Resubmissions

03/01/2023, 23:51

230103-3v4zlsge6z 10

03/01/2023, 23:11

230103-26p46age3w 10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2023, 23:51

General

  • Target

    Win64Sys.exe

  • Size

    378KB

  • MD5

    361ee66ffa93eda7d78eb4a5d14bfd57

  • SHA1

    e8157e8283a3f8eb7390d45b98ae4d32c53ce273

  • SHA256

    8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567

  • SHA512

    19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6

  • SSDEEP

    6144:+KMJx4pweP7kJS3irzPchzCSfj654xCbjj0P4MkV45M9TP:+KoSckh9765EAj0NHM9TP

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

stuhowe.ddns.net:4782

Mutex

QSR_MUTEX_X4mfjPTkLaQEdjHzYF

Attributes
  • encryption_key

    9FBvOmlVpI0GOzCn9KhI

  • install_name

    Win64Sys.exe

  • log_directory

    Keys

  • reconnect_delay

    3000

  • startup_key

    Windows x64 System Client

  • subdirectory

    Micosoft

Signatures

  • Quasar RAT 7 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar payload 15 IoCs
  • Executes dropped EXE 13 IoCs
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 13 IoCs
  • Creates scheduled task(s) 1 TTPs 14 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe
    "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
      2⤵
      • Quasar RAT
      • Creates scheduled task(s)
      PID:5088
    • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
      "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VB3HpmYxHjBo.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:1252
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:3936
          • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
            "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1052
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:2140
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AzkcscIlg5Z5.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4748
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                6⤵
                  PID:2352
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:2296
                • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                  "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                  6⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4500
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                    7⤵
                    • Creates scheduled task(s)
                    PID:1316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGNN3oE1VN6l.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1468
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      8⤵
                        PID:4300
                      • C:\Windows\SysWOW64\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • Runs ping.exe
                        PID:3760
                      • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                        "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                        8⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:4768
                        • C:\Windows\SysWOW64\schtasks.exe
                          "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                          9⤵
                          • Creates scheduled task(s)
                          PID:4912
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLmGaymeXXRl.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4932
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 65001
                            10⤵
                              PID:1440
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • Runs ping.exe
                              PID:4988
                            • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                              "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                              10⤵
                              • Executes dropped EXE
                              • Checks computer location settings
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:2996
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                11⤵
                                • Creates scheduled task(s)
                                PID:368
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSJCPpLQyz2Y.bat" "
                                11⤵
                                  PID:4560
                                  • C:\Windows\SysWOW64\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:3964
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • Runs ping.exe
                                      PID:4744
                                    • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                      "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Checks computer location settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4464
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                        13⤵
                                        • Creates scheduled task(s)
                                        PID:2212
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat" "
                                        13⤵
                                          PID:3456
                                          • C:\Windows\SysWOW64\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:1296
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • Runs ping.exe
                                              PID:4792
                                            • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                              "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Checks computer location settings
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3648
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                15⤵
                                                • Creates scheduled task(s)
                                                PID:824
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2dJudxv233oh.bat" "
                                                15⤵
                                                  PID:2352
                                                  • C:\Windows\SysWOW64\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:4616
                                                    • C:\Windows\SysWOW64\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • Runs ping.exe
                                                      PID:4780
                                                    • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                                      "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Checks computer location settings
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:3944
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Creates scheduled task(s)
                                                        PID:4424
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cpNQ9CMDveyu.bat" "
                                                        17⤵
                                                          PID:2200
                                                          • C:\Windows\SysWOW64\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:3636
                                                            • C:\Windows\SysWOW64\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • Runs ping.exe
                                                              PID:3524
                                                            • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                                              "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Checks computer location settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2344
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Creates scheduled task(s)
                                                                PID:1344
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V8k0E21afHN7.bat" "
                                                                19⤵
                                                                  PID:2760
                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:4012
                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • Runs ping.exe
                                                                      PID:1324
                                                                    • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                                                      "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Checks computer location settings
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:4912
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:1544
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\APMlQDxrUauo.bat" "
                                                                        21⤵
                                                                          PID:1216
                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:2300
                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • Runs ping.exe
                                                                              PID:4196
                                                                            • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Checks computer location settings
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:3488
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:628
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CnaFiOLSXqSK.bat" "
                                                                                23⤵
