fabookie | bba3dd9184f05c4f905d8bdade137585d874469e3d118519d6271aedd31be6db

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

36643b03cb6781a8dba43ad0ccaaa8dd
SHA1

48bccc5cf281ef7d2ca6def1bcdd507e4663fa56
SHA256

bba3dd9184f05c4f905d8bdade137585d874469e3d118519d6271aedd31be6db
SHA512

191fa777c9f569ace47d788702da6a916b0caad39f274caf134ccab9e1ae8e9e2ac565254c4ed87a4c8fb6982a73058e88708cad52c656258f8798fe34ddb89a
SSDEEP

24576:WyVBmnydIOoIqRiuvbSTh+3uHVxrHVCXoawWn99BQBYSwuHG2n:lDSYolvbSTs61o4F4BkGaG2

Score

10^/10

fabookie glupteba healer redline smokeloader xmrig trush up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/memory/4536-469-0x0000000003A40000-0x0000000003B71000-memory.dmp	family_fabookie

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1172-57-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

resource	yara_rule
behavioral2/memory/4160-264-0x0000000002E30000-0x000000000371B000-memory.dmp	family_glupteba
behavioral2/memory/4160-272-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4160-434-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4160-445-0x0000000002E30000-0x000000000371B000-memory.dmp	family_glupteba
behavioral2/memory/4160-462-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4160-658-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/1488-335-0x0000000000820000-0x00000000009FA000-memory.dmp	family_redline
behavioral2/memory/3204-303-0x0000000000920000-0x000000000097A000-memory.dmp	family_redline
behavioral2/memory/1488-301-0x0000000000820000-0x00000000009FA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/2736-662-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-663-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-664-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-671-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-672-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-674-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-675-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-676-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/2736-689-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	6627.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	706A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	kos.exe

Executes dropped EXE 23 IoCs

pid	Process
2532	v7503631.exe
1752	v2919041.exe
3792	v6701290.exe
3972	a1088978.exe
1484	b5941046.exe
2640	c3808594.exe
2112	d0242825.exe
656	e0501194.exe
208	6627.exe
1228	706A.exe
4536	ss41.exe
3884	toolspub2.exe
2272	756D.exe
4160	31839b57a4f11171d6abc8bbc4451ee4.exe
2696	kos1.exe
228	toolspub2.exe
1488	7EF3.exe
960	set16.exe
536	kos.exe
3240	is-G66TJ.tmp
4680	previewer.exe
1336	previewer.exe
384	hbvtfvf

Loads dropped DLL 4 IoCs

pid	Process
4604	regsvr32.exe
3240	is-G66TJ.tmp
3240	is-G66TJ.tmp
3240	is-G66TJ.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7503631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2919041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6701290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3972 set thread context of 4064	3972	a1088978.exe	91
PID 1484 set thread context of 4124	1484	b5941046.exe	98
PID 2640 set thread context of 1560	2640	c3808594.exe	103
PID 2112 set thread context of 1172	2112	d0242825.exe	110
PID 3884 set thread context of 228	3884	toolspub2.exe	140
PID 1488 set thread context of 3204	1488	7EF3.exe	144
PID 2272 set thread context of 4260	2272	756D.exe	146
PID 4260 set thread context of 2736	4260	aspnet_compiler.exe	168

