4f1c64f9a718df8014428ebfa1222183700c91b1c7f3a431f66bbcbb357a8574

Analysis

max time kernel
82s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KerbalSpaceProgram Turkce Yama Kurulumu.exe
Size

67.1MB
MD5

93530a9714f6b721ba45fbf82fb36c4e
SHA1

7fa1dc079004c8acd6d3a2c53ac9fba4dbfb11d5
SHA256

4f1c64f9a718df8014428ebfa1222183700c91b1c7f3a431f66bbcbb357a8574
SHA512

011e81762215bea51bb6b4295d3a8a36bde93c8cc845bab66b3ce7e475eadc19d0de164b0289e0e5c17454cb4a7bb0884a07aa4252d1322679be36a11ef2f234
SSDEEP

1572864:eGlqhpZDckekSjofjyjsUSnSTt2mjN6LIFTtAmriZn0:ZlqzpakSjobmsUQC0mjN6Qbs0

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableAntiSpyware = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	KerbalSpaceProgram Turkce Yama Kurulumu.exe

Loads dropped DLL 17 IoCs

pid	Process
3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4656	MsiExec.exe
4656	MsiExec.exe
4656	MsiExec.exe
4656	MsiExec.exe
4656	MsiExec.exe
4656	MsiExec.exe
3148	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\Q:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\S:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\B:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\P:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\V:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\Y:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\J:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\I:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\W:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\T:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\U:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\O:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\S:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\R:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\K:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\L:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\G:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\O:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\A:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\L:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\Z:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\U:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\M:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\A:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\T:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\Y:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\H:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\J:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\N:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\P:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\G:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\W:	KerbalSpaceProgram Turkce Yama Kurulumu.exe
File opened (read-only)	\??\X:	KerbalSpaceProgram Turkce Yama Kurulumu.exe

