Malware Analysis Report

2024-12-07 13:05

Sample ID 241109-ta7ekawngt
Target 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi.vir
SHA256 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
Tags
gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf

Threat Level: Known bad

The file 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi.vir was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Gh0st RAT payload

Gh0strat family

Gh0strat

Detect PurpleFox Rootkit

Purplefox family

PurpleFox

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Installer Packages

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Modifies registry class

Runs ping.exe

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:52

Reported

2024-11-09 15:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\K: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\P: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\W: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\L: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Q: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\U: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\X: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\J: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Y: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\M: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A
File created C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\SustainSleekTutor\tsetup.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A
File created C:\Program Files\SustainSleekTutor\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\bFchqPntlegL C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A
File created C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57c575.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c573.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c573.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E94DD97D-74C5-4066-895C-1E7D5A0698F5} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC803.tmp C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\tsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = <value not captured> C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\PackageCode = "422D740D8F2748241AF491420E7509A6" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Version = "100794368" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\PackageName = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\ProductName = "SustainSleekTutor" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: 35 N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: 35 N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3472 wrote to memory of 4376 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4376 wrote to memory of 2528 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4376 wrote to memory of 4764 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4764 wrote to memory of 1596 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 4764 wrote to memory of 4892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4764 wrote to memory of 3300 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 4376 wrote to memory of 2196 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 4376 wrote to memory of 1940 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1940 wrote to memory of 1448 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp
PID 4124 wrote to memory of 4468 N/A C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 4468 wrote to memory of 5012 N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 93850F45A0F39388974AA35B745D7B86 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor','C:\Program Files','C:\Program Files'

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3

C:\Program Files\SustainSleekTutor\tsetup.exe

"C:\Program Files\SustainSleekTutor\tsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp" /SL5="$90254,44246395,814592,C:\Program Files\SustainSleekTutor\tsetup.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs"

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" install

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" start

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe"

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 291 -file file3 -mode mode3

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 62 -file file3 -mode mode3

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 dsfgdg5641rfe.icu udp
HK 38.47.221.100:80 dsfgdg5641rfe.icu tcp
US 8.8.8.8:53 100.221.47.38.in-addr.arpa udp
HK 27.124.9.39:13000 tcp
US 8.8.8.8:53 39.9.124.27.in-addr.arpa udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5db66f6d-1b08-4c43-ad0d-1134d7b40fd6}_OnDiskSnapshotProp

MD5 741cc9fa046aa3cf7bc5b25d673cc020
SHA1 8f5e74a98ae297478cad01d080e3bee7c33c1ed3
SHA256 29cb9ef9b5b69660cf0d9507c3dcf656e934c3e97759d3aedb9b9aaa44443d23
SHA512 341142bf85fc585d4cce410b0376fa269f9fbfd81c12d6e391d35dcdca60d8c7bc1aaffd069427349fdf3a16935e45e79955a08c09f8f59d8bcc5a9965f86fbe

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 aea754cf23c10ccdb392f09588ad0668
SHA1 f6da6f946194fd168561ed8c84942d0063da6b08
SHA256 462fab7aa9a76c4fe2af092dc56ddf82937f15ab142d119bc6411ed9714aaf0c
SHA512 077a3a771f56337fe69881cfb8010891251e96422e80869a5689dd9b0831fd00418e92c282ee8671e4a1cd03f9003842f2db00f2e93a64cad72d436801bbc9a9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eclw0uin.tag.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2528-20-0x0000014B84D00000-0x0000014B84D22000-memory.dmp

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg

MD5 86e0062ac9e3c38a69470a57bb619533
SHA1 7d04a283f51e145724e20a5925ee811a4645e5d9
SHA256 42a64f04499a0836946073eb7bfc1cb67a98faa58d65eeb09fb6ac8fccc7f547
SHA512 aefc23fcf566748b60de0e95268f834cef3e4cfb1754b18e9ea2e1a867a764d027d43c68aad2b7c3f4520b3232fd50430c2b7fb4494dee223ac340a8c1e67794

C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf

MD5 17f3ece27717fa4a5ad13f06e6c2846e
SHA1 47b8230c0f0dd0b8a451bd378203a0ec0aaa13f6
SHA256 f0217b72add9c431299fda7983e8a7c592f6b4cd5a1df5118208c19dc7251c86
SHA512 998dcba619566edba18b2dcaefd8e86d1d6c09340c8004cf487d6944bb2a90b75231f2d3140162bcf0a161321d5febccf7d947d4752451424082f3cd06de9b7b

C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe

MD5 90134a5b913cd5d9d993f6f58601740e
SHA1 c6fc923eae06097227dab095633a0c47beba327a
SHA256 8462d6b3f1a8037f6f60412d3f4e0ecad89aaed3c10915ffa1e602c5ae8b0942
SHA512 7385ebcce7e33efb3a9b26d9690d8a2a221bc05071bc499f313de2de8d31935dd0cdd366ac7baccd4004d9e1eb27a0471328785ad1acf325054fd036d4b9dd61

