glupteba | df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

Analysis

max time kernel
44s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/05/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
Size

521KB
MD5

c1d583657c7fe7973f820983fd1abb81
SHA1

4cfada887af87f32224fca86ed32edcac00edbec
SHA256

df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744
SHA512

2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88
SSDEEP

12288:jpDxMM2vWugFMfmKL9ZVvwtgEOy9bxKdyH6WS2Fft:19MMYzftL97sgoKOSU1

Score

10^/10

glupteba smokeloader stealc zgrat pub2 backdoor dropper evasion execution loader rat stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Extracted

Family

smokeloader

Botnet

pub2

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/2424-2080-0x0000021C517E0000-0x0000021C51804000-memory.dmp	family_zgrat_v1
behavioral2/memory/2424-2074-0x0000021C51940000-0x0000021C51A4A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

resource	yara_rule
behavioral2/memory/208-1521-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/5332-1529-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/440-4779-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/440-4786-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/440-4799-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/440-4802-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
1468	powershell.exe
1548	powershell.exe
4544	powershell.exe
4428	powershell.exe
1940	powershell.exe
5140	powershell.exe
4784	powershell.exe
4496	powershell.exe
4152	powershell.exe
4856	powershell.exe
604	powershell.exe
5872	powershell.exe
5428	powershell.exe
1304	powershell.exe
5840	powershell.exe
3744	powershell.exe
5840	powershell.exe
5720	powershell.exe
1320	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6100	netsh.exe
5992	netsh.exe
5976	netsh.exe
6096	netsh.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jm2DkkHLxia8jRXOIcJw3Gxw.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xHVBJJwfmHt7YYMB2sr26WDx.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zCi4qM2fZHHEIMvagdAEoNre.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sIYz70xJeyBSThiOoVvucFY1.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F7k6xd6TIuABFLJ9VEH0CPy.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAThmcLEpGTd6nZ16k9NoR9g.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XmPg5Bjtj8oWu2GE08mGjH9s.bat	regsvcs.exe

Executes dropped EXE 12 IoCs

pid	Process
924	RgE6Zg7foUtn4zNX7IV77i7F.exe
4696	dMzItUMgFpswT7z9NggYlSZQ.exe
4288	gSmdAUGX92vg8dpCa26nABpf.exe
4656	rdL7C794xQ4Dm83pTBq14MDD.exe
4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe
3224	WvRR3SpYI4RA6aoeQNKnwJLB.exe
3568	upo.0.exe
1184	upo.1.exe
208	dMzItUMgFpswT7z9NggYlSZQ.exe
3052	iAtEC5iri47Gyzu1pyQ0rYg4.exe
5332	rdL7C794xQ4Dm83pTBq14MDD.exe
5472	gSmdAUGX92vg8dpCa26nABpf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-4784-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5420-4796-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5420-4800-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4120	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3968	3568	WerFault.exe	86

