fa0b3328dda7aa7e953780fc8b6be127f747fc778f0bd3f0a2e885402c1c481e

Analysis

max time kernel
299s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-05-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

164/setup164.exe
Size

32KB
MD5

2b8b61308a4482526a259ccab970bfd6
SHA1

b41513afc20d492b556eb2f0ed2bd3af9e7b496c
SHA256

09ad227263cf701b1ee840b6744be44e1bf2478073c20b5dfc8dd29fecade71b
SHA512

b88a63c46062d3c6a608bc650d82a4b7e69e284a72655de6e5249060acba9a566287256b80afd0197ed6f903a9bf19c6e5c4565bb5bdb1bb4cfd64281bdb6324
SSDEEP

384:7oI1gYZw33FUWUcC6TBhdsDgZH4o5NEvdlcn0ScPmPn0Avsl9EPg/s4Xsn+KvHKj:j7Zw33FNUf6Nhd/fQ1l+0vM0iT9

Score

8^/10

execution spyware

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

Powershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4736	Powershell.exe
1448	Powershell.exe
2896	Powershell.exe
68	Powershell.exe
1432	Powershell.exe
2360	Powershell.exe
4104	Powershell.exe
2572	Powershell.exe
2524	Powershell.exe
856	Powershell.exe
4400	Powershell.exe
4592	Powershell.exe
3956	Powershell.exe
4420	Powershell.exe
3172	Powershell.exe
888	Powershell.exe
2884	powershell.exe
3172	Powershell.exe
4104	Powershell.exe
4740	powershell.exe
2856	powershell.exe
1432	Powershell.exe
3052	powershell.exe
4736	Powershell.exe
4676	powershell.exe
2572	Powershell.exe
5100	powershell.exe
888	Powershell.exe
700	powershell.exe
4400	Powershell.exe
1508	powershell.exe
3956	Powershell.exe
3732	powershell.exe
4812	powershell.exe
4056	powershell.exe
2592	powershell.exe
4792	powershell.exe
3528	powershell.exe
3912	powershell.exe
1788	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exeUniversalInstaller.exeUniversalInstaller.exeYWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exeUniversalInstaller.exeUniversalInstaller.exeODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exeUniversalInstaller.exeUniversalInstaller.exeM2YyMTAwNWFiYzYwNWUxZTAwYTVkYmVhMzBjNGNjYjE.exeUniversalInstaller.exeUniversalInstaller.exeNWQ5Yjg3OGQ5NjY4ZDVmNWNjMWQxYThiODk1ZDNiMjg.exeUniversalInstaller.exeUniversalInstaller.exeZjZhNjZhMmM4MjlkZDk2ZjgwZmQ2M2U5ZmQxNmYyMzM.exeUniversalInstaller.exeUniversalInstaller.exeNDY4MWNjNTYwOWZjODA1YzA0MDMxOWM2MWE3MDkzMjM.exeUniversalInstaller.exeUniversalInstaller.exe

pid	process
984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
4400	UniversalInstaller.exe
4680	UniversalInstaller.exe
4308	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
5108	UniversalInstaller.exe
2300	UniversalInstaller.exe
1200	ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe
4472	UniversalInstaller.exe
1320	UniversalInstaller.exe
3512	M2YyMTAwNWFiYzYwNWUxZTAwYTVkYmVhMzBjNGNjYjE.exe
1772	UniversalInstaller.exe
1628	UniversalInstaller.exe
4420	NWQ5Yjg3OGQ5NjY4ZDVmNWNjMWQxYThiODk1ZDNiMjg.exe
2940	UniversalInstaller.exe
4544	UniversalInstaller.exe
2136	ZjZhNjZhMmM4MjlkZDk2ZjgwZmQ2M2U5ZmQxNmYyMzM.exe
2008	UniversalInstaller.exe
4852	UniversalInstaller.exe
3388	NDY4MWNjNTYwOWZjODA1YzA0MDMxOWM2MWE3MDkzMjM.exe
2832	UniversalInstaller.exe
1200	UniversalInstaller.exe

