glupteba | b28546dc6fd49007ebf76ad4b5225ffd8096240801fab6afaa18b3cc3cd9444e

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 11:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

fa30364a5bb26b5aeb82b1013c10bbbd
SHA1

60c6392f1a24d2750f4bbea10dbf6741ab810309
SHA256

b28546dc6fd49007ebf76ad4b5225ffd8096240801fab6afaa18b3cc3cd9444e
SHA512

a5432d2208a1a137d196b5db4f184b5954f97b43ba24a0cbc71f9d0e9a6622d9c034f837bf3136eb4d4face091a9dc84398136f8c1a0d74bf24e3a58c373b3ea
SSDEEP

24576:ey4KLEwK2CZFbG2hnFSubF/5Qpw853d5zCXIUDklmrlTf4t7oq2z3L1qJ3nfHMzk:t49FDhnFS4Fx0wEDC3kcJfv723fIHGb

Score

10^/10

glupteba healer redline smokeloader xmrig trush up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4816-57-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/5092-287-0x0000000002E80000-0x000000000376B000-memory.dmp	family_glupteba
behavioral2/memory/5092-288-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/5092-368-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/5092-463-0x0000000002E80000-0x000000000376B000-memory.dmp	family_glupteba
behavioral2/memory/5092-465-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/5092-510-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/5092-663-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/1388-290-0x0000000000D60000-0x0000000000DBA000-memory.dmp	family_redline
behavioral2/memory/2780-322-0x00000000004C0000-0x000000000069A000-memory.dmp	family_redline
behavioral2/memory/2780-299-0x00000000004C0000-0x000000000069A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/4588-669-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-671-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-672-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-675-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-677-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-678-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-679-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4588-680-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	776F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	kos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	67CD.exe

Executes dropped EXE 22 IoCs

pid	Process
4264	v1675885.exe
2180	v7507263.exe
2088	v6821120.exe
548	a7830673.exe
1328	b9970861.exe
2272	c6883948.exe
3948	d1825087.exe
3540	e5941888.exe
3744	67CD.exe
5000	776F.exe
3668	7CFE.exe
4016	ss41.exe
5016	toolspub2.exe
5092	31839b57a4f11171d6abc8bbc4451ee4.exe
2620	kos1.exe
1012	toolspub2.exe
2780	8675.exe
816	set16.exe
5204	kos.exe
5368	is-PBM8G.tmp
5728	previewer.exe
5860	previewer.exe

Loads dropped DLL 5 IoCs

pid	Process
828	rundll32.exe
2812	rundll32.exe
5368	is-PBM8G.tmp
5368	is-PBM8G.tmp
5368	is-PBM8G.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1675885.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7507263.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6821120.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 548 set thread context of 4652	548	a7830673.exe	91
PID 1328 set thread context of 2028	1328	b9970861.exe	98
PID 2272 set thread context of 1028	2272	c6883948.exe	104
PID 3948 set thread context of 4816	3948	d1825087.exe	111
PID 5016 set thread context of 1012	5016	toolspub2.exe	145
PID 2780 set thread context of 1388	2780	8675.exe	150
PID 3668 set thread context of 5352	3668	7CFE.exe	153
PID 5352 set thread context of 4588	5352	aspnet_compiler.exe	171

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-PBM8G.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-PBM8G.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-PBM8G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-V46J2.tmp	is-PBM8G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-EUGHF.tmp	is-PBM8G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-I2CQQ.tmp	is-PBM8G.tmp
File created	C:\Program Files (x86)\PA Previewer\is-LGMVM.tmp	is-PBM8G.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2476	548	WerFault.exe	88
2304	1328	WerFault.exe	96
1464	2272	WerFault.exe	101
3580	1028	WerFault.exe	104
3868	3948	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings	67CD.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	AppLaunch.exe
4652	AppLaunch.exe
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found
3184	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3184	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4652	AppLaunch.exe
1012	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeDebugPrivilege	4816	AppLaunch.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeDebugPrivilege	3668	7CFE.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeDebugPrivilege	5204	kos.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeDebugPrivilege	5728	previewer.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeDebugPrivilege	5860	previewer.exe
Token: SeDebugPrivilege	5352	aspnet_compiler.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeDebugPrivilege	1388	vbc.exe
Token: SeShutdownPrivilege	3184	Process not Found
Token: SeCreatePagefilePrivilege	3184	Process not Found
Token: SeShutdownPrivilege	3184	Process not Found

