redline | 5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.2MB
MD5

106adc0183d444263d6675db1a2e9540
SHA1

d4479ce12196290bea418795e36628a136021949
SHA256

5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3
SHA512

921aa6487e6bb524fab9dad94b59c65f2a567965d845490fd5ada5c27be3e23889d22700591ca581cf639c6662b33d61d3e42b2fe87a52482050edd5a91110fb
SSDEEP

49152:F70aLyun15F4UfHlSQWeBGnWSglFJp+uRp4LgCBAvQlAXHzziRy2oqIR7R4j:FAaLyun15FHnJsWJ0oH4lAgSJR2

Score

10^/10

redline 5 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

116.203.187.3:14916

Attributes

auth_value
febe6965b41d2583ad2bb6b5aa23cfd5

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3028-148-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

mnr.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exeCsatu.exemnr.exe

pid	process
1472	mnr.exe
4180	Csatu.exe
3484	Csatu.exe
3480	Csatu.exe
3472	Csatu.exe
2828	Csatu.exe
1976	Csatu.exe
420	Csatu.exe
308	Csatu.exe
636	Csatu.exe
768	Csatu.exe
964	Csatu.exe
1668	mnr.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exefile.exeCsatu.exemnr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Csatu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mnr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeCsatu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tehtosfc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gsvigc\\Tehtosfc.exe\""	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pmfumz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fhejna\\Pmfumz.exe\""	Csatu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 504 set thread context of 3028 504 file.exe file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 504 set thread context of 3028	504	file.exe	file.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

powershell.exefile.exepowershell.exefile.exeCsatu.exepowershell.exepowershell.exe

pid	process
420	powershell.exe
420	powershell.exe
504	file.exe
344	powershell.exe
344	powershell.exe
504	file.exe
504	file.exe
3028	file.exe
4180	Csatu.exe
4908	powershell.exe
4908	powershell.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
4180	Csatu.exe
2312	powershell.exe
2312	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exefile.exepowershell.exefile.exeCsatu.exepowershell.exemnr.exepowershell.exemnr.exe

description	pid	process
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	504	file.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	3028	file.exe
Token: SeDebugPrivilege	4180	Csatu.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	1472	mnr.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1668	mnr.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

file.exefile.exeCsatu.exemnr.exe

description	pid	process	target process
PID 504 wrote to memory of 420	504	file.exe	powershell.exe
PID 504 wrote to memory of 420	504	file.exe	powershell.exe
PID 504 wrote to memory of 420	504	file.exe	powershell.exe
PID 504 wrote to memory of 344	504	file.exe	powershell.exe
PID 504 wrote to memory of 344	504	file.exe	powershell.exe
PID 504 wrote to memory of 344	504	file.exe	powershell.exe
PID 504 wrote to memory of 3820	504	file.exe	file.exe
PID 504 wrote to memory of 3820	504	file.exe	file.exe
PID 504 wrote to memory of 3820	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 504 wrote to memory of 3028	504	file.exe	file.exe
PID 3028 wrote to memory of 1472	3028	file.exe	mnr.exe
PID 3028 wrote to memory of 1472	3028	file.exe	mnr.exe
PID 3028 wrote to memory of 4180	3028	file.exe	Csatu.exe
PID 3028 wrote to memory of 4180	3028	file.exe	Csatu.exe
PID 3028 wrote to memory of 4180	3028	file.exe	Csatu.exe
PID 4180 wrote to memory of 4908	4180	Csatu.exe	powershell.exe
PID 4180 wrote to memory of 4908	4180	Csatu.exe	powershell.exe
PID 4180 wrote to memory of 4908	4180	Csatu.exe	powershell.exe
PID 4180 wrote to memory of 3484	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3484	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3484	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3480	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3480	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3480	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3472	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3472	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 3472	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 2828	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 2828	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 2828	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 1976	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 1976	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 1976	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 420	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 420	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 420	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 308	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 308	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 308	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 636	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 636	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 636	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 768	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 768	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 768	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 964	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 964	4180	Csatu.exe	Csatu.exe
PID 4180 wrote to memory of 964	4180	Csatu.exe	Csatu.exe
PID 1472 wrote to memory of 2312	1472	mnr.exe	powershell.exe
PID 1472 wrote to memory of 2312	1472	mnr.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 30
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\mnr.exe
"C:\Users\Admin\AppData\Local\Temp\mnr.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
"C:\Users\Admin\AppData\Local\Temp\Csatu.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:308

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:420

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Temp\Csatu.exe
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
4⤵
- Executes dropped EXE
PID:2828

C:\Users\Admin\AppData\Roaming\mnr.exe
C:\Users\Admin\AppData\Roaming\mnr.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mnr.exe.log
Filesize
1KB