Loads dropped DLL 14 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exe

pid	process
4400	UniversalInstaller.exe
4680	UniversalInstaller.exe
5108	UniversalInstaller.exe
2300	UniversalInstaller.exe
4472	UniversalInstaller.exe
1320	UniversalInstaller.exe
1772	UniversalInstaller.exe
1628	UniversalInstaller.exe
2940	UniversalInstaller.exe
4544	UniversalInstaller.exe
2008	UniversalInstaller.exe
4852	UniversalInstaller.exe
2832	UniversalInstaller.exe
1200	UniversalInstaller.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

44 pastebin.com
51 pastebin.com
61 pastebin.com
68 pastebin.com
4 pastebin.com
5 pastebin.com
17 pastebin.com
29 pastebin.com

flow	ioc
44	pastebin.com
51	pastebin.com
61	pastebin.com
68	pastebin.com
4	pastebin.com
5	pastebin.com
17	pastebin.com
29	pastebin.com

Suspicious use of SetThreadContext 13 IoCs

Processes:

UniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.exe

description	pid	process	target process
PID 4680 set thread context of 3696	4680	UniversalInstaller.exe	cmd.exe
PID 3696 set thread context of 1084	3696	cmd.exe	MSBuild.exe
PID 2300 set thread context of 824	2300	UniversalInstaller.exe	cmd.exe
PID 824 set thread context of 4340	824	cmd.exe	MSBuild.exe
PID 1320 set thread context of 3640	1320	UniversalInstaller.exe	cmd.exe
PID 3640 set thread context of 3868	3640	cmd.exe	MSBuild.exe
PID 1628 set thread context of 1944	1628	UniversalInstaller.exe	cmd.exe
PID 1944 set thread context of 700	1944	cmd.exe	MSBuild.exe
PID 4544 set thread context of 3520	4544	UniversalInstaller.exe	cmd.exe
PID 3520 set thread context of 2440	3520	cmd.exe	MSBuild.exe
PID 4852 set thread context of 2304	4852	UniversalInstaller.exe	cmd.exe
PID 2304 set thread context of 1736	2304	cmd.exe	MSBuild.exe
PID 1200 set thread context of 2584	1200	UniversalInstaller.exe	cmd.exe

Drops file in Program Files directory 7 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\ZjZhNjZhMmM4MjlkZDk2ZjgwZmQ2M2U5ZmQxNmYyMzM.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\NDY4MWNjNTYwOWZjODA1YzA0MDMxOWM2MWE3MDkzMjM.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\M2YyMTAwNWFiYzYwNWUxZTAwYTVkYmVhMzBjNGNjYjE.exe	javaw.exe
File opened for modification	C:\Program Files\Windows NT\NWQ5Yjg3OGQ5NjY4ZDVmNWNjMWQxYThiODk1ZDNiMjg.exe	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Powershell.exePowershell.exepowershell.exepowershell.exeYjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exePowershell.exePowershell.exeUniversalInstaller.exeUniversalInstaller.exepowershell.exepowershell.execmd.exeYWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exePowershell.exePowershell.exeUniversalInstaller.exeUniversalInstaller.exepowershell.exepowershell.exeMSBuild.execmd.exeODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exePowershell.exePowershell.exeUniversalInstaller.exe

pid	process
888	Powershell.exe
2524	Powershell.exe
2524	Powershell.exe
888	Powershell.exe
2524	Powershell.exe
888	Powershell.exe
2856	powershell.exe
3732	powershell.exe
2856	powershell.exe
3732	powershell.exe
2856	powershell.exe
3732	powershell.exe
984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
1432	Powershell.exe
68	Powershell.exe
68	Powershell.exe
1432	Powershell.exe
984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
68	Powershell.exe
4400	UniversalInstaller.exe
1432	Powershell.exe
4680	UniversalInstaller.exe
4680	UniversalInstaller.exe
4812	powershell.exe
3052	powershell.exe
4812	powershell.exe
3052	powershell.exe
4812	powershell.exe
3052	powershell.exe
3696	cmd.exe
3696	cmd.exe
4308	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
4308	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
4420	Powershell.exe
4736	Powershell.exe
5108	UniversalInstaller.exe
4420	Powershell.exe
4736	Powershell.exe
2300	UniversalInstaller.exe
2300	UniversalInstaller.exe
4420	Powershell.exe
4420	Powershell.exe
4736	Powershell.exe
4736	Powershell.exe
4056	powershell.exe
4676	powershell.exe
4056	powershell.exe
4676	powershell.exe
4676	powershell.exe
4056	powershell.exe
4056	powershell.exe
4676	powershell.exe
1084	MSBuild.exe
1084	MSBuild.exe
824	cmd.exe
824	cmd.exe
1200	ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe
3172	Powershell.exe
856	Powershell.exe
3172	Powershell.exe
856	Powershell.exe
1200	ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe
3172	Powershell.exe
4472	UniversalInstaller.exe