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	upo.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	upo.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	upo.1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
208	schtasks.exe
3544	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
5604	tasklist.exe
2816	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	rdL7C794xQ4Dm83pTBq14MDD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	gSmdAUGX92vg8dpCa26nABpf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	dMzItUMgFpswT7z9NggYlSZQ.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5500	PING.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
1304	powershell.exe
1304	powershell.exe
2680	powershell.exe
2680	powershell.exe
1468	powershell.exe
1468	powershell.exe
1468	powershell.exe
4496	powershell.exe
4496	powershell.exe
2680	powershell.exe
1304	powershell.exe
4496	powershell.exe
2680	powershell.exe
4496	powershell.exe
1468	powershell.exe
1304	powershell.exe
4696	dMzItUMgFpswT7z9NggYlSZQ.exe
4696	dMzItUMgFpswT7z9NggYlSZQ.exe
4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe
4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe
4656	rdL7C794xQ4Dm83pTBq14MDD.exe
4656	rdL7C794xQ4Dm83pTBq14MDD.exe
4288	gSmdAUGX92vg8dpCa26nABpf.exe
4288	gSmdAUGX92vg8dpCa26nABpf.exe
5840	powershell.exe
5840	powershell.exe
4152	powershell.exe
4152	powershell.exe
1548	powershell.exe
1548	powershell.exe
5840	powershell.exe
4152	powershell.exe
1548	powershell.exe
5840	powershell.exe
4152	powershell.exe
1548	powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	4320	regsvcs.exe
Token: SeIncreaseQuotaPrivilege	1320	powershell.exe
Token: SeSecurityPrivilege	1320	powershell.exe
Token: SeTakeOwnershipPrivilege	1320	powershell.exe
Token: SeLoadDriverPrivilege	1320	powershell.exe
Token: SeSystemProfilePrivilege	1320	powershell.exe
Token: SeSystemtimePrivilege	1320	powershell.exe
Token: SeProfSingleProcessPrivilege	1320	powershell.exe
Token: SeIncBasePriorityPrivilege	1320	powershell.exe
Token: SeCreatePagefilePrivilege	1320	powershell.exe
Token: SeBackupPrivilege	1320	powershell.exe
Token: SeRestorePrivilege	1320	powershell.exe
Token: SeShutdownPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeSystemEnvironmentPrivilege	1320	powershell.exe
Token: SeRemoteShutdownPrivilege	1320	powershell.exe
Token: SeUndockPrivilege	1320	powershell.exe
Token: SeManageVolumePrivilege	1320	powershell.exe
Token: 33	1320	powershell.exe
Token: 34	1320	powershell.exe
Token: 35	1320	powershell.exe
Token: 36	1320	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4696	dMzItUMgFpswT7z9NggYlSZQ.exe
Token: SeImpersonatePrivilege	4696	dMzItUMgFpswT7z9NggYlSZQ.exe
Token: SeDebugPrivilege	4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Token: SeImpersonatePrivilege	4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe
Token: SeDebugPrivilege	4656	rdL7C794xQ4Dm83pTBq14MDD.exe
Token: SeImpersonatePrivilege	4656	rdL7C794xQ4Dm83pTBq14MDD.exe
Token: SeDebugPrivilege	4288	gSmdAUGX92vg8dpCa26nABpf.exe
Token: SeImpersonatePrivilege	4288	gSmdAUGX92vg8dpCa26nABpf.exe
Token: SeDebugPrivilege	5604	tasklist.exe
Token: SeDebugPrivilege	5840	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe
1184	upo.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	72
PID 2804 wrote to memory of 1320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	72
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 2804 wrote to memory of 4320	2804	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe	74
