fabookie | 9ed376f6a207601c6cd314a0475feca5ba4b0ff3077b048a8eeaac0aab30d4ac

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

748b2d86b4a88da177bd92331e79986e
SHA1

3971c0981eacb1c7d6efec7617eeb7097f6d3d98
SHA256

9ed376f6a207601c6cd314a0475feca5ba4b0ff3077b048a8eeaac0aab30d4ac
SHA512

e4d0693553b9dd49bfaea7b5f619124c0fe1d743a6df9475dc54ed5874f5cf1eb422e6bea41cb89d77b4258856766908f32832eca8d25e3d52562110a7000901
SSDEEP

24576:UyMrGd44yJPRGgqOy0v2uO3RLBYVVqyp0b9z7dZS+0ESDdnOdCXVKWiwT8HHnrn:jMrGQRGghU3Avqq0Z3/iESpnOdGrYnrc

Score

10^/10

fabookie glupteba healer redline smokeloader xmrig trush up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/memory/2188-461-0x0000000003250000-0x0000000003381000-memory.dmp	family_fabookie

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1628-47-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/2984-267-0x0000000002E00000-0x00000000036EB000-memory.dmp	family_glupteba
behavioral2/memory/2984-275-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/2984-440-0x0000000002E00000-0x00000000036EB000-memory.dmp	family_glupteba
behavioral2/memory/2984-441-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/2984-455-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/2984-633-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/2984-658-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/3532-302-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral2/memory/4944-301-0x0000000000040000-0x000000000021A000-memory.dmp	family_redline
behavioral2/memory/4944-345-0x0000000000040000-0x000000000021A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/4984-660-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-662-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-663-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-670-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-672-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-674-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-675-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-676-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-692-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4984-693-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	kos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	754A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	85A8.exe

Executes dropped EXE 22 IoCs

pid	Process
5088	v7449632.exe
1224	v8496377.exe
2560	v8826133.exe
4612	a1840366.exe
4020	b4150836.exe
3056	c4597425.exe
3756	d8679780.exe
3268	e6624838.exe
3656	754A.exe
2580	85A8.exe
2188	ss41.exe
3432	toolspub2.exe
4308	8923.exe
2984	31839b57a4f11171d6abc8bbc4451ee4.exe
3188	kos1.exe
4532	toolspub2.exe
4944	924C.exe
3384	set16.exe
2180	kos.exe
5160	is-105FC.tmp
5552	previewer.exe
5732	previewer.exe

Loads dropped DLL 4 IoCs

pid	Process
436	WerFault.exe
5160	is-105FC.tmp
5160	is-105FC.tmp
5160	is-105FC.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8496377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8826133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7449632.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4612 set thread context of 2708	4612	a1840366.exe	93
PID 4020 set thread context of 4160	4020	b4150836.exe	101
PID 3056 set thread context of 820	3056	c4597425.exe	106
PID 3756 set thread context of 1628	3756	d8679780.exe	111
PID 3432 set thread context of 4532	3432	toolspub2.exe	144
PID 4944 set thread context of 3532	4944	924C.exe	149
PID 4308 set thread context of 5376	4308	8923.exe	151
PID 5376 set thread context of 4984	5376	aspnet_compiler.exe	168

