8b89e4797bf53050

                                                                                                SHA512

                                                                                                d8b6d791dffbeaa167d5f2d2c5990529653b9f78a37afcfa4c14c5e67fb19258f251a643e9aa8d5158a0e894b06e1e6c05926299431d4262d8bc754c2e33fd54

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                Filesize

                                                                                                344B

                                                                                                MD5

                                                                                                4a91a99a92ca30b851826618054092fb

                                                                                                SHA1

                                                                                                58f2d961cd5cdde08f7524550d3176f56f15b313

                                                                                                SHA256

                                                                                                4d7df662990bf1fa0aa0b04a7fac725a3a56002d708850a4dc63b41b01c44704

                                                                                                SHA512

                                                                                                e0f4fda454bd6a9fc9f7955bf5dfe8439c568e15db59fe2538b24d7341363b917ce9ebc9c28341bfa1e23df98b967367e192924b28b4c0a68a706456b82857d7

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                Filesize

                                                                                                344B

                                                                                                MD5

                                                                                                df8c52baa360b337e9ec27a44e492396

                                                                                                SHA1

                                                                                                a96b0a1b49a64139bf3656a8e5f71b8a0dfb1739

                                                                                                SHA256

                                                                                                92fd439bbf16c060be098e0aae62bfd7bfa891d77429d30c413af2a179104cf2

                                                                                                SHA512

                                                                                                9e4a17ff3f919a7f6e1882caee127fa90f63d41f3053b40a06e4eb920a2a13abd3360f3d1e604c7f183e2e010e5e037a1b0cf04b8d6f7cc45b97798c46706933

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bc5a16429b969030a00931a912ea760b7142040cd6caa90f2a646358beabd092\c3a51667159e48bd9362655730c61669.tmp
                                                                                                Filesize

                                                                                                1KB

                                                                                                MD5

                                                                                                f8c5e31cba52f5870127b810dc1fb36d

                                                                                                SHA1

                                                                                                0475b1826078af96e53c766ebfe8b139a6b9bfb4

                                                                                                SHA256

                                                                                                ca7db1e72cd9b94d17dd6ae6b343182402ad962d15e391e560104087c05aefba

                                                                                                SHA512

                                                                                                ff943b62f9cbb1dd5b3ee935b4691da0f79499d0cce076483e0b25fec094857aaf556f796a2dbc5340d0726394733af564265ff9726dfd64dca40cac86f11904

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\2f9c501d
                                                                                                Filesize

                                                                                                5.9MB

                                                                                                MD5

                                                                                                dcc26dd014bad9eafa9066d3781b615d

                                                                                                SHA1

                                                                                                b0cb8621ca58a196ac73bed4e525deacfaf2d836

                                                                                                SHA256

                                                                                                69502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3

                                                                                                SHA512

                                                                                                5a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\393e504f
                                                                                                Filesize

                                                                                                1.4MB

                                                                                                MD5

                                                                                                cda7648dc1b35d8c3b7bbbe65cd3d2e9

                                                                                                SHA1

                                                                                                c94a9b4d675adb5de095bf0e303528b55a1c4a24

                                                                                                SHA256

                                                                                                a171c7715855e855a7aa577ef947930333b5722bd847ed537cd2b7c959a65335

                                                                                                SHA512

                                                                                                b76bf79de517784d9807405903e0015a3df3058329dd0896bc005e4d189695dbd69700ba8b304e431fed6c364ed661caff956be15e3bf9f67e544f220b6c9241

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Cab5090.tmp
                                                                                                Filesize

                                                                                                65KB

                                                                                                MD5

                                                                                                ac05d27423a85adc1622c714f2cb6184

                                                                                                SHA1

                                                                                                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                                                                                                SHA256

                                                                                                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                                                                                                SHA512

                                                                                                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Cab898C.tmp
                                                                                                Filesize