PID 4320 wrote to memory of 924	4320	regsvcs.exe	78
PID 4320 wrote to memory of 924	4320	regsvcs.exe	78
PID 4320 wrote to memory of 924	4320	regsvcs.exe	78
PID 4320 wrote to memory of 4696	4320	regsvcs.exe	79
PID 4320 wrote to memory of 4696	4320	regsvcs.exe	79
PID 4320 wrote to memory of 4696	4320	regsvcs.exe	79
PID 4320 wrote to memory of 4288	4320	regsvcs.exe	80
PID 4320 wrote to memory of 4288	4320	regsvcs.exe	80
PID 4320 wrote to memory of 4288	4320	regsvcs.exe	80
PID 4320 wrote to memory of 4656	4320	regsvcs.exe	81
PID 4320 wrote to memory of 4656	4320	regsvcs.exe	81
PID 4320 wrote to memory of 4656	4320	regsvcs.exe	81
PID 4320 wrote to memory of 4864	4320	regsvcs.exe	82
PID 4320 wrote to memory of 4864	4320	regsvcs.exe	82
PID 4320 wrote to memory of 4864	4320	regsvcs.exe	82
PID 4320 wrote to memory of 3224	4320	regsvcs.exe	83
PID 4320 wrote to memory of 3224	4320	regsvcs.exe	83
PID 4320 wrote to memory of 3224	4320	regsvcs.exe	83
PID 3224 wrote to memory of 2132	3224	WvRR3SpYI4RA6aoeQNKnwJLB.exe	84
PID 3224 wrote to memory of 2132	3224	WvRR3SpYI4RA6aoeQNKnwJLB.exe	84
PID 3224 wrote to memory of 2132	3224	WvRR3SpYI4RA6aoeQNKnwJLB.exe	84
PID 924 wrote to memory of 3568	924	RgE6Zg7foUtn4zNX7IV77i7F.exe	86
PID 924 wrote to memory of 3568	924	RgE6Zg7foUtn4zNX7IV77i7F.exe	86
PID 924 wrote to memory of 3568	924	RgE6Zg7foUtn4zNX7IV77i7F.exe	86
PID 4696 wrote to memory of 1304	4696	dMzItUMgFpswT7z9NggYlSZQ.exe	89
PID 4696 wrote to memory of 1304	4696	dMzItUMgFpswT7z9NggYlSZQ.exe	89
PID 4696 wrote to memory of 1304	4696	dMzItUMgFpswT7z9NggYlSZQ.exe	89
PID 4864 wrote to memory of 2680	4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe	90
PID 4864 wrote to memory of 2680	4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe	90
PID 4864 wrote to memory of 2680	4864	iAtEC5iri47Gyzu1pyQ0rYg4.exe	90
PID 4288 wrote to memory of 1468	4288	gSmdAUGX92vg8dpCa26nABpf.exe	93
PID 4288 wrote to memory of 1468	4288	gSmdAUGX92vg8dpCa26nABpf.exe	93
PID 4288 wrote to memory of 1468	4288	gSmdAUGX92vg8dpCa26nABpf.exe	93
PID 4656 wrote to memory of 4496	4656	rdL7C794xQ4Dm83pTBq14MDD.exe	95
PID 4656 wrote to memory of 4496	4656	rdL7C794xQ4Dm83pTBq14MDD.exe	95
PID 4656 wrote to memory of 4496	4656	rdL7C794xQ4Dm83pTBq14MDD.exe	95
PID 924 wrote to memory of 1184	924	RgE6Zg7foUtn4zNX7IV77i7F.exe	156
PID 924 wrote to memory of 1184	924	RgE6Zg7foUtn4zNX7IV77i7F.exe	156
PID 924 wrote to memory of 1184	924	RgE6Zg7foUtn4zNX7IV77i7F.exe	156
PID 2132 wrote to memory of 5604	2132	cmd.exe	106
PID 2132 wrote to memory of 5604	2132	cmd.exe	106
PID 2132 wrote to memory of 5604	2132	cmd.exe	106
PID 2132 wrote to memory of 5700	2132	cmd.exe	107
PID 2132 wrote to memory of 5700	2132	cmd.exe	107
PID 2132 wrote to memory of 5700	2132	cmd.exe	107
PID 208 wrote to memory of 5840	208	dMzItUMgFpswT7z9NggYlSZQ.exe	139
PID 208 wrote to memory of 5840	208	dMzItUMgFpswT7z9NggYlSZQ.exe	139
PID 208 wrote to memory of 5840	208	dMzItUMgFpswT7z9NggYlSZQ.exe	139
PID 5472 wrote to memory of 1548	5472	gSmdAUGX92vg8dpCa26nABpf.exe	142
PID 5472 wrote to memory of 1548	5472	gSmdAUGX92vg8dpCa26nABpf.exe	142
PID 5472 wrote to memory of 1548	5472	gSmdAUGX92vg8dpCa26nABpf.exe	142
PID 5332 wrote to memory of 3744	5332	rdL7C794xQ4Dm83pTBq14MDD.exe	111
PID 5332 wrote to memory of 3744	5332	rdL7C794xQ4Dm83pTBq14MDD.exe	111
PID 5332 wrote to memory of 3744	5332	rdL7C794xQ4Dm83pTBq14MDD.exe	111