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

UniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.execmd.exeUniversalInstaller.exe

pid	process
4680	UniversalInstaller.exe
3696	cmd.exe
3696	cmd.exe
2300	UniversalInstaller.exe
824	cmd.exe
824	cmd.exe
1320	UniversalInstaller.exe
3640	cmd.exe
3640	cmd.exe
1628	UniversalInstaller.exe
1944	cmd.exe
1944	cmd.exe
4544	UniversalInstaller.exe
3520	cmd.exe
3520	cmd.exe
4852	UniversalInstaller.exe
2304	cmd.exe
2304	cmd.exe
1200	UniversalInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Powershell.exePowershell.exepowershell.exepowershell.exeYjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe

description	pid	process
Token: SeDebugPrivilege	888	Powershell.exe
Token: SeDebugPrivilege	2524	Powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeBackupPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeRestorePrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
Token: SeChangeNotifyPrivilege	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

javaw.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeMSBuild.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exeUniversalInstaller.exe

pid	process
2232	javaw.exe
2232	javaw.exe
4400	UniversalInstaller.exe
4400	UniversalInstaller.exe
4680	UniversalInstaller.exe
4680	UniversalInstaller.exe
5108	UniversalInstaller.exe
5108	UniversalInstaller.exe
2300	UniversalInstaller.exe
2300	UniversalInstaller.exe
1084	MSBuild.exe
4472	UniversalInstaller.exe
4472	UniversalInstaller.exe
1320	UniversalInstaller.exe
1320	UniversalInstaller.exe
1772	UniversalInstaller.exe
1772	UniversalInstaller.exe
1628	UniversalInstaller.exe
1628	UniversalInstaller.exe
2940	UniversalInstaller.exe
2940	UniversalInstaller.exe
4544	UniversalInstaller.exe
4544	UniversalInstaller.exe
2008	UniversalInstaller.exe
2008	UniversalInstaller.exe
4852	UniversalInstaller.exe
4852	UniversalInstaller.exe
2832	UniversalInstaller.exe
2832	UniversalInstaller.exe
1200	UniversalInstaller.exe
1200	UniversalInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup164.exejavaw.exePowershell.exePowershell.exeexplorer.exeYjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exeUniversalInstaller.exeUniversalInstaller.exePowershell.exePowershell.execmd.exeexplorer.exeYWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exeUniversalInstaller.exe

