redline | 381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
12-02-2021 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe
Size

119KB
MD5

ed05d2c233a6a37bfbffd7b27c12d2b9
SHA1

221cfaece1b2b6a736f071b367a62d4f229e940e
SHA256

381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2
SHA512

465c3da441d3fc710213bc3793fb4ae36a22ab5b196a0309e4b2ce6b03796adfc53598ab562d3bf38aaf5b5d5e2ec44e02179a3621e0928810232437e6506296

Score

10^/10

redline discovery evasion infostealer persistence spyware themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2292-84-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral2/memory/2292-85-0x0000000000423FA2-mapping.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 7 IoCs

Processes:

5630331.614345431.475473871.607700345.845100845.56Windows Host.exe5473871.60

pid process

5040 5630331.61
5116 4345431.47
3456 5473871.60
3564 7700345.84
808 5100845.56
3168 Windows Host.exe
2292 5473871.60

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5100845.56

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5100845.56
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5100845.56

Loads dropped DLL 24 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
4596	regsvr32.exe
2476	regsvr32.exe
228	regsvr32.exe
184	regsvr32.exe
4308	regsvr32.exe
4516	regsvr32.exe
2024	regsvr32.exe
2948	regsvr32.exe
4632	regsvr32.exe
1072	regsvr32.exe
3116	regsvr32.exe
4868	regsvr32.exe
3972	regsvr32.exe
5048	regsvr32.exe
1820	regsvr32.exe
3460	regsvr32.exe
2848	regsvr32.exe
4988	regsvr32.exe
4960	regsvr32.exe
5024	regsvr32.exe
3876	regsvr32.exe
716	regsvr32.exe
4172	regsvr32.exe
2928	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 2 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\5100845.56	themida
behavioral2/memory/808-63-0x0000000000940000-0x0000000000941000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4345431.47regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	4345431.47
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LanguagePack = "C:\\Windows\\system32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\protect\\bff533-b5a533-f1bf4516-6d6aa1-bbd0.db\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\LanguagePack = "C:\\Windows\\system32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\protect\\bff533-b5a533-f1bf4516-6d6aa1-bbd0.db\""	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

5100845.56

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5100845.56
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5100845.56

pid process

808 5100845.56
Suspicious use of SetThreadContext 1 IoCs

Processes:

5473871.60

description pid process target process

PID 3456 set thread context of 2292 3456 5473871.60 5473871.60

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5100845.56

pid	process
808	5100845.56

description	pid	process	target process
PID 3456 set thread context of 2292	3456	5473871.60	5473871.60

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5630331.615100845.565473871.607700345.84regsvr32.exe

