eternity | 6c4aaf39142db9f2d3adc6f3a90d986a55fd54273be564d61a4cc229e55131af

Analysis

max time kernel
104s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2023, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d75e7230bf434ceff8710174ee115b8.exe
Size

285KB
MD5

3d75e7230bf434ceff8710174ee115b8
SHA1

6db9c713d70d8f3715db9ef4139669d8d110c4e9
SHA256

6c4aaf39142db9f2d3adc6f3a90d986a55fd54273be564d61a4cc229e55131af
SHA512

3ae69eb16c4866b89b9a4ff48f75ea4bbed5d39ae63f2e4c3b51d04af6137b3ba9e11e17818f0afeb788abbae060256b936a1ff626497b181990328a4b6cf3b8
SSDEEP

6144:vyU1zKCKVDp3Cbitu7gJzmgkYUDBg8ZHAO0Jb8CuZoHI66G:vyU1K9pv6RZH2nuZn66G

Score

10^/10

eternity glupteba redline smokeloader zgrat @ytlogsbot backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Detect ZGRat V1 22 IoCs

resource	yara_rule
behavioral2/memory/4084-39-0x00000268C40C0000-0x00000268C41A4000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-53-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-58-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-63-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-69-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-89-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-82-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-75-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-51-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-94-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-103-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-105-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-97-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-107-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-109-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-111-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-114-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-121-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-137-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-139-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-141-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4084-143-0x00000268C40C0000-0x00000268C41A0000-memory.dmp	family_zgrat_v1

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023200-11.dat	family_redline
behavioral2/files/0x0008000000023200-12.dat	family_redline
behavioral2/memory/3940-13-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2368 created 3340	2368	latestX.exe	37
PID 2368 created 3340	2368	latestX.exe	37
PID 2368 created 3340	2368	latestX.exe	37
PID 2368 created 3340	2368	latestX.exe	37
PID 2368 created 3340	2368	latestX.exe	37

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2920	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	DFF2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	F264.exe

Executes dropped EXE 31 IoCs

pid	Process
3940	BB32.exe
460	BD27.exe
4084	BD27.exe
2144	DFF2.exe
1652	hwhdrth
3920	E91B.exe
1300	E91B.tmp
2624	InstallSetup9.exe
4644	EC96.exe
3916	Broom.exe
436	toolspub2.exe
3888	F264.exe
4892	VolumeUTIL.exe
3292	31839b57a4f11171d6abc8bbc4451ee4.exe
4304	VolumeUTIL.exe
4684	F998.exe
1288	tuc3.exe
3176	tuc3.tmp
2368	latestX.exe
2316	5A0.exe
4508	107E.exe
2672	24F1.exe
4048	mpeg4bind.exe
4852	mpeg4bind.exe
2324	toolspub2.exe
4824	AppLaunch.exe
2396	31839b57a4f11171d6abc8bbc4451ee4.exe
2056	F264.exe
4896	AppLaunch.exe
4500	updater.exe
1904	csrss.exe

Loads dropped DLL 6 IoCs

pid	Process
1300	E91B.tmp
1300	E91B.tmp
1300	E91B.tmp
3176	tuc3.tmp
3176	tuc3.tmp
3176	tuc3.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 460 set thread context of 4084	460	BD27.exe	94
PID 4508 set thread context of 2408	4508	107E.exe	125
PID 436 set thread context of 2324	436	toolspub2.exe	136
PID 3888 set thread context of 2056	3888	F264.exe	154

