bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c

Analysis

max time kernel
164s
max time network
163s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe
Size

271KB
MD5

652abe2dff915b50c76821e9038b7df7
SHA1

33d1f4793961c4f08a7da1f4009d83126ffcfdb4
SHA256

bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c
SHA512

60948cc0600273e194c5870d59e12e15ce846ea91d341425bb518fe7bf82bb92b713ef2bd74367231506c6ae538b4a8501d0eec6238d924a448ca6068e364c6d
SSDEEP

6144:Yl51orRJXlDixHkUXe3tE0cEOkCybEaQRXr9HNdvOa:cqXUHkUXe3XOkx2LIa

Score

10^/10

upx vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1208 created 420	1208	Explorer.EXE	22

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\uqM9Q0Jrjic.sys	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\YmOXa5qYze50DO.bkg	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\eK0KM6icCl.sys	mstsc.exe
File created	C:\Windows\System32\drivers\1io1BFpw.sys	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\iE0aE7PmID.sys	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\TAG12rsWd1Eemp.njg	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\UaB40m6loJK0c.bqm	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\g1lk1fKmUfQKrD.sys	mstsc.exe
File opened for modification	C:\Windows\system32\drivers\f8604ItfoBnn1m.zdy	mstsc.exe

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2060	1280bd33
2692	mstsc.exe

Loads dropped DLL 43 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe
1172	Dwm.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000FB0000-0x0000000001039000-memory.dmp	upx
behavioral1/memory/2364-2-0x0000000000FB0000-0x0000000001039000-memory.dmp	upx
behavioral1/memory/2060-5-0x0000000000290000-0x0000000000319000-memory.dmp	upx
behavioral1/files/0x000a00000000e621-4.dat	upx
behavioral1/memory/2060-21-0x0000000000290000-0x0000000000319000-memory.dmp	upx
behavioral1/memory/2364-26-0x0000000000FB0000-0x0000000001039000-memory.dmp	upx
behavioral1/memory/2060-42-0x0000000000290000-0x0000000000319000-memory.dmp	upx
behavioral1/memory/2364-50-0x0000000000FB0000-0x0000000001039000-memory.dmp	upx
behavioral1/memory/2060-67-0x0000000000290000-0x0000000000319000-memory.dmp	upx
behavioral1/memory/2060-98-0x0000000000290000-0x0000000000319000-memory.dmp	upx
behavioral1/files/0x000a00000000e621-100.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000003cf0-170.dat	vmprotect
behavioral1/files/0x0016000000003cf0-256.dat	vmprotect
behavioral1/files/0x0024000000003cf0-340.dat	vmprotect
behavioral1/files/0x0032000000003cf0-424.dat	vmprotect

