glupteba | beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49

Analysis

max time kernel
75s
max time network
157s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe
Size

1.4MB
MD5

083294a1d606413913a33812f3aea585
SHA1

059b65d957ffcd001c614332a8e7e8637d2570e8
SHA256

beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49
SHA512

06ff53841a5af2535e2ab28b5f3b55fc934aed8f6f718864b77c985d477d41609f331dd315b72964bb4632a3f37ccbedf289b72924d0a0903365a578340173ab
SSDEEP

24576:9ynjVT9YVR+zuXfkHQaMCPYxIFO7Rf5H09UnaXoaqLbwWgtVxRMvNTaWfu21r4nj:YnjVOR+6PkHQhaE09voakg72fjr4n

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

redline

Botnet

LiveTraffic

195.10.205.16:1056

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2728-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2728-31-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2728-33-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2728-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 11 IoCs

resource	yara_rule
behavioral1/memory/4396-1371-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1372-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1376-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1378-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1380-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1384-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1382-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1386-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1388-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1390-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1
behavioral1/memory/4396-1392-0x0000000004F10000-0x0000000004F8D000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral1/memory/1176-121-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba
behavioral1/memory/1176-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1176-202-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1176-435-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1176-436-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba
behavioral1/memory/4388-440-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4388-553-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4388-1051-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4388-1287-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4388-1359-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral1/memory/428-38-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000800000001abe1-531.dat	family_redline
behavioral1/files/0x000800000001abe1-545.dat	family_redline
behavioral1/memory/5072-547-0x0000000000850000-0x000000000086E000-memory.dmp	family_redline
behavioral1/memory/4824-1048-0x0000000000150000-0x000000000018C000-memory.dmp	family_redline
behavioral1/files/0x000a00000001abed-1176.dat	family_redline
behavioral1/files/0x000a00000001abed-1177.dat	family_redline
behavioral1/memory/4808-1327-0x0000000000680000-0x00000000006DA000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001abe1-531.dat	family_sectoprat
behavioral1/files/0x000800000001abe1-545.dat	family_sectoprat
behavioral1/memory/5072-547-0x0000000000850000-0x000000000086E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2904	netsh.exe

.NET Reactor proctector 11 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4396-1371-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1372-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1376-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1378-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1380-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1384-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1382-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1386-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1388-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1390-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor
behavioral1/memory/4396-1392-0x0000000004F10000-0x0000000004F8D000-memory.dmp	net_reactor

Executes dropped EXE 15 IoCs

pid	Process
2716	PL3oJ56.exe
4652	Zj2sO63.exe
4240	Eh8Ly98.exe
4036	3mR86VN.exe
712	4NN141PK.exe
2160	5vw8jh1.exe
4540	6Of7Xl3.exe
1060	7xz8gi11.exe
4528	5F90.exe
4112	InstallSetup5.exe
4544	toolspub2.exe
1176	31839b57a4f11171d6abc8bbc4451ee4.exe
2176	Broom.exe
4116	toolspub2.exe
4388	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PL3oJ56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zj2sO63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Eh8Ly98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 2728	4036	3mR86VN.exe	77
PID 712 set thread context of 428	712	4NN141PK.exe	82
PID 2160 set thread context of 3296	2160	5vw8jh1.exe	85
PID 1060 set thread context of 4840	1060	7xz8gi11.exe	90
PID 4544 set thread context of 4116	4544	toolspub2.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4888	2728	WerFault.exe	77
1020	4808	WerFault.exe	119