                                                                                                29KB

                                                                                                MD5

                                                                                                d59a6b36c5a94916241a3ead50222b6f

                                                                                                SHA1

                                                                                                e274e9486d318c383bc4b9812844ba56f0cff3c6

                                                                                                SHA256

                                                                                                a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

                                                                                                SHA512

                                                                                                17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
                                                                                                Filesize

                                                                                                8.3MB

                                                                                                MD5

                                                                                                fd2727132edd0b59fa33733daa11d9ef

                                                                                                SHA1

                                                                                                63e36198d90c4c2b9b09dd6786b82aba5f03d29a

                                                                                                SHA256

                                                                                                3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

                                                                                                SHA512

                                                                                                3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
                                                                                                Filesize

                                                                                                492KB

                                                                                                MD5

                                                                                                fafbf2197151d5ce947872a4b0bcbe16

                                                                                                SHA1

                                                                                                a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

                                                                                                SHA256

                                                                                                feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

                                                                                                SHA512

                                                                                                acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Tar51CD.tmp
                                                                                                Filesize

                                                                                                171KB

                                                                                                MD5

                                                                                                9c0c641c06238516f27941aa1166d427

                                                                                                SHA1

                                                                                                64cd549fb8cf014fcd9312aa7a5b023847b6c977

                                                                                                SHA256

                                                                                                4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                                                                                                SHA512

                                                                                                936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Tar52AD.tmp
                                                                                                Filesize

                                                                                                177KB

                                                                                                MD5

                                                                                                435a9ac180383f9fa094131b173a2f7b

                                                                                                SHA1

                                                                                                76944ea657a9db94f9a4bef38f88c46ed4166983

                                                                                                SHA256

                                                                                                67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

                                                                                                SHA512

                                                                                                1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Tar89BE.tmp
                                                                                                Filesize

                                                                                                81KB

                                                                                                MD5

                                                                                                b13f51572f55a2d31ed9f266d581e9ea

                                                                                                SHA1

                                                                                                7eef3111b878e159e520f34410ad87adecf0ca92

                                                                                                SHA256

                                                                                                725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

                                                                                                SHA512

                                                                                                f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dll
                                                                                                Filesize

                                                                                                1.6MB

                                                                                                MD5

                                                                                                8f75e17a8bf3de6e22e77b5586f8a869

                                                                                                SHA1

                                                                                                e0bf196cfc19a8772e003b9058bdc211b419b261

                                                                                                SHA256

                                                                                                5f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985

                                                                                                SHA512

                                                                                                5a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
                                                                                                Filesize

                                                                                                2.4MB

                                                                                                MD5

                                                                                                9fb4770ced09aae3b437c1c6eb6d7334

                                                                                                SHA1

                                                                                                fe54b31b0db8665aa5b22bed147e8295afc88a03

                                                                                                SHA256

                                                                                                a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

                                                                                                SHA512

                                                                                                140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\somebody.rtf
                                                                                                Filesize

                                                                                                24KB

                                                                                                MD5

                                                                                                ff36ebcf134c8846aea77446867e5bc6

                                                                                                SHA1

                                                                                                53fdf2c0bec711e377edb4f97cd147728fb568f6

                                                                                                SHA256

                                                                                                e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9

                                                                                                SHA512

                                                                                                b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\spawn.xml
                                                                                                Filesize

                                                                                                1.3MB

                                                                                                MD5

                                                                                                2d8de35aa00138b2bfc4fb0fc3d0f58b

                                                                                                SHA1

                                                                                                28c2d84e01815702c230da456aaa17c7d2519186

                                                                                                SHA256

                                                                                                19340e9202db71d8010563c8b8d325cbef5d8448a8df2ad730e74a5a46e36dac

                                                                                                SHA512

                                                                                                378116bc71de9f968aaef6ca27944e341a9a825a92831f5834c396160581f5e3656d3b6d1c2a304a65a74c0dd9ca0c50fb0e0016b6174d1fab68909ea1c95128

