amadey | c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a

Analysis

max time kernel
302s
max time network
315s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe
Size

294KB
MD5

c7adc5593f9282e4c2dbd236dc7180ab
SHA1

9450b65d63b3768d4a330d6ba364c6c6fc8a3766
SHA256

c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a
SHA512

f9cfbeb626a9681c680aaea478b8822ea4f1a0384ba034dd6775f7d755aee6453051489630f7d44b834a53385022967fb58fac5d36f1445af035ae36753fe3e5
SSDEEP

6144:gmSRJmak5Phj2t8uQSKZTv90F6PGMAONMuZ+j4tJzn5:gdRcayPhj2dQSKH9kuBJN

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

6012068394_99

https://pastebin.com/raw/8baCJyMF

Extracted

Family

redline

Botnet

pixelscloud

85.209.176.171:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		AppLaunch.exe
		884	schtasks.exe
		1748	schtasks.exe
		896	schtasks.exe

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0005000000018685-86.dat	healer
behavioral1/files/0x0005000000018685-85.dat	healer
behavioral1/memory/524-109-0x0000000001350000-0x000000000135A000-memory.dmp	healer

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

resource	yara_rule
behavioral1/memory/1948-175-0x0000000004410000-0x0000000004CFB000-memory.dmp	family_glupteba
behavioral1/memory/1948-186-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba
behavioral1/memory/1948-211-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba
behavioral1/memory/1948-248-0x0000000004410000-0x0000000004CFB000-memory.dmp	family_glupteba
behavioral1/memory/1948-249-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba
behavioral1/memory/1948-251-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba
behavioral1/memory/1948-365-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba
behavioral1/memory/1948-436-0x0000000000400000-0x000000000266D000-memory.dmp	family_glupteba

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	7469.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	7469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	7469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	7469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	7469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	7469.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/1980-136-0x0000000000290000-0x00000000002EA000-memory.dmp	family_redline
behavioral1/files/0x0006000000018d0f-179.dat	family_redline
behavioral1/memory/1608-181-0x0000000000310000-0x000000000032E000-memory.dmp	family_redline
behavioral1/files/0x0006000000018d0f-180.dat	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018d0f-179.dat	family_sectoprat
behavioral1/memory/1608-181-0x0000000000310000-0x000000000032E000-memory.dmp	family_sectoprat
behavioral1/files/0x0006000000018d0f-180.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2352 created 1392	2352	latestX.exe	4
PID 2352 created 1392	2352	latestX.exe	4
PID 2352 created 1392	2352	latestX.exe	4
PID 2352 created 1392	2352	latestX.exe	4
PID 2352 created 1392	2352	latestX.exe	4
PID 944 created 1392	944	updater.exe	4
PID 944 created 1392	944	updater.exe	4
PID 944 created 1392	944	updater.exe	4
PID 944 created 1392	944	updater.exe	4
PID 944 created 1392	944	updater.exe	4
PID 944 created 1392	944	updater.exe	4

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 30 IoCs

pid	Process
2532	6CB7.exe
2808	6D74.exe
2464	6DE2.bat
2680	VH1ag4IK.exe
2480	WY0Fl3xP.exe
2884	6EEC.exe
1044	FC8mB1bm.exe
2516	dB9lZ4Iu.exe
524	7469.exe
1984	1jV90Hm9.exe
2256	7988.exe
748	explothe.exe
2840	explothe.exe
1172	BF6F.exe
1980	C51A.exe
2936	CA88.exe
1304	toolspub2.exe
1948	31839b57a4f11171d6abc8bbc4451ee4.exe
1608	DCD1.exe
2624	source1.exe
2240	toolspub2.exe
2352	latestX.exe
2148	sfffshf
2368	ejffshf
2184	explothe.exe
944	updater.exe
2924	explothe.exe
2872	31839b57a4f11171d6abc8bbc4451ee4.exe
1756	explothe.exe
1284	explothe.exe