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4588	AddInProcess.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3184	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4264	2204	file.exe	85
PID 2204 wrote to memory of 4264	2204	file.exe	85
PID 2204 wrote to memory of 4264	2204	file.exe	85
PID 4264 wrote to memory of 2180	4264	v1675885.exe	86
PID 4264 wrote to memory of 2180	4264	v1675885.exe	86
PID 4264 wrote to memory of 2180	4264	v1675885.exe	86
PID 2180 wrote to memory of 2088	2180	v7507263.exe	87
PID 2180 wrote to memory of 2088	2180	v7507263.exe	87
PID 2180 wrote to memory of 2088	2180	v7507263.exe	87
PID 2088 wrote to memory of 548	2088	v6821120.exe	88
PID 2088 wrote to memory of 548	2088	v6821120.exe	88
PID 2088 wrote to memory of 548	2088	v6821120.exe	88
PID 548 wrote to memory of 5088	548	a7830673.exe	90
PID 548 wrote to memory of 5088	548	a7830673.exe	90
PID 548 wrote to memory of 5088	548	a7830673.exe	90
PID 548 wrote to memory of 4652	548	a7830673.exe	91
PID 548 wrote to memory of 4652	548	a7830673.exe	91
PID 548 wrote to memory of 4652	548	a7830673.exe	91
PID 548 wrote to memory of 4652	548	a7830673.exe	91
PID 548 wrote to memory of 4652	548	a7830673.exe	91
PID 548 wrote to memory of 4652	548	a7830673.exe	91
PID 2088 wrote to memory of 1328	2088	v6821120.exe	96
PID 2088 wrote to memory of 1328	2088	v6821120.exe	96
PID 2088 wrote to memory of 1328	2088	v6821120.exe	96
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 1328 wrote to memory of 2028	1328	b9970861.exe	98
PID 2180 wrote to memory of 2272	2180	v7507263.exe	101
PID 2180 wrote to memory of 2272	2180	v7507263.exe	101
PID 2180 wrote to memory of 2272	2180	v7507263.exe	101
PID 2272 wrote to memory of 3020	2272	c6883948.exe	103
PID 2272 wrote to memory of 3020	2272	c6883948.exe	103
PID 2272 wrote to memory of 3020	2272	c6883948.exe	103
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 2272 wrote to memory of 1028	2272	c6883948.exe	104
PID 4264 wrote to memory of 3948	4264	v1675885.exe	109
PID 4264 wrote to memory of 3948	4264	v1675885.exe	109
PID 4264 wrote to memory of 3948	4264	v1675885.exe	109
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 3948 wrote to memory of 4816	3948	d1825087.exe	111
PID 2204 wrote to memory of 3540	2204	file.exe	114
PID 2204 wrote to memory of 3540	2204	file.exe	114
PID 2204 wrote to memory of 3540	2204	file.exe	114
PID 3184 wrote to memory of 3744	3184	Process not Found	119
PID 3184 wrote to memory of 3744	3184	Process not Found	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1675885.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1675885.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7507263.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7507263.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6821120.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6821120.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7830673.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7830673.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5088
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 588
        6⤵
        Program crash
        
        PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970861.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970861.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 220
        6⤵
        Program crash
        
        PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6883948.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6883948.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 540
        6⤵
        Program crash
        
        PID:3580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 572
        5⤵
        Program crash
        
        PID:1464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1825087.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1825087.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 136
      4⤵
      Program crash
      PID:3868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5941888.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5941888.exe
  2⤵
  - Executes dropped EXE
  PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 548 -ip 548
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1328 -ip 1328
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2272 -ip 2272
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1028 -ip 1028
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3948 -ip 3948
1⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\67CD.exe
C:\Users\Admin\AppData\Local\Temp\67CD.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3744
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5E~C9IT.Cpl",
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5E~C9IT.Cpl",
    3⤵
    - Loads dropped DLL
    PID:828
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5E~C9IT.Cpl",
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5E~C9IT.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\68A9.bat" "
1⤵
PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:2792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcbe0746f8,0x7ffcbe074708,0x7ffcbe074718
    3⤵
    PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10016928953363921287,8591863610494470570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10016928953363921287,8591863610494470570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbe0746f8,0x7ffcbe074708,0x7ffcbe074718
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
    3⤵
    PID:3220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
    3⤵
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    3⤵
    PID:4600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
    3⤵
    PID:5200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
    3⤵
    PID:6072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,7634506256288062717,18437279106144894020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:6052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\776F.exe
C:\Users\Admin\AppData\Local\Temp\776F.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5000
- C:\Users\Admin\AppData\Local\Temp\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:5092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5692
- C:\Users\Admin\AppData\Local\Temp\kos1.exe
  "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\set16.exe
    "C:\Users\Admin\AppData\Local\Temp\set16.exe"
    3⤵
    - Executes dropped EXE
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\is-DE8HF.tmp\is-PBM8G.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DE8HF.tmp\is-PBM8G.tmp" /SL4 $70258 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:5368
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5728
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        5⤵
        