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6Of7Xl3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6Of7Xl3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6Of7Xl3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4972	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4540	6Of7Xl3.exe
4540	6Of7Xl3.exe
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4540	6Of7Xl3.exe
4116	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	1176	Process not Found
Token: SeImpersonatePrivilege	1176	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2176	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2716	4232	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe	71
PID 4232 wrote to memory of 2716	4232	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe	71
PID 4232 wrote to memory of 2716	4232	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe	71
PID 2716 wrote to memory of 4652	2716	PL3oJ56.exe	72
PID 2716 wrote to memory of 4652	2716	PL3oJ56.exe	72
PID 2716 wrote to memory of 4652	2716	PL3oJ56.exe	72
PID 4652 wrote to memory of 4240	4652	Zj2sO63.exe	73
PID 4652 wrote to memory of 4240	4652	Zj2sO63.exe	73
PID 4652 wrote to memory of 4240	4652	Zj2sO63.exe	73
PID 4240 wrote to memory of 4036	4240	Eh8Ly98.exe	74
PID 4240 wrote to memory of 4036	4240	Eh8Ly98.exe	74
PID 4240 wrote to memory of 4036	4240	Eh8Ly98.exe	74
PID 4036 wrote to memory of 4384	4036	3mR86VN.exe	76
PID 4036 wrote to memory of 4384	4036	3mR86VN.exe	76
PID 4036 wrote to memory of 4384	4036	3mR86VN.exe	76
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4036 wrote to memory of 2728	4036	3mR86VN.exe	77
PID 4240 wrote to memory of 712	4240	Eh8Ly98.exe	78
PID 4240 wrote to memory of 712	4240	Eh8Ly98.exe	78
PID 4240 wrote to memory of 712	4240	Eh8Ly98.exe	78
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 712 wrote to memory of 428	712	4NN141PK.exe	82
PID 4652 wrote to memory of 2160	4652	Zj2sO63.exe	83
PID 4652 wrote to memory of 2160	4652	Zj2sO63.exe	83
PID 4652 wrote to memory of 2160	4652	Zj2sO63.exe	83
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2160 wrote to memory of 3296	2160	5vw8jh1.exe	85
PID 2716 wrote to memory of 4540	2716	PL3oJ56.exe	86
PID 2716 wrote to memory of 4540	2716	PL3oJ56.exe	86
PID 2716 wrote to memory of 4540	2716	PL3oJ56.exe	86
PID 4232 wrote to memory of 1060	4232	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe	87
PID 4232 wrote to memory of 1060	4232	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe	87
PID 4232 wrote to memory of 1060	4232	beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe	87
PID 1060 wrote to memory of 3316	1060	7xz8gi11.exe	89
PID 1060 wrote to memory of 3316	1060	7xz8gi11.exe	89
PID 1060 wrote to memory of 3316	1060	7xz8gi11.exe	89
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90
PID 1060 wrote to memory of 4840	1060	7xz8gi11.exe	90

C:\Users\Admin\AppData\Local\Temp\beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe
"C:\Users\Admin\AppData\Local\Temp\beff1cda19ab6d934a35b28b24b2ea3acc0d92cf688881c5c97ed85b642b3d49.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PL3oJ56.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PL3oJ56.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj2sO63.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj2sO63.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh8Ly98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh8Ly98.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mR86VN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mR86VN.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4384
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 568
        7⤵
        Program crash
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NN141PK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NN141PK.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5vw8jh1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5vw8jh1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Of7Xl3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Of7Xl3.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xz8gi11.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xz8gi11.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4840

C:\Users\Admin\AppData\Local\Temp\5F90.exe
C:\Users\Admin\AppData\Local\Temp\5F90.exe
1⤵
- Executes dropped EXE
PID:4528
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2176
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4116
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:1176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2748
  - - C:\Windows\System32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:984
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4972
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4220
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4972
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:3852

C:\Users\Admin\AppData\Local\Temp\D359.exe
C:\Users\Admin\AppData\Local\Temp\D359.exe
1⤵
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:4824

C:\Users\Admin\AppData\Local\Temp\D658.exe
C:\Users\Admin\AppData\Local\Temp\D658.exe
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\1E8D.exe
C:\Users\Admin\AppData\Local\Temp\1E8D.exe
1⤵
PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:3516

C:\Users\Admin\AppData\Local\Temp\217C.exe
C:\Users\Admin\AppData\Local\Temp\217C.exe
1⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\29BB.exe
C:\Users\Admin\AppData\Local\Temp\29BB.exe
1⤵
PID:5068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:636

C:\Users\Admin\AppData\Local\Temp\2CD9.exe
C:\Users\Admin\AppData\Local\Temp\2CD9.exe
1⤵
PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 756
  2⤵
  - Program crash
  PID:1020