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-105FC.tmp
File created	C:\Program Files (x86)\PA Previewer\is-KVMNI.tmp	is-105FC.tmp
File created	C:\Program Files (x86)\PA Previewer\is-BV24O.tmp	is-105FC.tmp
File created	C:\Program Files (x86)\PA Previewer\is-RD1AT.tmp	is-105FC.tmp
File created	C:\Program Files (x86)\PA Previewer\is-5L3V0.tmp	is-105FC.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-105FC.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-105FC.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3728	4612	WerFault.exe	90
4192	2708	WerFault.exe	93
2864	4020	WerFault.exe	99
2944	3056	WerFault.exe	104
1812	3756	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4160	AppLaunch.exe
4160	AppLaunch.exe
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
1628	AppLaunch.exe
1628	AppLaunch.exe
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3192	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4160	AppLaunch.exe
4532	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	AppLaunch.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	4308	8923.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	2180	kos.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	5552	previewer.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	5732	previewer.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	5376	aspnet_compiler.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	3532	vbc.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	912	powershell.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
4984	AddInProcess.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3192	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 5088	4248	file.exe	86
PID 4248 wrote to memory of 5088	4248	file.exe	86
PID 4248 wrote to memory of 5088	4248	file.exe	86
PID 5088 wrote to memory of 1224	5088	v7449632.exe	88
PID 5088 wrote to memory of 1224	5088	v7449632.exe	88
PID 5088 wrote to memory of 1224	5088	v7449632.exe	88
PID 1224 wrote to memory of 2560	1224	v8496377.exe	89
PID 1224 wrote to memory of 2560	1224	v8496377.exe	89
PID 1224 wrote to memory of 2560	1224	v8496377.exe	89
PID 2560 wrote to memory of 4612	2560	v8826133.exe	90
PID 2560 wrote to memory of 4612	2560	v8826133.exe	90
PID 2560 wrote to memory of 4612	2560	v8826133.exe	90
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 4612 wrote to memory of 2708	4612	a1840366.exe	93
PID 2560 wrote to memory of 4020	2560	v8826133.exe	99
PID 2560 wrote to memory of 4020	2560	v8826133.exe	99
PID 2560 wrote to memory of 4020	2560	v8826133.exe	99
PID 4020 wrote to memory of 4160	4020	b4150836.exe	101
PID 4020 wrote to memory of 4160	4020	b4150836.exe	101
PID 4020 wrote to memory of 4160	4020	b4150836.exe	101
PID 4020 wrote to memory of 4160	4020	b4150836.exe	101
PID 4020 wrote to memory of 4160	4020	b4150836.exe	101
PID 4020 wrote to memory of 4160	4020	b4150836.exe	101
PID 1224 wrote to memory of 3056	1224	v8496377.exe	104
PID 1224 wrote to memory of 3056	1224	v8496377.exe	104
PID 1224 wrote to memory of 3056	1224	v8496377.exe	104
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 3056 wrote to memory of 820	3056	c4597425.exe	106
PID 5088 wrote to memory of 3756	5088	v7449632.exe	109
PID 5088 wrote to memory of 3756	5088	v7449632.exe	109
PID 5088 wrote to memory of 3756	5088	v7449632.exe	109
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 3756 wrote to memory of 1628	3756	d8679780.exe	111
PID 4248 wrote to memory of 3268	4248	file.exe	115
PID 4248 wrote to memory of 3268	4248	file.exe	115
PID 4248 wrote to memory of 3268	4248	file.exe	115
PID 3192 wrote to memory of 3656	3192	Process not Found	119
PID 3192 wrote to memory of 3656	3192	Process not Found	119
PID 3192 wrote to memory of 3656	3192	Process not Found	119
PID 3192 wrote to memory of 4548	3192	Process not Found	120
PID 3192 wrote to memory of 4548	3192	Process not Found	120
PID 4548 wrote to memory of 2492	4548	cmd.exe	123
PID 4548 wrote to memory of 2492	4548	cmd.exe	123
PID 2492 wrote to memory of 1600	2492	msedge.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7449632.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7449632.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8496377.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8496377.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8826133.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8826133.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1840366.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1840366.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 540
        7⤵
        Program crash
        
        PID:4192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 556
        6⤵
        Program crash
        
        PID:3728
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4150836.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4150836.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 136
        6⤵
        Program crash
        
        PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4597425.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4597425.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 136
        5⤵
        Program crash
        
        PID:2944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8679780.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8679780.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 136
      4⤵
      Program crash
      PID:1812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e6624838.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e6624838.exe
  2⤵
  - Executes dropped EXE
  PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2708 -ip 2708
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4612 -ip 4612
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4020 -ip 4020
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3056 -ip 3056
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3756 -ip 3756
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\754A.exe
C:\Users\Admin\AppData\Local\Temp\754A.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3656
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" .\1Rzr5T.uLG -u -s
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7636.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb407d46f8,0x7ffb407d4708,0x7ffb407d4718
    3⤵
    PID:1600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,752557373412376427,9519522094356958452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    PID:3756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,752557373412376427,9519522094356958452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 /prefetch:2
    3⤵
    PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb407d46f8,0x7ffb407d4708,0x7ffb407d4718
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    3⤵
    PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
    3⤵
    PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    3⤵
    PID:1252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:5348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    3⤵
    PID:5340
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
    3⤵
    PID:6124
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
    3⤵
    PID:6108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    3⤵
    PID:5720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16785326030413551884,7301539475981488385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    3⤵
    PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\85A8.exe
C:\Users\Admin\AppData\Local\Temp\85A8.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2580
- C:\Users\Admin\AppData\Local\Temp\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4532
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Users\Admin\AppData\Local\Temp\kos1.exe
  "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\set16.exe
    "C:\Users\Admin\AppData\Local\Temp\set16.exe"
    3⤵
    - Executes dropped EXE
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\is-ADNO4.tmp\is-105FC.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ADNO4.tmp\is-105FC.tmp" /SL4 $3025A "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:5160
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        5⤵
        