Loads dropped DLL 39 IoCs

pid	Process
2532	6CB7.exe
2532	6CB7.exe
2680	VH1ag4IK.exe
2680	VH1ag4IK.exe
2480	WY0Fl3xP.exe
2480	WY0Fl3xP.exe
1044	FC8mB1bm.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
1044	FC8mB1bm.exe
2516	dB9lZ4Iu.exe
2516	dB9lZ4Iu.exe
1984	1jV90Hm9.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
2748	WerFault.exe
576	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
2256	7988.exe
756	WerFault.exe
756	WerFault.exe
1172	BF6F.exe
1172	BF6F.exe
756	WerFault.exe
1172	BF6F.exe
1172	BF6F.exe
1172	BF6F.exe
1304	toolspub2.exe
1172	BF6F.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
2816	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	7469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	7469.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dB9lZ4Iu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6CB7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VH1ag4IK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WY0Fl3xP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FC8mB1bm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1304 set thread context of 2240	1304	toolspub2.exe	73
PID 2624 set thread context of 2964	2624	source1.exe	77
PID 944 set thread context of 2932	944	updater.exe	127
PID 944 set thread context of 1768	944	updater.exe	129

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20231011045031.cab	makecab.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2324	sc.exe
1744	sc.exe
2332	sc.exe
1888	sc.exe
1312	sc.exe
1512	sc.exe
560	sc.exe
2696	sc.exe
2668	sc.exe
1916	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2796	1684	WerFault.exe	16
576	2884	WerFault.exe	37
1328	1984	WerFault.exe
2748	2808	WerFault.exe	32
756	1980	WerFault.exe	64

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1748	schtasks.exe
884	schtasks.exe
896	schtasks.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0dcab92fefbd901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	AppLaunch.exe
1688	AppLaunch.exe
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1392	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1688	AppLaunch.exe
2240	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeDebugPrivilege	524	7469.exe
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeDebugPrivilege	1608	DCD1.exe
Token: SeDebugPrivilege	2624	source1.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeShutdownPrivilege	1392	Explorer.EXE
Token: SeShutdownPrivilege	2832	powercfg.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeShutdownPrivilege	2028	powercfg.exe
Token: SeShutdownPrivilege	2080	powercfg.exe
Token: SeDebugPrivilege	1948	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1948	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeShutdownPrivilege	2296	powercfg.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	1244	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeDebugPrivilege	944	updater.exe
Token: SeLockMemoryPrivilege	1768	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 1688	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	28
PID 1684 wrote to memory of 2796	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	30
PID 1684 wrote to memory of 2796	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	30
PID 1684 wrote to memory of 2796	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	30
PID 1684 wrote to memory of 2796	1684	c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe	30
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2532	1392	Explorer.EXE	31
PID 1392 wrote to memory of 2808	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2808	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2808	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2808	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2464	1392	Explorer.EXE	33
PID 1392 wrote to memory of 2464	1392	Explorer.EXE	33
PID 1392 wrote to memory of 2464	1392	Explorer.EXE	33
PID 1392 wrote to memory of 2464	1392	Explorer.EXE	33
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2532 wrote to memory of 2680	2532	6CB7.exe	34
PID 2464 wrote to memory of 2600	2464	6DE2.bat	35
PID 2464 wrote to memory of 2600	2464	6DE2.bat	35
PID 2464 wrote to memory of 2600	2464	6DE2.bat	35
PID 2464 wrote to memory of 2600	2464	6DE2.bat	35
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 2680 wrote to memory of 2480	2680	VH1ag4IK.exe	36
PID 1392 wrote to memory of 2884	1392	Explorer.EXE	37
PID 1392 wrote to memory of 2884	1392	Explorer.EXE	37
PID 1392 wrote to memory of 2884	1392	Explorer.EXE	37
PID 1392 wrote to memory of 2884	1392	Explorer.EXE	37
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2480 wrote to memory of 1044	2480	WY0Fl3xP.exe	39
PID 2808 wrote to memory of 2748	2808	6D74.exe	57
PID 2808 wrote to memory of 2748	2808	6D74.exe	57
PID 2808 wrote to memory of 2748	2808	6D74.exe	57
PID 2808 wrote to memory of 2748	2808	6D74.exe	57
PID 1044 wrote to memory of 2516	1044	FC8mB1bm.exe	56
PID 1044 wrote to memory of 2516	1044	FC8mB1bm.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe
  "C:\Users\Admin\AppData\Local\Temp\c51b44ff2ecb1d6e7051f23226eb1d380d89e626ffe9b1e1a251ba50f16e9b5a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 136
    3⤵
    - Program crash
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\6CB7.exe
  C:\Users\Admin\AppData\Local\Temp\6CB7.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WY0Fl3xP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WY0Fl3xP.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FC8mB1bm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FC8mB1bm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dB9lZ4Iu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dB9lZ4Iu.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2516
- C:\Users\Admin\AppData\Local\Temp\6D74.exe
  C:\Users\Admin\AppData\Local\Temp\6D74.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 132
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2748
- C:\Users\Admin\AppData\Local\Temp\6DE2.bat
  "C:\Users\Admin\AppData\Local\Temp\6DE2.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E1E.tmp\6E1F.tmp\6E20.bat C:\Users\Admin\AppData\Local\Temp\6DE2.bat"
    3⤵
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\6EEC.exe
  C:\Users\Admin\AppData\Local\Temp\6EEC.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 132
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:576
- C:\Users\Admin\AppData\Local\Temp\7469.exe
  C:\Users\Admin\AppData\Local\Temp\7469.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Users\Admin\AppData\Local\Temp\7988.exe
  C:\Users\Admin\AppData\Local\Temp\7988.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\BF6F.exe
  C:\Users\Admin\AppData\Local\Temp\BF6F.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2240
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\source1.exe
    "C:\Users\Admin\AppData\Local\Temp\source1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2964
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\C51A.exe
  C:\Users\Admin\AppData\Local\Temp\C51A.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 528
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:756
- C:\Users\Admin\AppData\Local\Temp\CA88.exe
  C:\Users\Admin\AppData\Local\Temp\CA88.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\DCD1.exe
  C:\Users\Admin\AppData\Local\Temp\DCD1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2088
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1312
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1512
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2324
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:560
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:884
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1348
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2764
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2696
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2668
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2332
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1888
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:896
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2932
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 280
1⤵
- Loads dropped DLL
- Program crash
PID:1328