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-JF4GH.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-CPHSM.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-JQHF9.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-UQ7M9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-GH74N.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\VolumeUTIL\unins000.dat	E91B.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-S5MNA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-PCRB1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-AL9RT.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-A0BH4.tmp	E91B.tmp
File opened for modification	C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe	E91B.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-FLRH0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\UIText\is-TIVQ8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-5OBKA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-MID2P.tmp	tuc3.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-MDM00.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-1L3RB.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-7QIBA.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-3SSJS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-NO9VK.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-IA01N.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-SMETK.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\UIText\is-513QV.tmp	E91B.tmp
File opened for modification	C:\Program Files (x86)\Common Files\MPEG4Binder\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\UIText\is-B099G.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-VMDMV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\unins000.dat	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-A3MRI.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-727G2.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-2AKLI.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-MSC8A.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-9LKSM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\is-5F2EQ.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\VolumeUTIL\UIText\is-MD07N.tmp	E91B.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-8LSUC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\Common Files\MPEG4Binder\is-5ACGS.tmp	tuc3.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1496	sc.exe
4960	sc.exe
4160	sc.exe
4132	sc.exe
2524	sc.exe
2024	sc.exe
60	sc.exe
2104	sc.exe
2468	sc.exe
4732	sc.exe
4752	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4112	schtasks.exe
3364	schtasks.exe
4728	schtasks.exe
1332	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AppLaunch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AppLaunch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AppLaunch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AppLaunch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AppLaunch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AppLaunch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	AppLaunch.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3816	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	AppLaunch.exe
2544	AppLaunch.exe
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3340	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2544	AppLaunch.exe
2324	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	BD27.exe
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3916	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 3692 wrote to memory of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 3692 wrote to memory of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 3692 wrote to memory of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 3692 wrote to memory of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 3692 wrote to memory of 2544	3692	3d75e7230bf434ceff8710174ee115b8.exe	87
PID 3340 wrote to memory of 3940	3340	Explorer.EXE	92
PID 3340 wrote to memory of 3940	3340	Explorer.EXE	92
PID 3340 wrote to memory of 3940	3340	Explorer.EXE	92
PID 3340 wrote to memory of 460	3340	Explorer.EXE	93
PID 3340 wrote to memory of 460	3340	Explorer.EXE	93
PID 460 wrote to memory of 4084	460	BD27.exe	94
PID 460 wrote to memory of 4084	460	BD27.exe	94
PID 460 wrote to memory of 4084	460	BD27.exe	94
PID 460 wrote to memory of 4084	460	BD27.exe	94
PID 460 wrote to memory of 4084	460	BD27.exe	94
PID 460 wrote to memory of 4084	460	BD27.exe	94
PID 3340 wrote to memory of 2144	3340	Explorer.EXE	95
PID 3340 wrote to memory of 2144	3340	Explorer.EXE	95
PID 3340 wrote to memory of 2144	3340	Explorer.EXE	95
PID 3340 wrote to memory of 3920	3340	Explorer.EXE	98
PID 3340 wrote to memory of 3920	3340	Explorer.EXE	98
PID 3340 wrote to memory of 3920	3340	Explorer.EXE	98
PID 3920 wrote to memory of 1300	3920	E91B.exe	110
PID 3920 wrote to memory of 1300	3920	E91B.exe	110
PID 3920 wrote to memory of 1300	3920	E91B.exe	110
PID 2144 wrote to memory of 2624	2144	DFF2.exe	99
PID 2144 wrote to memory of 2624	2144	DFF2.exe	99
PID 2144 wrote to memory of 2624	2144	DFF2.exe	99
PID 3340 wrote to memory of 4644	3340	Explorer.EXE	102
PID 3340 wrote to memory of 4644	3340	Explorer.EXE	102
PID 3340 wrote to memory of 4644	3340	Explorer.EXE	102
PID 2624 wrote to memory of 3916	2624	InstallSetup9.exe	103
PID 2624 wrote to memory of 3916	2624	InstallSetup9.exe	103
PID 2624 wrote to memory of 3916	2624	InstallSetup9.exe	103
PID 2144 wrote to memory of 436	2144	DFF2.exe	104
PID 2144 wrote to memory of 436	2144	DFF2.exe	104
PID 2144 wrote to memory of 436	2144	DFF2.exe	104
PID 1300 wrote to memory of 960	1300	E91B.tmp	109
PID 1300 wrote to memory of 960	1300	E91B.tmp	109
PID 1300 wrote to memory of 960	1300	E91B.tmp	109
PID 1300 wrote to memory of 4892	1300	E91B.tmp	108
PID 1300 wrote to memory of 4892	1300	E91B.tmp	108
PID 1300 wrote to memory of 4892	1300	E91B.tmp	108
PID 3340 wrote to memory of 3888	3340	Explorer.EXE	107
PID 3340 wrote to memory of 3888	3340	Explorer.EXE	107
PID 3340 wrote to memory of 3888	3340	Explorer.EXE	107
PID 2144 wrote to memory of 3292	2144	DFF2.exe	106
PID 2144 wrote to memory of 3292	2144	DFF2.exe	106
PID 2144 wrote to memory of 3292	2144	DFF2.exe	106
PID 1300 wrote to memory of 1328	1300	E91B.tmp	120
PID 1300 wrote to memory of 1328	1300	E91B.tmp	120
PID 1300 wrote to memory of 1328	1300	E91B.tmp	120
PID 1300 wrote to memory of 4304	1300	E91B.tmp	111
PID 1300 wrote to memory of 4304	1300	E91B.tmp	111
PID 1300 wrote to memory of 4304	1300	E91B.tmp	111
PID 3340 wrote to memory of 4684	3340	Explorer.EXE	112
PID 3340 wrote to memory of 4684	3340	Explorer.EXE	112
PID 3340 wrote to memory of 4684	3340	Explorer.EXE	112
PID 2144 wrote to memory of 1288	2144	DFF2.exe	119
PID 2144 wrote to memory of 1288	2144	DFF2.exe	119
PID 2144 wrote to memory of 1288	2144	DFF2.exe	119
PID 1288 wrote to memory of 3176	1288	tuc3.exe	115
PID 1288 wrote to memory of 3176	1288	tuc3.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\3d75e7230bf434ceff8710174ee115b8.exe
  "C:\Users\Admin\AppData\Local\Temp\3d75e7230bf434ceff8710174ee115b8.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\BB32.exe
  C:\Users\Admin\AppData\Local\Temp\BB32.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\BD27.exe
  C:\Users\Admin\AppData\Local\Temp\BD27.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\BD27.exe
    C:\Users\Admin\AppData\Local\Temp\BD27.exe
    3⤵
    - Executes dropped EXE
    PID:4084
- C:\Users\Admin\AppData\Local\Temp\DFF2.exe
  C:\Users\Admin\AppData\Local\Temp\DFF2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2324
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:3292
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:2396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3748
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4624
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1836
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:1904
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3616
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1356
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:3384
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1836
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1332
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:2468
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\E91B.exe
  C:\Users\Admin\AppData\Local\Temp\E91B.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\is-KT42J.tmp\E91B.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KT42J.tmp\E91B.tmp" /SL5="$F0064,3304892,54272,C:\Users\Admin\AppData\Local\Temp\E91B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
      "C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -s
      4⤵
      Executes dropped EXE
      PID:4304
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 29
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 29
        5⤵
        