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PA Previewer\is-992MO.tmp	is-G66TJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-EENGD.tmp	is-G66TJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-U73JT.tmp	is-G66TJ.tmp
File created	C:\Program Files (x86)\PA Previewer\is-LOSLM.tmp	is-G66TJ.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-G66TJ.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-G66TJ.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-G66TJ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
540	3972	WerFault.exe	88
3660	1484	WerFault.exe	96
3324	2640	WerFault.exe	101
2548	1560	WerFault.exe	103
4872	2112	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4064	AppLaunch.exe
4064	AppLaunch.exe
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3164	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4064	AppLaunch.exe
228	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	1172	AppLaunch.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	2272	756D.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	536	kos.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	4680	previewer.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	1336	previewer.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	4260	aspnet_compiler.exe
Token: SeDebugPrivilege	3204	vbc.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
2736	AddInProcess.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2532	3236	file.exe	84
PID 3236 wrote to memory of 2532	3236	file.exe	84
PID 3236 wrote to memory of 2532	3236	file.exe	84
PID 2532 wrote to memory of 1752	2532	v7503631.exe	86
PID 2532 wrote to memory of 1752	2532	v7503631.exe	86
PID 2532 wrote to memory of 1752	2532	v7503631.exe	86
PID 1752 wrote to memory of 3792	1752	v2919041.exe	87
PID 1752 wrote to memory of 3792	1752	v2919041.exe	87
PID 1752 wrote to memory of 3792	1752	v2919041.exe	87
PID 3792 wrote to memory of 3972	3792	v6701290.exe	88
PID 3792 wrote to memory of 3972	3792	v6701290.exe	88
PID 3792 wrote to memory of 3972	3792	v6701290.exe	88
PID 3972 wrote to memory of 2220	3972	a1088978.exe	90
PID 3972 wrote to memory of 2220	3972	a1088978.exe	90
PID 3972 wrote to memory of 2220	3972	a1088978.exe	90
PID 3972 wrote to memory of 4064	3972	a1088978.exe	91
PID 3972 wrote to memory of 4064	3972	a1088978.exe	91
PID 3972 wrote to memory of 4064	3972	a1088978.exe	91
PID 3972 wrote to memory of 4064	3972	a1088978.exe	91
PID 3972 wrote to memory of 4064	3972	a1088978.exe	91
PID 3972 wrote to memory of 4064	3972	a1088978.exe	91
PID 3792 wrote to memory of 1484	3792	v6701290.exe	96
PID 3792 wrote to memory of 1484	3792	v6701290.exe	96
PID 3792 wrote to memory of 1484	3792	v6701290.exe	96
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1484 wrote to memory of 4124	1484	b5941046.exe	98
PID 1752 wrote to memory of 2640	1752	v2919041.exe	101
PID 1752 wrote to memory of 2640	1752	v2919041.exe	101
PID 1752 wrote to memory of 2640	1752	v2919041.exe	101
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2640 wrote to memory of 1560	2640	c3808594.exe	103
PID 2532 wrote to memory of 2112	2532	v7503631.exe	108
PID 2532 wrote to memory of 2112	2532	v7503631.exe	108
PID 2532 wrote to memory of 2112	2532	v7503631.exe	108
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 2112 wrote to memory of 1172	2112	d0242825.exe	110
PID 3236 wrote to memory of 656	3236	file.exe	113
PID 3236 wrote to memory of 656	3236	file.exe	113
PID 3236 wrote to memory of 656	3236	file.exe	113
PID 3164 wrote to memory of 208	3164	Process not Found	118
PID 3164 wrote to memory of 208	3164	Process not Found	118
PID 3164 wrote to memory of 208	3164	Process not Found	118
PID 3164 wrote to memory of 3348	3164	Process not Found	119
PID 3164 wrote to memory of 3348	3164	Process not Found	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7503631.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7503631.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2919041.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2919041.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6701290.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6701290.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1088978.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1088978.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3972
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 588
        6⤵
        Program crash
        
        PID:540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5941046.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5941046.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 136
        6⤵
        Program crash
        
        PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3808594.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3808594.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 540
        6⤵
        Program crash
        
        PID:2548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 148
        5⤵
        Program crash
        
        PID:3324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0242825.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0242825.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious use of AdjustPrivilegeToken
      PID:1172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 148
      4⤵
      Program crash
      PID:4872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0501194.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0501194.exe
  2⤵
  - Executes dropped EXE
  PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3972 -ip 3972
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1484 -ip 1484
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2640 -ip 2640
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1560 -ip 1560
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2112 -ip 2112
1⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\6627.exe
C:\Users\Admin\AppData\Local\Temp\6627.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:208
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s UPT4NM.R
  2⤵
  - Loads dropped DLL
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6703.bat" "
1⤵
PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc960446f8,0x7ffc96044708,0x7ffc96044718
    3⤵
    PID:816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,7442654867638325821,5077007615918353169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7442654867638325821,5077007615918353169,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
    3⤵
    PID:4364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:1380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
    3⤵
    PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3268743904967223902,15111854900622714889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
    3⤵
    PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc960446f8,0x7ffc96044708,0x7ffc96044718
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\706A.exe
C:\Users\Admin\AppData\Local\Temp\706A.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1228
- C:\Users\Admin\AppData\Local\Temp\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\kos1.exe
  "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\set16.exe
    "C:\Users\Admin\AppData\Local\Temp\set16.exe"
    3⤵
    - Executes dropped EXE
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\is-Q033P.tmp\is-G66TJ.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q033P.tmp\is-G66TJ.tmp" /SL4 $3025C "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:3240
- - C:\Users\Admin\AppData\Local\Temp\kos.exe
    "C:\Users\Admin\AppData\Local\Temp\kos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:4160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:228