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
1⤵
- DcRat
- Creates scheduled task(s)
PID:1748

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
1⤵
- Executes dropped EXE
PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "explothe.exe" /P "Admin:N"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "explothe.exe" /P "Admin:R" /E
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\fefffe8cea" /P "Admin:N"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\fefffe8cea" /P "Admin:R" /E
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:684
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:1992

C:\Windows\system32\taskeng.exe
taskeng.exe {457F184B-116D-401F-A59E-71F83EA37F3C} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Users\Admin\AppData\Roaming\sfffshf
  C:\Users\Admin\AppData\Roaming\sfffshf
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Users\Admin\AppData\Roaming\ejffshf
  C:\Users\Admin\AppData\Roaming\ejffshf
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20648554221959395494-2098270942-1551862106-843765055-337940774-921016035-469524104"
1⤵
PID:2312

C:\Windows\system32\taskeng.exe
taskeng.exe {E1AD0E47-C559-438D-9098-1211F8E30143} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2816
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:944

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231011045031.log C:\Windows\Logs\CBS\CbsPersist_20231011045031.cab
1⤵
- Drops file in Windows directory
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CB7.exe

Filesize
1.3MB

MD5
1213014c16ae0035d5e4f13beec4fa2b

SHA1
8ac08908b49e88a8248f0405e319a1e9e84bf554

SHA256
e2e6de064b5189f8e6a47c82b9fad85b03733a4bb89880f4c240e09451c52ff8

SHA512
5070972569e87771e4e9758ca44dc887d30c3440b826c977e8804f6fcb564d3d77d911b957d7a37013c1475a154832b03e9c73efc41d2e111c3133062def29c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CB7.exe

Filesize
1.3MB

MD5
1213014c16ae0035d5e4f13beec4fa2b

SHA1
8ac08908b49e88a8248f0405e319a1e9e84bf554

SHA256
e2e6de064b5189f8e6a47c82b9fad85b03733a4bb89880f4c240e09451c52ff8

SHA512
5070972569e87771e4e9758ca44dc887d30c3440b826c977e8804f6fcb564d3d77d911b957d7a37013c1475a154832b03e9c73efc41d2e111c3133062def29c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D74.exe

Filesize
448KB

MD5
e9a21e3954a1f3fb17c71aea6c431e0f

SHA1
b51a4071b66b2bd01eab447bd1ca65a0de926dab

SHA256
7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

SHA512
fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DE2.bat

Filesize
97KB

MD5
714485e7efd02103277a5d31433eaf29

SHA1
2d2ecdba7e2a193151da53bdd7380aacf42d9f94

SHA256
bee56a5797cb12fb401f15a6bae9cfbfa2ee514d0d0decc7296e247c0fc99b90

SHA512
952b4f68a418c4bc4b0df4ef1ca279663b74880e3e403dcac8dc26463f354cbb0839b4c2a64deb1b825d31c12a2bd18884063c4dd98f4689b2509b7dd6d01fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DE2.bat