        PID:232
- C:\Users\Admin\AppData\Local\Temp\EC96.exe
  C:\Users\Admin\AppData\Local\Temp\EC96.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\F264.exe
  C:\Users\Admin\AppData\Local\Temp\F264.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F264.exe"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wabzaZXb.exe"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wabzaZXb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8344.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\F264.exe
    "C:\Users\Admin\AppData\Local\Temp\F264.exe"
    3⤵
    - Executes dropped EXE
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\F998.exe
  C:\Users\Admin\AppData\Local\Temp\F998.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\5A0.exe
  C:\Users\Admin\AppData\Local\Temp\5A0.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\107E.exe
  C:\Users\Admin\AppData\Local\Temp\107E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
      4⤵
      PID:4160
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:3816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
        5⤵
        Executes dropped EXE
        
        PID:4824
- C:\Users\Admin\AppData\Local\Temp\24F1.exe
  C:\Users\Admin\AppData\Local\Temp\24F1.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:2160
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:748
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4960
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:60
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4160
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4988
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3224
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4688
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4180
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1792
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1692
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4412
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5072
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4132
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4732
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2524
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4752
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3656
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2392
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:820
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2228
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3424

C:\Users\Admin\AppData\Roaming\hwhdrth
C:\Users\Admin\AppData\Roaming\hwhdrth
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
"C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -i
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
1⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\is-NMQ49.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NMQ49.tmp\tuc3.tmp" /SL5="$5020A,3243561,76288,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3176
- C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe
  "C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe" -i
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Query
  2⤵
  PID:748
- C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe
  "C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe" -s
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 28
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 helpmsg 28
    3⤵
    PID:1404

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Opcode\rbduoexbi\XsdType.exe
C:\Users\Admin\AppData\Local\Opcode\rbduoexbi\XsdType.exe
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Opcode\rbduoexbi\XsdType.exe
  C:\Users\Admin\AppData\Local\Opcode\rbduoexbi\XsdType.exe
  2⤵
  PID:4788

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
1⤵
- Modifies data under HKEY_USERS
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe

Filesize
3.8MB

MD5
5f22b18abe5f6ed6ee7701ed018762f3

SHA1
120bc488a5abaf573aa326cfaa8f8c9b3546a5de

SHA256
458386bfa06d242b439bc05efa0739faad0383cfb3e9f17251e582ea7b7d6066

SHA512
4a04166c4b5c967501e58eba45c22dccd0ea6fc7d685f3b6f57a7b40d546852cf46080c2b0441168b2160100b059390342d264e1f3dc97815eca8028c693c1d2

Download Submit
C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe

Filesize
3.8MB

MD5
5f22b18abe5f6ed6ee7701ed018762f3

SHA1
120bc488a5abaf573aa326cfaa8f8c9b3546a5de

SHA256
458386bfa06d242b439bc05efa0739faad0383cfb3e9f17251e582ea7b7d6066

SHA512
4a04166c4b5c967501e58eba45c22dccd0ea6fc7d685f3b6f57a7b40d546852cf46080c2b0441168b2160100b059390342d264e1f3dc97815eca8028c693c1d2