C:\Users\Admin\AppData\Local\Temp\7EF3.exe
C:\Users\Admin\AppData\Local\Temp\7EF3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2736

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
1⤵
PID:2216

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
1⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\756D.exe
C:\Users\Admin\AppData\Local\Temp\756D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Users\Admin\AppData\Roaming\hbvtfvf
C:\Users\Admin\AppData\Roaming\hbvtfvf
1⤵
- Executes dropped EXE
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6351be8b63227413881e5dfb033459cc

SHA1
f24489be1e693dc22d6aac7edd692833c623d502

SHA256
e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b

SHA512
66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1e76cb79-df3f-4e3d-9503-95a602415595.tmp

Filesize
872B

MD5
3214d71a4b642e43e0dcc1551502a5ac

SHA1
d83825d43475d2ef17c1ebcd8e24312a800ca89a

SHA256
f99fb2bdb0cca1fb8e655897439449cbc89bc04bb374f5fabaee639af7656d99

SHA512
6fe05a69004d34331ef80b2f07180cfd55ee0e6dcf376fcaefe554f11e6fd7c0a26514b6df65423e9b477a309d4026735a9f4a798da54ba348ba6eb006c6f791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
73cbb507ce8d8b42927f6951a3bff9a6

SHA1
919f1f0119f25ce668830d1247dd11464261f4dd

SHA256
54df6f341679961862352afc715055dc52852a16b2ec9767a839986fafd034ce

SHA512
29fcbc4a90229040f52ea656cb21a71ca736c2e370ab9ee95b32b3c0f74437525740ff23319f371eafe89df0d37828961d449f1bc35787bdb3a6788205f2769b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cdaaf7a38ba106062ede0923ac634f0b

SHA1
7fbf57b1c01dd8dc3dda5d8f09170fc89e8761d5

SHA256
2251692794fde7113386270c0a0b3be950c7d98007b61ea4af610140938ae182

SHA512
38e25bbcfb2c1d5cb3ee4b5941a98248ef2870bf2d7490fff3c726a9e50c285244679efdc312f23c6dc7aed215d7c8c3f46689b7ca56786cd04c438c697b197f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5331ce496b1a40e77418eefbde4502a

SHA1
3eb88b487375aa3c029381c40976cb17a15d39d9

SHA256
ce85c9f1bd9daef91aea46ff0e454d3409026851b8fd3d3a1df0e307faee770b

SHA512
774c55cdfa613db2a8c12e3c20df300a2ed1b6299854531fca3f27a9a3a89a525e35b974cb12ce4282d673341d01d19a38ced1b901c74d810ea1e033c58a21c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73e43c38b946ec88df34a2e7749a26dc

SHA1
43da143312d786cdce1acdbb3d4ddb120c2e65fa

SHA256
17128057f733cd8b5446732a4e85f56fd9aa47bd5faba72fd0648a71223284b3

SHA512
1166b7d66e2e9e8b89bed71e002df48392f9207f5b2b008e048e18e622fb142ff521e285e3285b196ab531c64e9deb23c11f424868494ad93cffff60a85cbe9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
23a11a88e5a9cb63a35cf17908e6db1a

SHA1
6c65b5dc19986fbed011b4d805bf2dc7830a920f

SHA256
9daf1449425d5691a1830f21cc4b5712b869de1ce223e5bf3f166c3e61ba7b6f

SHA512
f1c103dcf5629ce6bc2121668da8a7ad213f6838d3a4606e56c8d10862cfb3c2ad5cb1f9a7f03d311da528d4192270278ea648e6ec99dff530094f096f842954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
699e3636ed7444d9b47772e4446ccfc1

SHA1
db0459ca6ceeea2e87e0023a6b7ee06aeed6fded

SHA256
9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a

SHA512
d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c704.TMP

Filesize
872B

MD5
b539ec69ee386f57aaacec697a230589

SHA1
045e53dd4927b940abd77e23a47f440bc69a4bcd

SHA256
c8da5cb296b68cc43bde1f009a0b44e8359bb7ccf725c086082b5fe3fe0fd140

SHA512
8b83efa8ca74f012f5a1343613d59d28d41b920684946fc00542ec23644d3c82032d72ade6e92c8d0ec8782f8a1a7d35fcfa4fb861d4f4823ba4ffcef388c3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
41e7462f4ce76ae89b7804824332927f