C:\Program Files\SustainSleekTutor\tsetup.exe

MD5 8a53cf72375f6899082463c36422d411
SHA1 161d9d3b21bf0d9a9790b92013ec76c6d839af06
SHA256 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65
SHA512 daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190

memory/1940-57-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Config.Msi\e57c574.rbs

MD5 754ecc2c6d8ba122916ea37c313fa218
SHA1 b1603fc7ffa1cb67f3ab7062cbe94dbf4e9fc09c
SHA256 73f78d1cab0bd15fdc2286c2d6d19c77c2f685aa6daedeacbb79f4e162ceff92
SHA512 72d7366517dbf1495dab8e5e5603a85243b0f236be89d393391cd9ef52830d7d59b70d568acc74f915ae79ed7e92c921acdbfa8118def74373c1a5a27c07d9be

C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp

MD5 d90927477dbf0725af0a10e151c184c4
SHA1 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e
SHA256 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029
SHA512 bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98

C:\Windows\Installer\e57c573.msi

MD5 7ba3fd79c3ccfdb9f1a311a3f05a7d94
SHA1 c4115a8d08ce102bcb14ed00dad86e52e163c81c
SHA256 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
SHA512 f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c

memory/2196-74-0x000000002A680000-0x000000002A6AF000-memory.dmp

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs

MD5 615235ef40ac677be4c414e7dfb9ff53
SHA1 ef7cea67851aed94a5e14e9b907f366d1185e172
SHA256 1a7dd87bb537e41f7742da7cbb9839523d905747aad4522f4a39932ba626a132
SHA512 c694a4cf03ce5587e164b4f31b141951b949281f8ba08a69178f56c290afbbbe139651a849f3436976ee7c29b6aa0408b60c7e529a44c8c4bc52aff0498ae89b

memory/4160-80-0x0000000000DF0000-0x0000000000EC6000-memory.dmp

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml

MD5 a64dd3b12bb2c5bc00fb61a6c9ddcc8d
SHA1 27b65d6e3c47cefd0d21e9412185601d03a2756f
SHA256 73c03e24b2378cd1a660ac8127f44edae43ee31a73092afb88bd617b9638db9f
SHA512 8824bb6e846c9ee4e5ef3bf0373dcd0b513aa5f91d3858a5e34868b1f72f7052dc55776d0cd40154fe4f1dc160ea7d7324872e6e7e8a265db294e53f36878e39

memory/1940-88-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/1448-89-0x0000000000400000-0x0000000000710000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log

MD5 122cf3c4f3452a55a92edee78316e071
SHA1 f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512 c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 8f0ebed5a85069167a43be2f421f370e
SHA1 47d5186604ff3a5074e4110c90ede6cfacfc8265
SHA256 c50ae0005964444763599bccd561747d95ec4090b5f303e1984a02377aa67afa
SHA512 b32fecd7c8cb38bda53851974a4d26d518410efcf0231f5863452ddb95c2142b2ef1a57fb5f1fb77066bdc5b415fe7a26e658f3a0837215833405b27eacdcbab

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 1226617303e471801147e17897fca124
SHA1 ef520fc7f9df305e5cda543d2e350896cfb2c533
SHA256 ae34bd6cdf1646e227df7c331005c391a512c091356589bdf076d2f62f59d4fd
SHA512 847070ae63d30bb2a1724d698131c623a41d4c0799c7b2bd18bfbe2c70c92275b7ddfe6228f437728a9651a767f0a20128deb7dc54d987dd7fd4c36742047748

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 a3e45e19b3a9dd50e3183832d99125b9
SHA1 70d612884e46fba3b6fa7353324f88274b94f4c5
SHA256 923273eb24d176c913b6250b32bae91acd788e2d727b0a84fc5e56d1b3600429
SHA512 4a7125e90fd7d83ac4eb17bb518155ed4e0f5e6567503a1ff22e9374b44f0a13998255afbfb4724516c6933ef4bfd6d4a2485915754ba6b406cebc598e0b0077

memory/5012-112-0x0000000029FD0000-0x000000002A01D000-memory.dmp

memory/1448-114-0x0000000000400000-0x0000000000710000-memory.dmp

memory/5012-116-0x000000002BBE0000-0x000000002BD9C000-memory.dmp

memory/5012-118-0x000000002BBE0000-0x000000002BD9C000-memory.dmp

memory/5012-119-0x000000002BBE0000-0x000000002BD9C000-memory.dmp

memory/5012-121-0x000000002BBE0000-0x000000002BD9C000-memory.dmp