AutoIT Executable 22 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4572-178-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/4572-179-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/4572-180-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/4572-181-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/4572-213-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/3348-220-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3348-223-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3348-226-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/2100-228-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/3348-229-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/2100-230-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/2100-232-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/2100-233-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/3348-248-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/2100-249-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp	autoit_exe
behavioral2/memory/3348-255-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3784-258-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3784-261-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3784-265-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3784-268-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3784-311-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe
behavioral2/memory/3784-320-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp	autoit_exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\config_data.dll	msiexec.exe
File created	C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIABE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA343.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA89.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a12d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a12d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Task.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\{3F9B5A3D-F4FB-4312-8194-E70CF3C54089}\Launcher.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA295.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA4A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3F9B5A3D-F4FB-4312-8194-E70CF3C54089}	msiexec.exe
File created	C:\Windows\DotNetZip.dll	msiexec.exe
File created	C:\Windows\Installer\{3F9B5A3D-F4FB-4312-8194-E70CF3C54089}\Launcher.exe	msiexec.exe
File created	C:\Windows\Installer\e58a12f.msi	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1476	sc.exe
1528	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e177523499fd9a390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e17752340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e1775234000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de1775234000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e177523400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1428	timeout.exe
448	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4028	msiexec.exe
4028	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4028	msiexec.exe
Token: SeCreateTokenPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeAssignPrimaryTokenPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeLockMemoryPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeIncreaseQuotaPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeMachineAccountPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeTcbPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSecurityPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeTakeOwnershipPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeLoadDriverPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSystemProfilePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSystemtimePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeProfSingleProcessPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeIncBasePriorityPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreatePagefilePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreatePermanentPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeBackupPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeRestorePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeShutdownPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeDebugPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeAuditPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSystemEnvironmentPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeChangeNotifyPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeRemoteShutdownPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeUndockPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSyncAgentPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeEnableDelegationPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeManageVolumePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeImpersonatePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreateGlobalPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreateTokenPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeAssignPrimaryTokenPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeLockMemoryPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeIncreaseQuotaPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeMachineAccountPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeTcbPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSecurityPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeTakeOwnershipPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeLoadDriverPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSystemProfilePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSystemtimePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeProfSingleProcessPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeIncBasePriorityPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreatePagefilePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreatePermanentPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeBackupPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeRestorePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeShutdownPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeDebugPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeAuditPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSystemEnvironmentPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeChangeNotifyPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeRemoteShutdownPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeUndockPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeSyncAgentPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeEnableDelegationPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeManageVolumePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeImpersonatePrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreateGlobalPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeCreateTokenPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeAssignPrimaryTokenPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeLockMemoryPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeIncreaseQuotaPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
Token: SeMachineAccountPrivilege	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe
3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4300	4028	msiexec.exe	93
PID 4028 wrote to memory of 4300	4028	msiexec.exe	93
PID 4028 wrote to memory of 4300	4028	msiexec.exe	93
PID 3752 wrote to memory of 5112	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe	103
PID 3752 wrote to memory of 5112	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe	103
PID 3752 wrote to memory of 5112	3752	KerbalSpaceProgram Turkce Yama Kurulumu.exe	103
PID 4028 wrote to memory of 2060	4028	msiexec.exe	114
PID 4028 wrote to memory of 2060	4028	msiexec.exe	114
PID 4028 wrote to memory of 4656	4028	msiexec.exe	117
PID 4028 wrote to memory of 4656	4028	msiexec.exe	117
PID 4028 wrote to memory of 4656	4028	msiexec.exe	117
PID 4028 wrote to memory of 3148	4028	msiexec.exe	118
PID 4028 wrote to memory of 3148	4028	msiexec.exe	118
PID 4028 wrote to memory of 3148	4028	msiexec.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4732	attrib.exe
4456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\KerbalSpaceProgram Turkce Yama Kurulumu.exe
"C:\Users\Admin\AppData\Local\Temp\KerbalSpaceProgram Turkce Yama Kurulumu.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\KerbalSpaceProgram Turkce Yama Kurulumu.exe
  "C:\Users\Admin\AppData\Local\Temp\KerbalSpaceProgram Turkce Yama Kurulumu.exe" /i C:\Users\Admin\AppData\Local\Temp\{61C2C8B7-51C7-423E-A9EE-F57CA8F5BF75}\deneme.back.msi AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama" SECONDSEQUENCE="1" CLIENTPROCESSID="3752" CHAINERUIPROCESSID="3752Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" TRANSFORMS=":1033" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\KerbalSpaceProgram Turkce Yama Kurulumu.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1699766622 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\KerbalSpaceProgram Turkce Yama Kurulumu.exe" TARGETDIR="C:\" AI_INSTALL="1"
  2⤵
  - Enumerates connected drives
  PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXECFEA.bat" "
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\AIE7D7D.tmp"
    3⤵
    - Views/modifies file attributes
    PID:4732
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXECFEA.bat"
    3⤵
    - Views/modifies file attributes
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXECFEA.bat" "
    3⤵
    PID:4464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies Windows Defender Real-time Protection settings
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D81D5575E394DD316B51EC5B92A5430F C
  2⤵
  - Loads dropped DLL
  PID:4300
- - C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe
    "C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe"
    3⤵
    PID:4572
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c sc start trustedinstaller
      4⤵
      PID:3292
    - - C:\Windows\system32\sc.exe
        
        sc start trustedinstaller
        5⤵
        Launches sc.exe
        
        PID:1476
  - - C:\Windows\rft64.exe
      C:\Windows\rft64.exe trustedinstaller.exe 1 powershell.exe
      4⤵
      PID:3348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name 'C:\Windows' -PropertyType DWORD -Value 0
        5⤵
        
        PID:2196
    - - C:\Windows\WMK.exe
        
        C:\Windows\WMK.exe
        5⤵
        
        PID:2968
      - C:\Windows\System32\shutdown.exe
        
        "C:\Windows\System32\shutdown.exe" /r /t 0 /f
        6⤵
        
        PID:4756
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c TimeOut 1 & Del /F "C:\Windows\rft64.exe"
        5⤵
        
        PID:3428
      - C:\Windows\system32\timeout.exe
        
        TimeOut 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1428
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7CF5B6BEF33BFB957DD0DAFE757A9248
  2⤵
  - Loads dropped DLL
  PID:4656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E439937E8729686323E33818386E9AF4 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2832