description	pid	process	target process
PID 4568 wrote to memory of 2232	4568	setup164.exe	javaw.exe
PID 4568 wrote to memory of 2232	4568	setup164.exe	javaw.exe
PID 4568 wrote to memory of 2232	4568	setup164.exe	javaw.exe
PID 2232 wrote to memory of 888	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 888	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 888	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 2524	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 2524	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 2524	2232	javaw.exe	Powershell.exe
PID 888 wrote to memory of 2856	888	Powershell.exe	powershell.exe
PID 888 wrote to memory of 2856	888	Powershell.exe	powershell.exe
PID 888 wrote to memory of 2856	888	Powershell.exe	powershell.exe
PID 2524 wrote to memory of 3732	2524	Powershell.exe	powershell.exe
PID 2524 wrote to memory of 3732	2524	Powershell.exe	powershell.exe
PID 2524 wrote to memory of 3732	2524	Powershell.exe	powershell.exe
PID 2232 wrote to memory of 4084	2232	javaw.exe	explorer.exe
PID 2232 wrote to memory of 4084	2232	javaw.exe	explorer.exe
PID 2232 wrote to memory of 4084	2232	javaw.exe	explorer.exe
PID 2840 wrote to memory of 984	2840	explorer.exe	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
PID 2840 wrote to memory of 984	2840	explorer.exe	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
PID 2840 wrote to memory of 984	2840	explorer.exe	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
PID 2232 wrote to memory of 1432	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 1432	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 1432	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 68	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 68	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 68	2232	javaw.exe	Powershell.exe
PID 984 wrote to memory of 4400	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe	UniversalInstaller.exe
PID 984 wrote to memory of 4400	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe	UniversalInstaller.exe
PID 984 wrote to memory of 4400	984	YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe	UniversalInstaller.exe
PID 4400 wrote to memory of 4680	4400	UniversalInstaller.exe	UniversalInstaller.exe
PID 4400 wrote to memory of 4680	4400	UniversalInstaller.exe	UniversalInstaller.exe
PID 4400 wrote to memory of 4680	4400	UniversalInstaller.exe	UniversalInstaller.exe
PID 4680 wrote to memory of 3696	4680	UniversalInstaller.exe	cmd.exe
PID 4680 wrote to memory of 3696	4680	UniversalInstaller.exe	cmd.exe
PID 4680 wrote to memory of 3696	4680	UniversalInstaller.exe	cmd.exe
PID 68 wrote to memory of 4812	68	Powershell.exe	powershell.exe
PID 68 wrote to memory of 4812	68	Powershell.exe	powershell.exe
PID 68 wrote to memory of 4812	68	Powershell.exe	powershell.exe
PID 1432 wrote to memory of 3052	1432	Powershell.exe	powershell.exe
PID 1432 wrote to memory of 3052	1432	Powershell.exe	powershell.exe
PID 1432 wrote to memory of 3052	1432	Powershell.exe	powershell.exe
PID 4680 wrote to memory of 3696	4680	UniversalInstaller.exe	cmd.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	MSBuild.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	MSBuild.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	MSBuild.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	MSBuild.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	MSBuild.exe
PID 2232 wrote to memory of 1812	2232	javaw.exe	explorer.exe
PID 2232 wrote to memory of 1812	2232	javaw.exe	explorer.exe
PID 2232 wrote to memory of 1812	2232	javaw.exe	explorer.exe
PID 2228 wrote to memory of 4308	2228	explorer.exe	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
PID 2228 wrote to memory of 4308	2228	explorer.exe	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
PID 2228 wrote to memory of 4308	2228	explorer.exe	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
PID 2232 wrote to memory of 4736	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 4736	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 4736	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 4420	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 4420	2232	javaw.exe	Powershell.exe
PID 2232 wrote to memory of 4420	2232	javaw.exe	Powershell.exe
PID 4308 wrote to memory of 5108	4308	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe	UniversalInstaller.exe
PID 4308 wrote to memory of 5108	4308	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe	UniversalInstaller.exe
PID 4308 wrote to memory of 5108	4308	YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe	UniversalInstaller.exe
PID 5108 wrote to memory of 2300	5108	UniversalInstaller.exe	UniversalInstaller.exe

C:\Users\Admin\AppData\Local\Temp\164\setup164.exe
"C:\Users\Admin\AppData\Local\Temp\164\setup164.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\164\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\164\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3732
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:68
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4812
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe"
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4056
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2592
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\M2YyMTAwNWFiYzYwNWUxZTAwYTVkYmVhMzBjNGNjYjE.exe"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1448
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4792
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\NWQ5Yjg3OGQ5NjY4ZDVmNWNjMWQxYThiODk1ZDNiMjg.exe"
    3⤵
    PID:696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3528
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\ZjZhNjZhMmM4MjlkZDk2ZjgwZmQ2M2U5ZmQxNmYyMzM.exe"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3912
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Program Files\Windows NT\NDY4MWNjNTYwOWZjODA1YzA0MDMxOWM2MWE3MDkzMjM.exe"
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files\Windows NT\YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe
  "C:\Program Files\Windows NT\YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files\Windows NT\YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe
  "C:\Program Files\Windows NT\YWY1NDQ2YjQ4ZmNjNTRjNTUyMjQ4YjZmYTZkMTJkZTQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:824
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:4340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2888
- C:\Program Files\Windows NT\ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe
  "C:\Program Files\Windows NT\ODUyODAyZWVjNTc0M2Y4YzViMjExNzQyMTNiZTI3MmU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4472
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3640
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:3868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:60
- C:\Program Files\Windows NT\M2YyMTAwNWFiYzYwNWUxZTAwYTVkYmVhMzBjNGNjYjE.exe
  "C:\Program Files\Windows NT\M2YyMTAwNWFiYzYwNWUxZTAwYTVkYmVhMzBjNGNjYjE.exe"
  2⤵
  - Executes dropped EXE
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1772
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1944
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3756
- C:\Program Files\Windows NT\NWQ5Yjg3OGQ5NjY4ZDVmNWNjMWQxYThiODk1ZDNiMjg.exe
  "C:\Program Files\Windows NT\NWQ5Yjg3OGQ5NjY4ZDVmNWNjMWQxYThiODk1ZDNiMjg.exe"
  2⤵
  - Executes dropped EXE
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2940
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3520
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:2440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2576
- C:\Program Files\Windows NT\ZjZhNjZhMmM4MjlkZDk2ZjgwZmQ2M2U5ZmQxNmYyMzM.exe
  "C:\Program Files\Windows NT\ZjZhNjZhMmM4MjlkZDk2ZjgwZmQ2M2U5ZmQxNmYyMzM.exe"
  2⤵
  - Executes dropped EXE
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2008
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2304
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:316
- C:\Program Files\Windows NT\NDY4MWNjNTYwOWZjODA1YzA0MDMxOWM2MWE3MDkzMjM.exe
  "C:\Program Files\Windows NT\NDY4MWNjNTYwOWZjODA1YzA0MDMxOWM2MWE3MDkzMjM.exe"
  2⤵
  - Executes dropped EXE
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2832
  - - C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      C:\Users\Admin\AppData\Roaming\ChannelStream\UniversalInstaller.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\YjM3NjAyNGI3YzNjZTdjMzg0ZDA2MTVmMjRhNDlkNzk.exe