        PID:5536
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        6⤵
        
        PID:5760
    - - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
- - C:\Users\Admin\AppData\Local\Temp\kos.exe
    "C:\Users\Admin\AppData\Local\Temp\kos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2180 -s 2264
      4⤵
      Loads dropped DLL
      PID:436

C:\Users\Admin\AppData\Local\Temp\8923.exe
C:\Users\Admin\AppData\Local\Temp\8923.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Users\Admin\AppData\Local\Temp\924C.exe
C:\Users\Admin\AppData\Local\Temp\924C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0987267c265b2de204ac19d29250d6cd

SHA1
247b7b1e917d9ad2aa903a497758ae75ae145692

SHA256
474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264

SHA512
3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6a72c966b6244304c39f4377280b5bb1

SHA1
800fc2ac49bd72165126d1b0eb7b006d8c0a2280

SHA256
48a00abf820f14e6a3cbb1618b6325ab027d051c162e97724bc169191f7ac0a4

SHA512
fd98817f99d69021436212fe7496c2b672d6bd92fcdd889863b0fd0426be1211b944ecc9b98bdda3d96a6a7aa81692ac1472e730567f1687bc487ffc1fc41ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b738709b95dae5fa3867f333eae8c270

SHA1
04fdfb5e50296385363a8ddc6599cf141cd61c04

SHA256
d58e463233e38f9f29a6dc2f042862312d88fc6029c99598786dbd7aaea971e1

SHA512
f5e3bc50e82d85d039946f6210be62205219b98ffe2e494e59406fec6ec28ff2d14bc50b9e4abe91246ccbb44482b610d92afbd838da58b857af59595f5a0a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7441680a37ce7b3ae5b1db74cd5cb7e0

SHA1
902e42787131691e58ccc091dfd8f78a8863d39d

SHA256
64b7ed248aecfff1b68cb64d9892913c7b22a461c75b73cfa6f4a36619217626

SHA512
e64274b34305f9a3e42b828b4a8785d980f4385669cb91942b16dd52758de7047140c78d570d8ca72a8c14e4bec53f4bacdfe2811c6b61567498f0c97242150b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ec8d626bb5c9e4cb0b4eab02402619c

SHA1
077ca566733dcc30d4130390ae901ed10f614bdc

SHA256
1ff57c975f3cc2a705911ac24d9284a87d030cfbd26a52a5699457d661228d7f

SHA512
2eb9d1169e258332f0776ff68ffbbcdff695dedf9ecdf3011b81080e1ccaa3b3dd12c7af7924ce0c89d3a41aa80a306c1012fd45eea3112aee2fb4d4233f42a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e4f305b6a82141111289e77e4c93e57

SHA1
7d6f8800faf98ed4e16ac4e4326b69b22783a0ba

SHA256
21f69da907eb3ea30d1975d3ce6fec983616692907b96dbbb8b40f4a973dece7

SHA512
83f1448768dadc225772656d00c85b19815b0842566e1601daabcb7fb808050cc49208184b5ef1352bac317874f4bb5f21fcb6f5f16bd6ef45a877ee3ae6a908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c922e7196dd44c67f7572d2743da7076

SHA1
128165ba1c1e150dce811d38581a5e2b590621ba

SHA256
ed74f343b28508ac2bdac0929b2e243438817e632bb15fe76fa13f101a672c1a

SHA512
6db56bafa85fb2c66be8ad3efebeb95a8bd38218ea9df2e3ea771f87bed98c1431a2dac64c3af3a4aecfe1bf565489bbd8a5ec7ad204d37e732fe53dfa7e8ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d452.TMP

Filesize
872B

MD5
1a052df51a49d46b5981c1a91cc1db96

SHA1
368601e3fd88044391084b8e8a6a531d5d4e892a

SHA256
90bdf33d492969c83ce22cc63c9e55ee7ab2dec88ed0880e13b14752830ebedb

SHA512
125d7055464a975c3fff9472369cf40de1f2f5cbf29edaf617c1b9b205aa0e10b4c7cc17529575562177eba27d477e107895f9eb8144885c1e6e3a8974b13ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
af4d17d491e6d416cc2bb2af6212e9a6