C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe
"C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe"
1⤵
PID:2100
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc start trustedinstaller
  2⤵
  PID:2056
- - C:\Windows\system32\sc.exe
    sc start trustedinstaller
    3⤵
    - Launches sc.exe
    PID:1528
- C:\Windows\rft64.exe
  C:\Windows\rft64.exe trustedinstaller.exe 1 powershell.exe
  2⤵
  PID:3784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name 'C:\Windows' -PropertyType DWORD -Value 0
    3⤵
    PID:4868
- - C:\Windows\WMK.exe
    C:\Windows\WMK.exe
    3⤵
    PID:3300
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c TimeOut 1 & Del /F "C:\Windows\rft64.exe"
    3⤵
    PID:3260
  - - C:\Windows\system32\timeout.exe
      TimeOut 1
      4⤵
      Delays execution with timeout.exe
      PID:448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3926855 /state1:0x41c64e6d
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a12e.rbs

Filesize
12KB

MD5
a7fc19f5ff2f699fa1f45313b37d793e

SHA1
e7de4f19d64754ca2bd076f7a7f1415b884f18bd

SHA256
cedfeb87ae9f1172f721bc30e139a5393fefa59c02b32f2fe256c1249d30c396

SHA512
8690daa1638c73e37f55826619726bb991191c2eaa3978cedc80ca4cf94cf7fcd113c2b00d67307e68bd1af87ac98ca9b56de3d7ee780e24ce860f15b570c979

Download Submit
C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe

Filesize
15.4MB

MD5
cf29f092eb7d654a73236a8becbc36f6

SHA1
e3cc40bfd4ec178a0285a9f8cd652f88c89eefcf

SHA256
44ea5818829a2a9c69274cfdcde623466f0734dd907dd2e2273256c48d27e761

SHA512
da36e9ff4b0c0db12c4747c6108aa46ad5c3ae49ac1dc6021824562bf6391dc77fd815e42a315b908a677507e9eece9c03bc09027e733d12457b56e5741a1ac8

Download Submit
C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe

Filesize
15.4MB

MD5
cf29f092eb7d654a73236a8becbc36f6

SHA1
e3cc40bfd4ec178a0285a9f8cd652f88c89eefcf

SHA256
44ea5818829a2a9c69274cfdcde623466f0734dd907dd2e2273256c48d27e761

SHA512
da36e9ff4b0c0db12c4747c6108aa46ad5c3ae49ac1dc6021824562bf6391dc77fd815e42a315b908a677507e9eece9c03bc09027e733d12457b56e5741a1ac8

Download Submit
C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\Launcher.exe

Filesize
15.4MB

MD5
cf29f092eb7d654a73236a8becbc36f6

SHA1
e3cc40bfd4ec178a0285a9f8cd652f88c89eefcf

SHA256
44ea5818829a2a9c69274cfdcde623466f0734dd907dd2e2273256c48d27e761

SHA512
da36e9ff4b0c0db12c4747c6108aa46ad5c3ae49ac1dc6021824562bf6391dc77fd815e42a315b908a677507e9eece9c03bc09027e733d12457b56e5741a1ac8

Download Submit
C:\Program Files (x86)\KSPCeviri\Kerbal Space Program Türkçe Yama\config_data.dll

Filesize
21B

MD5
e3e38da1bfb9bc09b3516819cb856b5c

SHA1
05c16bc56e0ded751e2e65507068fd8884709785

SHA256
145eeff89e9231058eec20405e9e17eac807fbac11fbff1158b5d92bdfe5d656

SHA512
ac7255e30acae4c659f8d9f55f543aeb6b0e78dee17118b3d353ee58630e5c69b65c99f681b25bb48100c667ff33f96f317d9ee854086c2e7e9c83b6e6c504bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE7D7D.tmp

Filesize
1.5MB

MD5
5f88312d034a455a46172c0ff94b90b4

SHA1
4971d18b5fb0a2f8fa3d36045c760e118d34752e

SHA256
d4655892ed32fba14027927cf26b4b58647cc924cd40386e80bd63dcb35e8197

SHA512
393430c68b4eadd5f81447f2deaf2f0e6e338b325e1b54079fa1ea14b1bcc7180cdd6e44678c4e4e26a2cabc095a805d8258bf3f2b664fe24dcd154e1e60b60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE7D7D.tmp

Filesize
1.5MB

MD5
5f88312d034a455a46172c0ff94b90b4

SHA1
4971d18b5fb0a2f8fa3d36045c760e118d34752e

SHA256
d4655892ed32fba14027927cf26b4b58647cc924cd40386e80bd63dcb35e8197

SHA512
393430c68b4eadd5f81447f2deaf2f0e6e338b325e1b54079fa1ea14b1bcc7180cdd6e44678c4e4e26a2cabc095a805d8258bf3f2b664fe24dcd154e1e60b60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE7D7D.tmp