C:\Users\Admin\AppData\Local\Temp\3035.exe
C:\Users\Admin\AppData\Local\Temp\3035.exe
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E8D.exe

Filesize
15.3MB

MD5
e2d9ea8f72bc239d7372048430301e5e

SHA1
602c740f6497656c7952d65441ea36f623f588cb

SHA256
564ad08d79345be7121e76d778719928ddb37af7208368ca6dfcb703bc7168f4

SHA512
2f1394f494639b74f70238d3c893a99b1faa388a7c0aeb3c114fb09ac5717a7ee703b06e0a3ec1ebac9c0cfdade31951cb47b73e52865f520e2d342330692b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\217C.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\217C.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\29BB.exe

Filesize
4.0MB

MD5
547267d1f4af300668737da9e4979413

SHA1
801ddcf4bf33609da1b2b0f88ebbd5f1107600b4

SHA256
4ecddc16e5b3e808518b5ba17950c04427f9de389259b4027ad76ac5289e0d8a

SHA512
118ddcdce722238ac207cde3053389699b396ba3af796f86140ad6a0072ffe7162ab150d82f8c3d6ca28f49f726c16551bfa5d56a8bec0bbc143092024f24b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\29BB.exe

Filesize
4.0MB

MD5
547267d1f4af300668737da9e4979413

SHA1
801ddcf4bf33609da1b2b0f88ebbd5f1107600b4

SHA256
4ecddc16e5b3e808518b5ba17950c04427f9de389259b4027ad76ac5289e0d8a

SHA512
118ddcdce722238ac207cde3053389699b396ba3af796f86140ad6a0072ffe7162ab150d82f8c3d6ca28f49f726c16551bfa5d56a8bec0bbc143092024f24b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CD9.exe

Filesize
399KB

MD5
1bb7721e9262db1fd4f9b7cedae730b0

SHA1
e0f58302e87d4da8cafc2e6b454e88a2fab005c2

SHA256
bb3ea9c2b4b2523ef2628dd64ec9b2fc2db3eac89d8b315bfdb055fa5a386d13

SHA512
c28d4b0d140938c59fdee4e46fb2cdb1266d375c84d7f470d313b637411f81a19b4a89ec3663a560dea719ac07df1bd6a7c22461f589a4cc06b3a193ff750233

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CD9.exe

Filesize
399KB

MD5
1bb7721e9262db1fd4f9b7cedae730b0

SHA1
e0f58302e87d4da8cafc2e6b454e88a2fab005c2

SHA256
bb3ea9c2b4b2523ef2628dd64ec9b2fc2db3eac89d8b315bfdb055fa5a386d13

SHA512
c28d4b0d140938c59fdee4e46fb2cdb1266d375c84d7f470d313b637411f81a19b4a89ec3663a560dea719ac07df1bd6a7c22461f589a4cc06b3a193ff750233

Download Submit
C:\Users\Admin\AppData\Local\Temp\3035.exe

Filesize
460KB

MD5
17c8b1be1c8c7812785bbb6defd10b87

SHA1
9beeb094b86af6b7d43a144c43b7173c60cebf5d

SHA256
37bdb80672fbdb644974eb46f5b7f8a8a074712f5687cdeb416f15dbe825ab6a

SHA512
6772165edbb4468bc613a0ae59a83f1f27a955bf020a4d144140689175b5b9c1fae76e24ae56fefd438955879525f269a8d4f139ca8de6280986477135897b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3035.exe

Filesize
460KB

MD5
17c8b1be1c8c7812785bbb6defd10b87

SHA1
9beeb094b86af6b7d43a144c43b7173c60cebf5d

SHA256
37bdb80672fbdb644974eb46f5b7f8a8a074712f5687cdeb416f15dbe825ab6a

SHA512
6772165edbb4468bc613a0ae59a83f1f27a955bf020a4d144140689175b5b9c1fae76e24ae56fefd438955879525f269a8d4f139ca8de6280986477135897b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F90.exe

Filesize
6.9MB

MD5
d9921e971523d3f4b1debc3e90e62096

SHA1
22edc25bf24193c00d139e2253ec4c6fb04e6c76

SHA256
cf7afbb776ecb9d56aadbe8b35a2491d92c2eb30cf3b4b121fec74d8d285d88d

SHA512
8f3291b7e9944b437390baa272c2c6bca99678e58fd360c83bdbb9240348baf1efbc3dca26da1b9d570d488bbb598058d8ac48a543da5aefc223794f2639033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F90.exe