Download Submit
C:\Program Files (x86)\Common Files\MPEG4Binder\mpeg4bind.exe

Filesize
3.8MB

MD5
5f22b18abe5f6ed6ee7701ed018762f3

SHA1
120bc488a5abaf573aa326cfaa8f8c9b3546a5de

SHA256
458386bfa06d242b439bc05efa0739faad0383cfb3e9f17251e582ea7b7d6066

SHA512
4a04166c4b5c967501e58eba45c22dccd0ea6fc7d685f3b6f57a7b40d546852cf46080c2b0441168b2160100b059390342d264e1f3dc97815eca8028c693c1d2

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
2.9MB

MD5
de11086ada8a65c306cdbd174b819b3f

SHA1
1526ea71df855ad981ea828793cec721a217624d

SHA256
78481f5ea5ca959500f26a4e772a8ee929efe00ba38aa711039694855de7f273

SHA512
693f747003a67706c4c840f3a76812c37a8990c576aa098450091a2d4993b1de5555bc6e20607cb3052816fffb82a4534856ce13f525dbff9073e20428b2b5de

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
2.9MB

MD5
de11086ada8a65c306cdbd174b819b3f

SHA1
1526ea71df855ad981ea828793cec721a217624d

SHA256
78481f5ea5ca959500f26a4e772a8ee929efe00ba38aa711039694855de7f273

SHA512
693f747003a67706c4c840f3a76812c37a8990c576aa098450091a2d4993b1de5555bc6e20607cb3052816fffb82a4534856ce13f525dbff9073e20428b2b5de

Download Submit
C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe

Filesize
2.9MB

MD5
de11086ada8a65c306cdbd174b819b3f

SHA1
1526ea71df855ad981ea828793cec721a217624d

SHA256
78481f5ea5ca959500f26a4e772a8ee929efe00ba38aa711039694855de7f273

SHA512
693f747003a67706c4c840f3a76812c37a8990c576aa098450091a2d4993b1de5555bc6e20607cb3052816fffb82a4534856ce13f525dbff9073e20428b2b5de

Download Submit
C:\ProgramData\SVGARateEX\SVGARateEX.exe

Filesize
2.9MB

MD5
de11086ada8a65c306cdbd174b819b3f

SHA1
1526ea71df855ad981ea828793cec721a217624d

SHA256
78481f5ea5ca959500f26a4e772a8ee929efe00ba38aa711039694855de7f273

SHA512
693f747003a67706c4c840f3a76812c37a8990c576aa098450091a2d4993b1de5555bc6e20607cb3052816fffb82a4534856ce13f525dbff9073e20428b2b5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BD27.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1d7f3d1036cc09d2b9c5d8d5acfbb867

SHA1
5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85

SHA256
0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c

SHA512
dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
012c1b249b1a61cab89e915d8e213694

SHA1
613e5fe8f958d12a0a128a789cc7dffd79de6ba8

SHA256
395f574de243c2c9fb3e7ce857939b0dfd356ffd57d56204f51bbe9fb438bd07

SHA512
a81d3fbfc9bc6d1d4251fc4f1c24b19b71e5e153a2b5544fecf819dae6665ef264f0c869d6a6437abe03bf6e3283e710068d2c94a2828a8121e850e594b1cb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9c1c50422f13110847dec86f9276dd89

SHA1
37a59b2f7e26e449054b8a65fb6b0529dd549b94

SHA256
c28dbc0947ac8d14cc8cbca849bb0393d760e21aaeabb97d661734ff9aa3ae4f

SHA512
9d38ff99888e75f4f5102f61f129ba978a0f7a52f67901904a447bc66af9a5b20182eb7f92e23bb13914fd6c2f66edc82ea9dbd3984b3bbf5439c34b2cc057b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9c1c50422f13110847dec86f9276dd89

SHA1
37a59b2f7e26e449054b8a65fb6b0529dd549b94

SHA256
c28dbc0947ac8d14cc8cbca849bb0393d760e21aaeabb97d661734ff9aa3ae4f

SHA512
9d38ff99888e75f4f5102f61f129ba978a0f7a52f67901904a447bc66af9a5b20182eb7f92e23bb13914fd6c2f66edc82ea9dbd3984b3bbf5439c34b2cc057b4

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\107E.exe

Filesize
894KB

MD5
e26272619587d5c3802c4ac123aca5d6

SHA1
59fe8f9ae04c77f95097bfe3f9547d58da5d26d7

SHA256
4ed003489a25ab5618781760c97987538ef6685125081f8c57c3f5da1a96fd6b

SHA512
2fd203bcb48efc8a2e99c50376e29f4b9070ece91694c8a57263935399dfbfa7862603b1f79fd0cca67986804f58863c94b498d65beb4ff7c3405d0c805018a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\107E.exe