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe

C:\Users\Admin\AppData\Local\Temp\df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe
"C:\Users\Admin\AppData\Local\Temp\df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Users\Admin\Pictures\RgE6Zg7foUtn4zNX7IV77i7F.exe
    "C:\Users\Admin\Pictures\RgE6Zg7foUtn4zNX7IV77i7F.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\upo.0.exe
      "C:\Users\Admin\AppData\Local\Temp\upo.0.exe"
      4⤵
      Executes dropped EXE
      PID:3568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1188
        5⤵
        Program crash
        
        PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\upo.1.exe
      "C:\Users\Admin\AppData\Local\Temp\upo.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:2424
- - C:\Users\Admin\Pictures\dMzItUMgFpswT7z9NggYlSZQ.exe
    "C:\Users\Admin\Pictures\dMzItUMgFpswT7z9NggYlSZQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1304
  - - C:\Users\Admin\Pictures\dMzItUMgFpswT7z9NggYlSZQ.exe
      "C:\Users\Admin\Pictures\dMzItUMgFpswT7z9NggYlSZQ.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5840
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5780
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5140
- - C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe
    "C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe
      "C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:5472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5548
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5872
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1548
- - C:\Users\Admin\Pictures\rdL7C794xQ4Dm83pTBq14MDD.exe
    "C:\Users\Admin\Pictures\rdL7C794xQ4Dm83pTBq14MDD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Users\Admin\Pictures\rdL7C794xQ4Dm83pTBq14MDD.exe
      "C:\Users\Admin\Pictures\rdL7C794xQ4Dm83pTBq14MDD.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:5332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:3744
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5724
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4428
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5428
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5720
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:208
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2312
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4784
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4232
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3544
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4120
- - C:\Users\Admin\Pictures\iAtEC5iri47Gyzu1pyQ0rYg4.exe
    "C:\Users\Admin\Pictures\iAtEC5iri47Gyzu1pyQ0rYg4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Users\Admin\Pictures\iAtEC5iri47Gyzu1pyQ0rYg4.exe
      "C:\Users\Admin\Pictures\iAtEC5iri47Gyzu1pyQ0rYg4.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:3052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5696
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5840
- - C:\Users\Admin\Pictures\WvRR3SpYI4RA6aoeQNKnwJLB.exe
    "C:\Users\Admin\Pictures\WvRR3SpYI4RA6aoeQNKnwJLB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Condos Condos.cmd & Condos.cmd & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:5700
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2816
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:5928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 1101
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MAKINGSICKDIFFERENTIALCONSOLES" Reached
        5⤵
        
        PID:5820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Preparation 1101\W
        5⤵
        
        PID:5456
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\Relation.pif
        
        1101\Relation.pif 1101\W
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:5500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
PID:1184

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5420

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\Relation.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\Relation.pif
1⤵
PID:5980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Assumptions

Filesize
30KB

MD5
191defa5ed07e4895c30176c816388f8

SHA1
d8eb01573b563dd4ff44664e9011b233f1247bf4

SHA256
1ae053b84dd0e3960ad12010537fcf699647eb38088de8460cc67af9d8a8927b

SHA512
94019365d8ee804c4b8846011cc887ef8776117f654f5eb381006ffceaf338d747d456ad60625135aba84f2313da3444b4a2a4b0a5c8b991fe75c6a7e8940fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Atmosphere

Filesize
4KB

MD5
660f7e19225369777dfffc352434aff7

SHA1
dcb029db311c7bf6b8326ba08c31a38e010c4b83

SHA256
a62207582a6433aece63c4572d82c4a62a08ba07a883846d8c7924485bb644da

SHA512
7a040ecf7713df2aa81f2e87fef0456e2f7a8e832d044946c010331e784d0cff00670319a508e50161cfd5d24b6afe08578d05ccdba3db86e4ee75fec7ab5c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bbw