pid	process
5040	5630331.61
5040	5630331.61
808	5100845.56
808	5100845.56
2292	5473871.60
3564	7700345.84
3564	7700345.84
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe
4516	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe5630331.615100845.565473871.60regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process
Token: SeDebugPrivilege	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe
Token: SeDebugPrivilege	5040	5630331.61
Token: SeDebugPrivilege	808	5100845.56
Token: SeDebugPrivilege	2292	5473871.60
Token: SeCreateGlobalPrivilege	4516	regsvr32.exe
Token: SeDebugPrivilege	4516	regsvr32.exe
Token: SeCreateGlobalPrivilege	2948	regsvr32.exe
Token: SeCreateGlobalPrivilege	1072	regsvr32.exe
Token: SeCreateGlobalPrivilege	4868	regsvr32.exe
Token: SeCreateGlobalPrivilege	5048	regsvr32.exe
Token: SeCreateGlobalPrivilege	3460	regsvr32.exe
Token: SeCreateGlobalPrivilege	4988	regsvr32.exe
Token: SeCreateGlobalPrivilege	5024	regsvr32.exe
Token: SeCreateGlobalPrivilege	716	regsvr32.exe
Token: SeCreateGlobalPrivilege	2928	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe4345431.475473871.607700345.84regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4640 wrote to memory of 5040	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5630331.61
PID 4640 wrote to memory of 5040	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5630331.61
PID 4640 wrote to memory of 5040	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5630331.61
PID 4640 wrote to memory of 5116	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	4345431.47
PID 4640 wrote to memory of 5116	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	4345431.47
PID 4640 wrote to memory of 5116	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	4345431.47
PID 4640 wrote to memory of 3456	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5473871.60
PID 4640 wrote to memory of 3456	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5473871.60
PID 4640 wrote to memory of 3456	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5473871.60
PID 4640 wrote to memory of 3564	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	7700345.84
PID 4640 wrote to memory of 3564	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	7700345.84
PID 4640 wrote to memory of 3564	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	7700345.84
PID 4640 wrote to memory of 808	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5100845.56
PID 4640 wrote to memory of 808	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5100845.56
PID 4640 wrote to memory of 808	4640	SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe	5100845.56
PID 5116 wrote to memory of 3168	5116	4345431.47	Windows Host.exe
PID 5116 wrote to memory of 3168	5116	4345431.47	Windows Host.exe
PID 5116 wrote to memory of 3168	5116	4345431.47	Windows Host.exe
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3456 wrote to memory of 2292	3456	5473871.60	5473871.60
PID 3564 wrote to memory of 4596	3564	7700345.84	regsvr32.exe
PID 3564 wrote to memory of 4596	3564	7700345.84	regsvr32.exe
PID 4596 wrote to memory of 2476	4596	regsvr32.exe	regsvr32.exe
PID 4596 wrote to memory of 2476	4596	regsvr32.exe	regsvr32.exe
PID 2476 wrote to memory of 228	2476	regsvr32.exe	regsvr32.exe
PID 2476 wrote to memory of 228	2476	regsvr32.exe	regsvr32.exe
PID 228 wrote to memory of 184	228	regsvr32.exe	regsvr32.exe
PID 228 wrote to memory of 184	228	regsvr32.exe	regsvr32.exe
PID 184 wrote to memory of 4308	184	regsvr32.exe	regsvr32.exe
PID 184 wrote to memory of 4308	184	regsvr32.exe	regsvr32.exe
PID 4308 wrote to memory of 4516	4308	regsvr32.exe	regsvr32.exe
PID 4308 wrote to memory of 4516	4308	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 2024	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 2024	4516	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 2948	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 2948	2024	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 4632	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 4632	4516	regsvr32.exe	regsvr32.exe
PID 4632 wrote to memory of 1072	4632	regsvr32.exe	regsvr32.exe
PID 4632 wrote to memory of 1072	4632	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 3116	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 3116	4516	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 4868	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 4868	3116	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 3972	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 3972	4516	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 5048	3972	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 5048	3972	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 1820	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 1820	4516	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 3460	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 3460	1820	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 2848	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 2848	4516	regsvr32.exe	regsvr32.exe
PID 2848 wrote to memory of 4988	2848	regsvr32.exe	regsvr32.exe
PID 2848 wrote to memory of 4988	2848	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 4960	4516	regsvr32.exe	regsvr32.exe
PID 4516 wrote to memory of 4960	4516	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\ProgramData\5630331.61
"C:\ProgramData\5630331.61"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\ProgramData\4345431.47
"C:\ProgramData\4345431.47"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
3⤵
- Executes dropped EXE
PID:3168

C:\ProgramData\7700345.84
"C:\ProgramData\7700345.84"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 4
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 3
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 2
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
8⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
PID:4960

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
PID:3876

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 1
9⤵
- Loads dropped DLL
PID:4172

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\protect\\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db" 0
10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\ProgramData\5473871.60
"C:\ProgramData\5473871.60"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3456

C:\ProgramData\5473871.60
"C:\ProgramData\5473871.60"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\ProgramData\5100845.56
"C:\ProgramData\5100845.56"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4345431.47

MD5
812106381d9d1e2b02a890710b56b47d

SHA1
e779d19559c8eb1a59be586a0309e559a0d175fa

SHA256
4dc2cda6da2e009dea089f085bb193c06e8fe6239788c7250e64b92c4130b25c

SHA512
cd4195284f26c76bcd67b2c08329c877325324dcf0137fe05224186f384180ed88ee9743cd0a984f8a7cefc93115d26accacc2b284a5090c4a9ec60f2d04e975

Download Submit
C:\ProgramData\4345431.47

MD5
812106381d9d1e2b02a890710b56b47d

SHA1
e779d19559c8eb1a59be586a0309e559a0d175fa

SHA256
4dc2cda6da2e009dea089f085bb193c06e8fe6239788c7250e64b92c4130b25c

SHA512
cd4195284f26c76bcd67b2c08329c877325324dcf0137fe05224186f384180ed88ee9743cd0a984f8a7cefc93115d26accacc2b284a5090c4a9ec60f2d04e975

Download Submit
C:\ProgramData\5100845.56

MD5
d143fb6fe3d6dff333bfc8bc9aaa034e

SHA1
abf7d975dfe6b29602bb95fe38e91a03d049ac9b

SHA256
5af08f747a5ae785dc18317e0a2db06d7764c7fdf48cd9c0176970c9f7fc79a8

SHA512
8b445f417a6c1b694d1b55502974010ecf8f27e8887fdc0e10eb9f6d221daa09b792f6162189dd45fd2399f546cd7cade4ef0fd764af92e84bf38361ac27a950