Filesize
894KB

MD5
e26272619587d5c3802c4ac123aca5d6

SHA1
59fe8f9ae04c77f95097bfe3f9547d58da5d26d7

SHA256
4ed003489a25ab5618781760c97987538ef6685125081f8c57c3f5da1a96fd6b

SHA512
2fd203bcb48efc8a2e99c50376e29f4b9070ece91694c8a57263935399dfbfa7862603b1f79fd0cca67986804f58863c94b498d65beb4ff7c3405d0c805018a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F1.exe

Filesize
2.9MB

MD5
87e4a080d8475d0034728a84f57b3669

SHA1
c2b5ce84677b0100e43ece782dbecf8c91be82cd

SHA256
448367c941ffb279ab32f8d5db2a98b83ef3400b44c4feed0b5560137eae5f70

SHA512
4f9ec63cc433778eec832d352486ff7e1d0e7957068439f7319f9f17c8690029c61ca05393047fce79316f27e550742949f4c597e1bbd28c4f7f35fa73e0656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A0.exe

Filesize
651KB

MD5
cfa3e6ac04f2cd8e22c5ecd2b2119333

SHA1
428caaae3142b4976cd158bb9cdc433b8dbf11b1

SHA256
4b0f65a9706c2c604bac8a03c33ca9935656d08a4a94905f1ce2a16aedff5382

SHA512
ea68f638a7a1229d7cae2125bd4d358c3c4bbc2f7bc354c8c2d6568c1928893c21b53e4d6e4bc91490dccc328963acb7dee0af976519d3925c0344eac2f7bf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A0.exe

Filesize
651KB

MD5
cfa3e6ac04f2cd8e22c5ecd2b2119333

SHA1
428caaae3142b4976cd158bb9cdc433b8dbf11b1

SHA256
4b0f65a9706c2c604bac8a03c33ca9935656d08a4a94905f1ce2a16aedff5382

SHA512
ea68f638a7a1229d7cae2125bd4d358c3c4bbc2f7bc354c8c2d6568c1928893c21b53e4d6e4bc91490dccc328963acb7dee0af976519d3925c0344eac2f7bf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB32.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB32.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD27.exe

Filesize
908KB

MD5
eace63ea1948f012941dd4a9b3ac3c94

SHA1
a405bafadae7f27a3dbe108e8690034fe45b3330

SHA256
a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998

SHA512
3350590ead968dd755accf8ae017c65601953707622cc8747a4fc884be9712a3426397797203720f6aa0725ef1077093797ce44237920ccdfd0dd7be046cf024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD27.exe

Filesize
908KB

MD5
eace63ea1948f012941dd4a9b3ac3c94

SHA1
a405bafadae7f27a3dbe108e8690034fe45b3330

SHA256
a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998

SHA512
3350590ead968dd755accf8ae017c65601953707622cc8747a4fc884be9712a3426397797203720f6aa0725ef1077093797ce44237920ccdfd0dd7be046cf024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD27.exe

Filesize
908KB

MD5
eace63ea1948f012941dd4a9b3ac3c94

SHA1
a405bafadae7f27a3dbe108e8690034fe45b3330

SHA256
a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998

SHA512
3350590ead968dd755accf8ae017c65601953707622cc8747a4fc884be9712a3426397797203720f6aa0725ef1077093797ce44237920ccdfd0dd7be046cf024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFF2.exe

Filesize
15.7MB

MD5
0666ec08cfd84b8e3bca9f8458395df0

SHA1
b16539196615ea2b3341ecb24ff708a375cb25df

SHA256
af28ca70335efa9702faf39ba2f9313123b6453350855b287653151a6b5944e9

SHA512
47bac4457da37eab7f00c03f6996fbbc56691982be3268b22226a79c92390a755cc79e4f3843f1f7203aac6bff3dc269681a8a771649413af6553318262d7a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFF2.exe

Filesize
15.7MB

MD5
0666ec08cfd84b8e3bca9f8458395df0

SHA1
b16539196615ea2b3341ecb24ff708a375cb25df

SHA256
af28ca70335efa9702faf39ba2f9313123b6453350855b287653151a6b5944e9

SHA512
47bac4457da37eab7f00c03f6996fbbc56691982be3268b22226a79c92390a755cc79e4f3843f1f7203aac6bff3dc269681a8a771649413af6553318262d7a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E91B.exe

Filesize
3.4MB

MD5
0cee153812548f5bc1d3fd195fb674d5

SHA1
5cd5326fc6a958bb7ff51bd6b2aaa816aa39c23c

SHA256
453497f8d8f1dcdec96d220e28946d5480baedd4d1a44ae23f0d09ca6ee21f43

SHA512
254dfbb1766aa152d303461588710c16d1533c92f891dcd91ef5f4584f210e06c72e923528a91a79bb9c996cd2f86687b016cfa3cd1bea27e823552d95357f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\E91B.exe