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\_isD7FD.tmp
                                                                                                Filesize

                                                                                                1KB

                                                                                                MD5

                                                                                                9bcd3291daba5a496ef2d8b5bd084641

                                                                                                SHA1

                                                                                                2d21278f834244edd85ffdd14b70beed842d253b

                                                                                                SHA256

                                                                                                68d3b84ffdb232331de3571ca1adfcef53a0b921cba6fe1e6960eb7144b2b639

                                                                                                SHA512

                                                                                                d8375d3d0ebec313824dacb0b2214dc0a9ed8edbca095fd219f07bc960707c1e6b53d46ad8d7951a6c2c769179bd58a4c50a8d5f266d992b4507917bfc1a7f49

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                Filesize

                                                                                                2KB

                                                                                                MD5

                                                                                                4dd34524633cd4bdc27353ab8aa63162

                                                                                                SHA1

                                                                                                bf79c0dc11b9e21f67279763eeb4d9d612c2dd25

                                                                                                SHA256

                                                                                                9550017b1ebf2a085110fc562670581e0a0cb433859cd457c63e68c951e01155

                                                                                                SHA512

                                                                                                11f221f58edd2ea51b334fa07e0e27bd245dd23012aa5e8b26764a1df370aa068cd1a061a894fa932a62eeef5ed5858cf17e3bd2d2044a88ca0e22f2b3e8285f

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                Filesize

                                                                                                3KB

                                                                                                MD5

                                                                                                0892a034b51395da833cad99be174d1c

                                                                                                SHA1

                                                                                                08b5cdde6d029c9b92be89cdfe2587eb7b82dcfa

                                                                                                SHA256

                                                                                                cb2925ec7677a857faac944cb791268022846d3f8bfb6ac1557f2aed1c107e8d

                                                                                                SHA512

                                                                                                01aab7964966a79dafa7bae34f7db6d78129c599fb326902683caf3b31e88dd8eb12e66eca15ed72157a59a823d06e6bdd66673915da5f296f1e5375756b9fbb

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                                                                                                Filesize

                                                                                                5.3MB

                                                                                                MD5

                                                                                                1afff8d5352aecef2ecd47ffa02d7f7d

                                                                                                SHA1

                                                                                                8b115b84efdb3a1b87f750d35822b2609e665bef

                                                                                                SHA256

                                                                                                c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

                                                                                                SHA512

                                                                                                e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\osloader.exe
                                                                                                Filesize

                                                                                                591KB

                                                                                                MD5

                                                                                                e2f68dc7fbd6e0bf031ca3809a739346

                                                                                                SHA1

                                                                                                9c35494898e65c8a62887f28e04c0359ab6f63f5

                                                                                                SHA256

                                                                                                b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

                                                                                                SHA512

                                                                                                26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp27CE.tmp
                                                                                                Filesize

                                                                                                20KB

                                                                                                MD5

                                                                                                c9ff7748d8fcef4cf84a5501e996a641

                                                                                                SHA1

                                                                                                02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

                                                                                                SHA256

                                                                                                4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

                                                                                                SHA512

                                                                                                d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\u218.0.exe
                                                                                                Filesize

                                                                                                306KB

                                                                                                MD5

                                                                                                9e7bd4e6b0220bbb8c4068a02939e692

                                                                                                SHA1

                                                                                                92b8c83e84d6823bf4cf5238f368c27e5243241d

                                                                                                SHA256

                                                                                                a547ce72c56e28616970d53b15e05cf4532a20384cae7a72b8428789a48028ef

                                                                                                SHA512

                                                                                                7c1a0dcdcbeb988679ad24cbef85bd0b3f6c6c41c8699d506be3a1d6b0542fff0f6ec85eb53fe98278f787cd108771e2d168e2a9080327706edc629c41f57522

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\{AE0CC176-7BB4-4148-8D28-968651829072}\0x0409.ini
                                                                                                Filesize