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	1280bd33
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	mstsc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	1280bd33
File created	C:\Windows\system32\ \Windows\System32\Wa2QsV.sys	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	mstsc.exe
File opened for modification	C:\Windows\system32\IepfVW8QTM.sys	mstsc.exe
File created	C:\Windows\Syswow64\1280bd33	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	1280bd33
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	1280bd33
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	1280bd33
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	mstsc.exe
File opened for modification	C:\Windows\system32\Y6yFLa9Kxo.cog	mstsc.exe
File opened for modification	C:\Windows\system32\7xrQ640nc1vg2d.bgd	mstsc.exe
File opened for modification	C:\Windows\system32\7w3fhUVmpRMw4.kiu	mstsc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	1280bd33
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	mstsc.exe
File opened for modification	C:\Windows\system32\98glGedDAwrX.sys	mstsc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	1280bd33
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	1280bd33
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	1280bd33
File opened for modification	C:\Windows\system32\gHSgRipM0XN624.sys	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	mstsc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	1280bd33
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	mstsc.exe
File opened for modification	C:\Windows\system32\pmnLgM1UZd.sys	mstsc.exe
File opened for modification	C:\Windows\system32\zb9SrJtdTD.iap	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	mstsc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	1280bd33
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	mstsc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	mstsc.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\QXaHteSCFtqXMu.sys	mstsc.exe
File opened for modification	C:\Program Files\Uninstall Information\3dde367c.js	mstsc.exe
File opened for modification	C:\Program Files (x86)\WJoEKB73cnQ.sys	mstsc.exe
File opened for modification	C:\Program Files\9omabXqeG34.baj	mstsc.exe
File opened for modification	C:\Program Files\Java\4d55c5f1.html	Explorer.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\manifest.json	Dwm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\3dde3a24.js	Dwm.exe
File opened for modification	C:\Program Files\a43ql311obze19.sys	mstsc.exe
File opened for modification	C:\Program Files\Uninstall Information\manifest.json	mstsc.exe
File opened for modification	C:\Program Files\Uninstall Information\5ccd51ba.js	mstsc.exe
File opened for modification	C:\Program Files\Java\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\Java\3dde37f4.js	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\lib\6c44df59.js	mstsc.exe
File opened for modification	C:\Program Files (x86)\3FYBz5CSBp.sys	mstsc.exe
File opened for modification	C:\Program Files (x86)\1gXlNSVl56Hz9.mew	mstsc.exe
File opened for modification	C:\Program Files\e8uSmuq4jz.oci	mstsc.exe
File opened for modification	C:\Program Files (x86)\lc7E5uCYaE.sys	mstsc.exe
File opened for modification	C:\Program Files (x86)\YccCKU5f4zh.cgo	mstsc.exe
File opened for modification	C:\Program Files\1grlXMtIFGdOV2.vbl	mstsc.exe
File opened for modification	C:\Program Files (x86)\xQv0Bs8eK94iO.sys	mstsc.exe
File opened for modification	C:\Program Files (x86)\49jmNn3Jdpc4.pdr	mstsc.exe
File opened for modification	C:\Program Files\Java\5ccd53ee.js	Explorer.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\lib\6c44e5bf.js	Dwm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\5ccd5736.js	Dwm.exe
File opened for modification	C:\Program Files (x86)\ya1fPbShSX3dQJ.lnd	mstsc.exe
File opened for modification	C:\Program Files\VJXH5Y1jnc2.sys	mstsc.exe
File opened for modification	C:\Program Files\n6r2kOjnrLsFK.sys	mstsc.exe
File opened for modification	C:\Program Files\Uninstall Information\4d55c41b.html	mstsc.exe
File opened for modification	C:\Program Files\Java\lib\6c44e1eb.js	Explorer.EXE
File opened for modification	C:\Program Files\QveAY4ZLt9.sbb	mstsc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\4d55c8ad.html	Dwm.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CYdcBibTCVdV.zxi	mstsc.exe
File opened for modification	C:\Windows\234498	1280bd33
File created	C:\Windows\vvwtt1m.sys	mstsc.exe
File opened for modification	C:\Windows\bDwXUXk2HBrJh.gni	mstsc.exe
File opened for modification	C:\Windows\Opf8dJ55vkQ.sys	mstsc.exe
File opened for modification	C:\Windows\MgW97VQI5k.ogi	mstsc.exe