Filesize
97KB

MD5
714485e7efd02103277a5d31433eaf29

SHA1
2d2ecdba7e2a193151da53bdd7380aacf42d9f94

SHA256
bee56a5797cb12fb401f15a6bae9cfbfa2ee514d0d0decc7296e247c0fc99b90

SHA512
952b4f68a418c4bc4b0df4ef1ca279663b74880e3e403dcac8dc26463f354cbb0839b4c2a64deb1b825d31c12a2bd18884063c4dd98f4689b2509b7dd6d01fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E1E.tmp\6E1F.tmp\6E20.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EEC.exe

Filesize
490KB

MD5
3757f494fa94a0a935514922646bda32

SHA1
f113cad5748bb5a6cbc9dd354dafa8547870acad

SHA256
1f57f349abecdbd0b8e99503f2f67e35eca5dd5db823d7d96af9b55810fa27ea

SHA512
170fa2f35b54018547a2f293fb5d39abfdaecd8bfdcac42f86f85c831a60aef76f9f892acb5bdbcae7831119080c2c8bfc674c1e39b7d03db757b5d543b26b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7469.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7469.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7988.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\7988.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF6F.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF6F.exe

Filesize
15.1MB

MD5
1f353056dfcf60d0c62d87b84f0a5e3f

SHA1
c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0

SHA256
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e

SHA512
84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C51A.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\C51A.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA88.exe

Filesize
180KB

MD5
109da216e61cf349221bd2455d2170d4

SHA1
ea6983b8581b8bb57e47c8492783256313c19480

SHA256
a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

SHA512
460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA88.exe

Filesize
180KB

MD5
109da216e61cf349221bd2455d2170d4

SHA1
ea6983b8581b8bb57e47c8492783256313c19480

SHA256
a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400

SHA512
460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE16.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCD1.exe

Filesize
95KB

MD5
1199c88022b133b321ed8e9c5f4e6739

SHA1
8e5668edc9b4e1f15c936e68b59c84e165c9cb07

SHA256
e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836

SHA512
7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCD1.exe

Filesize
95KB

MD5
1199c88022b133b321ed8e9c5f4e6739

SHA1
8e5668edc9b4e1f15c936e68b59c84e165c9cb07

SHA256
e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836

SHA512
7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe

Filesize
1.1MB

MD5
ce119802d42180ae4f0d5a675ac02bd1

SHA1
6b686d62165b0788e5f712c001125b60277fccba

SHA256
b0a5df307b3d0c825fb6aedfbfa181a1d426932fa13dbd5473d902555645e305

SHA512
794e8201b9465a5de3090c9d132ff62d27769dbf32a700ac7e433b105d5d58ff8747c6d8d50239d802664f0c88a7fefcff8498bf8d7f35013a6047107c18e7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe

Filesize
1.1MB

MD5
ce119802d42180ae4f0d5a675ac02bd1

SHA1
6b686d62165b0788e5f712c001125b60277fccba

SHA256
b0a5df307b3d0c825fb6aedfbfa181a1d426932fa13dbd5473d902555645e305

SHA512
794e8201b9465a5de3090c9d132ff62d27769dbf32a700ac7e433b105d5d58ff8747c6d8d50239d802664f0c88a7fefcff8498bf8d7f35013a6047107c18e7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WY0Fl3xP.exe

Filesize
952KB

MD5
5b87bf18455d4effebedeb012f821d4e

SHA1
5ba7e4a2af0480e621b0dbff788481cb85531de0

SHA256
25d9a7d7570648f0f27750f0163f67d17c6309043177e2b13c206530d0a90cda

SHA512
ef45550ff517cf4313a7b9e55c5771b19a78c0c597397b2c20cd91772e728d88936b98f2dd22735bd42021b149d6945a8d7dc7237817fcc705e60665270dfdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WY0Fl3xP.exe

Filesize
952KB

MD5
5b87bf18455d4effebedeb012f821d4e

SHA1
5ba7e4a2af0480e621b0dbff788481cb85531de0

SHA256
25d9a7d7570648f0f27750f0163f67d17c6309043177e2b13c206530d0a90cda

SHA512
ef45550ff517cf4313a7b9e55c5771b19a78c0c597397b2c20cd91772e728d88936b98f2dd22735bd42021b149d6945a8d7dc7237817fcc705e60665270dfdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ns423Bw.exe