                                                                                                21KB

                                                                                                MD5

                                                                                                be345d0260ae12c5f2f337b17e07c217

                                                                                                SHA1

                                                                                                0976ba0982fe34f1c35a0974f6178e15c238ed7b

                                                                                                SHA256

                                                                                                e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

                                                                                                SHA512

                                                                                                77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\~D7FA.tmp
                                                                                                Filesize

                                                                                                5KB

                                                                                                MD5

                                                                                                b2403c034d0c2c07070ba6b062c48533

                                                                                                SHA1

                                                                                                93e3c85774ec538076dbb8a3861a7b5528e51b43

                                                                                                SHA256

                                                                                                4a2d804078cc2018e07ce42591cc5fbf0885208fcbf936083251335cb60d27a4

                                                                                                SHA512

                                                                                                a268a5a4e49c60b6c8ca2052f8f1915aff84d48b1fbb96f744848abbf75c109a730b1a77541c48fc31c201ac431055bcd7ae3477ba03adb40d69aa5e01c0d0fa

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe
                                                                                                Filesize

                                                                                                412KB

                                                                                                MD5

                                                                                                de80642fb2f8899376ddd32843483e69

                                                                                                SHA1

                                                                                                607ba145e991b4e105d1dadb14fe2ac4b9263582

                                                                                                SHA256

                                                                                                9e3c984d86db667bc29a0b19ca3d5fe5298d1e57ffe935d26ab8903cdc795d96

                                                                                                SHA512

                                                                                                1a2f413b9bee069706f2b639f11cfe65bd6b503c9f81c5ec370d514ad2132c8eb558d4f985234089b2496c094b7ac71e61b2b7c620f1a297b22b4111a6488a66

                                                                                                Download Submit
                                                                                              • C:\Windows\Installer\MSIB74B.tmp
                                                                                                Filesize

                                                                                                195KB

                                                                                                MD5

                                                                                                4298cfa3dab9867af517722fe69b1333

                                                                                                SHA1

                                                                                                ab4809f8c9282e599aa64a8ca9900b09b98e0425

                                                                                                SHA256

                                                                                                cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8

                                                                                                SHA512

                                                                                                37b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b

                                                                                                Download Submit
                                                                                              • C:\Windows\Installer\f790510.msi
                                                                                                Filesize

                                                                                                101.9MB

                                                                                                MD5

                                                                                                a198248d82bcfe0548af2dd8b5d234c9

                                                                                                SHA1

                                                                                                b48db4ee1171682510b7f9768a119da78937f0bd

                                                                                                SHA256

                                                                                                5e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb

                                                                                                SHA512

                                                                                                ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878

                                                                                                Download Submit
                                                                                              • C:\Windows\System32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.sys
                                                                                                Filesize

                                                                                                1013KB

                                                                                                MD5

                                                                                                321ccdb9223b0801846b9ad131ac4d81

                                                                                                SHA1

                                                                                                ac8fb0fc82a8c30b57962fe5d869fda534053404

                                                                                                SHA256

                                                                                                05045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b

                                                                                                SHA512

                                                                                                75b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a

                                                                                                Download Submit
                                                                                              • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                Filesize

                                                                                                127B

                                                                                                MD5

                                                                                                8ef9853d1881c5fe4d681bfb31282a01

                                                                                                SHA1

                                                                                                a05609065520e4b4e553784c566430ad9736f19f

                                                                                                SHA256

                                                                                                9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                                                                                                SHA512

                                                                                                5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                                                                                                Download Submit
                                                                                              • \Users\Admin\AppData\Local\Temp\7zS7B09.tmp\Install.exe
                                                                                                Filesize

                                                                                                6.8MB

                                                                                                MD5

                                                                                                e77964e011d8880eae95422769249ca4

                                                                                                SHA1

                                                                                                8e15d7c4b7812a1da6c91738c7178adf0ff3200f

                                                                                                SHA256

                                                                                                f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50

                                                                                                SHA512

                                                                                                8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

                                                                                                Download Submit
                                                                                              • \Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                Filesize