Download Submit
C:\ProgramData\5473871.60

MD5
6918dc96448960f42ff64164e89929d6

SHA1
77dd79138c42843321f4c156cbd2e7e2666825fd

SHA256
0da9a2cf8e4411f1ece2971e322631cca48a3de22884e72c519c80c76623e780

SHA512
f59103ce28827d96cea85341a31e54a1ae722ff5c387b597f325050e76d254305c0b8c317edf335bc7a1af846429bcdc2429983622b9626e703b520f6339010a

Download Submit
C:\ProgramData\5473871.60

MD5
6918dc96448960f42ff64164e89929d6

SHA1
77dd79138c42843321f4c156cbd2e7e2666825fd

SHA256
0da9a2cf8e4411f1ece2971e322631cca48a3de22884e72c519c80c76623e780

SHA512
f59103ce28827d96cea85341a31e54a1ae722ff5c387b597f325050e76d254305c0b8c317edf335bc7a1af846429bcdc2429983622b9626e703b520f6339010a

Download Submit
C:\ProgramData\5473871.60

MD5
6918dc96448960f42ff64164e89929d6

SHA1
77dd79138c42843321f4c156cbd2e7e2666825fd

SHA256
0da9a2cf8e4411f1ece2971e322631cca48a3de22884e72c519c80c76623e780

SHA512
f59103ce28827d96cea85341a31e54a1ae722ff5c387b597f325050e76d254305c0b8c317edf335bc7a1af846429bcdc2429983622b9626e703b520f6339010a

Download Submit
C:\ProgramData\5630331.61

MD5
8ece2251ab92449e39a13e0e5fd01ee7

SHA1
9a38b32e8c7db75544687eac7d2afe5281adbf65

SHA256
d9b2cec18cc84167a10a96b4761bf3de8c4314fea1fcb101074863ef6e187a0b

SHA512
29b61d259f07490bd560139eb08f635dc95f7350b821c284f94601b993342c3a359aad5990a32bcd3a907d82d5e134468c73f0075700611b3d9325264ff6155f

Download Submit
C:\ProgramData\5630331.61

MD5
8ece2251ab92449e39a13e0e5fd01ee7

SHA1
9a38b32e8c7db75544687eac7d2afe5281adbf65

SHA256
d9b2cec18cc84167a10a96b4761bf3de8c4314fea1fcb101074863ef6e187a0b

SHA512
29b61d259f07490bd560139eb08f635dc95f7350b821c284f94601b993342c3a359aad5990a32bcd3a907d82d5e134468c73f0075700611b3d9325264ff6155f

Download Submit
C:\ProgramData\7700345.84

MD5
d7345c600135d1cf0bf5654b4e62e4d7

SHA1
ff337e5e406f2f202fd6e8c55ba698bb2469daaa

SHA256
d620caed49949ebcbfd64a6fa71c0e896136b7d97c538aee66d063520bf18170

SHA512
e5e152614d20939df201292fb581f16b07e570a661be2ee2372724b9f601a82b630ea7eb316dab34ef6aa19559db26469313b6a7c9fd292bcbe687e98175dafc

Download Submit
C:\ProgramData\7700345.84

MD5
d7345c600135d1cf0bf5654b4e62e4d7

SHA1
ff337e5e406f2f202fd6e8c55ba698bb2469daaa

SHA256
d620caed49949ebcbfd64a6fa71c0e896136b7d97c538aee66d063520bf18170

SHA512
e5e152614d20939df201292fb581f16b07e570a661be2ee2372724b9f601a82b630ea7eb316dab34ef6aa19559db26469313b6a7c9fd292bcbe687e98175dafc

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe

MD5
812106381d9d1e2b02a890710b56b47d

SHA1
e779d19559c8eb1a59be586a0309e559a0d175fa

SHA256
4dc2cda6da2e009dea089f085bb193c06e8fe6239788c7250e64b92c4130b25c

SHA512
cd4195284f26c76bcd67b2c08329c877325324dcf0137fe05224186f384180ed88ee9743cd0a984f8a7cefc93115d26accacc2b284a5090c4a9ec60f2d04e975