Filesize
12KB

MD5
7002847fa087b02ea0ef12b456321d35

SHA1
3c8fb2c8c848bdaf28e542d533e00e28a74fd000

SHA256
fb11908020eba9c8e74a4251539fb6ad3023968b3b673f71ccfca64e412b64de

SHA512
d341a9a2e91f7418752fff990e52dc3e3a843b7651b2e9ef97e64a67266648da81962ab5332e9d1cecf18fb3bb4d44aabb2f94567b54005fe0c39c22277881d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Belly

Filesize
10KB

MD5
65f53277780a48d3c0f07274b525f4c4

SHA1
9f22741f8e291ca07316416eb1565cb32d2da43e

SHA256
fca82be7c83638610f35bb6167446034e9b6a57cfccf9a6e1badcac8453dcb33

SHA512
7d962f27b3c19e678355e5082b9d47131b8fe1e9deaa65aee6b266f2ba83dfbbafd1a670d2702eaeb2e4061805cf55b02cc21881ad38dcf18665243d44ba7e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Breakfast

Filesize
62KB

MD5
4cb3dbd1f379b3596a903aed2df61cb3

SHA1
ae1709bc8cb85aac416e63511e95c5934cd48e16

SHA256
a734a1350b8cd30b487587a86911b456fa107edabe4ecdbd7f8c2c1ec528a290

SHA512
d6d186347be0c3ea0b882643bae5dc32a00363e59a98f3fb5803e7078533642f0a9cd7c93f38ef2d4cd4832f4ea64412f4b36ad9bd02c5f4f73666701ca73284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cds

Filesize
24KB

MD5
fdb32a6e9e0f2954cb1b14ecc79fed6a

SHA1
13699b7d9c048c82debc03817176746ec1a5f809

SHA256
efa353678b065d2d04e3fec7eebcb607878c2e54bf929c44b2c74aca83ab72c0

SHA512
6b84ab7e50821ab97c5d78ba1ea4ee03d57ab363eaba6f9261667640c0293aeb62075d8c709c0400f7dc25555ee84af57d34ca899c1e6b36688cac6471e7be1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chapter

Filesize
54KB

MD5
75b2bb1581932049ff195ad2ca090d4e

SHA1
0c5ae49798bddc824c039ab477e8035d8531b5f6

SHA256
cd029ae05fe48174da1ff8a3ff40bcecf3fda4f452df129c17e68fe7acf9ece0

SHA512
e65c070ca3bb1afefe645cc7cb6bbe3d84ada968e5ff7955f236a46d134410cd33b31b82298e56e9d85e8a349cbfeb2c38585583db860a56b8b554d790a92771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chip

Filesize
36KB

MD5
aaf99a2da429134ee8c723a965001742

SHA1
b26ef510ec16f0ab28242acb790764ec53018174

SHA256
08ee275735b41a482db0a32be02c519be429b026c1ad1a0ff9a127dec8562909

SHA512
921818139a6623454c73f983ce69d1315fa2e3136005cf1a6c6040e489e7512403b48e86e4090f5e0a2557baf5cec91b5e671a005a41ff510e25758f402b3bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Condos

Filesize
25KB

MD5
cdb2932ff35f980158e251eb95392a54

SHA1
f0133b9bc1d06646b537eb3ad6771b17c1b9b397

SHA256
1e8d9429827487572b8a0e4b8b0ff7deab9696d2186075ca1d9df404ecbc88f2

SHA512
53d7f302ed135a1e780be037918f9bb4aae5502b9ca2539719002fe47bf6d1e0b1cae62f4d0c56e55520c66e1fcb4ec515f5046a8ec14c6d613fe417698625b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cooper