Filesize
490KB

MD5
3757f494fa94a0a935514922646bda32

SHA1
f113cad5748bb5a6cbc9dd354dafa8547870acad

SHA256
1f57f349abecdbd0b8e99503f2f67e35eca5dd5db823d7d96af9b55810fa27ea

SHA512
170fa2f35b54018547a2f293fb5d39abfdaecd8bfdcac42f86f85c831a60aef76f9f892acb5bdbcae7831119080c2c8bfc674c1e39b7d03db757b5d543b26b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FC8mB1bm.exe

Filesize
647KB

MD5
60ceda8e87ad96074744910df47d9fd8

SHA1
cdc46340928a85694535c99b53f3980f4c7837f8

SHA256
67d0906949c73e2035604c87e01712ba5d4db3935ff7d2abfd9ed7392c26f31a

SHA512
736086d20fab9b003d1f9b5640c3bb5fb6dd2c40177a8ba135cdb131a596e46a72556ad741c41549a665c04eab4359ded1049a46f24847d3dafa47cd78cf3f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FC8mB1bm.exe

Filesize
647KB

MD5
60ceda8e87ad96074744910df47d9fd8

SHA1
cdc46340928a85694535c99b53f3980f4c7837f8

SHA256
67d0906949c73e2035604c87e01712ba5d4db3935ff7d2abfd9ed7392c26f31a

SHA512
736086d20fab9b003d1f9b5640c3bb5fb6dd2c40177a8ba135cdb131a596e46a72556ad741c41549a665c04eab4359ded1049a46f24847d3dafa47cd78cf3f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dB9lZ4Iu.exe

Filesize
451KB

MD5
0ca2cfc661beaf42f85d14b8797e5fa2

SHA1
bfbfa8e000fc94e0ce29ec5dc4c596ecc5465271

SHA256
b93535f8ad835aa9730a0cae28a8e9a28fee437b9242f0553a4dcba93cf1e9bc

SHA512
ea062950e913059ca52650b07c30d3f017046a608cd9dc74ea5c38847ec234b005080ea10c4419427c7422937b858c04dc7ee193cf94e4591fce5eed685e076f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dB9lZ4Iu.exe

Filesize
451KB

MD5
0ca2cfc661beaf42f85d14b8797e5fa2

SHA1
bfbfa8e000fc94e0ce29ec5dc4c596ecc5465271

SHA256
b93535f8ad835aa9730a0cae28a8e9a28fee437b9242f0553a4dcba93cf1e9bc

SHA512
ea062950e913059ca52650b07c30d3f017046a608cd9dc74ea5c38847ec234b005080ea10c4419427c7422937b858c04dc7ee193cf94e4591fce5eed685e076f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE67.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\source1.exe

Filesize
5.1MB

MD5
e082a92a00272a3c1cd4b0de30967a79

SHA1
16c391acf0f8c637d36a93e217591d8319e3f041

SHA256
eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc

SHA512
26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp428F.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42C4.tmp

Filesize
92KB

MD5
9de8f5c2b2916ab8ca2989f2fe8b3fe2

SHA1
64e7ec07d4d201ad2a5067be2e43429240394339

SHA256
ace3173e6cbc20b7b89aba8db456417a654e26147b9f0a97e8289147782324b8

SHA512
ba3bacb0e8639c763015791dc19411ccc1f3eaca807815988cafd8d4ebe7ced1e02daab55583df505bd42275589509e98c967466015afff5e9792ac74cb432f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1OQD0DSURGRR6BOFD8AB.temp

Filesize
7KB

MD5
8cc7a9fe91c7dd0f49350f097eb33912

SHA1
885096b161a84d9cad00b1990b3ed89564ac8322

SHA256
a0933a6b80c861c84a0b71f4ac8acac76d07eb9b5125d16ff89143f827be8b29

SHA512
c826c79cfcded70020ca022fe522e14e3c50c34a3798f058ea02508d19b25181640aa7cf104fb335f7dd2b28b858a15738c9db2500577bfc91a972da5c6a3661

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
aa6f521d78f6e9101a1a99f8bfdfbf08

SHA1
81abd59d8275c1a1d35933f76282b411310323be

SHA256
3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d

SHA512
43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

Download Submit
\Users\Admin\AppData\Local\Temp\6CB7.exe

Filesize
1.3MB

MD5
1213014c16ae0035d5e4f13beec4fa2b

SHA1
8ac08908b49e88a8248f0405e319a1e9e84bf554

SHA256
e2e6de064b5189f8e6a47c82b9fad85b03733a4bb89880f4c240e09451c52ff8

SHA512
5070972569e87771e4e9758ca44dc887d30c3440b826c977e8804f6fcb564d3d77d911b957d7a37013c1475a154832b03e9c73efc41d2e111c3133062def29c4