                                                                                                14.7MB

                                                                                                MD5

                                                                                                6955715b6ff15bdc153a2431cc395cca

                                                                                                SHA1

                                                                                                272e1eec66a1871b300484b2200b507a4abe5420

                                                                                                SHA256

                                                                                                a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761

                                                                                                SHA512

                                                                                                cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d

                                                                                                Download Submit
                                                                                              • \Users\Admin\AppData\Local\Temp\Zqicom_beta\relay.dll
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                MD5

                                                                                                7d2f87123e63950159fb2c724e55bdab

                                                                                                SHA1

                                                                                                360f304a6311080e1fead8591cb4659a8d135f2d

                                                                                                SHA256

                                                                                                b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a

                                                                                                SHA512

                                                                                                6cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08

                                                                                                Download Submit
                                                                                              • \Users\Admin\AppData\Local\Temp\u218.1.exe
                                                                                                Filesize

                                                                                                4.6MB

                                                                                                MD5

                                                                                                397926927bca55be4a77839b1c44de6e

                                                                                                SHA1

                                                                                                e10f3434ef3021c399dbba047832f02b3c898dbd

                                                                                                SHA256

                                                                                                4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

                                                                                                SHA512

                                                                                                cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

                                                                                                Download Submit
                                                                                              • \Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe
                                                                                                Filesize

                                                                                                6.5MB

                                                                                                MD5

                                                                                                5d5da0738299d8893b79a6c926765e5f

                                                                                                SHA1

                                                                                                b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1

                                                                                                SHA256

                                                                                                53c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3

                                                                                                SHA512

                                                                                                d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26

                                                                                                Download Submit
                                                                                              • \Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe
                                                                                                Filesize

                                                                                                3.8MB

                                                                                                MD5

                                                                                                193692e1cf957eef7e6cf2f6bc74be86

                                                                                                SHA1

                                                                                                9d1f849b57c96ca71f0f90c73de97fa912b691d7

                                                                                                SHA256

                                                                                                fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6

                                                                                                SHA512

                                                                                                d0bcad2b98e5efc9c767f9a6ad87a6d62638131753bff22b21b883d90c23be17b65594b6d8c4510b255f28806b2a1dc2a01fc0e2138c3146d6e64abcd4a37697

                                                                                                Download Submit
                                                                                              • \Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe
                                                                                                Filesize

                                                                                                4.2MB

                                                                                                MD5

                                                                                                1842fc317e5a1d69802a698ae55c38f2

                                                                                                SHA1

                                                                                                151e6beea179734ac936b9a09553694497ac25b5

                                                                                                SHA256

                                                                                                3a28b148d121751482a29d954aeed15f8ae208f86cd3ed6b819c5c5c842e0cf9

                                                                                                SHA512

                                                                                                c625d83b286c3e704f43ec80a4fed5c91bba6929c1c89e23bdc642d8778ea063507b578a7ef74368c815f4baf03fc1a8edfb4b3d9449619c3651a8cf33b139c2

                                                                                                Download Submit
                                                                                              • memory/588-540-0x0000000003250000-0x0000000003648000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/588-627-0x0000000003250000-0x0000000003648000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/588-623-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/588-653-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/808-545-0x000000006F480000-0x000000006FA2B000-memory.dmp
                                                                                                Filesize

                                                                                                5.7MB

                                                                                                Download
                                                                                              • memory/976-569-0x0000000000400000-0x00000000008AD000-memory.dmp
                                                                                                Filesize

                                                                                                4.7MB

                                                                                                Download
                                                                                              • memory/976-555-0x0000000000400000-0x00000000008AD000-memory.dmp
                                                                                                Filesize