File opened for modification	C:\Windows\GTBZuYoAGwohMt.sys	mstsc.exe
File opened for modification	C:\Windows\l4Wphex5yUud.lfe	mstsc.exe
File opened for modification	C:\Windows\wJ30sKSzKGrs.sys	mstsc.exe
File opened for modification	C:\Windows\xCaJdFC3Jgtwi.sys	mstsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
940	timeout.exe
1912	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	1280bd33
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mstsc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mstsc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30EF22C8-C304-43F6-93C2-78F92E419A2F}\WpadDecisionTime = 50b5d5e7d3fbd901	1280bd33
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-2d-85-2a-82-18\WpadDecision = "0"	1280bd33
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-2d-85-2a-82-18\WpadDecisionReason = "1"	mstsc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	1280bd33
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mstsc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1280bd33
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mstsc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mstsc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30EF22C8-C304-43F6-93C2-78F92E419A2F}\WpadDecision = "0"	mstsc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	1280bd33
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mstsc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	1280bd33
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-2d-85-2a-82-18\WpadDecisionTime = b04d37e8d3fbd901	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-2d-85-2a-82-18	mstsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mstsc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-2d-85-2a-82-18\WpadDecisionTime = 30d9dff7d3fbd901	mstsc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mstsc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mstsc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	1280bd33
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mstsc.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1280bd33
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	mstsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA6E02B0949E42396EF91A22EAB113EFD3251831	mstsc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA6E02B0949E42396EF91A22EAB113EFD3251831\Blob = 0f0000000100000020000000bc8243dbd7e0d651c4d154e04cfa2ff0001c4087e6945ccc40e7cf1e7caaed34030000000100000014000000aa6e02b0949e42396ef91a22eab113efd32518312000000001000000200200003082021c30820185a003020102020100300d06092a864886f70d01010b05003032310b300906035504061302434e3123302106035504030c1a446967694365727420476c6f62616c20526f6f74204341205632301e170d3233313031303233343630385a170d3234313030393233343630385a3032310b300906035504061302434e3123302106035504030c1a446967694365727420476c6f62616c20526f6f7420434120563230819f300d06092a864886f70d010101050003818d0030818902818100c7edf15696dbedbb270cc0cad4a337cd35048795eb66ab0c4a62510f6991fd4b62d22e665e6dd187bf84f4969e34ebda578366fbd58d810e35c732d260d1e7e1374cdac6410aba5b5a2ea36b95f64a64349794c6b44f77f9535fe3671d65d0811a08729322fd1b865830e81c195dd36530ecc7c824ac0c28f95f0c7d233ef6850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414bf9bd0cee0bdb5b666dfbb576b050af05a42c67a300d06092a864886f70d01010b0500038181006d17e9d9031f0d2e9f6511eebd3e1b4c5715a714c1208abdded04fab3342cc58e236aa3d48dabb41c09e15b7fa53ac6fe92a70273a56ef5e624c0698193086cd785a553c7f7ac846ae9238cffba624554138ad8d800e17ad2bdaa896a6fb8e708f52b4605a8bf1d01f36ff5570864d55d5c3e16926b66cb048b1f2095a2c3405	mstsc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA6E02B0949E42396EF91A22EAB113EFD3251831\Blob = 190000000100000010000000201c606030cd6df8dc8a45ece3b40b4e0f0000000100000020000000bc8243dbd7e0d651c4d154e04cfa2ff0001c4087e6945ccc40e7cf1e7caaed34030000000100000014000000aa6e02b0949e42396ef91a22eab113efd3251831140000000100000014000000bf9bd0cee0bdb5b666dfbb576b050af05a42c67a2000000001000000200200003082021c30820185a003020102020100300d06092a864886f70d01010b05003032310b300906035504061302434e3123302106035504030c1a446967694365727420476c6f62616c20526f6f74204341205632301e170d3233313031303233343630385a170d3234313030393233343630385a3032310b300906035504061302434e3123302106035504030c1a446967694365727420476c6f62616c20526f6f7420434120563230819f300d06092a864886f70d010101050003818d0030818902818100c7edf15696dbedbb270cc0cad4a337cd35048795eb66ab0c4a62510f6991fd4b62d22e665e6dd187bf84f4969e34ebda578366fbd58d810e35c732d260d1e7e1374cdac6410aba5b5a2ea36b95f64a64349794c6b44f77f9535fe3671d65d0811a08729322fd1b865830e81c195dd36530ecc7c824ac0c28f95f0c7d233ef6850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414bf9bd0cee0bdb5b666dfbb576b050af05a42c67a300d06092a864886f70d01010b0500038181006d17e9d9031f0d2e9f6511eebd3e1b4c5715a714c1208abdded04fab3342cc58e236aa3d48dabb41c09e15b7fa53ac6fe92a70273a56ef5e624c0698193086cd785a553c7f7ac846ae9238cffba624554138ad8d800e17ad2bdaa896a6fb8e708f52b4605a8bf1d01f36ff5570864d55d5c3e16926b66cb048b1f2095a2c3405	mstsc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1280bd33