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe

MD5
812106381d9d1e2b02a890710b56b47d

SHA1
e779d19559c8eb1a59be586a0309e559a0d175fa

SHA256
4dc2cda6da2e009dea089f085bb193c06e8fe6239788c7250e64b92c4130b25c

SHA512
cd4195284f26c76bcd67b2c08329c877325324dcf0137fe05224186f384180ed88ee9743cd0a984f8a7cefc93115d26accacc2b284a5090c4a9ec60f2d04e975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5473871.60.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6b67f8-b74dc1-56fc3564-e16ea0-b6c0.db

MD5
8cdc078ea551a6b01778ec2be2cc359f

SHA1
754cdf9019220976d3857ebfec7875a6ac1a249d

SHA256
ae42f22a93a36ac02168764557980f5103c538286f77ad28ba54a269778143ea

SHA512
26cbc034629c61b115ee579786f5b6fe9d44940ed3533c477fc8fdc6024036046c28c8922c8addb1d01ec0d421c971583f2fb6430ee9cbd2a5b991e5fc3de93d

Download Submit
memory/184-112-0x0000000000000000-mapping.dmp

Download
memory/228-110-0x0000000000000000-mapping.dmp

Download
memory/716-148-0x0000000000000000-mapping.dmp

Download
memory/808-77-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/808-75-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/808-81-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/808-76-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/808-31-0x0000000000000000-mapping.dmp

Download
memory/808-62-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/808-63-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/808-65-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/808-66-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/808-67-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/808-68-0x0000000077CD4000-0x0000000077CD5000-memory.dmp

Filesize
4KB

Download
memory/808-69-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/808-70-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/808-71-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/808-72-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/1072-124-0x0000000000000000-mapping.dmp

Download
memory/1820-134-0x0000000000000000-mapping.dmp

Download
memory/2024-118-0x0000000000000000-mapping.dmp

Download
memory/2292-97-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2292-84-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2292-85-0x0000000000423FA2-mapping.dmp

Download
memory/2292-88-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-96-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/2476-108-0x0000000000000000-mapping.dmp

Download
memory/2848-138-0x0000000000000000-mapping.dmp

Download
memory/2928-152-0x0000000000000000-mapping.dmp

Download
memory/2948-120-0x0000000000000000-mapping.dmp

Download
memory/3116-126-0x0000000000000000-mapping.dmp

Download
memory/3168-49-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3168-46-0x0000000000000000-mapping.dmp

Download
memory/3168-55-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3456-26-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3456-20-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3456-39-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3456-41-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3456-30-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/3456-29-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3456-40-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/3456-44-0x00000000053A0000-0x00000000053A4000-memory.dmp

Filesize
16KB

Download
memory/3456-83-0x0000000001200000-0x0000000001253000-memory.dmp

Filesize
332KB

Download
memory/3456-15-0x0000000000000000-mapping.dmp

Download
memory/3456-33-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3460-136-0x0000000000000000-mapping.dmp

Download
memory/3564-22-0x0000000000000000-mapping.dmp

Download
memory/3564-59-0x0000000000B10000-0x0000000000B44000-memory.dmp

Filesize
208KB

Download
memory/3564-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3564-57-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3876-146-0x0000000000000000-mapping.dmp

Download
memory/3972-130-0x0000000000000000-mapping.dmp

Download
memory/4172-150-0x0000000000000000-mapping.dmp

Download
memory/4308-114-0x0000000000000000-mapping.dmp

Download
memory/4516-116-0x0000000000000000-mapping.dmp

Download
memory/4596-105-0x0000000000000000-mapping.dmp

Download
memory/4632-122-0x0000000000000000-mapping.dmp

Download
memory/4640-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/4640-2-0x00007FF9C90A0000-0x00007FF9C9A8C000-memory.dmp

Filesize
9.9MB

Download
memory/4640-5-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/4640-14-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/4868-128-0x0000000000000000-mapping.dmp

Download
memory/4960-142-0x0000000000000000-mapping.dmp

Download
memory/4988-140-0x0000000000000000-mapping.dmp

Download
memory/5024-144-0x0000000000000000-mapping.dmp

Download
memory/5040-27-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/5040-16-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/5040-6-0x0000000000000000-mapping.dmp

Download
memory/5040-45-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/5040-58-0x0000000009300000-0x0000000009301000-memory.dmp

Filesize
4KB

Download
memory/5040-13-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5040-38-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/5040-42-0x00000000049A0000-0x00000000049D3000-memory.dmp

Filesize
204KB

Download
memory/5048-132-0x0000000000000000-mapping.dmp

Download
memory/5116-9-0x0000000000000000-mapping.dmp

Download
memory/5116-12-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/5116-32-0x0000000002540000-0x000000000254B000-memory.dmp

Filesize
44KB

Download
memory/5116-36-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download