MD5
b77068250c95a82dc5ed9b3c41ef678e

SHA1
2e002b8ff5b6b2d403f1d7bfa3ed0e4e250bf928

SHA256
ee39a8ce2aa18998cf3d4f175133794304422b3ee937566b35414d4b1d7e9d85

SHA512
32848c7cf2735d9641ceaf3821a2334caad1826a61a0a810078db2f5beee596af517da43015a26209ad52bae301623383a8fdc97e052be8ce8b3c2162c66aaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Filesize
1KB

MD5
5a71ec3b6f3e3d68fc5237316e80493d

SHA1
8ba5f6c33faa98200251ff91e3e9ee8d46885176

SHA256
a3c6a55e3b7a7054082d00842bb117c388669b51b09b0f8f74b77d8f72d9d3be

SHA512
a5425c4b1322af8d473c81bdec3c06129a9a676e47d193e1d8494b2519a380c22c6d6ece86a7f863716f3a261d40f16093162a9654c2b961a99d33e7c64d9e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
29dc260c693ab67f6bdc4b2a2afb1a8d

SHA1
a886abd179203ca44803d2adcdf7e6caa99b8a40

SHA256
934626c99493301f528f7a7433aa0b2c8e067fa112a1ac26a0ece78759502e11

SHA512
72f0b8c332e76e90ed13b99b3aac0c94d4d2328e042fa4199bfd26b3957ffdb49e046efb6c1f4fe7474444335d37c00eecc19dfa80f6fd869766ad2fb0b7f7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
63ec0b782fea7ea5600094390f0f1f8f

SHA1
1a06ad3e6237ec7587fd14e8e6f93014e3b8e279

SHA256
80dacc1d36886c3ed9324b90c698523c4c110fd36529ec13d9d393419ae52940

SHA512
cd97c6841121b669aede1b9071133a5075a45e0e9f81d89ae1e7c9a144b96ca405035a15ddf5d62e756a0ab51dced6ce86cf5ac64ad1b5544ee0b0c7a6a0c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Csatu.exe
Filesize
2.5MB

MD5
abe7dd67159fc04f49f0fead1465e16c

SHA1
683b8f96cee5ae7f00ebe7104e92137478c63583

SHA256
228a12d1c29aafcf7cfe1781159eb135cb7124271f64d0bc4ad259f907db134f

SHA512
ebcbcbdba71096034ec59b7e0030cafe844ff8968e359634e9810f8d044172089f7827038d59499a55200b060b01d0d2db8eb25e2221743ffc5161f1b52a135d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
C:\Users\Admin\AppData\Roaming\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
C:\Users\Admin\AppData\Roaming\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
memory/308-200-0x0000000000000000-mapping.dmp

Download
memory/344-142-0x0000000000000000-mapping.dmp

Download
memory/420-141-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/420-137-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/420-140-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/420-139-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/420-138-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/420-198-0x0000000000000000-mapping.dmp

Download
memory/420-133-0x0000000000000000-mapping.dmp

Download
memory/420-134-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

Filesize
216KB

Download
memory/420-135-0x0000000005630000-0x0000000005C58000-memory.dmp

Filesize
6.2MB

Download
memory/420-136-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/504-145-0x0000000006B60000-0x0000000007104000-memory.dmp

Filesize
5.6MB

Download
memory/504-144-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/504-132-0x0000000000320000-0x0000000000556000-memory.dmp

Filesize
2.2MB

Download
memory/636-202-0x0000000000000000-mapping.dmp

Download
memory/768-204-0x0000000000000000-mapping.dmp

Download
memory/964-206-0x0000000000000000-mapping.dmp

Download
memory/1472-186-0x00007FFA219A0000-0x00007FFA219C7000-memory.dmp

Filesize
156KB

Download
memory/1472-164-0x00007FFA06890000-0x00007FFA0693A000-memory.dmp

Filesize
680KB

Download
memory/1472-176-0x00007FFA22A80000-0x00007FFA22AAB000-memory.dmp

Filesize
172KB

Download
memory/1472-167-0x00007FFA1F4D0000-0x00007FFA1F4E2000-memory.dmp

Filesize
72KB

Download
memory/1472-177-0x00007FF6F42D0000-0x00007FF6F43E8000-memory.dmp

Filesize
1.1MB

Download
memory/1472-178-0x00007FF6F42D0000-0x00007FF6F43E8000-memory.dmp

Filesize
1.1MB

Download
memory/1472-179-0x00007FFA06170000-0x00007FFA062BE000-memory.dmp

Filesize
1.3MB

Download
memory/1472-180-0x00007FFA16260000-0x00007FFA16279000-memory.dmp

Filesize
100KB

Download
memory/1472-221-0x00007FF6F42D0000-0x00007FF6F43E8000-memory.dmp

Filesize
1.1MB

Download
memory/1472-182-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1472-175-0x0000000003660000-0x00000000036A2000-memory.dmp