Filesize
6.9MB

MD5
d9921e971523d3f4b1debc3e90e62096

SHA1
22edc25bf24193c00d139e2253ec4c6fb04e6c76

SHA256
cf7afbb776ecb9d56aadbe8b35a2491d92c2eb30cf3b4b121fec74d8d285d88d

SHA512
8f3291b7e9944b437390baa272c2c6bca99678e58fd360c83bdbb9240348baf1efbc3dca26da1b9d570d488bbb598058d8ac48a543da5aefc223794f2639033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\D359.exe

Filesize
18.0MB

MD5
95357230a99689a58f8d89c1acdc6bf2

SHA1
f89ed22d1139d2d5049d09db778702b40f466b4d

SHA256
8f572436d4a7b8ea6f2a3e0cb987fb609afb575133d706938c9fd4b4a3117d2d

SHA512
4e5311c2a6ab8810b26400b7d478b7241ed376dfe8212919a3e6925fad86de5d9c336dbec8456f3c7d56e124ae3547fa492a6a95a0d8ba9414fb72c99d8f7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\D359.exe

Filesize
18.0MB

MD5
95357230a99689a58f8d89c1acdc6bf2

SHA1
f89ed22d1139d2d5049d09db778702b40f466b4d

SHA256
8f572436d4a7b8ea6f2a3e0cb987fb609afb575133d706938c9fd4b4a3117d2d

SHA512
4e5311c2a6ab8810b26400b7d478b7241ed376dfe8212919a3e6925fad86de5d9c336dbec8456f3c7d56e124ae3547fa492a6a95a0d8ba9414fb72c99d8f7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\D658.exe

Filesize
95KB

MD5
a2687e610dad6bcf4359bf2a5953e10a

SHA1
8320fd92e757ab42f8429a9e3b43dec909add268

SHA256
439cc980ba48e5f62a043f0e923221e90a58bb20812b48569a223a562ade571a

SHA512
b16e6a6453ae5d18461aba546436f038070a4708116c0079cae27c9a9113efe61a750b8547f2911615cd07b350b9d857c474c4b3407093aec40ada71b2e76adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D658.exe

Filesize
95KB

MD5
a2687e610dad6bcf4359bf2a5953e10a

SHA1
8320fd92e757ab42f8429a9e3b43dec909add268

SHA256
439cc980ba48e5f62a043f0e923221e90a58bb20812b48569a223a562ade571a

SHA512
b16e6a6453ae5d18461aba546436f038070a4708116c0079cae27c9a9113efe61a750b8547f2911615cd07b350b9d857c474c4b3407093aec40ada71b2e76adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xz8gi11.exe

Filesize
717KB

MD5
df3f6aaad5f353b395b567fd7c6e5076

SHA1
1916ade9d9bd302270e0877cd27f45971863b123

SHA256
0e8085d0f25d4a563097dc688f4870ffe1e6621d59917a391461dd3c1566ad5a

SHA512
637f605c5b0d0aa3eb4425a1dde3fb6c6d568a5e5e0c690fcb659aa3c2b610df99e9825634e26f6c7019402062f2d8c84b67679ec861d499c47a55e65ef09e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7xz8gi11.exe

Filesize
717KB

MD5
df3f6aaad5f353b395b567fd7c6e5076

SHA1
1916ade9d9bd302270e0877cd27f45971863b123

SHA256
0e8085d0f25d4a563097dc688f4870ffe1e6621d59917a391461dd3c1566ad5a

SHA512
637f605c5b0d0aa3eb4425a1dde3fb6c6d568a5e5e0c690fcb659aa3c2b610df99e9825634e26f6c7019402062f2d8c84b67679ec861d499c47a55e65ef09e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PL3oJ56.exe