SHA1
c42b04e026649101459b00fc65d94c833bda6fe7

SHA256
2e279797164722e79929c963a84f50c70ee968f29f74bb0660dcb3578e523e8f

SHA512
579b131cd644b58329048deddf7e1b5c90cc79507263acf6765d7b9e7aa01ca1faf7cef0c4d194f07e1d72942a3a7628731bb85cf311996202df51edb455f0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a028ba16269a24eed831515ded292edc

SHA1
5f36a3482d8d2576ac0bac0641038d82e913df8c

SHA256
96165803209ba24169dc0dfbba46f5d5e38ecce3f4bc5622c08b600681d7df80

SHA512
1598470d251c7984417aa6c3e14f0df7ea1e5356b9591faae77e4d57a35132b1130ae750128100c83e4c0cc24b791fc29b1764d729e657a1a8d42a688d41847f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
41e7462f4ce76ae89b7804824332927f

SHA1
c42b04e026649101459b00fc65d94c833bda6fe7

SHA256
2e279797164722e79929c963a84f50c70ee968f29f74bb0660dcb3578e523e8f

SHA512
579b131cd644b58329048deddf7e1b5c90cc79507263acf6765d7b9e7aa01ca1faf7cef0c4d194f07e1d72942a3a7628731bb85cf311996202df51edb455f0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70e94ba58ddee38ed59098dccde3f9c3

SHA1
ed522c666fa4e106f3b0b501ee99957e4a75a047

SHA256
108fb09d8f5f80069a48cd4246836fd30a0ae512afd7966416f530f49b607384

SHA512
d61738ac18c180587d32de45d01bb07d60fd1658a5b763a1afa0919292cf87968c43d28129c59f6b5dfd660e44c866188a54951f0db296d4a29fe98612288d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2ab1824836a5af5f6827bfdfe309d4b4

SHA1
cbf2d72bf3bd02d828916d8ffa3a97ac7629d217

SHA256
63870402a086b0d84b58b177e54115cce2828dcef1ae9e977108b221fe0115c5

SHA512
fb930da02c54003d14b0066e1026b3625ba45bea0ea5f0cf6f0396333910200f13c24af35c3a2b153ead6cf0762750ae4b58ec1efdc9da6a9a8ebaa15d03f57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6627.exe

Filesize
1.6MB

MD5
ccf141b287b56de4f8b2dadc5c9e80d7

SHA1
2595d744e3d3dd4daea8969e636cef59e7c43e8c

SHA256
bade156b8eb1c4adf0bb331210ba79f9c9a54fdf434fbd1af240451252a56019

SHA512
62e1047e648bf36744fb063e14d18e9aad94d6c220e40ef5a4ffe7db79d43227cbe33d56bc674de913897b7159144cfd3b2bfa0372db8e04cca352a73b6c253f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6627.exe

Filesize
1.6MB

MD5
ccf141b287b56de4f8b2dadc5c9e80d7

SHA1
2595d744e3d3dd4daea8969e636cef59e7c43e8c

SHA256
bade156b8eb1c4adf0bb331210ba79f9c9a54fdf434fbd1af240451252a56019

SHA512
62e1047e648bf36744fb063e14d18e9aad94d6c220e40ef5a4ffe7db79d43227cbe33d56bc674de913897b7159144cfd3b2bfa0372db8e04cca352a73b6c253f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6703.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\706A.exe

Filesize
6.3MB

MD5
8b5d24e77671774b5716ff06ad3b2559

SHA1
a180c0057a361be4361df00992ad75b4557dff96

SHA256
856fc5a591470b6dd10633727130a65d47afed149da52d2c275ef4ef3fdd9856

SHA512
7699e3c6c2ecdc717a5378dea0032938d37e96569e6c8943400d39ad2f6a9831a0bf716e43e8ffea90b443dfed0715b9fbeb3e324ef955070a88a1dc400914df

Download Submit
C:\Users\Admin\AppData\Local\Temp\706A.exe

Filesize
6.3MB

MD5
8b5d24e77671774b5716ff06ad3b2559

SHA1
a180c0057a361be4361df00992ad75b4557dff96

SHA256
856fc5a591470b6dd10633727130a65d47afed149da52d2c275ef4ef3fdd9856

SHA512
7699e3c6c2ecdc717a5378dea0032938d37e96569e6c8943400d39ad2f6a9831a0bf716e43e8ffea90b443dfed0715b9fbeb3e324ef955070a88a1dc400914df