        PID:5716
- - C:\Users\Admin\AppData\Local\Temp\kos.exe
    "C:\Users\Admin\AppData\Local\Temp\kos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5204

C:\Users\Admin\AppData\Local\Temp\7CFE.exe
C:\Users\Admin\AppData\Local\Temp\7CFE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5352
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4588

C:\Users\Admin\AppData\Local\Temp\8675.exe
C:\Users\Admin\AppData\Local\Temp\8675.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
1⤵
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c126b33f65b7fc4ece66e42d6802b02e

SHA1
2a169a1c15e5d3dab708344661ec04d7339bcb58

SHA256
ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8

SHA512
eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
ffcb9b1e5468d1007e3b0aa887340c8f

SHA1
5bf67c788a37284eaf79b8c5c3061e6a3ebd147f

SHA256
da252eb98f23b2e3495f3f2caf81dd4f406465c576407a5b1f229dc01e787757

SHA512
f6b6c883fdf3987b98a14c236fa09e94754223410734160e8773cb35b6949b5f2df3dbd752b93628c913ceebc3e5fa3fa13a23d17a55f72444968be76f062999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
99a982dbb46d6d8acc890a8712e3f53e

SHA1
47ec27dbbf292c7af81112d6a84e53ab4494a2e4

SHA256
f99ee41db2cf641cb1077aa89c313075d26d0211a5f123e6ae2f325675d511f4

SHA512
1b3b0b1716e8a080dbf6bce3e7fbad3c1dcc3267e9f7bf6318d0706c55d2f34223a2dd679aa95d9b7a0b8de29230417154f9f7f804ce99313f9818d9ced81096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
670501b75401c52153c6ee1f6947422d

SHA1
2014225224827e3c31859f438082ef882df3c368

SHA256
e853b0a6bc114cac6b6ad00169e23e622263d4d506b44a8df95809434dc99968

SHA512
4ad04acb8a3344f60b12c57c360a48b53f3689f546b9c8849bcc85f148deb4ad03d344ddcb49b9bf750860ebe40147421cb82534475ae46e357df644cea02c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b9ca44e665818c5209e41433bc32f70

SHA1
c6cd123fcde3de3e544de563eaa4f941b3ec55b8

SHA256
aa605ad00de252bc7d4ec10a286fa131addfe93da45c27391427d66009947c9e

SHA512
a965b903722836c3b5435f0846df888b2048ff919709043ea8e984ad58f0535b7abfcb6b33ed0765b7dc3ab3ab60496a7a8cd4cefad8e21a0f8fd15b271fba5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fab1aaa5fe9ce654e31bcbba1d7c8244

SHA1
526f603d0564399edc8435b9ac4a89c288065b31

SHA256
07128ff660b363838fbf742daace6f561f38a20558c0d4930371532a9b7236e5

SHA512
577d103cbe007f8a547c4288b22a78bfeff025d61ca5842f97e9c4af4a34a5424c2d7b39832150ae6a4001af9af234c9efd6deef29565276409b34a3423302cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
a0c0812c5daf6b24314c589060cc4438

SHA1
5360f608d824455d50356b402c1b0e4d45d34379

SHA256
10c86bc09afe3288664a6efc81fcf55ab1dc45a60aff033174e0ad6807e38fd5

SHA512
c1bf3af869bc11ca17c70a3414d76ef779ffcb8c9ad7b1c7df32224359325f96df9f4591e0205fadc9110ac1ceb4c387b572998cf90aa8f79dfce28ebd527b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d1d2.TMP

Filesize
872B

MD5
04dc28d2f4d3f3477955064d0ce29990

SHA1
b9bdb2facf7c0c181ce3108c56c7fce645658390

SHA256
06ef573294e4522edeb76bff9b2dbbf205c2102ecd479871672d110198068ec6

SHA512
48dee25ed84cf22a81d51d6e2f718ae0e4fd5844518000bdf3766e1f90d57341b7a5574dce4284f500809dee4bffb5eb8c69b861f18709f99c89e10999ca019f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
63ad5a38fc54433365da45a250605f27