Filesize
24KB

MD5
8e995591a7a4eb7d7418302ef5d515ae

SHA1
d2c47b03e1b3a37af127ae588871360be4a2d0b6

SHA256
057b1d521d4a083cafee62fd9c2dfefad939f1f9f84f8b1028b948858796021e

SHA512
f8d657b294926bac7ea3d364fce716e21e1247b938cf533edad3e7b9fa43e241ab97aeb1e314264c13b50716663e7f7a75afe77769b48c73d662b64d6714b07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Custom

Filesize
68KB

MD5
022f3a00000c173b3d0f125b6c3e741a

SHA1
cea8239a58fabbf3f4fbc9bd356ff2a81e32cf45

SHA256
633d4237545cbd53854d48de66769da35527c194ebbfcb29fba5fc9fcc807859

SHA512
826ff7273170d6a0934ffde98c0d28663c4d876e2f2cbc1de0cbc5bf96425c6fd7b20c60af74563df0d1ed2dd5efb84b39d7c9af9624916cfd2e4780cb95eb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dawn

Filesize
26KB

MD5
aa2a5f1c5e1261042a597d67d176eb2e

SHA1
9be24809122b0a4e2ab1fe51a300937e20c7c523

SHA256
4f87e70a75ac736b58605c2690f05b81e1361c0dc9547d1bcfa1fca487a26555

SHA512
d86b726e510be805dc7b222fb892cb5bce5625aeccb3a0c419496aa1bbd1120844eace9149e995d618ef1b9aae3c4c55dfcff2768099adb2766ec9dc8f15f756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Desert

Filesize
48KB

MD5
fab0f8bc843df7fb4f28dd097cc76a3d

SHA1
9d6f051ca98aec37276fc558c586ad2dfe6a0923

SHA256
3c160730ca9e0ff95bd68887ad99c5cae7a2ca1a2ec923764b48074a87605572

SHA512
17ae111f4c3790766581243cca1569953f0b479750a058acb27fbbc9d736f7cbedb0c59f952c673766ee5739fe594d38ab2b79baf404e3fa6b61b37457becd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Headline

Filesize
30KB

MD5
fdb391ac4c45c35508435c9cda69e018

SHA1
3a0d53b20b73bd0cb28d19e3813d75b1d95aff52

SHA256
d7d4f9e34f40549e686f5cc3cb74041848ee38bee8a5293eca7f969c56ba2708

SHA512
55be1e9a7182b3df68a330cf2a9e94839a7d808748d1d4c7bfb2915c2a205339d6b0e5224b9df70b0053f007ccfd7c42aa7fc5a3426bc8759dea6186f167a351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ht

Filesize
23KB

MD5
915a9a3892708b7671b95e7490db64ec

SHA1
f37a89fd3d08c7d8e8cea3fd67c4d80c1a996f7d

SHA256
86db30f6a2a4c175274cb45cb1a0d869eb0e272a9157728b021159c04ca74dc4

SHA512
7a2be931c2a4ade3fd2d80a60d9fea221aa288f3c402d66409a35b5c00c81d97615ce80977c67521910ec9e2e106874331c780ce7805a9861bcf7380c2daabe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\K

Filesize
23KB

MD5
9076bb2763755a369e725b7d90cb9a6e

SHA1
950dab154109608dce3a710daffd494a6c6e56a5

SHA256
3ebd51bcaa3a9912b6f0c7ff47fab1e999334eeab3a179bb16c0f1fcc400b266

SHA512
78563047dfb2542364e3ff09830c6b4117376b6ffde741cb4d6d1f65a7e85f7e92c6610ad6ececa5117258dd498cedf4e93687e9edd117d79062613094e48729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lite

Filesize
35KB

MD5
2845984f979b604f1c6b6e749ff30541

SHA1
457a27dbe60f8249e253cdc37ffa11686754bc96

SHA256
275004c4562f9ebf00cab6571e35f59ff1ba48a1f073b134566bd37889f454ab

SHA512
d95792a146ffc4de26eb9f3e41765eb7e0c296aa2993230b69754e6217a1698711edfbf7565783b048bdbd0a2077758a0fd307d3247651429f6e4c52028a4395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ooo