Filesize
3.4MB

MD5
0cee153812548f5bc1d3fd195fb674d5

SHA1
5cd5326fc6a958bb7ff51bd6b2aaa816aa39c23c

SHA256
453497f8d8f1dcdec96d220e28946d5480baedd4d1a44ae23f0d09ca6ee21f43

SHA512
254dfbb1766aa152d303461588710c16d1533c92f891dcd91ef5f4584f210e06c72e923528a91a79bb9c996cd2f86687b016cfa3cd1bea27e823552d95357f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC96.exe

Filesize
236KB

MD5
cae8d7245f2ce21eab170cffb198ea08

SHA1
9dd943fcf9e1debf3eaffbc77114cb19c6b98e62

SHA256
bc9252b7eb4a717ced3b8fc017a527eea07fcb89fa2605295380a9e62549d401

SHA512
6d55de55c0f37a91f66371959c25dfdc9c1e128d3efc654b9248886e7b547557623c27418a3adc5e6b8c12d05f6426df28142af03d4ed7bb5b10c47ae229b74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F264.exe

Filesize
948KB

MD5
17b10059937dfd719ed14ccf111d0879

SHA1
b71db6b40d8b7749c979fd20a98c45489b5631bd

SHA256
eaab9f6775fbec120229d909a457058334c79609fd8c92bb99a2b186b34ed5df

SHA512
faae0e883550c9bded3bb13660f1a92ea7038ca75a431d90e503db9d5f2d97a5b04e02567739aad01e4457b3ac177e389667a510783d3e3455a548b98853fa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\F264.exe

Filesize
948KB

MD5
17b10059937dfd719ed14ccf111d0879

SHA1
b71db6b40d8b7749c979fd20a98c45489b5631bd

SHA256
eaab9f6775fbec120229d909a457058334c79609fd8c92bb99a2b186b34ed5df

SHA512
faae0e883550c9bded3bb13660f1a92ea7038ca75a431d90e503db9d5f2d97a5b04e02567739aad01e4457b3ac177e389667a510783d3e3455a548b98853fa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\F264.exe

Filesize
948KB

MD5
17b10059937dfd719ed14ccf111d0879

SHA1
b71db6b40d8b7749c979fd20a98c45489b5631bd

SHA256
eaab9f6775fbec120229d909a457058334c79609fd8c92bb99a2b186b34ed5df

SHA512
faae0e883550c9bded3bb13660f1a92ea7038ca75a431d90e503db9d5f2d97a5b04e02567739aad01e4457b3ac177e389667a510783d3e3455a548b98853fa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\F998.exe

Filesize
379KB

MD5
bb74e6197a380a186ad6ccf14d703b1c

SHA1
ee3c3d6bd4ab7cd05c7ef0f5701f3adba09efd94

SHA256
2ae72f719e14d9502e691a7874e690334b4507904ed233263af97fa2ba8763ba

SHA512
95a2942450a171fce2606d65da10dc2813af0bac1c875f81377b69efe6b16bafb01f041f0a38641ab42f2328e117fe16a9dcc39a02fa6b5fc67b91a3a58a8ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F998.exe

Filesize
379KB

MD5
bb74e6197a380a186ad6ccf14d703b1c

SHA1
ee3c3d6bd4ab7cd05c7ef0f5701f3adba09efd94

SHA256
2ae72f719e14d9502e691a7874e690334b4507904ed233263af97fa2ba8763ba

SHA512
95a2942450a171fce2606d65da10dc2813af0bac1c875f81377b69efe6b16bafb01f041f0a38641ab42f2328e117fe16a9dcc39a02fa6b5fc67b91a3a58a8ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
5a4d9c7655774781ac874d28e5f4e8c3

SHA1
a07b8efb4ba7a5325310d67f8ab0bab289c1bcfe

SHA256
6dbdd7e60ed858d48b55cc0ccc5036e0f075fac5ca204711c3e2e96488335af1

SHA512
ff9cdb2b0e881c6edbf1e35d280f5fa308ccc4e58dce8aa095990c721950f8378435c8479fd7707a18eede44baf5c4fed8ee23a6d0c67f170b74812d9b0c732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
5a4d9c7655774781ac874d28e5f4e8c3

SHA1
a07b8efb4ba7a5325310d67f8ab0bab289c1bcfe

SHA256
6dbdd7e60ed858d48b55cc0ccc5036e0f075fac5ca204711c3e2e96488335af1

SHA512
ff9cdb2b0e881c6edbf1e35d280f5fa308ccc4e58dce8aa095990c721950f8378435c8479fd7707a18eede44baf5c4fed8ee23a6d0c67f170b74812d9b0c732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
5a4d9c7655774781ac874d28e5f4e8c3