Filesize
6.5MB

MD5
680ffe6980363c348001cecf37c0b3c9

SHA1
aee40ae32edea2bf27649579780264ea4c82c376

SHA256
430548ce3a1ff4274119c3445988796606396a8026826c4dea631d89e3fd0d08

SHA512
84c9197267ea5ccf0508f76c43afec1eb5770add46f92500518092240428413b325582d29e9ef6b47d98d78603a9de791157bfe19e33548099db554115e7fcdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log

Filesize
2KB

MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea2fd563214f93ad497f108bc91037ee

SHA1
35f983dab3d98a3cd106ae72fea30e47ee4b1c31

SHA256
fd89fa86b793cd9347c91d47aafa2148dc6cdd015461d68b8ac3ffd95ff66754

SHA512
c98929fa3b5977a20ec3328c6828d7cf8ae04519aed0ff9558575b3cae26c9c9907af9e09fdc26696916c65cd5da72535c937ace7dee8c9486707bf201c015fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
648f9a5048cc9ec7d42aad08b179382b

SHA1
ddd3dcf6fc8071b5e1d23d642749da7b5e80782b

SHA256
1af78763097ad7d52959f7c8aad3d8a3f6c5ec2d88ef3d31da0afcae8efc8eb1

SHA512
b4fd80b725b116771030b84ee8b41cd66d3d0e61edaca3a636457a95983cddc43e6a53ddb7e35ec15e6240a277d3aebc146777c81b1032ec05322e43b5c77191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
239e242a73001efb993aa013559a38b3

SHA1
1b3b1893f5ccff2670aa3146ac104c009021bed2

SHA256
cce15e1c28d88b0105b721bfb284adf5d5e3851c36294f2543bad4656427df10

SHA512
76b39d03d825a43d764f46e66319125b6b78a0dbf866b97d9bec2567a86031465984b0662acc83f5ca72770ee904d7a5430eab763ae0841201341aef71b038b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8a2100e64f3bc5ac36c2d82a21767499

SHA1
5c6f2a3e107c6245211e057d2c39c397011011d6

SHA256
019bf7a66f0d2b301447fed9467f68c91ac048cadc69a260ddb9f9405e79cc37

SHA512
78ea3832094c906beaec3730d886799c68184eca3b02af49365e90ac4e07ea826ed0ea2fb860dbb7e298a81d8518af6a39a34c4c9d6da525c157545131b428b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
1a39e5e70d8f0402dbbd23f1008bbbcc

SHA1
81e0c2c0ad13a0ac4543125b4640792b0fb63e4a

SHA256
f32a770a0945c45f0fc5fce06aca8d0621c4e5e18bbb8240fc3c8bff43cc69ea

SHA512
fd6a9771b1c69716ae6050e6d6f7b26f028bc2e975759cd831bc10776c419016829b98ae2d54875c1cea0324d218fbef3349c38817cfac1d0d7832f7af62482f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7ea02a085394e8e4ed779df19341a60c