Download Submit
\Users\Admin\AppData\Local\Temp\6D74.exe

Filesize
448KB

MD5
e9a21e3954a1f3fb17c71aea6c431e0f

SHA1
b51a4071b66b2bd01eab447bd1ca65a0de926dab

SHA256
7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

SHA512
fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

Download Submit
\Users\Admin\AppData\Local\Temp\6D74.exe

Filesize
448KB

MD5
e9a21e3954a1f3fb17c71aea6c431e0f

SHA1
b51a4071b66b2bd01eab447bd1ca65a0de926dab

SHA256
7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

SHA512
fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

Download Submit
\Users\Admin\AppData\Local\Temp\6D74.exe

Filesize
448KB

MD5
e9a21e3954a1f3fb17c71aea6c431e0f

SHA1
b51a4071b66b2bd01eab447bd1ca65a0de926dab

SHA256
7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

SHA512
fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

Download Submit
\Users\Admin\AppData\Local\Temp\6D74.exe

Filesize
448KB

MD5
e9a21e3954a1f3fb17c71aea6c431e0f

SHA1
b51a4071b66b2bd01eab447bd1ca65a0de926dab

SHA256
7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

SHA512
fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

Download Submit
\Users\Admin\AppData\Local\Temp\6EEC.exe

Filesize
490KB

MD5
3757f494fa94a0a935514922646bda32

SHA1
f113cad5748bb5a6cbc9dd354dafa8547870acad

SHA256
1f57f349abecdbd0b8e99503f2f67e35eca5dd5db823d7d96af9b55810fa27ea

SHA512
170fa2f35b54018547a2f293fb5d39abfdaecd8bfdcac42f86f85c831a60aef76f9f892acb5bdbcae7831119080c2c8bfc674c1e39b7d03db757b5d543b26b66

Download Submit
\Users\Admin\AppData\Local\Temp\6EEC.exe

Filesize
490KB

MD5
3757f494fa94a0a935514922646bda32

SHA1
f113cad5748bb5a6cbc9dd354dafa8547870acad

SHA256
1f57f349abecdbd0b8e99503f2f67e35eca5dd5db823d7d96af9b55810fa27ea

SHA512
170fa2f35b54018547a2f293fb5d39abfdaecd8bfdcac42f86f85c831a60aef76f9f892acb5bdbcae7831119080c2c8bfc674c1e39b7d03db757b5d543b26b66

Download Submit
\Users\Admin\AppData\Local\Temp\6EEC.exe

Filesize
490KB

MD5
3757f494fa94a0a935514922646bda32

SHA1
f113cad5748bb5a6cbc9dd354dafa8547870acad

SHA256
1f57f349abecdbd0b8e99503f2f67e35eca5dd5db823d7d96af9b55810fa27ea

SHA512
170fa2f35b54018547a2f293fb5d39abfdaecd8bfdcac42f86f85c831a60aef76f9f892acb5bdbcae7831119080c2c8bfc674c1e39b7d03db757b5d543b26b66

Download Submit
\Users\Admin\AppData\Local\Temp\6EEC.exe

Filesize
490KB

MD5
3757f494fa94a0a935514922646bda32

SHA1
f113cad5748bb5a6cbc9dd354dafa8547870acad

SHA256
1f57f349abecdbd0b8e99503f2f67e35eca5dd5db823d7d96af9b55810fa27ea

SHA512
170fa2f35b54018547a2f293fb5d39abfdaecd8bfdcac42f86f85c831a60aef76f9f892acb5bdbcae7831119080c2c8bfc674c1e39b7d03db757b5d543b26b66

Download Submit
\Users\Admin\AppData\Local\Temp\C51A.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
\Users\Admin\AppData\Local\Temp\C51A.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
\Users\Admin\AppData\Local\Temp\C51A.exe

Filesize
429KB

MD5
21b738f4b6e53e6d210996fa6ba6cc69

SHA1
3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41

SHA256
3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58

SHA512
f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe

Filesize
1.1MB

MD5
ce119802d42180ae4f0d5a675ac02bd1

SHA1
6b686d62165b0788e5f712c001125b60277fccba

SHA256
b0a5df307b3d0c825fb6aedfbfa181a1d426932fa13dbd5473d902555645e305

SHA512
794e8201b9465a5de3090c9d132ff62d27769dbf32a700ac7e433b105d5d58ff8747c6d8d50239d802664f0c88a7fefcff8498bf8d7f35013a6047107c18e7c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe

Filesize
1.1MB

MD5
ce119802d42180ae4f0d5a675ac02bd1

SHA1
6b686d62165b0788e5f712c001125b60277fccba

SHA256
b0a5df307b3d0c825fb6aedfbfa181a1d426932fa13dbd5473d902555645e305

SHA512
794e8201b9465a5de3090c9d132ff62d27769dbf32a700ac7e433b105d5d58ff8747c6d8d50239d802664f0c88a7fefcff8498bf8d7f35013a6047107c18e7c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\WY0Fl3xP.exe

Filesize
952KB

MD5
5b87bf18455d4effebedeb012f821d4e

SHA1
5ba7e4a2af0480e621b0dbff788481cb85531de0

SHA256
25d9a7d7570648f0f27750f0163f67d17c6309043177e2b13c206530d0a90cda

SHA512
ef45550ff517cf4313a7b9e55c5771b19a78c0c597397b2c20cd91772e728d88936b98f2dd22735bd42021b149d6945a8d7dc7237817fcc705e60665270dfdfa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\WY0Fl3xP.exe

Filesize
952KB

MD5
5b87bf18455d4effebedeb012f821d4e

SHA1
5ba7e4a2af0480e621b0dbff788481cb85531de0

SHA256
25d9a7d7570648f0f27750f0163f67d17c6309043177e2b13c206530d0a90cda

SHA512
ef45550ff517cf4313a7b9e55c5771b19a78c0c597397b2c20cd91772e728d88936b98f2dd22735bd42021b149d6945a8d7dc7237817fcc705e60665270dfdfa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\FC8mB1bm.exe

Filesize
647KB

MD5
60ceda8e87ad96074744910df47d9fd8

SHA1
cdc46340928a85694535c99b53f3980f4c7837f8

SHA256
67d0906949c73e2035604c87e01712ba5d4db3935ff7d2abfd9ed7392c26f31a

SHA512
736086d20fab9b003d1f9b5640c3bb5fb6dd2c40177a8ba135cdb131a596e46a72556ad741c41549a665c04eab4359ded1049a46f24847d3dafa47cd78cf3f87

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\FC8mB1bm.exe

Filesize
647KB

MD5
60ceda8e87ad96074744910df47d9fd8

SHA1
cdc46340928a85694535c99b53f3980f4c7837f8

SHA256
67d0906949c73e2035604c87e01712ba5d4db3935ff7d2abfd9ed7392c26f31a

SHA512
736086d20fab9b003d1f9b5640c3bb5fb6dd2c40177a8ba135cdb131a596e46a72556ad741c41549a665c04eab4359ded1049a46f24847d3dafa47cd78cf3f87

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\dB9lZ4Iu.exe

Filesize
451KB

MD5
0ca2cfc661beaf42f85d14b8797e5fa2

SHA1
bfbfa8e000fc94e0ce29ec5dc4c596ecc5465271

SHA256
b93535f8ad835aa9730a0cae28a8e9a28fee437b9242f0553a4dcba93cf1e9bc

SHA512
ea062950e913059ca52650b07c30d3f017046a608cd9dc74ea5c38847ec234b005080ea10c4419427c7422937b858c04dc7ee193cf94e4591fce5eed685e076f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\dB9lZ4Iu.exe

Filesize
451KB

MD5
0ca2cfc661beaf42f85d14b8797e5fa2

SHA1
bfbfa8e000fc94e0ce29ec5dc4c596ecc5465271

SHA256
b93535f8ad835aa9730a0cae28a8e9a28fee437b9242f0553a4dcba93cf1e9bc

SHA512
ea062950e913059ca52650b07c30d3f017046a608cd9dc74ea5c38847ec234b005080ea10c4419427c7422937b858c04dc7ee193cf94e4591fce5eed685e076f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jV90Hm9.exe

Filesize
448KB

MD5
9bef4d5ab8620b5531bff4b821af33fe

SHA1
d7cf180f9766eaa2f5664e9e5a823505c2f103b8

SHA256
3b7f358453d104107042c8de634dca0b15b77ab88a41e4f3e91f5fad4403f73b

SHA512
8f29526a2531e67d41258f5e31c6b22bb95f3c9651c6ef8b4721222d91ea315a428d509bda96217fca83fbdb9ba2d842e80b15d29c8e6889065926f93c31b745

Download Submit
\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
\Users\Admin\AppData\Local\Temp\source1.exe