SHA1
a07b8efb4ba7a5325310d67f8ab0bab289c1bcfe

SHA256
6dbdd7e60ed858d48b55cc0ccc5036e0f075fac5ca204711c3e2e96488335af1

SHA512
ff9cdb2b0e881c6edbf1e35d280f5fa308ccc4e58dce8aa095990c721950f8378435c8479fd7707a18eede44baf5c4fed8ee23a6d0c67f170b74812d9b0c732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbhvnjzs.akt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EGM16.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EGM16.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EGM16.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KT42J.tmp\E91B.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KT42J.tmp\E91B.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NMQ49.tmp\tuc3.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NMQ49.tmp\tuc3.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TE5MR.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TE5MR.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TE5MR.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TE5MR.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TE5MR.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8344.tmp

Filesize
1KB

MD5
eeac8c7b49072f1f16f4c832cea94ea0

SHA1
fbb2915ddbc10f20b407a41dc8e470c305211788

SHA256
b72c2b9a11baaa67a60eb56d0f5bad437ea3901f1bdf38ae86cb4e8737e3f9bd

SHA512
64b1e46292636c18250180448d65a2e0aac0f1e6f42dc36450efeafff6c5fc7ae8285574778c762a74b8718d701b191552bb67ec79e4e2886d9f1d731b14c7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
282KB

MD5
2edd463e1e0eb9ee47c8c652292376fd

SHA1
4489c3b20a3a6d2f97838371a53c6d1a25493359

SHA256
d2a392c59f9985f753b9a10f03a7a567f21747ff3a7589722f22748a005953e7

SHA512
d964b77fbb92910909415f5fe7823984752f03d3cda4051da95f8b075ecf4bffa16acc8716f7fe79a017251438f415c41526bfa6245e8e1bab73da4113e99516

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.3MB

MD5
9d203bb88cfaf2a9dc2cdb04d888b4a2

SHA1
4481b6b9195590eee905f895cce62524f970fd51

SHA256
ba8a003d3491205e5e43c608daa1a51087d43dfe53260eb82227ddfb7448d83b

SHA512
86790d21b2731f36c9e1f80b617e016c37a01b3d8bb74dc73f53387b2c57dfd301f936f9ec6bc8d9750870ffcd7bb3dedb92c41c07eb0b519961e029aff2996d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.3MB

MD5
9d203bb88cfaf2a9dc2cdb04d888b4a2

SHA1
4481b6b9195590eee905f895cce62524f970fd51

SHA256
ba8a003d3491205e5e43c608daa1a51087d43dfe53260eb82227ddfb7448d83b

SHA512
86790d21b2731f36c9e1f80b617e016c37a01b3d8bb74dc73f53387b2c57dfd301f936f9ec6bc8d9750870ffcd7bb3dedb92c41c07eb0b519961e029aff2996d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
3.3MB

MD5
9d203bb88cfaf2a9dc2cdb04d888b4a2

SHA1
4481b6b9195590eee905f895cce62524f970fd51

SHA256
ba8a003d3491205e5e43c608daa1a51087d43dfe53260eb82227ddfb7448d83b

SHA512
86790d21b2731f36c9e1f80b617e016c37a01b3d8bb74dc73f53387b2c57dfd301f936f9ec6bc8d9750870ffcd7bb3dedb92c41c07eb0b519961e029aff2996d

Download Submit
C:\Users\Admin\AppData\Roaming\hwhdrth

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Roaming\hwhdrth

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Roaming\wabzaZXb.exe

Filesize
948KB

MD5
17b10059937dfd719ed14ccf111d0879

SHA1
b71db6b40d8b7749c979fd20a98c45489b5631bd

SHA256
eaab9f6775fbec120229d909a457058334c79609fd8c92bb99a2b186b34ed5df

SHA512
faae0e883550c9bded3bb13660f1a92ea7038ca75a431d90e503db9d5f2d97a5b04e02567739aad01e4457b3ac177e389667a510783d3e3455a548b98853fa80

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
459c2b9f6ac465a30e2c7f4f015cd43d

SHA1
e452ed81742e67dcebceedc870cf92f07ef8b43b

SHA256
dc6fbcb34d12f931e24100a7b245544fddb03fec0234b3e124431105987be43d

SHA512
d4be1bc569c95d54dff2c3e7aae2a6c48b5704d07a615fbcf4b82ba5ffce8adeb6e2fb6edbae682ba7176411b630b798b27de27e36f0b9873791892ae24b9436