                                                                                                4.7MB

                                                                                                Download
                                                                                              • memory/1028-10-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1028-2-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1028-3-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1028-637-0x0000000008AC0000-0x00000000095A2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/1028-287-0x0000000008AC0000-0x00000000095A2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/1028-4-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1028-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/1028-6-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1028-8-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1028-0-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                Filesize

                                                                                                32KB

                                                                                                Download
                                                                                              • memory/1048-671-0x000000006E830000-0x000000006EDDB000-memory.dmp
                                                                                                Filesize

                                                                                                5.7MB

                                                                                                Download
                                                                                              • memory/1048-674-0x000000006E830000-0x000000006EDDB000-memory.dmp
                                                                                                Filesize

                                                                                                5.7MB

                                                                                                Download
                                                                                              • memory/1048-673-0x0000000001120000-0x0000000001160000-memory.dmp
                                                                                                Filesize

                                                                                                256KB

                                                                                                Download
                                                                                              • memory/1048-672-0x0000000001120000-0x0000000001160000-memory.dmp
                                                                                                Filesize

                                                                                                256KB

                                                                                                Download
                                                                                              • memory/1316-504-0x000007FEF5370000-0x000007FEF54C8000-memory.dmp
                                                                                                Filesize

                                                                                                1.3MB

                                                                                                Download
                                                                                              • memory/1316-481-0x000007FEF5370000-0x000007FEF54C8000-memory.dmp
                                                                                                Filesize

                                                                                                1.3MB

                                                                                                Download
                                                                                              • memory/1316-403-0x0000000000400000-0x00000000012DD000-memory.dmp
                                                                                                Filesize

                                                                                                14.9MB

                                                                                                Download
                                                                                              • memory/1316-412-0x000007FEF5370000-0x000007FEF54C8000-memory.dmp
                                                                                                Filesize

                                                                                                1.3MB

                                                                                                Download
                                                                                              • memory/1324-664-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1324-663-0x00000000031B0000-0x00000000035A8000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/1336-327-0x0000000000400000-0x000000000084E000-memory.dmp
                                                                                                Filesize

                                                                                                4.3MB

                                                                                                Download
                                                                                              • memory/1336-326-0x00000000002B0000-0x00000000002D7000-memory.dmp
                                                                                                Filesize

                                                                                                156KB

                                                                                                Download
                                                                                              • memory/1336-362-0x0000000000400000-0x000000000084E000-memory.dmp
                                                                                                Filesize

                                                                                                4.3MB

                                                                                                Download
                                                                                              • memory/1336-325-0x00000000008D0000-0x00000000009D0000-memory.dmp
                                                                                                Filesize

                                                                                                1024KB

                                                                                                Download
                                                                                              • memory/1444-574-0x00000000013A0000-0x0000000004C98000-memory.dmp
                                                                                                Filesize

                                                                                                57.0MB

                                                                                                Download
                                                                                              • memory/1444-665-0x0000000000400000-0x000000000040A000-memory.dmp
                                                                                                Filesize

                                                                                                40KB

                                                                                                Download
                                                                                              • memory/1444-619-0x000000001E610000-0x000000001E63A000-memory.dmp
                                                                                                Filesize

                                                                                                168KB

                                                                                                Download
                                                                                              • memory/1444-629-0x00000000003E0000-0x00000000003EA000-memory.dmp
                                                                                                Filesize

                                                                                                40KB

                                                                                                Download
                                                                                              • memory/1444-618-0x0000000000B30000-0x0000000000B3A000-memory.dmp
                                                                                                Filesize

                                                                                                40KB

                                                                                                Download
                                                                                              • memory/1444-613-0x0000000000D40000-0x0000000000D64000-memory.dmp
                                                                                                Filesize

                                                                                                144KB

                                                                                                Download
                                                                                              • memory/1444-611-0x000000001EBD0000-0x000000001EC50000-memory.dmp
                                                                                                Filesize

                                                                                                512KB

                                                                                                Download
                                                                                              • memory/1444-626-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/1444-610-0x00000000006D0000-0x00000000006E4000-memory.dmp
                                                                                                Filesize