SHA1
69ee911a2b2fe161dbf0431e10fa191e3561486c

SHA256
b4a6ac9cdc8c35d96ebcaf3f067ecc0394400c3a05136393719aa79afd29c36c

SHA512
b6b5b981943ae1490ebfd965d26a253466922b0cf6565610d7fb64df2c721f5d9911a3132f4d9feff40f04f51f11dd85f3139d11d96f5aeee4784b1262e3e76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b5864af2f8096540f39066aa0772e787

SHA1
24261496b67d45d9ad6835114095c19c819a13d8

SHA256
002bcfcfe5383d77aecd52f1c0d1268c310839930946758b68dbcdf651a1b154

SHA512
49269cdbf422cb50fc6632291300082f23da84d2f52bc5ac5a25c0da7cbb447be1112999afac0b73f186b8ca3dadeb3fe3e769db4dc9e61fd09ca68d93924c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bbee0fd5ce4d22cd88ffc6557f11a9c6

SHA1
ef2ce7c008276dd9240df9d6b8c5e99fffb5d6c2

SHA256
339a98381cdafa4489974838db50e87e4883087399ec887cb724f3b9f4848b86

SHA512
7d7db94a5fb723386869489dfde825138446e102f5a6cca79d68032c122d3193a00ea089fc7f5baec4ad81f64710e03b168c7a5d0298066d11c74a34c4dec6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E~C9IT.Cpl

Filesize
1.4MB

MD5
befce95193ff364fec2f0927dc728a32

SHA1
26b8f44b1273670102842c68aad20c32e2c25003

SHA256
f15fe8bf1aeb3b78992da3a9ede1d2787f6f77a9721f1c7759f4b54b40b66293

SHA512
fcda2c26f5131878867aa56baccb32823079cc40c944102db9be59f0ea3d605c538269d63acf0696cf33c8ff218aa2648db880d9029eb5e40554ef6659c78d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E~C9It.cpl

Filesize
1.4MB

MD5
befce95193ff364fec2f0927dc728a32

SHA1
26b8f44b1273670102842c68aad20c32e2c25003

SHA256
f15fe8bf1aeb3b78992da3a9ede1d2787f6f77a9721f1c7759f4b54b40b66293

SHA512
fcda2c26f5131878867aa56baccb32823079cc40c944102db9be59f0ea3d605c538269d63acf0696cf33c8ff218aa2648db880d9029eb5e40554ef6659c78d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E~C9It.cpl

Filesize
1.4MB

MD5
befce95193ff364fec2f0927dc728a32

SHA1
26b8f44b1273670102842c68aad20c32e2c25003

SHA256
f15fe8bf1aeb3b78992da3a9ede1d2787f6f77a9721f1c7759f4b54b40b66293

SHA512
fcda2c26f5131878867aa56baccb32823079cc40c944102db9be59f0ea3d605c538269d63acf0696cf33c8ff218aa2648db880d9029eb5e40554ef6659c78d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E~C9It.cpl

Filesize
1.4MB

MD5
befce95193ff364fec2f0927dc728a32

SHA1
26b8f44b1273670102842c68aad20c32e2c25003

SHA256
f15fe8bf1aeb3b78992da3a9ede1d2787f6f77a9721f1c7759f4b54b40b66293

SHA512
fcda2c26f5131878867aa56baccb32823079cc40c944102db9be59f0ea3d605c538269d63acf0696cf33c8ff218aa2648db880d9029eb5e40554ef6659c78d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\67CD.exe

Filesize
1.6MB

MD5
1061bafc0007dca524d3e17a6c2dc5be

SHA1
ca9875fb970bde0f93a475b4cbf695d5baf805e5

SHA256
5f434bf13ed08cec11b4d2f659b2f32a42b55a86d0f3785ae131fd940bd3bf52

SHA512
62e4a62e770638f062683998a2e32f521f6626d6de85db8177117af790205f0e6bcc96009990d1ad5aa97ce082ad6128d75d7004520a4851c74a1284e969ec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\67CD.exe