Download Submit
C:\Users\Admin\AppData\Local\Temp\756D.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\756D.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EF3.exe

Filesize
1.5MB

MD5
578f82576563fbb7b0b50054c8ea2c7a

SHA1
2b78dd3a97c214455373b257a66298aeb072819e

SHA256
7fd444dae9993f000c25c1948669a25f851aa9559f7feaa570e66f5f94b457de

SHA512
5ef71babc9d2b0a5e3c009a1a98d82b9d54d77192d7844c77b27eb7eec251b589b60940ea7a25ad9e2e8fd3abcae2a363d0c3e6f3b56810c796668717bc025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EF3.exe

Filesize
1.5MB

MD5
578f82576563fbb7b0b50054c8ea2c7a

SHA1
2b78dd3a97c214455373b257a66298aeb072819e

SHA256
7fd444dae9993f000c25c1948669a25f851aa9559f7feaa570e66f5f94b457de

SHA512
5ef71babc9d2b0a5e3c009a1a98d82b9d54d77192d7844c77b27eb7eec251b589b60940ea7a25ad9e2e8fd3abcae2a363d0c3e6f3b56810c796668717bc025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0501194.exe

Filesize
16KB

MD5
c934a11da640bdbf4a78a681834052eb

SHA1
d063790a029de282c7e89340bf9357ed2a3abe45

SHA256
70d5fce53c447d6a88c714bb93f86c2cc6cd3432adcf68f21b326e13f8e0cd32

SHA512
a8d21d08a30b9db2155d95bf0c4b261ac1be83928362738e21584ecaa6c69d4abc749ead45204b51bbc2caace7e0395a79b7f6a234a00cbdad30830a282248e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0501194.exe

Filesize
16KB

MD5
c934a11da640bdbf4a78a681834052eb

SHA1
d063790a029de282c7e89340bf9357ed2a3abe45

SHA256
70d5fce53c447d6a88c714bb93f86c2cc6cd3432adcf68f21b326e13f8e0cd32

SHA512
a8d21d08a30b9db2155d95bf0c4b261ac1be83928362738e21584ecaa6c69d4abc749ead45204b51bbc2caace7e0395a79b7f6a234a00cbdad30830a282248e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7503631.exe

Filesize
1.3MB

MD5
23b98d50ae6c9bbe051799d9e665c95c

SHA1
ab19e3f8ccc1da168bfd73f9664ea407d456ba93

SHA256
04abaa1bacb9184dc9ed4750b35bba9bc44110cbefabb2c44f85211f3a2bb093

SHA512
4d7a96b40136b0d9b32d682d6af4c347a4664868f27cc91c32f6cc39c12e5deb33615ff94275e974516705d38ce73cfc2314ef41586685cbdd3b67f33407c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7503631.exe

Filesize
1.3MB

MD5
23b98d50ae6c9bbe051799d9e665c95c

SHA1
ab19e3f8ccc1da168bfd73f9664ea407d456ba93

SHA256
04abaa1bacb9184dc9ed4750b35bba9bc44110cbefabb2c44f85211f3a2bb093

SHA512
4d7a96b40136b0d9b32d682d6af4c347a4664868f27cc91c32f6cc39c12e5deb33615ff94275e974516705d38ce73cfc2314ef41586685cbdd3b67f33407c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0242825.exe

Filesize
899KB

MD5
306ba776cc23ca75d362c0d38f90c11e

SHA1
d4e021549a111cf831f2129943d1a88697bd8942

SHA256
4a602f97787226a110e8a1e5ba988338a5500dce143fb2bed04e4e6b7ea0ec14

SHA512
126099242c4428c0a2f30d217681c888596068a3bbfd83bf9e56c0d9f78d1b35aab7b6c80610fbaba575be4c409e80b35b0071279db119f02c2387684f16f214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0242825.exe

Filesize
899KB

MD5
306ba776cc23ca75d362c0d38f90c11e

SHA1
d4e021549a111cf831f2129943d1a88697bd8942

SHA256
4a602f97787226a110e8a1e5ba988338a5500dce143fb2bed04e4e6b7ea0ec14

SHA512
126099242c4428c0a2f30d217681c888596068a3bbfd83bf9e56c0d9f78d1b35aab7b6c80610fbaba575be4c409e80b35b0071279db119f02c2387684f16f214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2919041.exe

