djvu | a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158

Analysis

max time kernel
105s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28/10/2022, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
Size

268KB
MD5

3b9b7394464129517cec702d56c0ed7a
SHA1

c8c07b6f2baa9b306233181555ec1cdab471323a
SHA256

a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158
SHA512

d670132779d9c7f55055267c66cba1e0409905365f90cf819b169268f9f8cdeab18c1ebecc9baf971641c1380c06aa37c5038f649ece9ca2926b9a705a11ece6
SSDEEP

6144:FRAH9g5LGW/HRAPTLuHg5kntOvczyFDWRj:FRAHkL5AXuA5kntOUzyFkj

Score

10^/10

djvu redline smokeloader vidar 1752 517 google2 mario23_10 slovarik15btc backdoor collection discovery infostealer persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

vidar

Version

55.2

Botnet

1752

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
1752

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.pozq
offline_id
oq4l7AoeQAT1wLV4c2ModKTOluU7sQaRllQplQt1
payload_url
http://uaery.top/dl/build2.exe

http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2gP6wwZcZ9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0593Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

redline

Botnet

slovarik15btc

78.153.144.3:2510

Attributes

auth_value
bfedad55292538ad3edd07ac95ad8952

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Extracted

Family

vidar

Version

55.3

Botnet

517

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 7 IoCs

resource	yara_rule
behavioral1/memory/20424-500-0x0000000004A20000-0x0000000004B3B000-memory.dmp	family_djvu
behavioral1/memory/193800-537-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/193800-665-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/193800-768-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/193800-820-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/77920-1105-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/77920-1441-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

resource	yara_rule
behavioral1/memory/2356-152-0x00000000001D0000-0x00000000001D9000-memory.dmp	family_smokeloader
behavioral1/memory/3464-416-0x0000000002C90000-0x0000000002C99000-memory.dmp	family_smokeloader
behavioral1/memory/4308-459-0x0000000002C80000-0x0000000002C89000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 11 IoCs

resource	yara_rule
behavioral1/memory/139120-420-0x000000000045ADEE-mapping.dmp	family_redline
behavioral1/memory/193764-543-0x00000000001CADEE-mapping.dmp	family_redline
behavioral1/memory/139120-559-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/193764-639-0x0000000000170000-0x00000000001D0000-memory.dmp	family_redline
behavioral1/memory/76760-845-0x0000000000722142-mapping.dmp	family_redline
behavioral1/memory/76308-846-0x00000000000E0000-0x0000000000198000-memory.dmp	family_redline
behavioral1/memory/76588-877-0x0000000000EA0000-0x0000000000F58000-memory.dmp	family_redline
behavioral1/memory/76588-881-0x0000000000EA0000-0x0000000000F58000-memory.dmp	family_redline
behavioral1/memory/76832-876-0x00000000006321AE-mapping.dmp	family_redline
behavioral1/memory/76760-919-0x0000000000700000-0x0000000000728000-memory.dmp	family_redline
behavioral1/memory/76832-970-0x0000000000610000-0x0000000000638000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
4640	2C51.exe
3264	2F8E.exe
3464	3B18.exe
4308	47AC.exe
20424	4F7D.exe
40204	5A7A.exe
193800	4F7D.exe
76308	C85.exe
76588	1C94.exe
76500	4F7D.exe
76952	352D.exe
77224	426D.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/76952-904-0x00007FF659B20000-0x00007FF65A383000-memory.dmp	upx
behavioral1/files/0x000700000001ac69-900.dat	upx
behavioral1/memory/76952-1200-0x00007FF659B20000-0x00007FF65A383000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2068	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
4724	regsvr32.exe
4640	2C51.exe
4640	2C51.exe
4640	2C51.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
76168	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\029c3c11-4b55-4b87-8ede-47641407fc47\\4F7D.exe\" --AutoStart"	4F7D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.2ip.ua
24	api.2ip.ua
42	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 139120	3264	2F8E.exe	78
PID 20424 set thread context of 193800	20424	4F7D.exe	83
PID 40204 set thread context of 193764	40204	5A7A.exe	82
PID 76308 set thread context of 76760	76308	C85.exe	91
PID 76588 set thread context of 76832	76588	1C94.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
180080	3264	WerFault.exe	71
184244	4308	WerFault.exe	72
76180	4640	WerFault.exe	67