Filesize
1.6MB

MD5
1061bafc0007dca524d3e17a6c2dc5be

SHA1
ca9875fb970bde0f93a475b4cbf695d5baf805e5

SHA256
5f434bf13ed08cec11b4d2f659b2f32a42b55a86d0f3785ae131fd940bd3bf52

SHA512
62e4a62e770638f062683998a2e32f521f6626d6de85db8177117af790205f0e6bcc96009990d1ad5aa97ce082ad6128d75d7004520a4851c74a1284e969ec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68A9.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\776F.exe

Filesize
6.3MB

MD5
8b5d24e77671774b5716ff06ad3b2559

SHA1
a180c0057a361be4361df00992ad75b4557dff96

SHA256
856fc5a591470b6dd10633727130a65d47afed149da52d2c275ef4ef3fdd9856

SHA512
7699e3c6c2ecdc717a5378dea0032938d37e96569e6c8943400d39ad2f6a9831a0bf716e43e8ffea90b443dfed0715b9fbeb3e324ef955070a88a1dc400914df

Download Submit
C:\Users\Admin\AppData\Local\Temp\776F.exe

Filesize
6.3MB

MD5
8b5d24e77671774b5716ff06ad3b2559

SHA1
a180c0057a361be4361df00992ad75b4557dff96

SHA256
856fc5a591470b6dd10633727130a65d47afed149da52d2c275ef4ef3fdd9856

SHA512
7699e3c6c2ecdc717a5378dea0032938d37e96569e6c8943400d39ad2f6a9831a0bf716e43e8ffea90b443dfed0715b9fbeb3e324ef955070a88a1dc400914df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CFE.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CFE.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\8675.exe

Filesize
1.5MB

MD5
578f82576563fbb7b0b50054c8ea2c7a

SHA1
2b78dd3a97c214455373b257a66298aeb072819e

SHA256
7fd444dae9993f000c25c1948669a25f851aa9559f7feaa570e66f5f94b457de

SHA512
5ef71babc9d2b0a5e3c009a1a98d82b9d54d77192d7844c77b27eb7eec251b589b60940ea7a25ad9e2e8fd3abcae2a363d0c3e6f3b56810c796668717bc025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8675.exe

Filesize
1.5MB

MD5
578f82576563fbb7b0b50054c8ea2c7a

SHA1
2b78dd3a97c214455373b257a66298aeb072819e

SHA256
7fd444dae9993f000c25c1948669a25f851aa9559f7feaa570e66f5f94b457de

SHA512
5ef71babc9d2b0a5e3c009a1a98d82b9d54d77192d7844c77b27eb7eec251b589b60940ea7a25ad9e2e8fd3abcae2a363d0c3e6f3b56810c796668717bc025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5941888.exe

Filesize
16KB

MD5
d44a13e21c443c230b81930812c8d023

SHA1
8611e980c3aa02835eb014615c269308cdcd5180

SHA256
24eceaba1974e080e1e9ad38168060f0ec743306ce4357d599b89ef6ee77b359

SHA512
fe3d26e535072145e7bc450058a13bea1e6242939d65df8e5e081987bc174834c11ace5e796a5811962bb3fa74a8b5f6801b31e34ab393a82fd68948619146af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5941888.exe

Filesize
16KB

MD5
d44a13e21c443c230b81930812c8d023

SHA1
8611e980c3aa02835eb014615c269308cdcd5180

SHA256
24eceaba1974e080e1e9ad38168060f0ec743306ce4357d599b89ef6ee77b359

SHA512
fe3d26e535072145e7bc450058a13bea1e6242939d65df8e5e081987bc174834c11ace5e796a5811962bb3fa74a8b5f6801b31e34ab393a82fd68948619146af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1675885.exe

Filesize
1.3MB

MD5
9072f6d4c3aff2425c5cc53479569534

SHA1
0b6773cb6a2139b91056c6b01f2912785d32dc77

SHA256
d28c2c17991cc87c4baaddff9524e92b7dc3ad876fcda8681b8657aa31ec21f4

SHA512
18fc7a622ecf973984be53aad2de0f1abab1356064864dcee023fd7e5c1ef33fe897de106ecaeced94045d25f317c003ca82c14f906773ceabe6b1e86a454f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1675885.exe

Filesize
1.3MB

MD5
9072f6d4c3aff2425c5cc53479569534

SHA1
0b6773cb6a2139b91056c6b01f2912785d32dc77

SHA256
d28c2c17991cc87c4baaddff9524e92b7dc3ad876fcda8681b8657aa31ec21f4

SHA512
18fc7a622ecf973984be53aad2de0f1abab1356064864dcee023fd7e5c1ef33fe897de106ecaeced94045d25f317c003ca82c14f906773ceabe6b1e86a454f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1825087.exe