                                                                                                80KB

                                                                                                Download
                                                                                              • memory/1444-661-0x0000000000400000-0x000000000040A000-memory.dmp
                                                                                                Filesize

                                                                                                40KB

                                                                                                Download
                                                                                              • memory/1444-622-0x0000000000DE0000-0x0000000000E5A000-memory.dmp
                                                                                                Filesize

                                                                                                488KB

                                                                                                Download
                                                                                              • memory/1444-602-0x000007FEF4470000-0x000007FEF4E5C000-memory.dmp
                                                                                                Filesize

                                                                                                9.9MB

                                                                                                Download
                                                                                              • memory/1444-593-0x00000000006E0000-0x00000000006EC000-memory.dmp
                                                                                                Filesize

                                                                                                48KB

                                                                                                Download
                                                                                              • memory/1444-625-0x0000000001320000-0x0000000001382000-memory.dmp
                                                                                                Filesize

                                                                                                392KB

                                                                                                Download
                                                                                              • memory/1444-634-0x000000001F9D0000-0x000000001FCD0000-memory.dmp
                                                                                                Filesize

                                                                                                3.0MB

                                                                                                Download
                                                                                              • memory/1444-621-0x000000001F240000-0x000000001F2F2000-memory.dmp
                                                                                                Filesize

                                                                                                712KB

                                                                                                Download
                                                                                              • memory/1444-592-0x0000000000590000-0x00000000005A0000-memory.dmp
                                                                                                Filesize

                                                                                                64KB

                                                                                                Download
                                                                                              • memory/1444-584-0x000000001EDD0000-0x000000001EEE0000-memory.dmp
                                                                                                Filesize

                                                                                                1.1MB

                                                                                                Download
                                                                                              • memory/1444-624-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/1488-607-0x000000006B7F0000-0x000000006B964000-memory.dmp
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download
                                                                                              • memory/1488-658-0x000000006B7F0000-0x000000006B964000-memory.dmp
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download
                                                                                              • memory/1968-373-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1968-300-0x0000000003110000-0x0000000003508000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/1968-301-0x0000000004D90000-0x000000000567B000-memory.dmp
                                                                                                Filesize

                                                                                                8.9MB

                                                                                                Download
                                                                                              • memory/1968-302-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1968-344-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1968-386-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1968-285-0x0000000003110000-0x0000000003508000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/1976-651-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1976-609-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/1976-608-0x0000000003430000-0x0000000003828000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/1976-435-0x0000000003430000-0x0000000003828000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/2060-643-0x0000000000280000-0x0000000002FA5000-memory.dmp
                                                                                                Filesize

                                                                                                45.1MB

                                                                                                Download
                                                                                              • memory/2116-575-0x000007FE80010000-0x000007FE80011000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/2116-476-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-379-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-404-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-383-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-375-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-382-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-568-0x00000000000E0000-0x00000000000E1000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/2116-571-0x0000000076DB0000-0x0000000076F59000-memory.dmp
                                                                                                Filesize

                                                                                                1.7MB

                                                                                                Download
                                                                                              • memory/2116-291-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2116-323-0x000000013FBE0000-0x00000001406C2000-memory.dmp
                                                                                                Filesize

                                                                                                10.9MB

                                                                                                Download
                                                                                              • memory/2164-543-0x0000000076DB0000-0x0000000076F59000-memory.dmp
                                                                                                Filesize

                                                                                                1.7MB

                                                                                                Download
                                                                                              • memory/2164-579-0x000000006B7F0000-0x000000006B964000-memory.dmp
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download
                                                                                              • memory/2164-541-0x000000006B7F0000-0x000000006B964000-memory.dmp
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download
                                                                                              • memory/2164-582-0x000000006B7F0000-0x000000006B964000-memory.dmp
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download
                                                                                              • memory/2236-374-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/2236-299-0x0000000003270000-0x0000000003668000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/2236-361-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/2236-303-0x0000000000400000-0x0000000003009000-memory.dmp
                                                                                                Filesize