Filesize
1.6MB

MD5
499d6b53b1665514aa79c7e9dc878832

SHA1
939945c71d6418a65094a29b6d807f8052ed24a4

SHA256
ec869c907c75a98377b4fc0eb80af5c100421dc49902a8f68fad1e4c3b2c5ec8

SHA512
4a88186475caa3556ac18d8c3eb0ce437411a1e9eee82aecde835c724d89dfaeaf03e7554f62e486f4f97dfa76af317b53e08fbc61225292a2a729188215f9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3752\banner

Filesize
2KB

MD5
ce1143e3563de4e200ba7f4953b3807b

SHA1
d3d4522a4bdcb68672047eb7b830cde532ef34a6

SHA256
a5eefaca044b04460a1ced5fec2229545edf85f01e1d6673e6e14d06b3108c2d

SHA512
c2fd5457d1a0b67f62d6f6d789d906702fe943e11c6e05a9fe77c2d633c347229f90444dcc78104311f90cd9f868b867940c84f28952a92a7b3fd98e6fd9b166

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3752\dialog

Filesize
11KB

MD5
553df955cb4b2e7be5cef99cb8ec9254

SHA1
370c2f61e886e53d8faf9537040daaafed330137

SHA256
f1fcb09df932aef09b24eea796286ceaedcbceccd4d8f4536345163c4d3d9ff7

SHA512
d31d4fc9080c794901b9fa3d3aec998a1b274f4c11c02362b30d2fbaf013b877198b08bb6d96fda68c7e9e329740090609a7d65249bc7e6209ace24fcfe3c34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECFEA.bat

Filesize
369B

MD5
e405ff7e744cd9294e8c4ae3b241d1fa

SHA1
6899377269a65b763aaa1545c6e0b40a144f7a2b

SHA256
4fd8792f6c8feeac38c8f04d12fa25f64067ba4d160a01d54a288681b609214e

SHA512
f98bc66281f541a7f87cdfbd216e525fec599151a493bf7cb9eb5f5267135ef66970ec5223f6cd3b073358e01e5478797ac62a518787ad2e5214798ce10ca366

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8128.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8128.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI82CF.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI82CF.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI833E.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI833E.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI833E.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI835E.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI835E.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI841A.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI841A.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8469.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8469.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8536.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8536.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8575.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8575.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3A5.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3A5.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3E5.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3E5.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiED00.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{61C2C8B7-51C7-423E-A9EE-F57CA8F5BF75}\1033.dll

Filesize
162KB

MD5
b4f850a62de085524b026549acbe5571

SHA1
e81b3c4050e888e5556be64bbf2f53eeb75b2982

SHA256
fd1fb22420abf616082c3606d76b2d7b3c500ca73ec2f893ebd7ce5f98499e18

SHA512
d5c4f0d5fdddc9c7631a90237f3bb84348e5b9e201824d0c65cf9881f95fee70768f2f4c55b262cba44c20eba3e120105d513d7a838619344fddb763c96486b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{61C2C8B7-51C7-423E-A9EE-F57CA8F5BF75}\1033.dll

Filesize
162KB

MD5
b4f850a62de085524b026549acbe5571

SHA1
e81b3c4050e888e5556be64bbf2f53eeb75b2982

SHA256
fd1fb22420abf616082c3606d76b2d7b3c500ca73ec2f893ebd7ce5f98499e18

SHA512
d5c4f0d5fdddc9c7631a90237f3bb84348e5b9e201824d0c65cf9881f95fee70768f2f4c55b262cba44c20eba3e120105d513d7a838619344fddb763c96486b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{61C2C8B7-51C7-423E-A9EE-F57CA8F5BF75}\1033.dll

Filesize
162KB

MD5
b4f850a62de085524b026549acbe5571

SHA1
e81b3c4050e888e5556be64bbf2f53eeb75b2982

SHA256
fd1fb22420abf616082c3606d76b2d7b3c500ca73ec2f893ebd7ce5f98499e18

SHA512
d5c4f0d5fdddc9c7631a90237f3bb84348e5b9e201824d0c65cf9881f95fee70768f2f4c55b262cba44c20eba3e120105d513d7a838619344fddb763c96486b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{61C2C8B7-51C7-423E-A9EE-F57CA8F5BF75}\deneme.back.msi