Filesize
880KB

MD5
b0e8cb44dfe60fc82fb106772b7e96b6

SHA1
9a8fcd5f6d45152055306c8056200b7e2a92912f

SHA256
07da772bc5d38c830e929136e848468669f8023f10fc5a3d675ab13c0c555035

SHA512
3218610922544c4ccaf52359b5ff811d43415791b27e092aa7e9090bc5750def1cb6dd93bb50ba44d629946968c38db54860e7894c8e05e3bee7bc8a89528510

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1825087.exe

Filesize
880KB

MD5
b0e8cb44dfe60fc82fb106772b7e96b6

SHA1
9a8fcd5f6d45152055306c8056200b7e2a92912f

SHA256
07da772bc5d38c830e929136e848468669f8023f10fc5a3d675ab13c0c555035

SHA512
3218610922544c4ccaf52359b5ff811d43415791b27e092aa7e9090bc5750def1cb6dd93bb50ba44d629946968c38db54860e7894c8e05e3bee7bc8a89528510

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7507263.exe

Filesize
950KB

MD5
53aba51741fc3032e48b57916f177cb7

SHA1
e8065ff9a2fdf3c94262f111455f3fa705f51d56

SHA256
8d074cc110eddd2681308a882caa97d2597883f4642c66390ff089797898d768

SHA512
3ef6228737251f12bb3b93bb972a4d1e106d3a9965261cb432d5fed3504cecf8ec73f5ae428a5e53392d94231441e4007caddb91d4cbc3ca9a1661203fb65671

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7507263.exe

Filesize
950KB

MD5
53aba51741fc3032e48b57916f177cb7

SHA1
e8065ff9a2fdf3c94262f111455f3fa705f51d56

SHA256
8d074cc110eddd2681308a882caa97d2597883f4642c66390ff089797898d768

SHA512
3ef6228737251f12bb3b93bb972a4d1e106d3a9965261cb432d5fed3504cecf8ec73f5ae428a5e53392d94231441e4007caddb91d4cbc3ca9a1661203fb65671

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6883948.exe

Filesize
1.0MB

MD5
cb7d910d214a1d69de522181ffb00f0c

SHA1
3f6277cd7771f04133783f099bcc6b8152048d05

SHA256
20a2fcd0d5845d6661feac74d1a50e9740e035502d5e4795f38712ea7bb82be6

SHA512
fad3ed93df50803ab63e5d4c01f9e50d55ba2126a9766aefe89d3fcff4cb4f71e207ef75965f79d192f523b8c9d8fc4c34b8195086f02eb64747db550684936c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6883948.exe

Filesize
1.0MB

MD5
cb7d910d214a1d69de522181ffb00f0c

SHA1
3f6277cd7771f04133783f099bcc6b8152048d05

SHA256
20a2fcd0d5845d6661feac74d1a50e9740e035502d5e4795f38712ea7bb82be6

SHA512
fad3ed93df50803ab63e5d4c01f9e50d55ba2126a9766aefe89d3fcff4cb4f71e207ef75965f79d192f523b8c9d8fc4c34b8195086f02eb64747db550684936c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6821120.exe

Filesize
514KB

MD5
acd59671ecb45c41ede6bd9b6fa3fa70

SHA1
d088126f4eeab990809586f4f7ea08364f5b5d98

SHA256
9088725460057ad5abc4a1c751ea63701d57a0eabc4f0be254f7938f66888126

SHA512
61a8ef5adbb1489462893b52b67ee75fff72463c8dc429a62519da85c1c50b9b629afa27a0f18160653d692e4546fd056dd3a076b22942ef4ac49963a16828cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6821120.exe

Filesize
514KB

MD5
acd59671ecb45c41ede6bd9b6fa3fa70

SHA1
d088126f4eeab990809586f4f7ea08364f5b5d98

SHA256
9088725460057ad5abc4a1c751ea63701d57a0eabc4f0be254f7938f66888126

SHA512
61a8ef5adbb1489462893b52b67ee75fff72463c8dc429a62519da85c1c50b9b629afa27a0f18160653d692e4546fd056dd3a076b22942ef4ac49963a16828cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7830673.exe