SHA1
86e7a3d7ef9e8ebc88edf2d01fc76934846d3b91

SHA256
5e2ab691381024fc26f561385c7b6f0030c1ecceb3cab99ed6fc4801e27f34a3

SHA512
8011ce00eb7bd81ae8d1cf857085b1739621a108a9f661a1fb3bd55fa5a0f1a998dd0fde8a4bfc415193d87888765aa8fbb3343029da1c995bc6d6f4d8db587d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ffceaff90f795031da782777e7ab5591

SHA1
f85de71c8abe3009c8b124dcc47d5b273c6d08e3

SHA256
457fad3b495bc4f8f7c6fc2f4fc21f83327c3abffe506c78a750a8736bc63cf9

SHA512
76e2e555b984af17a9dbc627690345465ddac178204782fbd1247c85e8ba65da5969198b7f9d4eed30016462a460c009a7671dada1afa29e7678396e26b601d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f26d380

Filesize
1.4MB

MD5
bacc45b1f80ac503f4eff900774d3e0e

SHA1
94420e7749feebcc8022ac64e6f68693121df5ba

SHA256
32f40fb778c02bce36adba96b57a5d2dab92dc7b3d5bb32d98284a75f2efae84

SHA512
bf13e707304c89ee9462324b016e020fb61fab662b69742ee75a160925689086f4d046665edcafdeaf8d13ca796cd5785f53a906a6f4901a129019cf76b911b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\UniversalInstaller.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\incurable.wmv

Filesize
1.3MB

MD5
5616178af97894358c3d01aeaf683ecf

SHA1
438f31828f091ff64e93f57ded65714dd0510465

SHA256
6e109d59070e53c408d698dbc77a7e2308dc708a7e109076332d16d27cf363cb

SHA512
a8e379b38298d8c565832ffdaaabd20c8a70fa94a5f36f6e9026048367cbc7c9d8c58b25f1760a6247f204de4de8e03c8ae62c02015547fd8339fd7013c7a785

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChannelStream\storiette.psd

Filesize
15KB

MD5
e130d08bc94db4675e7883f1643ed6de

SHA1
3b292178565112dc8361c1aca1a170a2158c7f0c

SHA256
97abec36adc375fb4f1588d31bba8c7bbbcc994b683ded4740716a5e91f8dfcf

SHA512
7575364958befe5866d7a2476c590bbf920880eab3e48410fd47142fe7168455404d8c13e270d435db1416151115fae0c85e656974d78682c1447ae4384eb467

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qfecend.wqu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c02af39e

Filesize
5.9MB

MD5
fa85f765b7af9dcca3be61f25a642918

SHA1
ba8740145c78ddf667a31d0ef5f53d6107523d60

SHA256
2d7c77b907b3a66f59942f82c04bbc36bfe4498b648021aaae8178c0732dc7bc

SHA512
9a333aad5242806656aa643b73e22b15b81851260c9a78ba82a7a2b06a8d8007ca596e60d02df8b4d58d2b3772eff289c86ff26f741cc18e7cb9a7b51eb6d9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfbace3d

Filesize
1.4MB

MD5
d97d19ce9627edaf79f645a09cc629df

SHA1
b5b3fa19a0d7ffa363d2f9ca87ec0ddbdc37337c

SHA256
acdabcf9a483674936d2078fbacac6fc18ba20ceec1ad8de47baa2eea882a7f5

SHA512
3504b5028f7eaf712e850cee2f5eeee3903618c0081b9b49ba182388383e9cc65aca3a9dec3826c123940a406f996ab42356477ee4519d5fd1f7029b579b7e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp924A.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
\Users\Admin\AppData\Local\Temp\ChannelStream\relay.dll

Filesize
1.5MB

MD5
fe637ff7a6aae4a74306bae07c561b11

SHA1
22e50d0b680ef4110cd156d0da8b965be3b31968

SHA256
6122b4ceb394e4a441b4f7ac92745b1aa64b6c83a4101d6d326e130efa5a5d10

SHA512
97a68dfae7e387684a6f6bb00b68688f91e2135f4b60b6bd551291518f77b48b718b72bca8cca1dbf6f2c8721e5ee1b2bb6fbe68989c931ddbc8b19c741cd64d