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1280bd33
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1280bd33
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	mstsc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA6E02B0949E42396EF91A22EAB113EFD3251831\Blob = 140000000100000014000000bf9bd0cee0bdb5b666dfbb576b050af05a42c67a030000000100000014000000aa6e02b0949e42396ef91a22eab113efd32518310f0000000100000020000000bc8243dbd7e0d651c4d154e04cfa2ff0001c4087e6945ccc40e7cf1e7caaed342000000001000000200200003082021c30820185a003020102020100300d06092a864886f70d01010b05003032310b300906035504061302434e3123302106035504030c1a446967694365727420476c6f62616c20526f6f74204341205632301e170d3233313031303233343630385a170d3234313030393233343630385a3032310b300906035504061302434e3123302106035504030c1a446967694365727420476c6f62616c20526f6f7420434120563230819f300d06092a864886f70d010101050003818d0030818902818100c7edf15696dbedbb270cc0cad4a337cd35048795eb66ab0c4a62510f6991fd4b62d22e665e6dd187bf84f4969e34ebda578366fbd58d810e35c732d260d1e7e1374cdac6410aba5b5a2ea36b95f64a64349794c6b44f77f9535fe3671d65d0811a08729322fd1b865830e81c195dd36530ecc7c824ac0c28f95f0c7d233ef6850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414bf9bd0cee0bdb5b666dfbb576b050af05a42c67a300d06092a864886f70d01010b0500038181006d17e9d9031f0d2e9f6511eebd3e1b4c5715a714c1208abdded04fab3342cc58e236aa3d48dabb41c09e15b7fa53ac6fe92a70273a56ef5e624c0698193086cd785a553c7f7ac846ae9238cffba624554138ad8d800e17ad2bdaa896a6fb8e708f52b4605a8bf1d01f36ff5570864d55d5c3e16926b66cb048b1f2095a2c3405	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	1280bd33
2060	1280bd33
2060	1280bd33
2060	1280bd33
2060	1280bd33
2060	1280bd33
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
2060	1280bd33
2692	mstsc.exe
528	netsh.exe
2692	mstsc.exe
1208	Explorer.EXE
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe
Token: SeTcbPrivilege	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe
Token: SeDebugPrivilege	2060	1280bd33
Token: SeTcbPrivilege	2060	1280bd33
Token: SeDebugPrivilege	2060	1280bd33
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe
Token: SeDebugPrivilege	2060	1280bd33
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeIncBasePriorityPrivilege	2060	1280bd33
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeBackupPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	2692	mstsc.exe
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeBackupPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1172	Dwm.exe
Token: SeBackupPrivilege	1172	Dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1208	2060	1280bd33	5
PID 2060 wrote to memory of 1208	2060	1280bd33	5
PID 2060 wrote to memory of 1208	2060	1280bd33	5
PID 2060 wrote to memory of 1208	2060	1280bd33	5
PID 2060 wrote to memory of 1208	2060	1280bd33	5
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 1208 wrote to memory of 2692	1208	Explorer.EXE	30
PID 2060 wrote to memory of 420	2060	1280bd33	22
PID 2060 wrote to memory of 420	2060	1280bd33	22
PID 2060 wrote to memory of 420	2060	1280bd33	22
PID 2060 wrote to memory of 420	2060	1280bd33	22
PID 2060 wrote to memory of 420	2060	1280bd33	22
PID 2364 wrote to memory of 2152	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe	32
PID 2364 wrote to memory of 2152	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe	32
PID 2364 wrote to memory of 2152	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe	32
PID 2364 wrote to memory of 2152	2364	bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe	32
PID 2152 wrote to memory of 1912	2152	cmd.exe	33
PID 2152 wrote to memory of 1912	2152	cmd.exe	33
PID 2152 wrote to memory of 1912	2152	cmd.exe	33
PID 2152 wrote to memory of 1912	2152	cmd.exe	33
PID 2060 wrote to memory of 564	2060	1280bd33	34
PID 2060 wrote to memory of 564	2060	1280bd33	34
PID 2060 wrote to memory of 564	2060	1280bd33	34
PID 2060 wrote to memory of 564	2060	1280bd33	34
PID 564 wrote to memory of 940	564	cmd.exe	36
PID 564 wrote to memory of 940	564	cmd.exe	36
PID 564 wrote to memory of 940	564	cmd.exe	36
PID 564 wrote to memory of 940	564	cmd.exe	36
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 528	2692	mstsc.exe	38
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5
PID 2692 wrote to memory of 1208	2692	mstsc.exe	5