Filesize
903KB

MD5
9451394b72b57da0dc4ed668cfb71ead

SHA1
855050a3962fdbf89873130a270422eb4b917467

SHA256
83eff21503b0957722c16c672afe8f038342cf8e65daf638d6861ca621cbefbe

SHA512
cd24813b4ea5929abb9cb4054f355c25d957b993cecbbe307999e8fad189560c5decd663c9d009568b4018e3cf4be7bac7e50e36006512ff9e4eb0dcf6accbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7830673.exe

Filesize
903KB

MD5
9451394b72b57da0dc4ed668cfb71ead

SHA1
855050a3962fdbf89873130a270422eb4b917467

SHA256
83eff21503b0957722c16c672afe8f038342cf8e65daf638d6861ca621cbefbe

SHA512
cd24813b4ea5929abb9cb4054f355c25d957b993cecbbe307999e8fad189560c5decd663c9d009568b4018e3cf4be7bac7e50e36006512ff9e4eb0dcf6accbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970861.exe

Filesize
1.1MB

MD5
3b1fc954609331dc457d69a57991ee52

SHA1
ebedad509ada0851006ce0a8fc621b616e23b2ff

SHA256
0a188a5258a9fdb8b2534e7ad0c6947a0dba076753bd9001dc5e76616860d70e

SHA512
79d96bdaa0ebab5b19da310848877ed271d4aff03dd5b59d9cf5772f6b5a090bc13ef9cb182a51c7852deae0f8c95bd55caf58f1dd15215f942777d75877a139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970861.exe

Filesize
1.1MB

MD5
3b1fc954609331dc457d69a57991ee52

SHA1
ebedad509ada0851006ce0a8fc621b616e23b2ff

SHA256
0a188a5258a9fdb8b2534e7ad0c6947a0dba076753bd9001dc5e76616860d70e

SHA512
79d96bdaa0ebab5b19da310848877ed271d4aff03dd5b59d9cf5772f6b5a090bc13ef9cb182a51c7852deae0f8c95bd55caf58f1dd15215f942777d75877a139

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubtagdbc.dgh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DE8HF.tmp\is-PBM8G.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DE8HF.tmp\is-PBM8G.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GDB3E.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GDB3E.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GDB3E.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
memory/816-298-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/816-440-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/828-103-0x0000000001020000-0x0000000001026000-memory.dmp

Filesize
24KB

Download
memory/828-209-0x00000000030D0000-0x00000000031DD000-memory.dmp

Filesize
1.1MB

Download
memory/828-275-0x00000000031E0000-0x00000000032D3000-memory.dmp

Filesize
972KB

Download
memory/828-242-0x00000000031E0000-0x00000000032D3000-memory.dmp

Filesize
972KB

Download
memory/828-102-0x0000000010000000-0x0000000010167000-memory.dmp

Filesize
1.4MB

Download
memory/828-263-0x00000000031E0000-0x00000000032D3000-memory.dmp

Filesize
972KB

Download
memory/1012-271-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1012-267-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1012-334-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1028-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-49-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-325-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/1388-375-0x0000000007A60000-0x0000000007A70000-memory.dmp

Filesize
64KB

Download
memory/1388-467-0x000000000A0B0000-0x000000000A5DC000-memory.dmp

Filesize
5.2MB

Download
memory/1388-339-0x0000000007A70000-0x0000000007B02000-memory.dmp

Filesize
584KB

Download
memory/1388-290-0x0000000000D60000-0x0000000000DBA000-memory.dmp

Filesize
360KB

Download
memory/1388-333-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/1388-371-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/1388-466-0x00000000099B0000-0x0000000009B72000-memory.dmp

Filesize
1.8MB

Download
memory/1388-395-0x0000000008660000-0x00000000086C6000-memory.dmp

Filesize
408KB

Download
memory/1388-446-0x0000000009640000-0x00000000096B6000-memory.dmp

Filesize
472KB

Download
memory/1388-464-0x0000000009540000-0x000000000955E000-memory.dmp

Filesize
120KB

Download
memory/1388-445-0x0000000009570000-0x00000000095C0000-memory.dmp

Filesize
320KB

Download
memory/2028-40-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/2028-43-0x0000000005510000-0x000000000554C000-memory.dmp

Filesize
240KB

Download
memory/2028-34-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/2028-35-0x0000000002EF0000-0x0000000002EF6000-memory.dmp

Filesize
24KB

Download
memory/2028-42-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/2028-39-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/2028-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-41-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2028-63-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2028-44-0x0000000005550000-0x000000000559C000-memory.dmp