                                                                                  PID:3428
                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:1120
                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • Runs ping.exe
                                                                                      PID:4872
                                                                                    • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Checks computer location settings
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1956
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                                                        25⤵
                                                                                        • Creates scheduled task(s)
                                                                                        PID:1872
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxje7kEr0tSu.bat" "
                                                                                        25⤵
                                                                                          PID:4936
                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:2516
                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • Runs ping.exe
                                                                                              PID:2132
                                                                                            • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Checks computer location settings
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:4848
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                "schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
                                                                                                27⤵
                                                                                                • Creates scheduled task(s)
                                                                                                PID:672
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OETlc5ZbivSJ.bat" "
                                                                                                27⤵
                                                                                                  PID:1032
                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                    chcp 65001
                                                                                                    28⤵
                                                                                                      PID:2520
                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      28⤵
                                                                                                      • Runs ping.exe
                                                                                                      PID:4484
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2240
                                                                                                    27⤵
                                                                                                    • Program crash
                                                                                                    PID:2024
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1928
                                                                                                25⤵
                                                                                                • Program crash
                                                                                                PID:4792
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 2240
                                                                                            23⤵
                                                                                            • Program crash
                                                                                            PID:3116
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 2208
                                                                                        21⤵
                                                                                        • Program crash
                                                                                        PID:4568
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 2216
                                                                                    19⤵
                                                                                    • Program crash
                                                                                    PID:3180
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1688
                                                                                17⤵
                                                                                • Program crash
                                                                                PID:2384
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 2208
                                                                            15⤵
                                                                            • Program crash
                                                                            PID:432
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2216
                                                                        13⤵
                                                                        • Program crash
                                                                        PID:2592
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 2188
                                                                    11⤵
                                                                    • Program crash
                                                                    PID:3600
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 2244
                                                                9⤵
                                                                • Program crash
                                                                PID:4068
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 2232
                                                            7⤵
                                                            • Program crash
                                                            PID:2960
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2244
                                                        5⤵
                                                        • Program crash
                                                        PID:380
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 2220
                                                    3⤵
                                                    • Program crash
                                                    PID:1088
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1704 -ip 1704
                                                1⤵
                                                  PID:4896
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1052 -ip 1052
                                                  1⤵
                                                    PID:2040
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4500 -ip 4500
                                                    1⤵
                                                      PID:4376
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4768 -ip 4768
                                                      1⤵
                                                        PID:4596
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2996 -ip 2996
                                                        1⤵
                                                          PID:1812
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4464 -ip 4464
                                                          1⤵
                                                            PID:3724
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3648 -ip 3648
                                                            1⤵
                                                              PID:2552
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3944 -ip 3944
                                                              1⤵
                                                                PID:1340
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2344 -ip 2344
                                                                1⤵
                                                                  PID:4212
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4912 -ip 4912
                                                                  1⤵
                                                                    PID:1380
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3488 -ip 3488
                                                                    1⤵
                                                                      PID:3732
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 1956
                                                                      1⤵
                                                                        PID:3008
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
                                                                        1⤵
                                                                          PID:4628