Filesize
264KB

Download
memory/1472-184-0x00007FF6F42D0000-0x00007FF6F43E8000-memory.dmp

Filesize
1.1MB

Download
memory/1472-185-0x0000000003660000-0x00000000036A2000-memory.dmp

Filesize
264KB

Download
memory/1472-174-0x00007FF6F42D0000-0x00007FF6F43E8000-memory.dmp

Filesize
1.1MB

Download
memory/1472-187-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1472-224-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1472-173-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1472-159-0x0000000000000000-mapping.dmp

Download
memory/1472-165-0x00007FFA23410000-0x00007FFA234AE000-memory.dmp

Filesize
632KB

Download
memory/1472-168-0x00007FFA06460000-0x00007FFA0651D000-memory.dmp

Filesize
756KB

Download
memory/1472-172-0x00007FFA22660000-0x00007FFA22801000-memory.dmp

Filesize
1.6MB

Download
memory/1668-225-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1668-223-0x00007FFA22A80000-0x00007FFA22AAB000-memory.dmp

Filesize
172KB

Download
memory/1668-227-0x00007FF70D520000-0x00007FF70D638000-memory.dmp

Filesize
1.1MB

Download
memory/1668-220-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1668-219-0x00007FFA22660000-0x00007FFA22801000-memory.dmp

Filesize
1.6MB

Download
memory/1668-218-0x00007FFA06460000-0x00007FFA0651D000-memory.dmp

Filesize
756KB

Download
memory/1668-231-0x00007FFA16260000-0x00007FFA16279000-memory.dmp

Filesize
100KB

Download
memory/1668-230-0x00007FFA06170000-0x00007FFA062BE000-memory.dmp

Filesize
1.3MB

Download
memory/1668-229-0x00007FF70D520000-0x00007FF70D638000-memory.dmp

Filesize
1.1MB

Download
memory/1668-228-0x0000000002EF0000-0x0000000002F32000-memory.dmp

Filesize
264KB

Download
memory/1668-217-0x00007FFA1F4D0000-0x00007FFA1F4E2000-memory.dmp

Filesize
72KB

Download
memory/1668-237-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/1668-239-0x00007FFA219A0000-0x00007FFA219C7000-memory.dmp

Filesize
156KB

Download
memory/1668-216-0x00007FFA23410000-0x00007FFA234AE000-memory.dmp

Filesize
632KB

Download
memory/1668-215-0x00007FFA06890000-0x00007FFA0693A000-memory.dmp

Filesize
680KB

Download
memory/1668-238-0x00007FF70D520000-0x00007FF70D638000-memory.dmp

Filesize
1.1MB

Download
memory/1976-196-0x0000000000000000-mapping.dmp

Download
memory/2312-226-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/2312-209-0x000001955A7C0000-0x000001955A7E2000-memory.dmp

Filesize
136KB

Download
memory/2312-234-0x000001955ABA0000-0x000001955ABA8000-memory.dmp

Filesize
32KB

Download
memory/2312-236-0x00007FFA049B0000-0x00007FFA05471000-memory.dmp

Filesize
10.8MB

Download
memory/2312-235-0x000001955ABB0000-0x000001955ABBA000-memory.dmp

Filesize
40KB

Download
memory/2312-232-0x000001955AA30000-0x000001955AA4C000-memory.dmp

Filesize
112KB

Download
memory/2312-233-0x000001955AB90000-0x000001955AB9A000-memory.dmp

Filesize
40KB

Download
memory/2312-208-0x0000000000000000-mapping.dmp

Download
memory/2828-194-0x0000000000000000-mapping.dmp

Download
memory/3028-152-0x0000000005C90000-0x0000000005D9A000-memory.dmp

Filesize
1.0MB

Download
memory/3028-156-0x0000000007520000-0x0000000007570000-memory.dmp

Filesize
320KB

Download
memory/3028-147-0x0000000000000000-mapping.dmp

Download
memory/3028-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3028-150-0x0000000006120000-0x0000000006738000-memory.dmp

Filesize
6.1MB

Download
memory/3028-151-0x0000000005B60000-0x0000000005B72000-memory.dmp

Filesize
72KB

Download
memory/3028-153-0x0000000005BC0000-0x0000000005BFC000-memory.dmp

Filesize
240KB

Download
memory/3028-154-0x0000000005F60000-0x0000000005FD6000-memory.dmp

Filesize
472KB

Download
memory/3028-155-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/3028-158-0x0000000007E40000-0x000000000836C000-memory.dmp

Filesize
5.2MB

Download
memory/3028-157-0x0000000007740000-0x0000000007902000-memory.dmp

Filesize
1.8MB

Download
memory/3472-192-0x0000000000000000-mapping.dmp

Download
memory/3480-190-0x0000000000000000-mapping.dmp

Download
memory/3484-188-0x0000000000000000-mapping.dmp

Download
memory/3820-146-0x0000000000000000-mapping.dmp

Download
memory/4180-171-0x00000000003D0000-0x000000000064E000-memory.dmp

Filesize
2.5MB

Download
memory/4180-166-0x0000000000000000-mapping.dmp

Download
memory/4908-181-0x0000000000000000-mapping.dmp

Download