SHA1
2adf0a50901b7afe06d4e108ea52cd930a4d3bfd

SHA256
7ecbad5e078c757356bb73cab7665c16f64859b93029a493ffaea969e86a8c4f

SHA512
9f4414040d2e43b80b960ed8e5a32222b45f0365670ab3948ed5ae2b572a5876818a29441053c2408e522feacaea4439fcff8c769dc2e251c5447249fa08dc50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6c7b90b0b23aa4aa74cb3722454c663e

SHA1
d41f10f948c4dffa407bc875894aa1ca0884268c

SHA256
7d0611f9fbe94bfa3ba2facb6e48fdc7c8669c59bf2ee406a3bde7c797744436

SHA512
532ebd0c363fbb2fd7e4631277c0c9db2eb066eb66c9867da5b9c13d62b7d3454d464778ce31b5c4ef68e22b8fe226ca51c61f5d17725690a90be29cb499f6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6c7b90b0b23aa4aa74cb3722454c663e

SHA1
d41f10f948c4dffa407bc875894aa1ca0884268c

SHA256
7d0611f9fbe94bfa3ba2facb6e48fdc7c8669c59bf2ee406a3bde7c797744436

SHA512
532ebd0c363fbb2fd7e4631277c0c9db2eb066eb66c9867da5b9c13d62b7d3454d464778ce31b5c4ef68e22b8fe226ca51c61f5d17725690a90be29cb499f6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Rzr5T.uLG

Filesize
1.4MB

MD5
07056f263460b1880b0197d4d987e692

SHA1
5f25f5f837afb234927361517178d5cac624cca2

SHA256
6d240a794947c47b506ae76a388a0e65ecb4b5203118d8c47b408ab89a9e52c8

SHA512
740972a69c7ed12c6272a8a5a925bfde37819f6c2cb8d8cd0c783f3e1a486eba3bd785ab99477cb28d5fd08d4a0ac377c413be8ac133d79b98810c2bd400e65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rzr5T.uLG

Filesize
1.4MB

MD5
07056f263460b1880b0197d4d987e692

SHA1
5f25f5f837afb234927361517178d5cac624cca2

SHA256
6d240a794947c47b506ae76a388a0e65ecb4b5203118d8c47b408ab89a9e52c8

SHA512
740972a69c7ed12c6272a8a5a925bfde37819f6c2cb8d8cd0c783f3e1a486eba3bd785ab99477cb28d5fd08d4a0ac377c413be8ac133d79b98810c2bd400e65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f2a6bcee6c6bb311325b1b41b5363622

SHA1
587c5b9e0d6a6f50607e461667a09806e5866745

SHA256
ae3d87edb3a831555bac3684482ac5f4f1d794b75d00809250ea8d4937e65e8a

SHA512
9e7802dd50798bfb50553396fa9a45cf0ad16ca5937a33eeb731b4b9744dc0c0b837166675bf4a169c2fe1bc1ac5883b4791b4f2ac7dea4e42e43de77d053e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\754A.exe

Filesize
1.6MB

MD5
994788f3c3c74a2a75bcbda9335178be

SHA1
26c15810bfdc429f19d17684190a83f2027813ea

SHA256
1bfd6f4a0a28bb48c1dc845b2cda2306556bf53e4c4eb2fff686e7edf7a3e73d

SHA512
87c3223f9b0feb27a6099eaafed3938b258512cb9dcfd6b02c6af9334e0391b30a52deb07d1d30bef3f6d60525da133db7e98c50c3a1d233e291928ad4f4c609

Download Submit
C:\Users\Admin\AppData\Local\Temp\754A.exe

Filesize
1.6MB

MD5
994788f3c3c74a2a75bcbda9335178be

SHA1
26c15810bfdc429f19d17684190a83f2027813ea

SHA256
1bfd6f4a0a28bb48c1dc845b2cda2306556bf53e4c4eb2fff686e7edf7a3e73d

SHA512
87c3223f9b0feb27a6099eaafed3938b258512cb9dcfd6b02c6af9334e0391b30a52deb07d1d30bef3f6d60525da133db7e98c50c3a1d233e291928ad4f4c609

Download Submit
C:\Users\Admin\AppData\Local\Temp\7636.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\85A8.exe