Download Submit
memory/460-19-0x000001C2113D0000-0x000001C2114B8000-memory.dmp

Filesize
928KB

Download
memory/460-24-0x000001C211880000-0x000001C211890000-memory.dmp

Filesize
64KB

Download
memory/460-42-0x00007FFD55940000-0x00007FFD56401000-memory.dmp

Filesize
10.8MB

Download
memory/460-28-0x000001C213310000-0x000001C21335C000-memory.dmp

Filesize
304KB

Download
memory/460-27-0x000001C22BBE0000-0x000001C22BCA8000-memory.dmp

Filesize
800KB

Download
memory/460-26-0x000001C22BB10000-0x000001C22BBD8000-memory.dmp

Filesize
800KB

Download
memory/460-25-0x000001C22BA30000-0x000001C22BB10000-memory.dmp

Filesize
896KB

Download
memory/460-20-0x000001C213230000-0x000001C21330E000-memory.dmp

Filesize
888KB

Download
memory/460-22-0x00007FFD55940000-0x00007FFD56401000-memory.dmp

Filesize
10.8MB

Download
memory/1288-288-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1300-178-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2144-399-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/2144-96-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/2144-285-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/2144-90-0x0000000000F10000-0x0000000001ECE000-memory.dmp

Filesize
15.7MB

Download
memory/2408-476-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2544-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2544-1-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2544-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3176-428-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3340-61-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-80-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-57-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-71-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-52-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-49-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-30-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-33-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/3340-46-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-102-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/3340-38-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-34-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-88-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-2-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

Filesize
88KB

Download
memory/3340-74-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-65-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-77-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-76-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/3340-68-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-62-0x0000000008B70000-0x0000000008B80000-memory.dmp

Filesize
64KB

Download
memory/3340-250-0x0000000002F80000-0x0000000002F83000-memory.dmp

Filesize
12KB

Download
memory/3340-59-0x0000000002F80000-0x0000000002F83000-memory.dmp

Filesize
12KB

Download
memory/3340-56-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-255-0x0000000008B70000-0x0000000008B80000-memory.dmp

Filesize
64KB

Download
memory/3340-98-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3340-92-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3888-401-0x0000000005B40000-0x0000000005B46000-memory.dmp

Filesize
24KB

Download
memory/3888-397-0x0000000005AE0000-0x0000000005AF8000-memory.dmp

Filesize
96KB

Download
memory/3888-242-0x0000000000E60000-0x0000000000F52000-memory.dmp

Filesize
968KB

Download
memory/3888-238-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3916-259-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3920-119-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3940-50-0x0000000007370000-0x00000000073AC000-memory.dmp

Filesize
240KB

Download
memory/3940-253-0x0000000007D30000-0x0000000007D96000-memory.dmp

Filesize
408KB

Download
memory/3940-14-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3940-21-0x0000000007520000-0x0000000007AC4000-memory.dmp

Filesize
5.6MB

Download
memory/3940-23-0x0000000007070000-0x0000000007102000-memory.dmp

Filesize
584KB

Download
memory/3940-31-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3940-13-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/3940-47-0x0000000007310000-0x0000000007322000-memory.dmp

Filesize
72KB

Download
memory/3940-43-0x00000000073F0000-0x00000000074FA000-memory.dmp

Filesize
1.0MB

Download
memory/3940-40-0x00000000080F0000-0x0000000008708000-memory.dmp

Filesize
6.1MB

Download
memory/3940-467-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/3940-29-0x0000000007230000-0x000000000723A000-memory.dmp

Filesize
40KB

Download
memory/3940-55-0x0000000007AD0000-0x0000000007B1C000-memory.dmp

Filesize
304KB

Download
memory/3940-85-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3940-474-0x0000000009280000-0x00000000097AC000-memory.dmp

Filesize
5.2MB

Download
memory/4084-75-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-53-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-103-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-94-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-97-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-51-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-175-0x00000268C4240000-0x00000268C4250000-memory.dmp

Filesize
64KB

Download
memory/4084-82-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-107-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-109-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-89-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-69-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-63-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-58-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-111-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-105-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-114-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-39-0x00000268C40C0000-0x00000268C41A4000-memory.dmp

Filesize
912KB

Download
memory/4084-121-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-122-0x00007FFD55940000-0x00007FFD56401000-memory.dmp

Filesize
10.8MB

Download
memory/4084-137-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-139-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-41-0x00007FFD55940000-0x00007FFD56401000-memory.dmp

Filesize
10.8MB

Download
memory/4084-44-0x00000268C4240000-0x00000268C4250000-memory.dmp

Filesize
64KB

Download
memory/4084-32-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4084-141-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4084-143-0x00000268C40C0000-0x00000268C41A0000-memory.dmp

Filesize
896KB

Download
memory/4304-275-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4892-257-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/4892-246-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download