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3B18.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3B18.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3B18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2C51.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2C51.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
81128	schtasks.exe
80852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
2356	a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2356	a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
3464	3B18.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeShutdownPrivilege	2068	Process not Found
Token: SeCreatePagefilePrivilege	2068	Process not Found
Token: SeDebugPrivilege	139120	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4864	2068	Process not Found	66
PID 2068 wrote to memory of 4864	2068	Process not Found	66
PID 2068 wrote to memory of 4640	2068	Process not Found	67
PID 2068 wrote to memory of 4640	2068	Process not Found	67
PID 2068 wrote to memory of 4640	2068	Process not Found	67
PID 4864 wrote to memory of 4724	4864	regsvr32.exe	68
PID 4864 wrote to memory of 4724	4864	regsvr32.exe	68
PID 4864 wrote to memory of 4724	4864	regsvr32.exe	68
PID 2068 wrote to memory of 3264	2068	Process not Found	71
PID 2068 wrote to memory of 3264	2068	Process not Found	71
PID 2068 wrote to memory of 3264	2068	Process not Found	71
PID 2068 wrote to memory of 3464	2068	Process not Found	70
PID 2068 wrote to memory of 3464	2068	Process not Found	70
PID 2068 wrote to memory of 3464	2068	Process not Found	70
PID 2068 wrote to memory of 4308	2068	Process not Found	72
PID 2068 wrote to memory of 4308	2068	Process not Found	72
PID 2068 wrote to memory of 4308	2068	Process not Found	72
PID 2068 wrote to memory of 20424	2068	Process not Found	73
PID 2068 wrote to memory of 20424	2068	Process not Found	73
PID 2068 wrote to memory of 20424	2068	Process not Found	73
PID 2068 wrote to memory of 40204	2068	Process not Found	74
PID 2068 wrote to memory of 40204	2068	Process not Found	74
PID 2068 wrote to memory of 40204	2068	Process not Found	74
PID 2068 wrote to memory of 44008	2068	Process not Found	75
PID 2068 wrote to memory of 44008	2068	Process not Found	75
PID 2068 wrote to memory of 44008	2068	Process not Found	75
PID 2068 wrote to memory of 44008	2068	Process not Found	75
PID 2068 wrote to memory of 58504	2068	Process not Found	77
PID 2068 wrote to memory of 58504	2068	Process not Found	77
PID 2068 wrote to memory of 58504	2068	Process not Found	77
PID 3264 wrote to memory of 139120	3264	2F8E.exe	78
PID 3264 wrote to memory of 139120	3264	2F8E.exe	78
PID 3264 wrote to memory of 139120	3264	2F8E.exe	78
PID 3264 wrote to memory of 139120	3264	2F8E.exe	78
PID 3264 wrote to memory of 139120	3264	2F8E.exe	78
PID 40204 wrote to memory of 193764	40204	5A7A.exe	82
PID 40204 wrote to memory of 193764	40204	5A7A.exe	82
PID 40204 wrote to memory of 193764	40204	5A7A.exe	82
PID 40204 wrote to memory of 193764	40204	5A7A.exe	82
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 20424 wrote to memory of 193800	20424	4F7D.exe	83
PID 40204 wrote to memory of 193764	40204	5A7A.exe	82
PID 193800 wrote to memory of 76168	193800	4F7D.exe	85
PID 193800 wrote to memory of 76168	193800	4F7D.exe	85
PID 193800 wrote to memory of 76168	193800	4F7D.exe	85
PID 2068 wrote to memory of 76308	2068	Process not Found	86
PID 2068 wrote to memory of 76308	2068	Process not Found	86
PID 2068 wrote to memory of 76308	2068	Process not Found	86
PID 193800 wrote to memory of 76500	193800	4F7D.exe	87
PID 193800 wrote to memory of 76500	193800	4F7D.exe	87
PID 193800 wrote to memory of 76500	193800	4F7D.exe	87
PID 2068 wrote to memory of 76588	2068	Process not Found	90
PID 2068 wrote to memory of 76588	2068	Process not Found	90
PID 2068 wrote to memory of 76588	2068	Process not Found	90
PID 76308 wrote to memory of 76760	76308	C85.exe	91
PID 76308 wrote to memory of 76760	76308	C85.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe
"C:\Users\Admin\AppData\Local\Temp\a6bd07c21acee8ebad1b892ab7dcf5e57bb7e0a1a9ba9ce36a54e62399407158.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2356

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2B94.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2B94.dll
  2⤵
  - Loads dropped DLL
  PID:4724