Filesize
5.1MB

MD5
e082a92a00272a3c1cd4b0de30967a79

SHA1
16c391acf0f8c637d36a93e217591d8319e3f041

SHA256
eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc

SHA512
26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
294KB

MD5
b44f3ea702caf5fba20474d4678e67f6

SHA1
d33da22fcd5674123807aaf01123d49a69901e33

SHA256
6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

SHA512
ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

Download Submit
memory/524-116-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/524-109-0x0000000001350000-0x000000000135A000-memory.dmp

Filesize
40KB

Download
memory/524-118-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/524-119-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/1012-430-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/1012-432-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/1012-433-0x0000000001064000-0x0000000001067000-memory.dmp

Filesize
12KB

Download
memory/1012-434-0x000000000106B000-0x00000000010D2000-memory.dmp

Filesize
412KB

Download
memory/1012-429-0x0000000019C20000-0x0000000019F02000-memory.dmp

Filesize
2.9MB

Download
memory/1172-127-0x0000000000EA0000-0x0000000001DCA000-memory.dmp

Filesize
15.2MB

Download
memory/1172-125-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1172-200-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-197-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1304-196-0x00000000023B0000-0x00000000024B0000-memory.dmp

Filesize
1024KB

Download
memory/1392-5-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/1392-206-0x0000000003960000-0x0000000003976000-memory.dmp

Filesize
88KB

Download
memory/1608-181-0x0000000000310000-0x000000000032E000-memory.dmp

Filesize
120KB

Download
memory/1608-191-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/1608-201-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1608-253-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1608-252-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/1608-412-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1688-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1688-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1688-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1688-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1768-459-0x0000000000B10000-0x0000000000B30000-memory.dmp

Filesize
128KB

Download
memory/1948-249-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/1948-248-0x0000000004410000-0x0000000004CFB000-memory.dmp

Filesize
8.9MB

Download
memory/1948-211-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/1948-219-0x0000000004010000-0x0000000004408000-memory.dmp

Filesize
4.0MB

Download
memory/1948-175-0x0000000004410000-0x0000000004CFB000-memory.dmp

Filesize
8.9MB

Download
memory/1948-174-0x0000000004010000-0x0000000004408000-memory.dmp

Filesize
4.0MB

Download
memory/1948-173-0x0000000004010000-0x0000000004408000-memory.dmp

Filesize
4.0MB

Download
memory/1948-186-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/1948-365-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/1948-436-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/1948-251-0x0000000000400000-0x000000000266D000-memory.dmp

Filesize
34.4MB

Download
memory/1980-140-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-203-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1980-136-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1980-202-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2204-422-0x000000000233B000-0x00000000023A2000-memory.dmp

Filesize
412KB

Download
memory/2204-418-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2204-419-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2204-420-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2204-421-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/2240-207-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-195-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-193-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-238-0x000000013FDD0000-0x0000000140371000-memory.dmp

Filesize
5.6MB

Download
memory/2504-438-0x0000000019B50000-0x0000000019E32000-memory.dmp

Filesize
2.9MB

Download
memory/2504-441-0x000000000107B000-0x00000000010E2000-memory.dmp

Filesize
412KB

Download
memory/2504-440-0x0000000001074000-0x0000000001077000-memory.dmp

Filesize
12KB

Download
memory/2504-439-0x000007FEF47F0000-0x000007FEF518D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-374-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-355-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-382-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-383-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2624-192-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-187-0x0000000000E30000-0x0000000001346000-memory.dmp

Filesize
5.1MB

Download
memory/2624-204-0x0000000005130000-0x0000000005170000-memory.dmp

Filesize
256KB

Download
memory/2624-205-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2624-250-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-281-0x0000000005130000-0x0000000005170000-memory.dmp

Filesize
256KB

Download
memory/2624-354-0x00000000009A0000-0x00000000009BC000-memory.dmp

Filesize
112KB

Download
memory/2624-400-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-356-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-380-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-358-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-360-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-362-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-364-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-367-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-378-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-376-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2624-372-0x00000000009A0000-0x00000000009B5000-memory.dmp

Filesize
84KB

Download
memory/2916-410-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-411-0x000000000240B000-0x0000000002472000-memory.dmp

Filesize
412KB

Download
memory/2916-409-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-408-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2916-407-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2916-406-0x000000001B010000-0x000000001B2F2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-157-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2936-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2964-396-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-401-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-425-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-394-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-392-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-390-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-388-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-386-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2964-384-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download