Filesize
969KB

MD5
8c8c69376e401130f5dbf7989f3689d7

SHA1
3a3d47189511822e9002e43d96d02bca054c0e70

SHA256
d33b7f9d5f380ed33f2dcaa354cd2d2097da1dfdbe2c96fb5bf15e0d0eaa121e

SHA512
c72b1cf6ddce4ba644dd26dbf3073307e98267feec3a20d6a8ef4fcecac23ea5b26e5b433bc3064d6b3c22d9182de6f88e797caa7ad5c43ff33573af56dce771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2919041.exe

Filesize
969KB

MD5
8c8c69376e401130f5dbf7989f3689d7

SHA1
3a3d47189511822e9002e43d96d02bca054c0e70

SHA256
d33b7f9d5f380ed33f2dcaa354cd2d2097da1dfdbe2c96fb5bf15e0d0eaa121e

SHA512
c72b1cf6ddce4ba644dd26dbf3073307e98267feec3a20d6a8ef4fcecac23ea5b26e5b433bc3064d6b3c22d9182de6f88e797caa7ad5c43ff33573af56dce771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3808594.exe

Filesize
1.1MB

MD5
77fb38d04ec6bd573ebf8d103e36d02e

SHA1
46e16b23b8eff5771c1fdbec35fd924f3a796dcd

SHA256
4f463cb614ac672da97c0fdf054bc5938f5813dad136a2aebbae276976112d11

SHA512
d8bc6201867fde605d3bb63a2d229008d9d217c5214d3fb1c928b1a6d6c15c176d43169aa95420f2f81b06a9f9a9d75e794c78ea669fc27921bee0b3b84daa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3808594.exe

Filesize
1.1MB

MD5
77fb38d04ec6bd573ebf8d103e36d02e

SHA1
46e16b23b8eff5771c1fdbec35fd924f3a796dcd

SHA256
4f463cb614ac672da97c0fdf054bc5938f5813dad136a2aebbae276976112d11

SHA512
d8bc6201867fde605d3bb63a2d229008d9d217c5214d3fb1c928b1a6d6c15c176d43169aa95420f2f81b06a9f9a9d75e794c78ea669fc27921bee0b3b84daa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6701290.exe

Filesize
522KB

MD5
696c81f2bfcf86cb782abf5c98cf5a0e

SHA1
211656d88361e0a78483ad9d66f4fd679632d34c

SHA256
ec2b2b64007b7bd80dfa03bf8e6799ac94c7a72bf48e6219446b38104024a159

SHA512
5dee9fdf7234fb5f1b44460e6a2a0cb743068fcff8f32e93dad903791cc160dd251f0f71e3178c2b5cc120b830bcf5a40d39b3d101263c0a17d0a16748d3a191

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6701290.exe

Filesize
522KB

MD5
696c81f2bfcf86cb782abf5c98cf5a0e

SHA1
211656d88361e0a78483ad9d66f4fd679632d34c

SHA256
ec2b2b64007b7bd80dfa03bf8e6799ac94c7a72bf48e6219446b38104024a159

SHA512
5dee9fdf7234fb5f1b44460e6a2a0cb743068fcff8f32e93dad903791cc160dd251f0f71e3178c2b5cc120b830bcf5a40d39b3d101263c0a17d0a16748d3a191

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1088978.exe

Filesize
922KB

MD5
f8894a4506393ebc5f1114f80030b95d

SHA1
34374a22766f2d95f3fe635bdda0b679ecba274e

SHA256
19d3c032590ad28dadbeeed608b78e92752e12d736c30d5d95e82f0f13f60b7e

SHA512
7d1b006021e5e990ee8da6f3d8e1704e62878d4bb10e7c4142a7fb6b391bbf1b51b6faf9d568925c1ac9872f8d11afd07c770895f95ac991cf56efd74bc764e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1088978.exe

Filesize
922KB

MD5
f8894a4506393ebc5f1114f80030b95d

SHA1
34374a22766f2d95f3fe635bdda0b679ecba274e

SHA256
19d3c032590ad28dadbeeed608b78e92752e12d736c30d5d95e82f0f13f60b7e

SHA512
7d1b006021e5e990ee8da6f3d8e1704e62878d4bb10e7c4142a7fb6b391bbf1b51b6faf9d568925c1ac9872f8d11afd07c770895f95ac991cf56efd74bc764e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5941046.exe