C:\Users\Admin\AppData\Local\Temp\2C51.exe
C:\Users\Admin\AppData\Local\Temp\2C51.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1724
  2⤵
  - Program crash
  PID:76180

C:\Users\Admin\AppData\Local\Temp\3B18.exe
C:\Users\Admin\AppData\Local\Temp\3B18.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3464

C:\Users\Admin\AppData\Local\Temp\2F8E.exe
C:\Users\Admin\AppData\Local\Temp\2F8E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:139120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 193272
  2⤵
  - Program crash
  PID:180080

C:\Users\Admin\AppData\Local\Temp\47AC.exe
C:\Users\Admin\AppData\Local\Temp\47AC.exe
1⤵
- Executes dropped EXE
PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 476
  2⤵
  - Program crash
  PID:184244

C:\Users\Admin\AppData\Local\Temp\4F7D.exe
C:\Users\Admin\AppData\Local\Temp\4F7D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:20424
- C:\Users\Admin\AppData\Local\Temp\4F7D.exe
  C:\Users\Admin\AppData\Local\Temp\4F7D.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:193800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\029c3c11-4b55-4b87-8ede-47641407fc47" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:76168
- - C:\Users\Admin\AppData\Local\Temp\4F7D.exe
    "C:\Users\Admin\AppData\Local\Temp\4F7D.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    PID:76500
  - - C:\Users\Admin\AppData\Local\Temp\4F7D.exe
      "C:\Users\Admin\AppData\Local\Temp\4F7D.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:77920
    - - C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe
        
        "C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe"
        5⤵
        
        PID:80480
      - C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe
        
        "C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe"
        6⤵
        
        PID:81340
    - - C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build3.exe
        
        "C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build3.exe"
        5⤵
        
        PID:80584
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:80852

C:\Users\Admin\AppData\Local\Temp\5A7A.exe
C:\Users\Admin\AppData\Local\Temp\5A7A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:40204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:193764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:44008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:58504

C:\Users\Admin\AppData\Local\Temp\C85.exe
C:\Users\Admin\AppData\Local\Temp\C85.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:76308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:76760

C:\Users\Admin\AppData\Local\Temp\1C94.exe
C:\Users\Admin\AppData\Local\Temp\1C94.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:76588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:76832

C:\Users\Admin\AppData\Local\Temp\352D.exe
C:\Users\Admin\AppData\Local\Temp\352D.exe
1⤵
- Executes dropped EXE
PID:76952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Get-WmiObject Win32_PortConnector"
  2⤵
  PID:80776

C:\Users\Admin\AppData\Local\Temp\426D.exe
C:\Users\Admin\AppData\Local\Temp\426D.exe
1⤵
- Executes dropped EXE
PID:77224
- C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"
  2⤵
  PID:80284
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:81128

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:77504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:77664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:75956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:78020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:78144

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:78280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:78460

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:78672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:78900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
34feb9279587011e5bd1bc825e7d2943

SHA1
d7ad421c0f4c305936e4b6b1ee3b4d73dea0b094

SHA256
96b9b67b871e3adbab0a5b0ba635679443636a97c7dd2f19fec1b45a2dd36a5d

SHA512
9fd6ff36a966661ab2ccd5e0c2dd0b24661fc87686fe039db97f79eecbb1504ac9735462b16d8657ef900e3bc405c149ff98c32aa1c682b83d2ffd2382b5f285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
28d104709bf1eb7d9b0f50c9b71f8ffb

SHA1
3622e9c08765df6b773b7f9d28819d289ddc5894

SHA256
9648713c60ba24ca1550adc7eafcf81438c6e059e63f778d4461fc23044213b3

SHA512
175dbcc54a2c013f87bebeced0ee569f9d56e5eeb67c65fb1f0c3ac55fdf9a07251abdbad951d270b635af0031840b48e4521aee7b211f68b18479e75e56a2cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
7c04618b7c531422df729dea612bc847

SHA1
edd07557199e50e0b309837c3d8514220670ade0

SHA256
01e2b8131e201ca9f5fef25d61ca6b75951cfbb673ca344534fcb0e0292920b8

SHA512
91cfef260003fd81aeb5a649b6029ced0403f9eabf527cc6fed8e5a42738aac754175310ee858c36c41f3a24530cd7f4e16cea750eb2ab91041f81b3670c0387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
8ad5134a6c604927d1e462d393400f8c