Filesize
6.3MB

MD5
8b5d24e77671774b5716ff06ad3b2559

SHA1
a180c0057a361be4361df00992ad75b4557dff96

SHA256
856fc5a591470b6dd10633727130a65d47afed149da52d2c275ef4ef3fdd9856

SHA512
7699e3c6c2ecdc717a5378dea0032938d37e96569e6c8943400d39ad2f6a9831a0bf716e43e8ffea90b443dfed0715b9fbeb3e324ef955070a88a1dc400914df

Download Submit
C:\Users\Admin\AppData\Local\Temp\85A8.exe

Filesize
6.3MB

MD5
8b5d24e77671774b5716ff06ad3b2559

SHA1
a180c0057a361be4361df00992ad75b4557dff96

SHA256
856fc5a591470b6dd10633727130a65d47afed149da52d2c275ef4ef3fdd9856

SHA512
7699e3c6c2ecdc717a5378dea0032938d37e96569e6c8943400d39ad2f6a9831a0bf716e43e8ffea90b443dfed0715b9fbeb3e324ef955070a88a1dc400914df

Download Submit
C:\Users\Admin\AppData\Local\Temp\8923.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\8923.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\924C.exe

Filesize
1.5MB

MD5
578f82576563fbb7b0b50054c8ea2c7a

SHA1
2b78dd3a97c214455373b257a66298aeb072819e

SHA256
7fd444dae9993f000c25c1948669a25f851aa9559f7feaa570e66f5f94b457de

SHA512
5ef71babc9d2b0a5e3c009a1a98d82b9d54d77192d7844c77b27eb7eec251b589b60940ea7a25ad9e2e8fd3abcae2a363d0c3e6f3b56810c796668717bc025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\924C.exe

Filesize
1.5MB

MD5
578f82576563fbb7b0b50054c8ea2c7a

SHA1
2b78dd3a97c214455373b257a66298aeb072819e

SHA256
7fd444dae9993f000c25c1948669a25f851aa9559f7feaa570e66f5f94b457de

SHA512
5ef71babc9d2b0a5e3c009a1a98d82b9d54d77192d7844c77b27eb7eec251b589b60940ea7a25ad9e2e8fd3abcae2a363d0c3e6f3b56810c796668717bc025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e6624838.exe

Filesize
17KB

MD5
6c5ad2cbf7f489b16c19a079f5904a91

SHA1
914f534d9e5e2e2e9a0d25dc0f9cdd2d302a5114

SHA256
323f177013c55592ca3701fb68cee08def3263866d3abf03694c5bfbeec7ed48

SHA512
759fb953a3ec459a1d2a4b1f14425d3303406434dd2598f11d29e8b5eb7e75d0216c96ddbf3d861f10a550a28291e2c23503e2e9804b77a9cb67e0a4a38c99b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e6624838.exe

Filesize
17KB

MD5
6c5ad2cbf7f489b16c19a079f5904a91

SHA1
914f534d9e5e2e2e9a0d25dc0f9cdd2d302a5114

SHA256
323f177013c55592ca3701fb68cee08def3263866d3abf03694c5bfbeec7ed48

SHA512
759fb953a3ec459a1d2a4b1f14425d3303406434dd2598f11d29e8b5eb7e75d0216c96ddbf3d861f10a550a28291e2c23503e2e9804b77a9cb67e0a4a38c99b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7449632.exe

Filesize
1.3MB

MD5
7172c4c27c118939b53a99f73bdbc0aa

SHA1
012a47ae2c02558e46e738508fdded3749722a4d

SHA256
1848f726ef5f8801fb393af1e6f8a9a3efb74487b796e1c72af6b963aa28ae13

SHA512
68af5c0fad6059b9a38365b32f94927f22ead1215685cd9ec3b17ec72f1b659b32ae2bef07ea5d15f48e9d0bff459a2b00cab705af9f0fd6cc163de0796226d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7449632.exe

Filesize
1.3MB

MD5
7172c4c27c118939b53a99f73bdbc0aa

SHA1
012a47ae2c02558e46e738508fdded3749722a4d

SHA256
1848f726ef5f8801fb393af1e6f8a9a3efb74487b796e1c72af6b963aa28ae13

SHA512
68af5c0fad6059b9a38365b32f94927f22ead1215685cd9ec3b17ec72f1b659b32ae2bef07ea5d15f48e9d0bff459a2b00cab705af9f0fd6cc163de0796226d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8679780.exe