Filesize
1.1MB

MD5
a051cd833233cb7399dec1dcee3eb5dc

SHA1
06d0481186f91e8d7bd19e3cde49fd23f36a4ada

SHA256
75a2bd6e59d9f337c9d7bc6e8c165431bc57cb880c6d7bd50ee63f51d044e3d9

SHA512
fdbf73898cd619627e35e1167cf1917c4d0ce5d8465f8d1eb0e06d304e52cfd43fda6d6bb9fa8dc00922268e365ea8669c2a439f4726ca0cf61d5ab42954235e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5941046.exe

Filesize
1.1MB

MD5
a051cd833233cb7399dec1dcee3eb5dc

SHA1
06d0481186f91e8d7bd19e3cde49fd23f36a4ada

SHA256
75a2bd6e59d9f337c9d7bc6e8c165431bc57cb880c6d7bd50ee63f51d044e3d9

SHA512
fdbf73898cd619627e35e1167cf1917c4d0ce5d8465f8d1eb0e06d304e52cfd43fda6d6bb9fa8dc00922268e365ea8669c2a439f4726ca0cf61d5ab42954235e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPT4NM.R

Filesize
1.4MB

MD5
068c04dbeb88b9eadd0a40fc3c0c1764

SHA1
65e2ca692631bba69c6c6fc652eefc29d47e44ed

SHA256
062fee35375b42773b67eaf50dd631d682a278835f1e4cf7b0e533921e8df8d8

SHA512
1843a5c859f56ce3dcb74870d2be1164029e469359f19032739d5367dc1019dec6a4005fe514b288247e13ccf47f01d0bffc11bf22adffe30e94861968ffbcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPT4Nm.R

Filesize
1.4MB

MD5
068c04dbeb88b9eadd0a40fc3c0c1764

SHA1
65e2ca692631bba69c6c6fc652eefc29d47e44ed

SHA256
062fee35375b42773b67eaf50dd631d682a278835f1e4cf7b0e533921e8df8d8

SHA512
1843a5c859f56ce3dcb74870d2be1164029e469359f19032739d5367dc1019dec6a4005fe514b288247e13ccf47f01d0bffc11bf22adffe30e94861968ffbcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snwnnm2y.iv1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OQT3L.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OQT3L.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OQT3L.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q033P.tmp\is-G66TJ.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q033P.tmp\is-G66TJ.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
memory/228-249-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/228-256-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/228-432-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/536-328-0x00007FFC92690000-0x00007FFC93151000-memory.dmp

Filesize
10.8MB

Download
memory/536-452-0x00007FFC92690000-0x00007FFC93151000-memory.dmp

Filesize
10.8MB

Download
memory/536-300-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/536-308-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/960-446-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/960-278-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1172-65-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/1172-58-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/1172-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1336-688-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1336-680-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1336-683-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1336-378-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1336-665-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1488-301-0x0000000000820000-0x00000000009FA000-memory.dmp

Filesize
1.9MB

Download
memory/1488-335-0x0000000000820000-0x00000000009FA000-memory.dmp

Filesize
1.9MB

Download
memory/1488-262-0x0000000000820000-0x00000000009FA000-memory.dmp

Filesize
1.9MB

Download
memory/1560-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-49-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-250-0x000001BB805C0000-0x000001BB8060C000-memory.dmp

Filesize
304KB

Download
memory/2272-343-0x000001BB804E0000-0x000001BB804F0000-memory.dmp

Filesize
64KB

Download
memory/2272-169-0x000001BBE5D10000-0x000001BBE5DF6000-memory.dmp

Filesize
920KB

Download
memory/2272-251-0x000001BB804E0000-0x000001BB804F0000-memory.dmp

Filesize
64KB

Download
memory/2272-208-0x000001BB803B0000-0x000001BB80492000-memory.dmp

Filesize
904KB

Download
memory/2272-199-0x00007FFC92690000-0x00007FFC93151000-memory.dmp

Filesize
10.8MB

Download
memory/2272-439-0x00007FFC92690000-0x00007FFC93151000-memory.dmp

Filesize
10.8MB

Download
memory/2272-236-0x000001BB804F0000-0x000001BB805C0000-memory.dmp

Filesize
832KB

Download
memory/2272-342-0x00007FFC92690000-0x00007FFC93151000-memory.dmp

Filesize
10.8MB

Download
memory/2696-247-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/2696-304-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/2696-218-0x00000000009B0000-0x0000000000B24000-memory.dmp