SHA1
b5c081cdd4dd8a24c04af99a00ad21c2e5270e08

SHA256
1ed3b23b3b34d05903614fc70f146530dfacb21c246511fbd11d80fc72613cd6

SHA512
bd34a69ade03c1dbbcc1673aec12ef92d7561c8584f651f248fc6b354e7fe37f308fc5b3057dcc8821c0b5dfe39e5ce739d8cd2f74430483bd038606d7f7fcd0

Download Submit
C:\Users\Admin\AppData\Local\029c3c11-4b55-4b87-8ede-47641407fc47\4F7D.exe

Filesize
767KB

MD5
255b28fdb2739fed02c7fa07e8a203eb

SHA1
5b8120a3c5806fa0625f3da9d4c677f3e8546c01

SHA256
d747f2231ca7608bdfda9b0069afd178a45f170940558a7423b956cbaa818279

SHA512
a1fe4c3696a0902618f485f0621b044285e0cb94a24a3a8f1b26cfe9785b409850506b1d675891e89564ed889ba6ffce83c030284a8c94e12f8b87eeb55d76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C94.exe

Filesize
724KB

MD5
0e42369b3f3f95295f779075187d2327

SHA1
65bd41ea6960ad8499d6decd774c876d292bc376

SHA256
5e082f5510f6f8f0dd534d748da20dcd5d4cf12f2d834e87d1e104bea645875e

SHA512
67c3006d4bf60a797e2f85a11fa80a7342ba4dd50d87b5742e8579b570a53b99a1523961ef82ffbfcfee23ab34926d47f5eb1962dfdecb25dffc9c6634bd98ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C94.exe

Filesize
724KB

MD5
0e42369b3f3f95295f779075187d2327

SHA1
65bd41ea6960ad8499d6decd774c876d292bc376

SHA256
5e082f5510f6f8f0dd534d748da20dcd5d4cf12f2d834e87d1e104bea645875e

SHA512
67c3006d4bf60a797e2f85a11fa80a7342ba4dd50d87b5742e8579b570a53b99a1523961ef82ffbfcfee23ab34926d47f5eb1962dfdecb25dffc9c6634bd98ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B94.dll

Filesize
2.9MB

MD5
29aed617847ea377543d6ee9b6f8e4dc

SHA1
d33edffe7aa23884db4e34abf4f7bb5c061beff8

SHA256
0e2d36b89cc18e35919d132a0bfe21da4bbbe2d4c884739e4437b37057316c88

SHA512
719acd6c61597b4e071fcd8e69d249c9fa31b8978f5d08f18d18c149748708ef4230c1a9797273b9a754d6036109d39adaf5bb5ed047822966c0baedf4a1e688

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C51.exe

Filesize
327KB

MD5
d15781d757edf0a03934b606371342ba

SHA1
1b21111f86709a97bf5de34d3797219d00a75038

SHA256
2ecfd1b2898479688cc8374b178ccc7f75142021dcc40787694faad198c693e4

SHA512
ce056282b54538286875bd790aecb16d4eca4de297721247653be9fd3a42c35fcef89efc27c73276b944d19b45e14239c69d01846a83fc179c788b13ba13b4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C51.exe

Filesize
327KB

MD5
d15781d757edf0a03934b606371342ba

SHA1
1b21111f86709a97bf5de34d3797219d00a75038

SHA256
2ecfd1b2898479688cc8374b178ccc7f75142021dcc40787694faad198c693e4

SHA512
ce056282b54538286875bd790aecb16d4eca4de297721247653be9fd3a42c35fcef89efc27c73276b944d19b45e14239c69d01846a83fc179c788b13ba13b4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F8E.exe

Filesize
1.6MB

MD5
ca1c6c4ab17df66febd0fbb52e77e543

SHA1
f0312684ec973dc1a062b6aa087b2a33b8d49ad1

SHA256
474b143cd92f6a058630687023ce314592ab92775f26257afc7c44e95fef3b1e

SHA512
268023576c90cddba97fa2f5efbd887a14efe16863f8bbd6b2f193278e4391f6cb4e3d1e51e8f86e943bf1d0fe9e77e3df5f6e11347ca09a2d8d2babfcda4c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F8E.exe

Filesize
1.6MB

MD5
ca1c6c4ab17df66febd0fbb52e77e543

SHA1
f0312684ec973dc1a062b6aa087b2a33b8d49ad1

SHA256
474b143cd92f6a058630687023ce314592ab92775f26257afc7c44e95fef3b1e

SHA512
268023576c90cddba97fa2f5efbd887a14efe16863f8bbd6b2f193278e4391f6cb4e3d1e51e8f86e943bf1d0fe9e77e3df5f6e11347ca09a2d8d2babfcda4c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\352D.exe