Filesize
1006KB

MD5
4ecdde3da61d22a38d76f2c1f86b3f0c

SHA1
24c10843df6d0de467dda8f89ef24c2ddab88888

SHA256
c703fbc7557671fd67b2dbf229288c19bffd403d666db06043000ae7aef70f25

SHA512
c6d26a24f3b63285faacc91e7498fcfdd7577f73887c111803c4cafcd266efe57c1a88c9d792e1af02ea614e1ac80eb0ebddb12bd921cf779225a23164f86f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PL3oJ56.exe

Filesize
1006KB

MD5
4ecdde3da61d22a38d76f2c1f86b3f0c

SHA1
24c10843df6d0de467dda8f89ef24c2ddab88888

SHA256
c703fbc7557671fd67b2dbf229288c19bffd403d666db06043000ae7aef70f25

SHA512
c6d26a24f3b63285faacc91e7498fcfdd7577f73887c111803c4cafcd266efe57c1a88c9d792e1af02ea614e1ac80eb0ebddb12bd921cf779225a23164f86f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Of7Xl3.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Of7Xl3.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj2sO63.exe

Filesize
881KB

MD5
ea915b5ffbe2a1d01909094a2e009541

SHA1
4e6ffa3c383b4ce801a3e2b8c578049212bc1256

SHA256
bceb0f0994a05d15b83173983c914e978271f2b5924165e10d285f00ad29a66d

SHA512
49c85e3b33f94a217f455f8f047012554712bcf57f0e85265ea1d46f2a9011a133ee1cd7f7d906be0ba86221ed66f648c29674516ec34792257b176aea71c402

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zj2sO63.exe

Filesize
881KB

MD5
ea915b5ffbe2a1d01909094a2e009541

SHA1
4e6ffa3c383b4ce801a3e2b8c578049212bc1256

SHA256
bceb0f0994a05d15b83173983c914e978271f2b5924165e10d285f00ad29a66d

SHA512
49c85e3b33f94a217f455f8f047012554712bcf57f0e85265ea1d46f2a9011a133ee1cd7f7d906be0ba86221ed66f648c29674516ec34792257b176aea71c402

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5vw8jh1.exe

Filesize
717KB

MD5
d6b22f77b94892d4365b3f998bfd72c7

SHA1
730e5ddccd3eebbc7a5892aab11ebc8b2767786e

SHA256
e71b8e3c5bda70d2485dbac558709e27f19f2611a02cbb13b5f39f918836140d

SHA512
89b8654585e005c4541f46da37135895b31a420c12c8b2b564e3f60578c6575a99ad3691192cb8ea087ae98f1e53ff3232413a35e428914033df791ac1c3d7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5vw8jh1.exe

Filesize
717KB

MD5
d6b22f77b94892d4365b3f998bfd72c7

SHA1
730e5ddccd3eebbc7a5892aab11ebc8b2767786e

SHA256
e71b8e3c5bda70d2485dbac558709e27f19f2611a02cbb13b5f39f918836140d

SHA512
89b8654585e005c4541f46da37135895b31a420c12c8b2b564e3f60578c6575a99ad3691192cb8ea087ae98f1e53ff3232413a35e428914033df791ac1c3d7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5vw8jh1.exe

Filesize
717KB

MD5
d6b22f77b94892d4365b3f998bfd72c7

SHA1
730e5ddccd3eebbc7a5892aab11ebc8b2767786e

SHA256
e71b8e3c5bda70d2485dbac558709e27f19f2611a02cbb13b5f39f918836140d

SHA512
89b8654585e005c4541f46da37135895b31a420c12c8b2b564e3f60578c6575a99ad3691192cb8ea087ae98f1e53ff3232413a35e428914033df791ac1c3d7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh8Ly98.exe

Filesize
420KB

MD5
1791e16f3bb0ad499e7ba57babb71009

SHA1
f26ba0032f6217d46d0bf141136f5202e815fd6b

SHA256
1f3f97f02cd06819c4f466fc6194971a10bcb5af42220f0422067001332c7bdd

SHA512
d12403da961f080b9c739571f1a077b359c4b977b2f3360ff1621a9d62c38e923e870a8c8698111eccc40b907a4deddc117485b4fce546979fdbeab0bd9fc3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eh8Ly98.exe