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v6

                                                                        Downloads

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Win64Sys.exe.log

                                                                          Filesize

                                                                          1KB

                                                                        • C:\Users\Admin\AppData\Local\Temp\2dJudxv233oh.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\APMlQDxrUauo.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\AzkcscIlg5Z5.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\CnaFiOLSXqSK.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\DLmGaymeXXRl.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\OETlc5ZbivSJ.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\V8k0E21afHN7.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\VB3HpmYxHjBo.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\WSJCPpLQyz2Y.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\bxje7kEr0tSu.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\cpNQ9CMDveyu.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\pGNN3oE1VN6l.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat

                                                                          Filesize

                                                                          211B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                          MD5

                                                                          07a86d85532448f84c72a08abb88da5a

                                                                          SHA1

                                                                          455f0d7da00f08c90d62ca0aa8225c4d370a496a

                                                                          SHA256

                                                                          c46b0c454b87c3e4c128b9894a4d3b5db7fafd757a97f79db8d6961327369b40

                                                                          SHA512

                                                                          eefe34df99fa6138e287996125f00e96b19f192d0dac376cd42cef6cde3ae9de1aa37d41203d24da96bb20d7fa570b4dd2ea30e8ef0c2eb9940157acd3a52132

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                          MD5

                                                                          7f3ff96b5ecaadce6d7adf4ec410a5f7

                                                                          SHA1

                                                                          015db7dbd6228314f3ec49f89c9574b2cc653275

                                                                          SHA256

                                                                          8c995a28eef58f01395a235e905a8bd45f913eb167df69c89ae40d77b029a79f

                                                                          SHA512

                                                                          ce62f6911aea23effb6b731531e62a50e1de3b3776095bf2baa452cc0570252078761033ebadd96df056259e6cbe6711492afd98965d22954af73dc6c1f8ad74

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                          MD5

                                                                          0db7907f443d6f85735a335d3a0cde5f

                                                                          SHA1

                                                                          325618b6be9a3f595d3e854aefb415bb5816d2b5

                                                                          SHA256

                                                                          268d394a5bb5ec0904d5a3e8248bfc2e11de0994db163b9d7c0315c39e8d7c5d

                                                                          SHA512

                                                                          b10c8b07ecc92b9bff503ba943962beac2c25e1c9b1fe85a750065afdd5edac5cb29622d2d4bb0b604b5f27f55286e92c605e592fcfcf520414843a6140c3daf

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                          MD5

                                                                          4daf3feaf3109914263c64ed2b5b60d6

                                                                          SHA1

                                                                          d37231a4e94d4ab54e6fe2c4b6ab0fb3b6dcbb96

                                                                          SHA256

                                                                          28bcb7081fe52437108593c16a5e897f212f9270304adf2d4c13ef665ce02ead

                                                                          SHA512

                                                                          3c0692543c79f322908873141430dc760b75f0047431f85dce8be7447d40a66b6777332594589d672db287f33a875ca8a1e4a6b92e9e28ab55b2c2c2610dce1e

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                          MD5

                                                                          0498aa1527aeda4cf1cc02f535208c62

                                                                          SHA1

                                                                          4d338cd507d5fd3e190ddd2806871dcb3238358e

                                                                          SHA256

                                                                          ba643b6af49d3e48246a694adc481d8eb6ffff1a23f600327a3a9c25db13be93

                                                                          SHA512

                                                                          f9d65f5cbe2c8fe771e707efd74b6698d96adfb488200d9c18fa3ff0c07c9c062dfd35700c7ba5faf4eedff2fa2f4a12fb6ed47744a6df1c29020d94e0c8e325

                                                                        • C:\Users\Admin\AppData\Roaming\Keys\01-03-2023

                                                                          Filesize

                                                                          224B

                                                                          MD5

                                                                          17ceef730f590c96b687894cb95deaac

                                                                          SHA1

                                                                          cebf3cbded6c2691e65e3f521af504edc582c451

                                                                          SHA256

                                                                          f423dc1ac35d2b89ae8a2766085588c6633c0d4e73a664fd4322dafd3c383586

                                                                          SHA512

                                                                          b8ce8430c3aafeaf6240634633ab5ceb708f4c2210d102cabede3aeaba20a668674865611a261ca4065c342b939e07e306c58e2ac42e5efb75a88658dd4b8c94

                                                                        • C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe

                                                                          Filesize

                                                                          378KB

                                                                          MD5

                                                                          361ee66ffa93eda7d78eb4a5d14bfd57

                                                                          SHA1

                                                                          e8157e8283a3f8eb7390d45b98ae4d32c53ce273

                                                                          SHA256

                                                                          8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567

                                                                          SHA512

                                                                          19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6

                                                                        • memory/1704-143-0x0000000006BC0000-0x0000000006BCA000-memory.dmp

                                                                          Filesize

                                                                          40KB

                                                                        • memory/4816-136-0x00000000066B0000-0x00000000066C2000-memory.dmp

                                                                          Filesize

                                                                          72KB

                                                                        • memory/4816-133-0x0000000005BC0000-0x0000000006164000-memory.dmp

                                                                          Filesize

                                                                          5.6MB

                                                                        • memory/4816-134-0x0000000005750000-0x00000000057E2000-memory.dmp

                                                                          Filesize

                                                                          584KB

                                                                        • memory/4816-135-0x0000000005A60000-0x0000000005AC6000-memory.dmp

                                                                          Filesize

                                                                          408KB

                                                                        • memory/4816-132-0x0000000000C70000-0x0000000000CD4000-memory.dmp

                                                                          Filesize

                                                                          400KB

                                                                        • memory/4816-137-0x0000000006AE0000-0x0000000006B1C000-memory.dmp

                                                                          Filesize

                                                                          240KB