Filesize
2.6MB

MD5
701b03f316f1906936a7882afb8e93c6

SHA1
305c0d52f4e83661d604c01ee1a0171b2532b380

SHA256
b4c758e51a6f76ed43e0219aac7367af7d7b54c12130a39fdad3caa1f402d675

SHA512
08fcd469bc2ca2ca83d27ce17e7eb2852d5bfa3bd7a7e4183bb0789915f15f1ba056cd2b12d3aaf72035ffe0af0198ef5dea86d1dd9412cb3f9ec8e07890cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B18.exe

Filesize
269KB

MD5
82897b115fb9ed32b9498d9ab2642cca

SHA1
cd47fe6f26eef6eefe08e22bbb7bb5cf9fb8f59e

SHA256
0a431c74536788713335c814c5185d433a61ab2add7a1e6afa2c9adfcafdc268

SHA512
d2be5bb085fe94aca7890a18aa842dc02e1a7219f3ebe3dba6a3e5be6520db84d13f9b4dc3587485dcfb1f4262cf3a4845579a51a9805090a71eb426315c39b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B18.exe

Filesize
269KB

MD5
82897b115fb9ed32b9498d9ab2642cca

SHA1
cd47fe6f26eef6eefe08e22bbb7bb5cf9fb8f59e

SHA256
0a431c74536788713335c814c5185d433a61ab2add7a1e6afa2c9adfcafdc268

SHA512
d2be5bb085fe94aca7890a18aa842dc02e1a7219f3ebe3dba6a3e5be6520db84d13f9b4dc3587485dcfb1f4262cf3a4845579a51a9805090a71eb426315c39b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\426D.exe

Filesize
300KB

MD5
24e5f233787422196e41e36b0e63d861

SHA1
4d0244491be1530ddc71b155466b0040fa20081d

SHA256
4487367116d41259ec417981ac5f91850437a53b0a292b93ca97a3b079781325

SHA512
bb7666d9e6c6ffa74547663fc754d55ed1a202f42066e6452b397c8d25e037324990a91984daf191154f2158f8f527c12b1916b1e5eda9e25543ec63dd69d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\426D.exe

Filesize
300KB

MD5
24e5f233787422196e41e36b0e63d861

SHA1
4d0244491be1530ddc71b155466b0040fa20081d

SHA256
4487367116d41259ec417981ac5f91850437a53b0a292b93ca97a3b079781325

SHA512
bb7666d9e6c6ffa74547663fc754d55ed1a202f42066e6452b397c8d25e037324990a91984daf191154f2158f8f527c12b1916b1e5eda9e25543ec63dd69d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\47AC.exe

Filesize
256KB

MD5
322e1f9be173e881a9338aa15fc2f779

SHA1
abf139eccde40824b0eb52e2a275e400f25d3a1d

SHA256
4468ce5cc5fe2589893be91a0cd2170aad8ec75aff9d1003d36995cabcad3658

SHA512
ae9f8521e84cadbd4782e254ac7408f74c8d595561803b93a420c56b5c4d48c3d2080fb04627cc6d5ac2159aa4c3428bf4e91b0072b21c2408dcfa33c7e5ca3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\47AC.exe

Filesize
256KB

MD5
322e1f9be173e881a9338aa15fc2f779

SHA1
abf139eccde40824b0eb52e2a275e400f25d3a1d

SHA256
4468ce5cc5fe2589893be91a0cd2170aad8ec75aff9d1003d36995cabcad3658

SHA512
ae9f8521e84cadbd4782e254ac7408f74c8d595561803b93a420c56b5c4d48c3d2080fb04627cc6d5ac2159aa4c3428bf4e91b0072b21c2408dcfa33c7e5ca3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F7D.exe

Filesize
767KB

MD5
255b28fdb2739fed02c7fa07e8a203eb

SHA1
5b8120a3c5806fa0625f3da9d4c677f3e8546c01

SHA256
d747f2231ca7608bdfda9b0069afd178a45f170940558a7423b956cbaa818279

SHA512
a1fe4c3696a0902618f485f0621b044285e0cb94a24a3a8f1b26cfe9785b409850506b1d675891e89564ed889ba6ffce83c030284a8c94e12f8b87eeb55d76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F7D.exe