Filesize
420KB

MD5
1791e16f3bb0ad499e7ba57babb71009

SHA1
f26ba0032f6217d46d0bf141136f5202e815fd6b

SHA256
1f3f97f02cd06819c4f466fc6194971a10bcb5af42220f0422067001332c7bdd

SHA512
d12403da961f080b9c739571f1a077b359c4b977b2f3360ff1621a9d62c38e923e870a8c8698111eccc40b907a4deddc117485b4fce546979fdbeab0bd9fc3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mR86VN.exe

Filesize
369KB

MD5
fc106f064e33ce21ed9060ab41134631

SHA1
b35604e7db0dc3b38c3a39d22d545f17aa7f91ab

SHA256
69ebafbc52384579a3217f362d27f2873d61296daf1c588dbb4c6a379357fbe8

SHA512
1b1ddacb30c634a20a49e4d62e7bc814462df758699c7631a355163173ba856e94fd4b782cde8861b1cd8f42e993002ba17900aafb88b4fc8268774457809e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3mR86VN.exe

Filesize
369KB

MD5
fc106f064e33ce21ed9060ab41134631

SHA1
b35604e7db0dc3b38c3a39d22d545f17aa7f91ab

SHA256
69ebafbc52384579a3217f362d27f2873d61296daf1c588dbb4c6a379357fbe8

SHA512
1b1ddacb30c634a20a49e4d62e7bc814462df758699c7631a355163173ba856e94fd4b782cde8861b1cd8f42e993002ba17900aafb88b4fc8268774457809e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NN141PK.exe

Filesize
408KB

MD5
cda13dd7e3cb0f9f9a841b9cea261685

SHA1
6bf7e6390d548bff06a1941dba91870217b4d958

SHA256
5905fdf21c43ba6a167a124c40c99fcbe0f4e168b15c9794c9625df582609a7d

SHA512
1ec722843e13b314afc510d8b20e670e4ca3b9da97e24c54cada25c55fe56b8fa617ada9bb2730d24be856a6387a44f410a34122b6627dd98a752f781bd9cadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NN141PK.exe

Filesize
408KB

MD5
cda13dd7e3cb0f9f9a841b9cea261685

SHA1
6bf7e6390d548bff06a1941dba91870217b4d958

SHA256
5905fdf21c43ba6a167a124c40c99fcbe0f4e168b15c9794c9625df582609a7d

SHA512
1ec722843e13b314afc510d8b20e670e4ca3b9da97e24c54cada25c55fe56b8fa617ada9bb2730d24be856a6387a44f410a34122b6627dd98a752f781bd9cadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrvdy0rb.klg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA71.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA87.tmp

Filesize
92KB

MD5
843933002e97a0ed13a5842ff69162e7

SHA1
78c28c8cf61ad98c9dce2855d27af25c2cb0254c

SHA256
1976c8cf1ab2fd32680f25be2b7b5d7c8ae5780948024cafbbdde28e25cdf31c

SHA512
77c82c3cc8dc7dccb2e59670b35539fda008ed002624125126558116697f07862cdce4489e581b6a2bf5e61bc5f0fd93d8adcd2370556dd053649c4ab2b0ebdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAC2.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Roaming\auijgst

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
80ea6ed9a5939c3c25087498fa236f2a

SHA1
cdd0da55d770daedc514521e501425c89daa86e7

SHA256
2dd3a65b9c5d72e07a67abae37a1628f96c052ccc93a66fcfae5ef83583c2280

SHA512
eee5177915214d48bc08a749ea91827fec41ca110fe342ed21e84a11ee424492874f0cb21278185894bbab9188f5fc9ba7aea6a728488298ef08202aecf72ea2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
c4d60cb03991f0c0c24e602240916826

SHA1
f80363dd0eb8da245abadf5d9a9aa404e0ef6834

SHA256
cdc63f1388b3bb52b1bfac7c804fc83c728491e84325f6b115a9e6f6f1aeb6e8

SHA512
f79465fa5b79530f5829a88e819a294295af71809824deb2c515eb2bd4da9e6c915b0efaf043fd420e6738a24e42d6924a809f6f1923e2f67e98a1cc9b89b20f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a3ccbb5d9a2ec9e34fa064da1cbc2c5c