Filesize
880KB

MD5
0290a861544dd80b650ee00ba3941ba9

SHA1
f5c203a45bb1bb363eeacb6ff429e0beb4572a66

SHA256
f819b27b5796ba769ef26c3973fc5ab3e4d347133bde34049715fe5e28a0d3c6

SHA512
a36fdb1a3aa5f97252af6239282bad58494b03280ec39bacbc73884bbcae1a23b45a65898080ebbf80cbc752e681f80983ec5e0a5bacdef721bbbd6f4c56978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8679780.exe

Filesize
880KB

MD5
0290a861544dd80b650ee00ba3941ba9

SHA1
f5c203a45bb1bb363eeacb6ff429e0beb4572a66

SHA256
f819b27b5796ba769ef26c3973fc5ab3e4d347133bde34049715fe5e28a0d3c6

SHA512
a36fdb1a3aa5f97252af6239282bad58494b03280ec39bacbc73884bbcae1a23b45a65898080ebbf80cbc752e681f80983ec5e0a5bacdef721bbbd6f4c56978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8496377.exe

Filesize
953KB

MD5
91baa50e1d7bb9b3e13c95e58f543ffb

SHA1
4b7e2176feb497c1f447c68d7968bae504149a3e

SHA256
bfa3f1e83b9482f4ed5006a0df473a974ded15a8919bb072c96a5735d02aaa85

SHA512
50f6bacd8c40833f7140d69ee4532165bb4568a1f550d6eaa5a3fab79875b20951153147dcea6bac87e61ae25ef75b405c20336dedede9ee298ef386e74f8bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8496377.exe

Filesize
953KB

MD5
91baa50e1d7bb9b3e13c95e58f543ffb

SHA1
4b7e2176feb497c1f447c68d7968bae504149a3e

SHA256
bfa3f1e83b9482f4ed5006a0df473a974ded15a8919bb072c96a5735d02aaa85

SHA512
50f6bacd8c40833f7140d69ee4532165bb4568a1f550d6eaa5a3fab79875b20951153147dcea6bac87e61ae25ef75b405c20336dedede9ee298ef386e74f8bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4597425.exe

Filesize
1.1MB

MD5
6e9538738ad0b310621d72bf59473225

SHA1
2568f69271ac1a1f0e3564659e774b84b9741f5c

SHA256
ebee228a7ad820876b2f5f3a3fb3c5a7dc3b78b1ea761e26f0a9426c51954755

SHA512
407073264e318f11b5e9d0f377beb623b54df879f83aff4638b06fb8a38395603f2ecfb9dc022394808592e4f6d0aab8b1450bb217aaba7478e4af30ca4544ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4597425.exe

Filesize
1.1MB

MD5
6e9538738ad0b310621d72bf59473225

SHA1
2568f69271ac1a1f0e3564659e774b84b9741f5c

SHA256
ebee228a7ad820876b2f5f3a3fb3c5a7dc3b78b1ea761e26f0a9426c51954755

SHA512
407073264e318f11b5e9d0f377beb623b54df879f83aff4638b06fb8a38395603f2ecfb9dc022394808592e4f6d0aab8b1450bb217aaba7478e4af30ca4544ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8826133.exe

Filesize
548KB

MD5
56337e5b3efd7528f87ff79a8573a2ff

SHA1
397536ff8a89865854c29b192f460bb5c918fc3b

SHA256
12b514ec3a91eb9b2597e965b594037cb9c15a1021f29269277652a550243eea

SHA512
40b8a39a5e8d49eef6c69c954de1a4f0dee45acd48e880f9663fcb96617fb35e8de9a4c9acd48efa904ce9161818a4c8c79ddfc91b1f47f016d56fab48bdd49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8826133.exe

Filesize
548KB

MD5
56337e5b3efd7528f87ff79a8573a2ff

SHA1
397536ff8a89865854c29b192f460bb5c918fc3b

SHA256
12b514ec3a91eb9b2597e965b594037cb9c15a1021f29269277652a550243eea

SHA512
40b8a39a5e8d49eef6c69c954de1a4f0dee45acd48e880f9663fcb96617fb35e8de9a4c9acd48efa904ce9161818a4c8c79ddfc91b1f47f016d56fab48bdd49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1840366.exe

Filesize
1.0MB

MD5
4bf9b3a4342c4227144001d34c240c83

SHA1
ea09c4d8fc7a3706f2a5e124dd10a03deb839682

SHA256
3177859ceeda6aee545c1443329402e13e940499638209a64041c170479ae2df

SHA512
b40fd3960585165237c45569a2d62119a403fc3ba2e1d30813c5ee023e81bc686eb8d1a25cc234c9fc8ffce8ae6772c0a2b5351c7a4debbe36c7b64863e0c104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1840366.exe