Filesize
767KB

MD5
255b28fdb2739fed02c7fa07e8a203eb

SHA1
5b8120a3c5806fa0625f3da9d4c677f3e8546c01

SHA256
d747f2231ca7608bdfda9b0069afd178a45f170940558a7423b956cbaa818279

SHA512
a1fe4c3696a0902618f485f0621b044285e0cb94a24a3a8f1b26cfe9785b409850506b1d675891e89564ed889ba6ffce83c030284a8c94e12f8b87eeb55d76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F7D.exe

Filesize
767KB

MD5
255b28fdb2739fed02c7fa07e8a203eb

SHA1
5b8120a3c5806fa0625f3da9d4c677f3e8546c01

SHA256
d747f2231ca7608bdfda9b0069afd178a45f170940558a7423b956cbaa818279

SHA512
a1fe4c3696a0902618f485f0621b044285e0cb94a24a3a8f1b26cfe9785b409850506b1d675891e89564ed889ba6ffce83c030284a8c94e12f8b87eeb55d76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F7D.exe

Filesize
767KB

MD5
255b28fdb2739fed02c7fa07e8a203eb

SHA1
5b8120a3c5806fa0625f3da9d4c677f3e8546c01

SHA256
d747f2231ca7608bdfda9b0069afd178a45f170940558a7423b956cbaa818279

SHA512
a1fe4c3696a0902618f485f0621b044285e0cb94a24a3a8f1b26cfe9785b409850506b1d675891e89564ed889ba6ffce83c030284a8c94e12f8b87eeb55d76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F7D.exe

Filesize
767KB

MD5
255b28fdb2739fed02c7fa07e8a203eb

SHA1
5b8120a3c5806fa0625f3da9d4c677f3e8546c01

SHA256
d747f2231ca7608bdfda9b0069afd178a45f170940558a7423b956cbaa818279

SHA512
a1fe4c3696a0902618f485f0621b044285e0cb94a24a3a8f1b26cfe9785b409850506b1d675891e89564ed889ba6ffce83c030284a8c94e12f8b87eeb55d76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A7A.exe

Filesize
1.4MB

MD5
be5e5013e21321a527331fc2df3e0d53

SHA1
6e3d9c3e71a7248deb8d99246f2336fb901b907e

SHA256
296453246eb59d82e13b3300e1ae490c6ea58e008cfa627c7a3bedcf9c69b8c1

SHA512
ad2bcb112ae04752fbec216f6124e9a849780b088320c3096ced3ff37178bd06b87017e53938b0f29005b3fb856291f16f2a9d747ec41f44d022cde6283ca122

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A7A.exe

Filesize
1.4MB

MD5
be5e5013e21321a527331fc2df3e0d53

SHA1
6e3d9c3e71a7248deb8d99246f2336fb901b907e

SHA256
296453246eb59d82e13b3300e1ae490c6ea58e008cfa627c7a3bedcf9c69b8c1

SHA512
ad2bcb112ae04752fbec216f6124e9a849780b088320c3096ced3ff37178bd06b87017e53938b0f29005b3fb856291f16f2a9d747ec41f44d022cde6283ca122

Download Submit
C:\Users\Admin\AppData\Local\Temp\C85.exe

Filesize
724KB

MD5
2f95034e7bcce4986bf4b7c2abd9dce5

SHA1
2d0da3e35bdb1305be49e80eec5bf162e86d413c

SHA256
789971880f9d8784b1c81f3527fbd577ef6d0d2f3e124a22573f6dd45a676ecc

SHA512
12dd7b052e0b820d3ba3e621c37c0f00a7706f69c806a7919ef7e1121cbec1eedbdf7372cd21e0a9b7b42bdb61cc807240545e046f061d9f5a64e044652bb970

Download Submit
C:\Users\Admin\AppData\Local\Temp\C85.exe

Filesize
724KB

MD5
2f95034e7bcce4986bf4b7c2abd9dce5

SHA1
2d0da3e35bdb1305be49e80eec5bf162e86d413c

SHA256
789971880f9d8784b1c81f3527fbd577ef6d0d2f3e124a22573f6dd45a676ecc

SHA512
12dd7b052e0b820d3ba3e621c37c0f00a7706f69c806a7919ef7e1121cbec1eedbdf7372cd21e0a9b7b42bdb61cc807240545e046f061d9f5a64e044652bb970