Filesize
304KB

Download
memory/2028-62-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/2620-324-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/2620-268-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/2620-265-0x0000000000D30000-0x0000000000EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2780-278-0x00000000004C0000-0x000000000069A000-memory.dmp

Filesize
1.9MB

Download
memory/2780-322-0x00000000004C0000-0x000000000069A000-memory.dmp

Filesize
1.9MB

Download
memory/2780-299-0x00000000004C0000-0x000000000069A000-memory.dmp

Filesize
1.9MB

Download
memory/2812-393-0x0000000002F60000-0x0000000003053000-memory.dmp

Filesize
972KB

Download
memory/2812-293-0x0000000000E50000-0x0000000000E56000-memory.dmp

Filesize
24KB

Download
memory/2812-405-0x0000000002F60000-0x0000000003053000-memory.dmp

Filesize
972KB

Download
memory/2812-398-0x0000000002F60000-0x0000000003053000-memory.dmp

Filesize
972KB

Download
memory/2812-366-0x0000000002E50000-0x0000000002F5D000-memory.dmp

Filesize
1.1MB

Download
memory/3184-45-0x0000000003340000-0x0000000003356000-memory.dmp

Filesize
88KB

Download
memory/3184-328-0x00000000032C0000-0x00000000032D6000-memory.dmp

Filesize
88KB

Download
memory/3668-320-0x00007FFCBB520000-0x00007FFCBBFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-367-0x00007FFCBB520000-0x00007FFCBBFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-253-0x0000017F36E50000-0x0000017F36F20000-memory.dmp

Filesize
832KB

Download
memory/3668-241-0x0000017F1E540000-0x0000017F1E622000-memory.dmp

Filesize
904KB

Download
memory/3668-239-0x00007FFCBB520000-0x00007FFCBBFE1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-223-0x0000017F1C870000-0x0000017F1C956000-memory.dmp

Filesize
920KB

Download
memory/3668-252-0x0000017F36F90000-0x0000017F36FA0000-memory.dmp

Filesize
64KB

Download
memory/3668-262-0x0000017F36F20000-0x0000017F36F6C000-memory.dmp

Filesize
304KB

Download
memory/4016-240-0x00007FF7BDCA0000-0x00007FF7BDD0A000-memory.dmp

Filesize
424KB

Download
memory/4588-678-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-673-0x000001EA28100000-0x000001EA28120000-memory.dmp

Filesize
128KB

Download
memory/4588-680-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-672-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-671-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-677-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-669-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-679-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4588-675-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4652-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4652-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4652-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4816-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4816-58-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/4816-65-0x0000000074390000-0x0000000074B40000-memory.dmp

Filesize
7.7MB

Download
memory/5016-266-0x00000000007A0000-0x00000000007A9000-memory.dmp

Filesize
36KB

Download
memory/5016-264-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/5092-288-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5092-463-0x0000000002E80000-0x000000000376B000-memory.dmp

Filesize
8.9MB

Download
memory/5092-465-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5092-368-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5092-459-0x0000000002A80000-0x0000000002E7B000-memory.dmp

Filesize
4.0MB

Download
memory/5092-279-0x0000000002A80000-0x0000000002E7B000-memory.dmp

Filesize
4.0MB

Download
memory/5092-510-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5092-287-0x0000000002E80000-0x000000000376B000-memory.dmp

Filesize
8.9MB

Download
memory/5092-663-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/5204-318-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/5204-374-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/5204-359-0x00007FFCBB520000-0x00007FFCBBFE1000-memory.dmp

Filesize
10.8MB

Download
memory/5352-468-0x000001C47EBE0000-0x000001C47EBF0000-memory.dmp

Filesize
64KB

Download
memory/5352-383-0x00007FFCBB520000-0x00007FFCBBFE1000-memory.dmp

Filesize
10.8MB

Download
memory/5352-385-0x000001C47EBE0000-0x000001C47EBF0000-memory.dmp

Filesize
64KB

Download
memory/5352-390-0x000001C4181C0000-0x000001C418216000-memory.dmp

Filesize
344KB

Download
memory/5352-388-0x000001C4181B0000-0x000001C4181B8000-memory.dmp

Filesize
32KB

Download
memory/5352-352-0x000001C47EAC0000-0x000001C47EBC2000-memory.dmp

Filesize
1.0MB

Download
memory/5352-335-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5368-386-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5368-443-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5728-378-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5728-382-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5728-379-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5860-396-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5860-389-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5860-687-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download