Filesize
1.0MB

MD5
4bf9b3a4342c4227144001d34c240c83

SHA1
ea09c4d8fc7a3706f2a5e124dd10a03deb839682

SHA256
3177859ceeda6aee545c1443329402e13e940499638209a64041c170479ae2df

SHA512
b40fd3960585165237c45569a2d62119a403fc3ba2e1d30813c5ee023e81bc686eb8d1a25cc234c9fc8ffce8ae6772c0a2b5351c7a4debbe36c7b64863e0c104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4150836.exe

Filesize
903KB

MD5
47991e984c9638c4678202150310cc2b

SHA1
66eb3d95e369890ba33f79736f503e607ac58fcf

SHA256
8e036e300d54f8a348db456895cf8595396b302d4ca911432443285cae2e1c28

SHA512
eb5c6374b8dd4c4f2c71b0994f6c670f2f1eb9ffc9855e9925be8e05ab5fd6b0d1bf95511346364fd41dbc3801443b07e99d0a518a2a3e01070778966d12fbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4150836.exe

Filesize
903KB

MD5
47991e984c9638c4678202150310cc2b

SHA1
66eb3d95e369890ba33f79736f503e607ac58fcf

SHA256
8e036e300d54f8a348db456895cf8595396b302d4ca911432443285cae2e1c28

SHA512
eb5c6374b8dd4c4f2c71b0994f6c670f2f1eb9ffc9855e9925be8e05ab5fd6b0d1bf95511346364fd41dbc3801443b07e99d0a518a2a3e01070778966d12fbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3gnaxrf.zyr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KCMC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KCMC.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2KCMC.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ADNO4.tmp\is-105FC.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ADNO4.tmp\is-105FC.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
7fa8c779e04ab85290f00d09f866e13a

SHA1
7874a09e435f599dcc1c64e73e5cfa7634135d23

SHA256
7d1732e37813cc0f5a44fa44a37c1e3826cf7e5583d4827b7846f959b1682868

SHA512
07354b7eb413bd4054ed62dc1506be4ab51cf745c70fea0f40b4effeeb74743298f0f7333908de0bca9dd7c9b6aef4eb39b83a9772213938f2de15325e376ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
265KB

MD5
7a63d490060ac081e1008c78fb0135fa

SHA1
81bda021cd9254cf786cf16aedc3b805ef10326f

SHA256
9c63b33c936df8c3cca5b1e3665b3f0c1b36a1c1ca826a8bc80551610413b74f

SHA512
602ef6907cc4b0b2aa16f7d4b5b5ff14c5434ea2a50854ae0fc4583eba77bb043089fb47c8963f0e9b296ee1481f4f32caa69ab48890156ed08e3b50eac11349

Download Submit
memory/436-254-0x0000000002D70000-0x0000000002E67000-memory.dmp

Filesize
988KB

Download
memory/436-333-0x0000000002E80000-0x0000000002F60000-memory.dmp

Filesize
896KB

Download
memory/436-282-0x0000000002E80000-0x0000000002F60000-memory.dmp

Filesize
896KB

Download
memory/436-95-0x0000000002C30000-0x0000000002C36000-memory.dmp

Filesize
24KB

Download
memory/436-300-0x0000000002E80000-0x0000000002F60000-memory.dmp

Filesize
896KB

Download
memory/436-96-0x0000000010000000-0x0000000010167000-memory.dmp

Filesize
1.4MB

Download
memory/820-55-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/820-42-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/820-54-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/820-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/820-56-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/820-43-0x0000000002970000-0x0000000002976000-memory.dmp

Filesize
24KB

Download
memory/820-62-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/820-50-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/820-57-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download
memory/820-65-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/820-49-0x0000000005650000-0x0000000005C68000-memory.dmp

Filesize
6.1MB

Download
memory/912-462-0x0000000002C30000-0x0000000002C66000-memory.dmp

Filesize
216KB

Download
memory/912-464-0x0000000005550000-0x0000000005B78000-memory.dmp

Filesize
6.2MB

Download
memory/912-463-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1628-48-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1628-64-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1628-47-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2180-466-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/2180-310-0x00007FFB3D9C0000-0x00007FFB3E481000-memory.dmp