Filesize
1.5MB

Download
memory/2736-663-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-664-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-672-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-674-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-689-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-671-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-676-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-662-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-675-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/2736-666-0x0000027DCD3A0000-0x0000027DCD3C0000-memory.dmp

Filesize
128KB

Download
memory/3164-428-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/3164-43-0x0000000002270000-0x0000000002286000-memory.dmp

Filesize
88KB

Download
memory/3204-303-0x0000000000920000-0x000000000097A000-memory.dmp

Filesize
360KB

Download
memory/3204-357-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/3204-352-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/3204-387-0x0000000007F00000-0x0000000007F66000-memory.dmp

Filesize
408KB

Download
memory/3204-350-0x00000000078E0000-0x0000000007E84000-memory.dmp

Filesize
5.6MB

Download
memory/3204-353-0x00000000073D0000-0x0000000007462000-memory.dmp

Filesize
584KB

Download
memory/3204-377-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3240-333-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3240-459-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3468-464-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3468-465-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/3468-463-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/3468-461-0x0000000004C50000-0x0000000004C86000-memory.dmp

Filesize
216KB

Download
memory/3884-219-0x00000000007B0000-0x00000000007B9000-memory.dmp

Filesize
36KB

Download
memory/3884-257-0x00000000007F8000-0x000000000080B000-memory.dmp

Filesize
76KB

Download
memory/4064-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4064-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4064-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4124-42-0x0000000005930000-0x0000000005942000-memory.dmp

Filesize
72KB

Download
memory/4124-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4124-62-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4124-48-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/4124-63-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/4124-34-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4124-35-0x00000000032A0000-0x00000000032A6000-memory.dmp

Filesize
24KB

Download
memory/4124-39-0x0000000005EF0000-0x0000000006508000-memory.dmp

Filesize
6.1MB

Download
memory/4124-40-0x00000000059F0000-0x0000000005AFA000-memory.dmp

Filesize
1.0MB

Download
memory/4124-41-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/4124-45-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/4160-445-0x0000000002E30000-0x000000000371B000-memory.dmp

Filesize
8.9MB

Download
memory/4160-264-0x0000000002E30000-0x000000000371B000-memory.dmp

Filesize
8.9MB

Download
memory/4160-272-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4160-440-0x0000000002A30000-0x0000000002E2E000-memory.dmp

Filesize
4.0MB

Download
memory/4160-260-0x0000000002A30000-0x0000000002E2E000-memory.dmp

Filesize
4.0MB

Download
memory/4160-434-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4160-462-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4160-658-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4260-354-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4260-444-0x000001C77AA50000-0x000001C77AAA6000-memory.dmp

Filesize
344KB

Download
memory/4260-441-0x00007FFC92690000-0x00007FFC93151000-memory.dmp

Filesize
10.8MB

Download
memory/4260-442-0x000001C77AAB0000-0x000001C77AAC0000-memory.dmp

Filesize
64KB

Download
memory/4260-443-0x000001C77AA40000-0x000001C77AA48000-memory.dmp

Filesize
32KB

Download
memory/4260-433-0x000001C77B3C0000-0x000001C77B4C2000-memory.dmp

Filesize
1.0MB

Download
memory/4536-469-0x0000000003A40000-0x0000000003B71000-memory.dmp

Filesize
1.2MB

Download
memory/4536-468-0x00000000038C0000-0x0000000003A31000-memory.dmp

Filesize
1.4MB

Download
memory/4536-154-0x00007FF6AE4E0000-0x00007FF6AE54A000-memory.dmp

Filesize
424KB

Download
memory/4604-82-0x0000000010000000-0x0000000010167000-memory.dmp

Filesize
1.4MB

Download
memory/4604-355-0x0000000002F20000-0x0000000003013000-memory.dmp

Filesize
972KB

Download
memory/4604-334-0x0000000002F20000-0x0000000003013000-memory.dmp

Filesize
972KB

Download
memory/4604-376-0x0000000010000000-0x0000000010167000-memory.dmp

Filesize
1.4MB

Download
memory/4604-83-0x0000000001240000-0x0000000001246000-memory.dmp

Filesize
24KB

Download
memory/4604-246-0x0000000002E10000-0x0000000002F1D000-memory.dmp

Filesize
1.1MB

Download
memory/4604-311-0x0000000002F20000-0x0000000003013000-memory.dmp

Filesize
972KB

Download
memory/4680-356-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4680-360-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download