Download Submit
memory/888-212-0x0000000008AD0000-0x0000000008B64000-memory.dmp

Filesize
592KB

Download
memory/888-214-0x0000000008A30000-0x0000000008A52000-memory.dmp

Filesize
136KB

Download
memory/888-179-0x0000000006C10000-0x0000000006C76000-memory.dmp

Filesize
408KB

Download
memory/888-182-0x0000000007E70000-0x0000000007EBB000-memory.dmp

Filesize
300KB

Download
memory/888-176-0x0000000006DC0000-0x00000000073E8000-memory.dmp

Filesize
6.2MB

Download
memory/888-177-0x0000000006B00000-0x0000000006B22000-memory.dmp

Filesize
136KB

Download
memory/888-213-0x0000000008980000-0x000000000899A000-memory.dmp

Filesize
104KB

Download
memory/888-178-0x0000000006BA0000-0x0000000006C06000-memory.dmp

Filesize
408KB

Download
memory/888-181-0x0000000006CF0000-0x0000000006D0C000-memory.dmp

Filesize
112KB

Download
memory/888-215-0x0000000009070000-0x000000000956E000-memory.dmp

Filesize
5.0MB

Download
memory/984-769-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

Filesize
1.9MB

Download
memory/984-771-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/984-1320-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/984-753-0x0000000000400000-0x0000000000ABD000-memory.dmp

Filesize
6.7MB

Download
memory/984-767-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/1084-1332-0x0000000070F50000-0x00000000722D3000-memory.dmp

Filesize
19.5MB

Download
memory/2232-142-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2232-73-0x0000000002448000-0x0000000002450000-memory.dmp

Filesize
32KB

Download
memory/2232-85-0x0000000002458000-0x0000000002460000-memory.dmp

Filesize
32KB

Download
memory/2232-90-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/2232-89-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2232-93-0x00000000024B8000-0x00000000024C0000-memory.dmp

Filesize
32KB

Download
memory/2232-92-0x0000000002468000-0x0000000002470000-memory.dmp

Filesize
32KB

Download
memory/2232-96-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/2232-95-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/2232-100-0x00000000024C8000-0x00000000024D0000-memory.dmp

Filesize
32KB

Download
memory/2232-99-0x0000000002478000-0x0000000002480000-memory.dmp

Filesize
32KB

Download
memory/2232-102-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2232-103-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2232-108-0x00000000024D8000-0x00000000024E0000-memory.dmp

Filesize
32KB

Download
memory/2232-107-0x0000000002488000-0x0000000002490000-memory.dmp

Filesize
32KB

Download
memory/2232-109-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-111-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2232-110-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2232-117-0x00000000024E8000-0x00000000024F0000-memory.dmp

Filesize
32KB

Download
memory/2232-116-0x0000000002498000-0x00000000024A0000-memory.dmp

Filesize
32KB

Download
memory/2232-119-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-122-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2232-121-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2232-125-0x00000000024F8000-0x0000000002500000-memory.dmp

Filesize
32KB

Download
memory/2232-124-0x00000000024A8000-0x00000000024B0000-memory.dmp

Filesize
32KB

Download
memory/2232-130-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2232-129-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/2232-132-0x00000000024B8000-0x00000000024C0000-memory.dmp

Filesize
32KB

Download
memory/2232-133-0x0000000002508000-0x0000000002510000-memory.dmp

Filesize
32KB

Download
memory/2232-136-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/2232-137-0x0000000002518000-0x0000000002520000-memory.dmp

Filesize
32KB

Download
memory/2232-138-0x00000000024C8000-0x00000000024D0000-memory.dmp

Filesize
32KB

Download
memory/2232-139-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2232-77-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2232-141-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2232-145-0x0000000002528000-0x0000000002530000-memory.dmp

Filesize
32KB

Download
memory/2232-144-0x00000000024D8000-0x00000000024E0000-memory.dmp

Filesize
32KB

Download
memory/2232-150-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/2232-149-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2232-152-0x0000000002538000-0x0000000002540000-memory.dmp