Filesize
10.8MB

Download
memory/2180-330-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/2180-298-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

Filesize
32KB

Download
memory/2180-459-0x00007FFB3D9C0000-0x00007FFB3E481000-memory.dmp

Filesize
10.8MB

Download
memory/2188-460-0x00000000030D0000-0x0000000003241000-memory.dmp

Filesize
1.4MB

Download
memory/2188-461-0x0000000003250000-0x0000000003381000-memory.dmp

Filesize
1.2MB

Download
memory/2188-218-0x00007FF7B3410000-0x00007FF7B347A000-memory.dmp

Filesize
424KB

Download
memory/2708-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-267-0x0000000002E00000-0x00000000036EB000-memory.dmp

Filesize
8.9MB

Download
memory/2984-275-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2984-658-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2984-633-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2984-262-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/2984-397-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/2984-440-0x0000000002E00000-0x00000000036EB000-memory.dmp

Filesize
8.9MB

Download
memory/2984-441-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2984-455-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3188-308-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3188-248-0x0000000000B10000-0x0000000000C84000-memory.dmp

Filesize
1.5MB

Download
memory/3188-257-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3192-361-0x0000000003490000-0x00000000034A6000-memory.dmp

Filesize
88KB

Download
memory/3192-58-0x00000000014C0000-0x00000000014D6000-memory.dmp

Filesize
88KB

Download
memory/3384-283-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3384-452-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3432-250-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/3432-252-0x0000000000760000-0x0000000000769000-memory.dmp

Filesize
36KB

Download
memory/3532-341-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3532-352-0x0000000007B10000-0x00000000080B4000-memory.dmp

Filesize
5.6MB

Download
memory/3532-354-0x0000000007640000-0x00000000076D2000-memory.dmp

Filesize
584KB

Download
memory/3532-445-0x00000000081F0000-0x0000000008256000-memory.dmp

Filesize
408KB

Download
memory/3532-465-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3532-302-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-356-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/4160-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4160-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4160-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4308-259-0x000001BED8C40000-0x000001BED8C50000-memory.dmp

Filesize
64KB

Download
memory/4308-260-0x000001BEBEAB0000-0x000001BEBEAFC000-memory.dmp

Filesize
304KB

Download
memory/4308-251-0x000001BED8C50000-0x000001BED8D20000-memory.dmp

Filesize
832KB

Download
memory/4308-353-0x00007FFB3D9C0000-0x00007FFB3E481000-memory.dmp

Filesize
10.8MB

Download
memory/4308-228-0x000001BEBE550000-0x000001BEBE636000-memory.dmp

Filesize
920KB

Download
memory/4308-245-0x00007FFB3D9C0000-0x00007FFB3E481000-memory.dmp

Filesize
10.8MB

Download
memory/4308-249-0x000001BED8B40000-0x000001BED8C22000-memory.dmp

Filesize
904KB

Download
memory/4532-363-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4532-261-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4532-256-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4944-278-0x0000000000040000-0x000000000021A000-memory.dmp

Filesize
1.9MB

Download
memory/4944-301-0x0000000000040000-0x000000000021A000-memory.dmp

Filesize
1.9MB

Download
memory/4944-345-0x0000000000040000-0x000000000021A000-memory.dmp

Filesize
1.9MB

Download
memory/4984-676-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-692-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-693-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-660-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-675-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-674-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-672-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-670-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-665-0x000001E007490000-0x000001E0074B0000-memory.dmp

Filesize
128KB

Download
memory/4984-663-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4984-662-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/5160-331-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/5160-454-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5376-390-0x000002222D8F0000-0x000002222D8F8000-memory.dmp

Filesize
32KB

Download
memory/5376-332-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5376-401-0x0000022246020000-0x0000022246076000-memory.dmp

Filesize
344KB

Download
memory/5376-348-0x0000022246090000-0x00000222460A0000-memory.dmp

Filesize
64KB

Download
memory/5376-344-0x00000222460A0000-0x00000222461A2000-memory.dmp

Filesize
1.0MB

Download
memory/5376-364-0x00007FFB3D9C0000-0x00007FFB3E481000-memory.dmp

Filesize
10.8MB

Download
memory/5376-456-0x0000022246090000-0x00000222460A0000-memory.dmp

Filesize
64KB

Download
memory/5552-351-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5552-362-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5552-355-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5732-400-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5732-690-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5732-685-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5732-677-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5732-694-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/5732-697-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download