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
300KB

MD5
24e5f233787422196e41e36b0e63d861

SHA1
4d0244491be1530ddc71b155466b0040fa20081d

SHA256
4487367116d41259ec417981ac5f91850437a53b0a292b93ca97a3b079781325

SHA512
bb7666d9e6c6ffa74547663fc754d55ed1a202f42066e6452b397c8d25e037324990a91984daf191154f2158f8f527c12b1916b1e5eda9e25543ec63dd69d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
300KB

MD5
24e5f233787422196e41e36b0e63d861

SHA1
4d0244491be1530ddc71b155466b0040fa20081d

SHA256
4487367116d41259ec417981ac5f91850437a53b0a292b93ca97a3b079781325

SHA512
bb7666d9e6c6ffa74547663fc754d55ed1a202f42066e6452b397c8d25e037324990a91984daf191154f2158f8f527c12b1916b1e5eda9e25543ec63dd69d1fd

Download Submit
C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe

Filesize
345KB

MD5
389225207ba356127263222954a68a16

SHA1
a85970a73f5cb71c7481fbee46790edcc911b5f0

SHA256
799f2747bfd32e55f313521cecf93182c6067f16edab15ab3f789601c33d50c9

SHA512
e6cd5da7f3921099007220ff2adde85fda0b980b4b4e12fa556f1b120522032987f96c11cf36ff42b842d9139b90f279e70eb00959f228a6210d617bd6672ff0

Download Submit
C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe

Filesize
345KB

MD5
389225207ba356127263222954a68a16

SHA1
a85970a73f5cb71c7481fbee46790edcc911b5f0

SHA256
799f2747bfd32e55f313521cecf93182c6067f16edab15ab3f789601c33d50c9

SHA512
e6cd5da7f3921099007220ff2adde85fda0b980b4b4e12fa556f1b120522032987f96c11cf36ff42b842d9139b90f279e70eb00959f228a6210d617bd6672ff0

Download Submit
C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build2.exe

Filesize
345KB

MD5
389225207ba356127263222954a68a16

SHA1
a85970a73f5cb71c7481fbee46790edcc911b5f0

SHA256
799f2747bfd32e55f313521cecf93182c6067f16edab15ab3f789601c33d50c9

SHA512
e6cd5da7f3921099007220ff2adde85fda0b980b4b4e12fa556f1b120522032987f96c11cf36ff42b842d9139b90f279e70eb00959f228a6210d617bd6672ff0

Download Submit
C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\dc3fd493-06ba-40d9-8f3b-6266baf3574c\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll

Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
\Users\Admin\AppData\Local\Temp\2B94.dll

Filesize
2.9MB

MD5
29aed617847ea377543d6ee9b6f8e4dc

SHA1
d33edffe7aa23884db4e34abf4f7bb5c061beff8

SHA256
0e2d36b89cc18e35919d132a0bfe21da4bbbe2d4c884739e4437b37057316c88

SHA512
719acd6c61597b4e071fcd8e69d249c9fa31b8978f5d08f18d18c149748708ef4230c1a9797273b9a754d6036109d39adaf5bb5ed047822966c0baedf4a1e688

Download Submit
memory/2356-143-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-128-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-156-0x0000000002E33000-0x0000000002E49000-memory.dmp

Filesize
88KB

Download
memory/2356-155-0x0000000000400000-0x0000000002C30000-memory.dmp

Filesize
40.2MB

Download
memory/2356-154-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-153-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-152-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2356-151-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-149-0x0000000002E33000-0x0000000002E49000-memory.dmp

Filesize
88KB

Download
memory/2356-150-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-148-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-147-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-120-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-146-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-145-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-144-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-142-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-141-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-140-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-139-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-121-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-138-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-137-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-136-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-135-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-134-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-133-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-122-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-123-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-124-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-125-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-126-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-132-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-131-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-127-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-157-0x0000000000400000-0x0000000002C30000-memory.dmp

Filesize
40.2MB

Download
memory/2356-130-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-129-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3264-186-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3264-192-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3264-183-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3264-189-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3464-536-0x0000000000400000-0x0000000002C30000-memory.dmp

Filesize
40.2MB

Download
memory/3464-412-0x0000000002CB0000-0x0000000002DFA000-memory.dmp

Filesize
1.3MB

Download
memory/3464-416-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/3464-447-0x0000000000400000-0x0000000002C30000-memory.dmp