Filesize
1.5MB

MD5
500c824b3862d7caadaf7bf1ab51803a

SHA1
dddaf7467c10ae206bd8b213ce2ca8216b3183cb

SHA256
4ec1e2a5d24aa742761dd67660907ecb320dbf0db7f5d1b092322c5ee4d5dfb8

SHA512
475b0ff7d157bf87ed509c6a3e968530779afb054155fd64c8351e2def021a8a12615e0cbd99cf7b0d2b8490cd8e8d1f9196af15124840da845c6411e4b8a16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{61C2C8B7-51C7-423E-A9EE-F57CA8F5BF75}\deneme.back1.cab

Filesize
15.3MB

MD5
bc8f50573a55f12b2d364eeea316b445

SHA1
2924a75897819f965b9ebf3715f2c74ccb576cfb

SHA256
786a97ab6626b952ec69e6b8276b533859dfffd38c2b376ddabfb76b4af4671b

SHA512
421e81d74fa9cf142855f3bc6a7414fce7f2d9428b23536719f5a4f1f5d0f5071b2dec1d2ab0f754b54f75ce0629704d442fe661d718f194f518ef725e223221

Download Submit
C:\Users\Public\Desktop\KSPTRGiris.lnk

Filesize
2KB

MD5
0a70a01871e54207805137dac6d54a11

SHA1
963b23031031fd9d79c2450ca897c4ca8fd1298f

SHA256
6a7b67f65a92722ddc7e430a07ff4ca085fe9929eddfb740029d7c57ed4823b5

SHA512
1732d276bc3aa41b29876626d0485b9940242894037b9e509dc834efde1f4f4871f744fa9444961edeadc21d1aa6380b6dc5811940e97f591c2712649b33f155

Download Submit
C:\Windows\Installer\MSIA1F8.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Windows\Installer\MSIA1F8.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Windows\Installer\MSIA295.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Windows\Installer\MSIA295.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Windows\Installer\MSIA2D5.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Windows\Installer\MSIA2D5.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Windows\Installer\MSIA2D5.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Windows\Installer\MSIA343.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Windows\Installer\MSIA343.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
C:\Windows\Installer\MSIAA4A.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Installer\MSIAA4A.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Installer\MSIAA89.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Installer\MSIAA89.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Installer\MSIAA89.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Installer\MSIABE2.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Installer\MSIABE2.tmp

Filesize
278KB

MD5
5d7495207fbb9e5bfb0037ba83e86214

SHA1
2f61780801d657424dd891e9d72463767fd5d5fb

SHA256
0503e4d5de79d2fa7a55a25e8b43d8e2bac3759365314d9bf17ed231082a5ae1

SHA512
2a7bdd1bac890580ab99b2509e45fc2f0b7fcbe699ffb24d3ecdbfd406a79d6d42409f968c54f70c5eec6bd85793a52aa786d7d5a5e87e5533d84f1f95a7a4e1

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_dbxy5myz.wu1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\WMK.InstallLog

Filesize
462B

MD5
7d8a23cdd959b0dcc1de667843c71217

SHA1
b29611a518d385db59a69e57379451cc4b115a7a

SHA256
0247cb3c3921d783f1a357a74f7ca0e4bdb9bab2fd84841415097ff124be4c19

SHA512
54a4283461013270194453a491d654bf99c045f65edeb18774c75087e0e26740a1de05b32c5863f42c15b2ce7807cc9eef3cf06c541b098384f61608f12b98c1

Download Submit
C:\Windows\WMK.exe

Filesize
5.4MB

MD5
41884fa83bcd678590fc4d84aaad3c05

SHA1
14ea8f40c06840c8ae59e18808f06bfe226d1049

SHA256
455c7f9dfdade15e45fe5bf35b29372cc74ab92691f3fe1d4a15ac62ccb86ee9

SHA512
0522c621beac0cb5a01309f2ef4c212d4ee3a12207cf3793a76f25d284b37b978695a31a6af5c0d10c494abe6e56b72f795f197c42b1d5051ba44e713d431969