Filesize
9KB

MD5
601ebaeaa4c3dca8b085e080911bbbbc

SHA1
6d1608cb089e860e5868ac317629f38d1e5cefbb

SHA256
fb853dab53bf849c8cb2cbda654e90388d060f2f47000e7968b334c56d403981

SHA512
c2c56dfc650bd6401e98101f00f75a9e333677fdaa9006aaca86b50d70966ad81943cee5c65052813cc5865ed2e1d7ff96b664cc675d1758e012bfcffdd9b3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Phenomenon

Filesize
22KB

MD5
05acc2c532b339ae2a048314dccb2bce

SHA1
7a06e246ad283654c040f55241d20cc3ecd5b0e8

SHA256
57e9b2a94cf474411fa6395e601efaffcb894395e0624b6c2242a1e782d144e5

SHA512
05407f0453826dd9ae5281c5d4c9e768897bafcbe73d6acb0a80ff9efc7082b8dd42ebe8d8ea0bd9261afc82474e558514397e9f57ee570735fdf7731f832eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pitch

Filesize
14KB

MD5
f1a9d44c7e3758ca9dfdae1182256e76

SHA1
b4456482a0d76399b155ac6788749be2bdb12ba6

SHA256
9cae9fc2200459d69a119b7ffd95e75c4d53ede32d9d394c15ec4cb19c8ac8cd

SHA512
8a3a3bb0d9cec4bdda515a1f10ed7f0f3341e813397970be83a1b60b4a622600bcce2abb163afd29b62818b97dc39caf9570a2cea0018a0ced703a1b058894d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Radios

Filesize
56KB

MD5
b20fa9ef1174947acdc4a9846333f36f

SHA1
ec6f2624e66250ef03a8e43a1d2dd63db3094ab9

SHA256
250ff5b66e141a864a838fcaae2757b77dd4e32b130a5360c95baa408b37abe3

SHA512
7d684ce6586d3703fee97b3e059d1241cb386689836a00d5f3f57148390c0053848e60bd87afcebbf21235bcb590d66b8e3bfad4443df413802529c83b8d355b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rb

Filesize
51KB

MD5
bb9479999fa8e8d2357858f9bc13c624

SHA1
14275a134e8846587a15098143b6ef5725b4a781

SHA256
fab163cf0618114d25b89c4d5ea1a80afe55860888dfd269e6f2274bf2da0f8c

SHA512
6f7e8483211d88430ce8d9eb9757cbe2dc98946f55e1474f47383503768d3c3bb6bbc7946491bc045d3fe0a1fcd89a03d0d5c3ae76ee9d1dd02aa994e91d2461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reached

Filesize
193B

MD5
b8d87f89dbb78ade03e66cbb417dadfb

SHA1
051c9f18770f3debf83cf1de47451bd1c2ccc7ff

SHA256
b0f1ba9c4210a321e4294de108d755be0a6ec74009de1077f9625290f7fc30f2

SHA512
731fbc0eb10e52e8d1910cc641ad61920b2a1d2dc341aba950ea769b5a3e3a6435b05a795e80fa591f8fa3ca2e64294d897bfc12f168f2339badb566f9a8ee6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Relocation

Filesize
45KB

MD5
014a32d860ea71ce3da8a9ad5a0b6a20

SHA1
b6ea93e9b181a6daa09341bf08f0823cb456bec9

SHA256
c141ed8f5edf8f9cb910b7a0ecbbd2e8419558b1d004fa1205e9513242fa7546

SHA512
1f7b0cefd216e94853e63b7545b985ee741d0b702229917185d52b7c9db52098322f025e8ce6cfbf5f4f6a31f69e5d4c4da6d494f2370df8ee5afcbda8a67895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Shades