SHA1
53d732cf7a5a59801b9d8fbc58561818b42c4ffb

SHA256
881c8ae7c1cb0b631aaba14b129fbdd6ca230d7b7784b58bb41c719d37e4ec8e

SHA512
ce3ee359e954772d7c3293cdb883ad33a7fbc134c11e901b22c78c1d2edaf0a790b62938161a00769c925e1ff1be453ea65a0363bf4f803fb4fc7030eb0be6e1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
32f404ed58912e8c1cae40bfc9db4089

SHA1
8c8e5c68d6c9b71db1aed23a9333d27ef5b98438

SHA256
e54f386962f46222a50c659eedf83014c484ed8183c29c868db984825759cdb0

SHA512
703b3f8e98680bbad8ba460c76a4ab0ec08862246892da89d0395eb9e116bdcf6d30cf6c4a3e56a3178bcc17ea0445b12f44d4c0922df8b0f1579f363fbc26f4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f825f225f60ebe68c00e07e53a89449e

SHA1
3e20daeffe2b2713dc47ba0bc41caf2e98895d0e

SHA256
e37ea0618601ea3836d5ce8bd7208cf479ba3249baf47428bfdbe693e64eae3e

SHA512
88f1ee973652b215dcd1514c0df81c6c1986c3d9870ca181225c50081c8bddb83c60e6f184dcd71b44d69abd347a5605e30cb36ccb0e3096d814743b5249e5c8

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
\Users\Admin\AppData\Local\Temp\2CD9.exe

Filesize
399KB

MD5
1bb7721e9262db1fd4f9b7cedae730b0

SHA1
e0f58302e87d4da8cafc2e6b454e88a2fab005c2

SHA256
bb3ea9c2b4b2523ef2628dd64ec9b2fc2db3eac89d8b315bfdb055fa5a386d13

SHA512
c28d4b0d140938c59fdee4e46fb2cdb1266d375c84d7f470d313b637411f81a19b4a89ec3663a560dea719ac07df1bd6a7c22461f589a4cc06b3a193ff750233

Download Submit
\Users\Admin\AppData\Local\Temp\2CD9.exe

Filesize
399KB

MD5
1bb7721e9262db1fd4f9b7cedae730b0

SHA1
e0f58302e87d4da8cafc2e6b454e88a2fab005c2

SHA256
bb3ea9c2b4b2523ef2628dd64ec9b2fc2db3eac89d8b315bfdb055fa5a386d13

SHA512
c28d4b0d140938c59fdee4e46fb2cdb1266d375c84d7f470d313b637411f81a19b4a89ec3663a560dea719ac07df1bd6a7c22461f589a4cc06b3a193ff750233

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/428-46-0x000000000B7A0000-0x000000000BC9E000-memory.dmp

Filesize
5.0MB

Download
memory/428-52-0x000000000B2E0000-0x000000000B31E000-memory.dmp

Filesize
248KB

Download
memory/428-80-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/428-53-0x000000000B4A0000-0x000000000B4EB000-memory.dmp

Filesize
300KB

Download
memory/428-49-0x000000000C2B0000-0x000000000C8B6000-memory.dmp

Filesize
6.0MB

Download
memory/428-48-0x0000000006710000-0x000000000671A000-memory.dmp

Filesize
40KB

Download
memory/428-50-0x000000000B630000-0x000000000B73A000-memory.dmp

Filesize
1.0MB

Download
memory/428-51-0x0000000008EF0000-0x0000000008F02000-memory.dmp

Filesize
72KB

Download
memory/428-47-0x000000000B340000-0x000000000B3D2000-memory.dmp

Filesize
584KB

Download
memory/428-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-45-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/1176-120-0x0000000002A60000-0x0000000002E60000-memory.dmp

Filesize
4.0MB

Download
memory/1176-436-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download
memory/1176-435-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1176-122-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1176-121-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download
memory/1176-431-0x0000000002A60000-0x0000000002E60000-memory.dmp

Filesize
4.0MB

Download
memory/1176-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1808-207-0x000000006BF00000-0x000000006C250000-memory.dmp

Filesize
3.3MB

Download
memory/1808-215-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1808-203-0x000000000A110000-0x000000000A143000-memory.dmp