Download Submit
C:\Windows\WMK.exe

Filesize
5.4MB

MD5
41884fa83bcd678590fc4d84aaad3c05

SHA1
14ea8f40c06840c8ae59e18808f06bfe226d1049

SHA256
455c7f9dfdade15e45fe5bf35b29372cc74ab92691f3fe1d4a15ac62ccb86ee9

SHA512
0522c621beac0cb5a01309f2ef4c212d4ee3a12207cf3793a76f25d284b37b978695a31a6af5c0d10c494abe6e56b72f795f197c42b1d5051ba44e713d431969

Download Submit
C:\Windows\WMK.exe

Filesize
5.4MB

MD5
41884fa83bcd678590fc4d84aaad3c05

SHA1
14ea8f40c06840c8ae59e18808f06bfe226d1049

SHA256
455c7f9dfdade15e45fe5bf35b29372cc74ab92691f3fe1d4a15ac62ccb86ee9

SHA512
0522c621beac0cb5a01309f2ef4c212d4ee3a12207cf3793a76f25d284b37b978695a31a6af5c0d10c494abe6e56b72f795f197c42b1d5051ba44e713d431969

Download Submit
C:\Windows\rft64.exe

Filesize
10.4MB

MD5
27c3445f5d46964e15f8358a9589dbe4

SHA1
4d3b42f0d82428791eea8f2a0ebd463d30df70aa

SHA256
3d71f4dd329a115945231bc5abf38a0171b2561181e92eb0bf465db4589e45ca

SHA512
5b4f67d10fc15a54a3103183b8548353f47599e47e4e60e64b474bdc624c0e29af39215eeeac44e7aea7a2ff7ddbe3d3199a6b950a213b7cd8be03cd88e659ed

Download Submit
C:\Windows\rft64.exe

Filesize
10.4MB

MD5
27c3445f5d46964e15f8358a9589dbe4

SHA1
4d3b42f0d82428791eea8f2a0ebd463d30df70aa

SHA256
3d71f4dd329a115945231bc5abf38a0171b2561181e92eb0bf465db4589e45ca

SHA512
5b4f67d10fc15a54a3103183b8548353f47599e47e4e60e64b474bdc624c0e29af39215eeeac44e7aea7a2ff7ddbe3d3199a6b950a213b7cd8be03cd88e659ed

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38f0f14cc7ca72ad51216866e66efb4e

SHA1
34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

SHA256
668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

SHA512
4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
16e1aae665e4d978ed0f04ed1bddab04

SHA1
28f8a3e1008e2a6468c2fc0898ae17fd903c25e8

SHA256
6513dbc2f7eeac5fa633d6c22f6931a385241a44a8a51b9c9800d4bbb5071adc

SHA512
526b55300cf5844ec64448d8d9405afedc7f16560a2972f82622f9800d2645f12ad8506456d592cd57f3f508854c6454a2b5c7830c7bc78a08cd6c8b3f77e353

Download Submit
\??\Volume{345277e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ff85aa55-70c2-4937-8131-e1e969e576fd}_OnDiskSnapshotProp

Filesize
5KB

MD5
01c8a19c1980f6d4f7e9f1f7e06f0fa1

SHA1
aed297f26aca94f535423802d666e1bf33239f29

SHA256
f0290f557da25f36eafa13cafee34231565595b6004a58c6da3736c39b844f6c

SHA512
7a5c5bf2bf352c33ed0a58468084e917b3375d4d85d4a600b40fdbda97031753f755ef4cd596abbe11624a7fc7115190896f2050a8a966f278b2ab17f1066ed4

Download Submit
\??\c:\windows\rft64.exe

Filesize
10.4MB

MD5
27c3445f5d46964e15f8358a9589dbe4

SHA1
4d3b42f0d82428791eea8f2a0ebd463d30df70aa

SHA256
3d71f4dd329a115945231bc5abf38a0171b2561181e92eb0bf465db4589e45ca

SHA512
5b4f67d10fc15a54a3103183b8548353f47599e47e4e60e64b474bdc624c0e29af39215eeeac44e7aea7a2ff7ddbe3d3199a6b950a213b7cd8be03cd88e659ed

Download Submit
memory/2100-225-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/2100-228-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/2100-249-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/2100-256-0x00007FF45E3A0000-0x00007FF45E771000-memory.dmp

Filesize
3.8MB

Download
memory/2100-233-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/2100-232-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/2100-227-0x00007FF45E3A0000-0x00007FF45E771000-memory.dmp