                                                                                                44.0MB

                                                                                                Download
                                                                                              • memory/2236-304-0x0000000003270000-0x0000000003668000-memory.dmp
                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download
                                                                                              • memory/2412-365-0x0000000001F50000-0x0000000004C75000-memory.dmp
                                                                                                Filesize

                                                                                                45.1MB

                                                                                                Download
                                                                                              • memory/2636-215-0x0000000000400000-0x0000000002C4A000-memory.dmp
                                                                                                Filesize

                                                                                                40.3MB

                                                                                                Download
                                                                                              • memory/2636-162-0x0000000002C50000-0x0000000002CBD000-memory.dmp
                                                                                                Filesize

                                                                                                436KB

                                                                                                Download
                                                                                              • memory/2636-468-0x0000000000260000-0x0000000000360000-memory.dmp
                                                                                                Filesize

                                                                                                1024KB

                                                                                                Download
                                                                                              • memory/2636-161-0x0000000000260000-0x0000000000360000-memory.dmp
                                                                                                Filesize

                                                                                                1024KB

                                                                                                Download
                                                                                              • memory/2636-341-0x0000000000400000-0x0000000002C4A000-memory.dmp
                                                                                                Filesize

                                                                                                40.3MB

                                                                                                Download
                                                                                              • memory/2636-465-0x0000000000400000-0x0000000002C4A000-memory.dmp
                                                                                                Filesize

                                                                                                40.3MB

                                                                                                Download
                                                                                              • memory/2636-413-0x0000000000400000-0x0000000002C4A000-memory.dmp
                                                                                                Filesize

                                                                                                40.3MB

                                                                                                Download
                                                                                              • memory/2636-387-0x0000000000400000-0x0000000002C4A000-memory.dmp
                                                                                                Filesize

                                                                                                40.3MB

                                                                                                Download
                                                                                              • memory/2636-469-0x0000000002C50000-0x0000000002CBD000-memory.dmp
                                                                                                Filesize

                                                                                                436KB

                                                                                                Download
                                                                                              • memory/2660-606-0x0000000003D70000-0x0000000006A95000-memory.dmp
                                                                                                Filesize

                                                                                                45.1MB

                                                                                                Download
                                                                                              • memory/2660-370-0x0000000010000000-0x0000000013BC3000-memory.dmp
                                                                                                Filesize

                                                                                                59.8MB

                                                                                                Download
                                                                                              • memory/2660-475-0x0000000003D70000-0x0000000006A95000-memory.dmp
                                                                                                Filesize

                                                                                                45.1MB

                                                                                                Download
                                                                                              • memory/2660-371-0x0000000001040000-0x0000000003D65000-memory.dmp
                                                                                                Filesize

                                                                                                45.1MB

                                                                                                Download
                                                                                              • memory/2660-411-0x0000000003D70000-0x0000000006A95000-memory.dmp
                                                                                                Filesize

                                                                                                45.1MB

                                                                                                Download
                                                                                              • memory/2792-521-0x000000006DA50000-0x000000006DBC4000-memory.dmp
                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download
                                                                                              • memory/2792-522-0x0000000076DB0000-0x0000000076F59000-memory.dmp
                                                                                                Filesize

                                                                                                1.7MB

                                                                                                Download
                                                                                              • memory/2844-679-0x0000000004910000-0x0000000004950000-memory.dmp
                                                                                                Filesize

                                                                                                256KB

                                                                                                Download
                                                                                              • memory/2844-678-0x0000000073C00000-0x00000000742EE000-memory.dmp
                                                                                                Filesize

                                                                                                6.9MB

                                                                                                Download
                                                                                              • memory/2844-676-0x0000000000400000-0x00000000004C6000-memory.dmp
                                                                                                Filesize

                                                                                                792KB

                                                                                                Download