Filesize
204KB

Download
memory/1808-205-0x000000006D5C0000-0x000000006D60B000-memory.dmp

Filesize
300KB

Download
memory/1808-193-0x0000000009360000-0x00000000093D6000-memory.dmp

Filesize
472KB

Download
memory/1808-206-0x000000007F3F0000-0x000000007F400000-memory.dmp

Filesize
64KB

Download
memory/1808-208-0x000000000A0D0000-0x000000000A0EE000-memory.dmp

Filesize
120KB

Download
memory/1808-158-0x0000000007010000-0x000000000704C000-memory.dmp

Filesize
240KB

Download
memory/1808-213-0x000000000A150000-0x000000000A1F5000-memory.dmp

Filesize
660KB

Download
memory/1808-131-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/1808-216-0x000000000A350000-0x000000000A3E4000-memory.dmp

Filesize
592KB

Download
memory/1808-130-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/1808-409-0x000000000A220000-0x000000000A23A000-memory.dmp

Filesize
104KB

Download
memory/1808-414-0x000000000A210000-0x000000000A218000-memory.dmp

Filesize
32KB

Download
memory/1808-132-0x00000000074A0000-0x0000000007506000-memory.dmp

Filesize
408KB

Download
memory/1808-433-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-129-0x0000000007580000-0x0000000007BA8000-memory.dmp

Filesize
6.2MB

Download
memory/1808-134-0x0000000008150000-0x000000000816C000-memory.dmp

Filesize
112KB

Download
memory/1808-133-0x0000000007D20000-0x0000000008070000-memory.dmp

Filesize
3.3MB

Download
memory/1808-128-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1808-127-0x0000000004C90000-0x0000000004CC6000-memory.dmp

Filesize
216KB

Download
memory/1808-126-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1808-125-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-1049-0x00007FF7895F0000-0x00007FF78A866000-memory.dmp

Filesize
18.5MB

Download
memory/2176-112-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2176-204-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2176-1285-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2176-438-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2176-214-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2728-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-444-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/2748-445-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/2748-443-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-473-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/2748-446-0x0000000008380000-0x00000000086D0000-memory.dmp

Filesize
3.3MB

Download
memory/2748-465-0x000000007F320000-0x000000007F330000-memory.dmp

Filesize
64KB

Download
memory/2748-702-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-472-0x0000000009D50000-0x0000000009DF5000-memory.dmp

Filesize
660KB

Download
memory/2748-466-0x000000006D5C0000-0x000000006D60B000-memory.dmp

Filesize
300KB

Download
memory/2748-467-0x000000006BF80000-0x000000006C2D0000-memory.dmp

Filesize
3.3MB

Download
memory/3264-67-0x00000000010F0000-0x0000000001106000-memory.dmp

Filesize
88KB

Download
memory/3264-145-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/3296-66-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3296-63-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3296-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3296-62-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4116-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4116-146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4116-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4388-1051-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4388-553-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4388-706-0x00000000029D0000-0x0000000002DD2000-memory.dmp

Filesize
4.0MB

Download
memory/4388-1359-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4388-440-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4388-1287-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4388-439-0x00000000029D0000-0x0000000002DD2000-memory.dmp

Filesize
4.0MB

Download
memory/4396-1380-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1390-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1392-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1388-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1386-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1382-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1384-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1378-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1376-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1372-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4396-1371-0x0000000004F10000-0x0000000004F8D000-memory.dmp

Filesize
500KB

Download
memory/4528-90-0x0000000000980000-0x0000000001066000-memory.dmp

Filesize
6.9MB

Download
memory/4528-91-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/4528-111-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/4540-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4540-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4544-116-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/4544-115-0x0000000000A90000-0x0000000000B90000-memory.dmp

Filesize
1024KB

Download
memory/4808-1327-0x0000000000680000-0x00000000006DA000-memory.dmp

Filesize
360KB

Download
memory/4824-1048-0x0000000000150000-0x000000000018C000-memory.dmp

Filesize
240KB

Download
memory/4840-82-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4840-81-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4840-83-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4840-85-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/5072-554-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/5072-549-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/5072-547-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download