Filesize
32KB

Download
memory/2232-151-0x00000000024E8000-0x00000000024F0000-memory.dmp

Filesize
32KB

Download
memory/2232-156-0x0000000002540000-0x0000000002548000-memory.dmp

Filesize
32KB

Download
memory/2232-155-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2232-160-0x0000000002548000-0x0000000002550000-memory.dmp

Filesize
32KB

Download
memory/2232-158-0x00000000024F8000-0x0000000002500000-memory.dmp

Filesize
32KB

Download
memory/2232-162-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2232-161-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2232-166-0x0000000002558000-0x0000000002560000-memory.dmp

Filesize
32KB

Download
memory/2232-165-0x0000000002508000-0x0000000002510000-memory.dmp

Filesize
32KB

Download
memory/2232-4-0x0000000002390000-0x00000000023B8000-memory.dmp

Filesize
160KB

Download
memory/2232-10-0x00000000023D8000-0x00000000023E0000-memory.dmp

Filesize
32KB

Download
memory/2232-78-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2232-86-0x00000000024A8000-0x00000000024B0000-memory.dmp

Filesize
32KB

Download
memory/2232-13-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2232-74-0x0000000002498000-0x00000000024A0000-memory.dmp

Filesize
32KB

Download
memory/2232-70-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2232-71-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2232-65-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/2232-66-0x00000000023C8000-0x00000000023D0000-memory.dmp

Filesize
32KB

Download
memory/2232-220-0x0000000002518000-0x0000000002520000-memory.dmp

Filesize
32KB

Download
memory/2232-67-0x0000000002438000-0x0000000002440000-memory.dmp

Filesize
32KB

Download
memory/2232-68-0x0000000002488000-0x0000000002490000-memory.dmp

Filesize
32KB

Download
memory/2232-30-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/2232-33-0x0000000002438000-0x0000000002440000-memory.dmp

Filesize
32KB

Download
memory/2232-32-0x0000000002428000-0x0000000002430000-memory.dmp

Filesize
32KB

Download
memory/2232-1330-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-1328-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-31-0x00000000023C8000-0x00000000023D0000-memory.dmp

Filesize
32KB

Download
memory/2232-60-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2232-734-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-748-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-61-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2232-56-0x00000000023D8000-0x00000000023E0000-memory.dmp

Filesize
32KB

Download
memory/2232-758-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-57-0x0000000002478000-0x0000000002480000-memory.dmp

Filesize
32KB

Download
memory/2232-55-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-52-0x0000000002390000-0x00000000023B8000-memory.dmp

Filesize
160KB

Download
memory/2232-53-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/2232-50-0x0000000002468000-0x0000000002470000-memory.dmp

Filesize
32KB

Download
memory/2232-45-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2232-43-0x0000000002458000-0x0000000002460000-memory.dmp

Filesize
32KB

Download
memory/2232-29-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/2232-41-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2232-40-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2232-36-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2232-38-0x0000000002448000-0x0000000002450000-memory.dmp

Filesize
32KB

Download
memory/2524-175-0x00000000008E0000-0x0000000000916000-memory.dmp

Filesize
216KB

Download
memory/2524-180-0x00000000075F0000-0x0000000007940000-memory.dmp

Filesize
3.3MB

Download
memory/2524-183-0x0000000007B70000-0x0000000007BE6000-memory.dmp

Filesize
472KB

Download
memory/2856-277-0x0000000009220000-0x00000000092C5000-memory.dmp

Filesize
660KB

Download
memory/2856-271-0x000000006EC90000-0x000000006ECDB000-memory.dmp

Filesize
300KB

Download
memory/2856-270-0x00000000090F0000-0x0000000009123000-memory.dmp

Filesize
204KB

Download
memory/2856-272-0x0000000008EC0000-0x0000000008EDE000-memory.dmp

Filesize
120KB

Download
memory/3696-1326-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/3696-1324-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

Filesize
1.9MB

Download
memory/3732-282-0x000000006EC90000-0x000000006ECDB000-memory.dmp

Filesize
300KB

Download
memory/3732-661-0x0000000008FD0000-0x0000000008FEA000-memory.dmp

Filesize
104KB

Download
memory/4400-803-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/4400-806-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

Filesize
1.9MB

Download
memory/4568-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4680-824-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/4680-1321-0x000000006E650000-0x000000006E7CB000-memory.dmp

Filesize
1.5MB

Download
memory/4680-827-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

Filesize
1.9MB

Download