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe
  "C:\Users\Admin\AppData\Local\Temp\bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\bf13ce7f380adf4408af45ed576f430cdf75a79d388e072e69a748a9142bca9c.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1912

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\ProgramData\Microsoft\mstsc.exe
  "C:\ProgramData\Microsoft\mstsc.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:528

C:\Windows\Syswow64\1280bd33
C:\Windows\Syswow64\1280bd33
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\1280bd33"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
C:\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
C:\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab69DC.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar69EF.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B1B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\GTBZuYoAGwohMt.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\Opf8dJ55vkQ.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\SysWOW64\1280bd33

Filesize
271KB

MD5
193a8d5589f703439e763477c2d33b0b

SHA1
46142d5de0e2351780b85904d02c5a3c77d42260

SHA256
a7ae69246f5f5500b67fb0715ba95d0862cc30829a092144c4e1274d343a9c04

SHA512
d08e7281d618ea300d9429c8a200804abaa41bc1a0e6fd3385c8961c79683cd012a9d12f2d174b78252c75fec7a4c77f95518bb537b4f80a9323b0064403cf1d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
90cde68496cb07ea3caa569d21a6fc70

SHA1
08cf15430b4eba7f12975245db8e2d5c8e24338f

SHA256
413c2807b3321f5206e74db7c72709e477d75239540a9ca5f070c27720bc23fd

SHA512
99eb2cde35f16d63a31a90c3ef92e4db3fc28375b96a77d2894c832608545e6b48f8d95f27dd6435c246cb4fae9286431be34952f0cf7e9c77b33f0b4ea39c50

Download Submit
C:\Windows\Syswow64\1280bd33

Filesize
271KB

MD5
193a8d5589f703439e763477c2d33b0b

SHA1
46142d5de0e2351780b85904d02c5a3c77d42260

SHA256
a7ae69246f5f5500b67fb0715ba95d0862cc30829a092144c4e1274d343a9c04

SHA512
d08e7281d618ea300d9429c8a200804abaa41bc1a0e6fd3385c8961c79683cd012a9d12f2d174b78252c75fec7a4c77f95518bb537b4f80a9323b0064403cf1d

Download Submit
C:\Windows\wJ30sKSzKGrs.sys

Filesize
447KB

MD5
886816f24cd4f530dbd66bd79a57b4f4

SHA1
e9d1eab7cc78b939819df44980273d6484de220f

SHA256
d378beb85eddc01fe4c16f6b87d36ded4e7eda0f0c93a5b4364413770d10b2e8

SHA512
b969674fc7fd19fb7752ed02274b00203dd0c3314131ea18d12207d6c4ad0c4f306e28cedaddae0b5ec322245edd937536f8f19f493e9227f40a201f894921e3

Download Submit
C:\Windows\xCaJdFC3Jgtwi.sys

Filesize
415KB

MD5
e9f09f3a27ddd0a2f85a08c7e93f4ea3

SHA1
028f397a33a5bd0da3e117dd2fded326183540c8

SHA256
6e760616d096b0d5f8920e6f56f26fe6bbe26bf03e9c31baf2e55ae9a1175e17

SHA512
6c0f81e2ead7e33a557523aaf615e2795104faa79bea044096666b8b3d5da51daa1eba8c39a9aeef21fb7dbc2411e631921e77d7ecfd68bd86002e9499604bf9

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\ProgramData\Microsoft\mstsc.exe

Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
memory/420-52-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/420-48-0x0000000000860000-0x0000000000863000-memory.dmp

Filesize
12KB

Download
memory/528-138-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/528-144-0x0000000000C20000-0x0000000000DC6000-memory.dmp

Filesize
1.6MB

Download
memory/528-139-0x0000000000C20000-0x0000000000DC6000-memory.dmp

Filesize
1.6MB

Download
memory/528-141-0x000007FEBCF20000-0x000007FEBCF30000-memory.dmp

Filesize
64KB

Download
memory/528-181-0x0000000000C20000-0x0000000000DC6000-memory.dmp

Filesize
1.6MB

Download
memory/528-126-0x00000000002E0000-0x000000000047C000-memory.dmp

Filesize
1.6MB

Download
memory/528-142-0x0000000000C20000-0x0000000000DC6000-memory.dmp

Filesize
1.6MB

Download
memory/1172-664-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/1172-772-0x0000000002480000-0x00000000025A2000-memory.dmp

Filesize
1.1MB

Download
memory/1172-666-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1172-667-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1172-665-0x0000000002480000-0x00000000025A2000-memory.dmp