Filesize
40.2MB

Download
memory/4308-454-0x0000000002E31000-0x0000000002E47000-memory.dmp

Filesize
88KB

Download
memory/4308-459-0x0000000002C80000-0x0000000002C89000-memory.dmp

Filesize
36KB

Download
memory/4308-711-0x0000000002E31000-0x0000000002E47000-memory.dmp

Filesize
88KB

Download
memory/4308-697-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4308-489-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4640-162-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-179-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-185-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-188-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-193-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-378-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/4640-374-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/4640-190-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-166-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-171-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-272-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/4640-269-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/4640-267-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/4640-173-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-168-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-165-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-164-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-180-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4640-176-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-194-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-169-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-172-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-196-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-804-0x0000000005080000-0x00000000051C8000-memory.dmp

Filesize
1.3MB

Download
memory/4724-174-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-167-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-181-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-306-0x0000000004DF0000-0x000000000507E000-memory.dmp

Filesize
2.6MB

Download
memory/4724-170-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-195-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-191-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-184-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-177-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-187-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/4724-309-0x0000000005080000-0x00000000051C8000-memory.dmp

Filesize
1.3MB

Download
memory/20424-524-0x0000000002EE0000-0x0000000002F81000-memory.dmp

Filesize
644KB

Download
memory/20424-500-0x0000000004A20000-0x0000000004B3B000-memory.dmp

Filesize
1.1MB

Download
memory/40204-552-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/40204-545-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/44008-520-0x0000000000420000-0x000000000048B000-memory.dmp

Filesize
428KB

Download
memory/44008-517-0x0000000000490000-0x0000000000505000-memory.dmp

Filesize
468KB

Download
memory/58504-335-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/75956-1448-0x0000000001050000-0x0000000001055000-memory.dmp

Filesize
20KB

Download
memory/75956-1487-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/76308-846-0x00000000000E0000-0x0000000000198000-memory.dmp

Filesize
736KB

Download
memory/76500-1053-0x0000000002CB0000-0x0000000002DFA000-memory.dmp

Filesize
1.3MB

Download
memory/76588-877-0x0000000000EA0000-0x0000000000F58000-memory.dmp

Filesize
736KB

Download
memory/76588-881-0x0000000000EA0000-0x0000000000F58000-memory.dmp

Filesize
736KB

Download
memory/76760-919-0x0000000000700000-0x0000000000728000-memory.dmp

Filesize
160KB

Download
memory/76832-970-0x0000000000610000-0x0000000000638000-memory.dmp

Filesize
160KB

Download
memory/76952-1200-0x00007FF659B20000-0x00007FF65A383000-memory.dmp

Filesize
8.4MB

Download
memory/76952-904-0x00007FF659B20000-0x00007FF65A383000-memory.dmp

Filesize
8.4MB

Download
memory/77504-1391-0x00000000005B0000-0x00000000005BB000-memory.dmp

Filesize
44KB

Download
memory/77504-1339-0x00000000005C0000-0x00000000005C7000-memory.dmp

Filesize
28KB

Download
memory/77664-1061-0x0000000000A20000-0x0000000000A29000-memory.dmp

Filesize
36KB

Download
memory/77664-1067-0x0000000000A10000-0x0000000000A1F000-memory.dmp

Filesize
60KB

Download
memory/77920-1441-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/78020-1134-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/78020-1129-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/78672-1284-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/78672-1292-0x0000000000340000-0x000000000034D000-memory.dmp

Filesize
52KB

Download
memory/139120-708-0x0000000009350000-0x000000000939B000-memory.dmp

Filesize
300KB

Download
memory/139120-694-0x00000000092E0000-0x000000000931E000-memory.dmp

Filesize
248KB

Download
memory/139120-685-0x0000000009280000-0x0000000009292000-memory.dmp

Filesize
72KB

Download
memory/139120-675-0x0000000009460000-0x000000000956A000-memory.dmp

Filesize
1.0MB

Download
memory/139120-671-0x0000000009960000-0x0000000009F66000-memory.dmp

Filesize
6.0MB

Download
memory/139120-592-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/139120-781-0x0000000009610000-0x0000000009676000-memory.dmp

Filesize
408KB

Download
memory/139120-559-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/193764-928-0x000000000C000000-0x000000000C52C000-memory.dmp

Filesize
5.2MB

Download
memory/193764-920-0x0000000009F80000-0x000000000A142000-memory.dmp

Filesize
1.8MB

Download
memory/193764-639-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/193764-890-0x0000000009BB0000-0x0000000009C42000-memory.dmp

Filesize
584KB

Download
memory/193764-780-0x000000000A2B0000-0x000000000A7AE000-memory.dmp

Filesize
5.0MB

Download
memory/193800-820-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/193800-665-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/193800-768-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download