Filesize
3.8MB

Download
memory/2100-230-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/2196-244-0x00007FFC8CC60000-0x00007FFC8D721000-memory.dmp

Filesize
10.8MB

Download
memory/2196-245-0x00000205B60C0000-0x00000205B60D0000-memory.dmp

Filesize
64KB

Download
memory/2196-246-0x00000205B60C0000-0x00000205B60D0000-memory.dmp

Filesize
64KB

Download
memory/2196-243-0x00000205CF020000-0x00000205CF042000-memory.dmp

Filesize
136KB

Download
memory/2196-266-0x00000205B60C0000-0x00000205B60D0000-memory.dmp

Filesize
64KB

Download
memory/2196-296-0x00007FFC8CC60000-0x00007FFC8D721000-memory.dmp

Filesize
10.8MB

Download
memory/2968-264-0x00007FF4C8DA0000-0x00007FF4C9171000-memory.dmp

Filesize
3.8MB

Download
memory/2968-313-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/2968-267-0x00007FFCACBF0000-0x00007FFCACC00000-memory.dmp

Filesize
64KB

Download
memory/2968-269-0x00007FFC8CC60000-0x00007FFC8D721000-memory.dmp

Filesize
10.8MB

Download
memory/2968-270-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/2968-315-0x0000020D2B370000-0x0000020D2B380000-memory.dmp

Filesize
64KB

Download
memory/2968-260-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/2968-271-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/2968-281-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/2968-263-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/2968-297-0x0000020D2B2E0000-0x0000020D2B2F2000-memory.dmp

Filesize
72KB

Download
memory/2968-298-0x0000020D2B3D0000-0x0000020D2B40C000-memory.dmp

Filesize
240KB

Download
memory/3300-314-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/3300-323-0x00007FF495880000-0x00007FF495C51000-memory.dmp

Filesize
3.8MB

Download
memory/3300-322-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/3300-326-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/3300-325-0x00007FFC8CC60000-0x00007FFC8D721000-memory.dmp

Filesize
10.8MB

Download
memory/3300-327-0x00007FF6A2F10000-0x00007FF6A49D4000-memory.dmp

Filesize
26.8MB

Download
memory/3348-255-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-220-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-229-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-226-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-223-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-248-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-219-0x00007FF4D46D0000-0x00007FF4D4AA1000-memory.dmp

Filesize
3.8MB

Download
memory/3348-215-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3348-259-0x00007FF4D46D0000-0x00007FF4D4AA1000-memory.dmp

Filesize
3.8MB

Download
memory/3348-231-0x00007FFCACBF0000-0x00007FFCACC00000-memory.dmp

Filesize
64KB

Download
memory/3784-258-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3784-257-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3784-268-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3784-261-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3784-265-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3784-311-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/3784-324-0x00007FF495340000-0x00007FF495711000-memory.dmp

Filesize
3.8MB

Download
memory/3784-262-0x00007FF495340000-0x00007FF495711000-memory.dmp

Filesize
3.8MB

Download
memory/3784-320-0x00007FF7DAE80000-0x00007FF7DC857000-memory.dmp

Filesize
25.8MB

Download
memory/4572-181-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/4572-182-0x00007FFCACBF0000-0x00007FFCACC00000-memory.dmp

Filesize
64KB

Download
memory/4572-176-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/4572-177-0x00007FF4C0E60000-0x00007FF4C1231000-memory.dmp

Filesize
3.8MB

Download
memory/4572-179-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/4572-218-0x00007FF4C0E60000-0x00007FF4C1231000-memory.dmp

Filesize
3.8MB

Download
memory/4572-180-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/4572-213-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/4572-178-0x00007FF6E3300000-0x00007FF6E51CF000-memory.dmp

Filesize
30.8MB

Download
memory/4868-317-0x00007FFC8CC60000-0x00007FFC8D721000-memory.dmp

Filesize
10.8MB

Download
memory/4868-319-0x000001D7622C0000-0x000001D7622D0000-memory.dmp

Filesize
64KB

Download
memory/4868-318-0x000001D7622C0000-0x000001D7622D0000-memory.dmp

Filesize
64KB

Download
memory/4868-331-0x00007FFC8CC60000-0x00007FFC8D721000-memory.dmp

Filesize
10.8MB

Download
memory/4868-321-0x000001D7622C0000-0x000001D7622D0000-memory.dmp

Filesize
64KB

Download