Filesize
1.1MB

Download
memory/1208-749-0x0000000008D10000-0x0000000008E32000-memory.dmp

Filesize
1.1MB

Download
memory/1208-148-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1208-115-0x000007FEF5220000-0x000007FEF5363000-memory.dmp

Filesize
1.3MB

Download
memory/1208-660-0x0000000008D10000-0x0000000008E32000-memory.dmp

Filesize
1.1MB

Download
memory/1208-684-0x0000000008F50000-0x0000000008F54000-memory.dmp

Filesize
16KB

Download
memory/1208-646-0x0000000002BF0000-0x0000000002BF3000-memory.dmp

Filesize
12KB

Download
memory/1208-30-0x0000000006750000-0x0000000006847000-memory.dmp

Filesize
988KB

Download
memory/1208-54-0x000007FE7A1C0000-0x000007FE7A1CA000-memory.dmp

Filesize
40KB

Download
memory/1208-205-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1208-53-0x000007FEF5220000-0x000007FEF5363000-memory.dmp

Filesize
1.3MB

Download
memory/1208-24-0x0000000002B50000-0x0000000002B53000-memory.dmp

Filesize
12KB

Download
memory/1208-68-0x0000000006750000-0x0000000006847000-memory.dmp

Filesize
988KB

Download
memory/1208-29-0x0000000002B50000-0x0000000002B53000-memory.dmp

Filesize
12KB

Download
memory/1208-663-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x0000000000290000-0x0000000000319000-memory.dmp

Filesize
548KB

Download
memory/2060-67-0x0000000000290000-0x0000000000319000-memory.dmp

Filesize
548KB

Download
memory/2060-21-0x0000000000290000-0x0000000000319000-memory.dmp

Filesize
548KB

Download
memory/2060-42-0x0000000000290000-0x0000000000319000-memory.dmp

Filesize
548KB

Download
memory/2060-98-0x0000000000290000-0x0000000000319000-memory.dmp

Filesize
548KB

Download
memory/2364-2-0x0000000000FB0000-0x0000000001039000-memory.dmp

Filesize
548KB

Download
memory/2364-26-0x0000000000FB0000-0x0000000001039000-memory.dmp

Filesize
548KB

Download
memory/2364-0-0x0000000000FB0000-0x0000000001039000-memory.dmp

Filesize
548KB

Download
memory/2364-50-0x0000000000FB0000-0x0000000001039000-memory.dmp

Filesize
548KB

Download
memory/2692-35-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2692-150-0x0000000005D30000-0x0000000005EFA000-memory.dmp

Filesize
1.8MB

Download
memory/2692-642-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2692-643-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2692-644-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2692-113-0x000007FE7A1C0000-0x000007FE7A1CA000-memory.dmp

Filesize
40KB

Download
memory/2692-724-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2692-33-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2692-38-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2692-41-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2692-44-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2692-99-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2692-110-0x0000000036D30000-0x0000000036D40000-memory.dmp

Filesize
64KB

Download
memory/2692-43-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2692-112-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2692-593-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2692-46-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/2692-140-0x0000000005860000-0x0000000005982000-memory.dmp

Filesize
1.1MB

Download
memory/2692-128-0x0000000005D30000-0x0000000005EFA000-memory.dmp

Filesize
1.8MB

Download
memory/2692-125-0x0000000005D30000-0x0000000005EFA000-memory.dmp

Filesize
1.8MB

Download
memory/2692-124-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2692-122-0x0000000005860000-0x0000000005982000-memory.dmp

Filesize
1.1MB

Download
memory/2692-120-0x0000000002040000-0x000000000206E000-memory.dmp

Filesize
184KB

Download
memory/2692-119-0x0000000001E10000-0x0000000001E1F000-memory.dmp

Filesize
60KB

Download
memory/2692-118-0x0000000003F50000-0x0000000004007000-memory.dmp

Filesize
732KB

Download
memory/2692-117-0x0000000003F50000-0x0000000004007000-memory.dmp

Filesize
732KB

Download
memory/2692-116-0x000007FE7A1C0000-0x000007FE7A1CA000-memory.dmp

Filesize
40KB

Download
memory/2692-661-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2692-114-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download