Filesize
32KB

MD5
d3f33efe60986ae6e19ddbf88996b6b2

SHA1
cc7f8446a24f0caecbd32b088c69827302ce3e52

SHA256
b4f06c73ab45dfda45d43c89863b9a6d4a7dc8793fd5c9aa0c975894ffcf6b98

SHA512
1f23efd0a30f24429d0740f270ea2928b37973b6ee46d4fc74f4cb46b8be96cd12446bccb94509c1a5617ea9b91c3677bc7ef5648f324f8f7faff8c2ce281814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stress

Filesize
60KB

MD5
e7a9f69e9cb8756fdc28ee571ccf44c0

SHA1
c95c9d89b468a49688e5fe0a1815792053444422

SHA256
34e6d06f9165232b79b01fb2ef98441b8a5fabd916d70d9f63de2ba382942de2

SHA512
b803394cf5ea031135f881473855bdfbfbb8d104a0e3d1a7e1460b5fac5fce8982a83aa26707f28153d3a9578398f3c9e2995863cce7c37010b42b7073298d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Surfaces

Filesize
32KB

MD5
abd0c385b8f946d9ecdd9714136c76ce

SHA1
cccd9c745149a5ff9674377d90330a6dfd197fdc

SHA256
2e3d927996819e69633de40cd8e7016e531fce0ae80a1c053ee70157ff716d6c

SHA512
9b7e5183b14a5609c5a1f41f58c70aeb1313dad351256e52ca8050988226321124a2079ab8dbd863d7215f9201845bfff3b2ad2d2881b7b707486cd6553631a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Technique

Filesize
48KB

MD5
da9e230c9d95aa47f18f5d9f4898f94a

SHA1
04903bbe23ffea0097cbfb18a27a2106f8c19c3a

SHA256
3aafbb1246924f7db47a5cd38bc09872547a7942aea036fcec4b6da3f78c1232

SHA512
fd0e8b4a1e893c1810f10427aaa6d555612518bbdcdd5addcd9e9460da11f80535623058e7fc57b267401b3d29a1f20fb9dfa2de3ddc13d9a03b3141d77f6738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wonder

Filesize
28KB

MD5
c7ccc2e3093614ca1fb5a4bc5ed467e1

SHA1
99e159f9a6478f4accd70cae77ad180fa294dc70

SHA256
1db28cada947fb8d37e9550a08718774f7d55f64f3ff3b2ee9b1b8ad9db8ce34

SHA512
6d77c91c8c2a80742f1cedb69cde2cf3d68bd74764a76cbb086daa015b3d18eeb9131919ea93cf13e9f400d824809bf8a2ee40fd1353a04bee392ebcbe09fb36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Za

Filesize
18KB

MD5
14e0d2a31ef79d37669d4f65db310bd1

SHA1
8908a3b1b30d5bcb5aea066eac185f3cd76ed2d2

SHA256
1c86e9dcc3f6bb33efd2f5bbf62ead4b83a2f884813cc8d4cb35f0926337fc01

SHA512
ad4fb2c7c501c248ad9cbda8dddd1d8a22a51d01bc1cf82a4316c2bc5d839bbbf9dce90a47f9a029d86d8cb8ade1428bdaffa1927d8414b8c9cfd381ca44c12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0e7000518a594147acd303680b13cb64

SHA1
ea207e671b0d725ad2b651ae13fbc767745bcdec

SHA256
96106e144e177904443f94723470f410f6f68bd5121581eff78557ece9b36e34

SHA512
6126c616083205c002157b0eec7e290b5e52cf6467be5e9936a86e01f6d64f3af2a1f962159f1cf8f72b02b9398c1f4b46e820dec28855f0826ae77fe6e038e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
591db663f820cdbd667b160d37962551

SHA1
830dd72ceed743d42094c462a880e3e3bd9ad500

SHA256
6e8dd31addf64c3246eb18d3cf17d2d6b3a5f0e597821e69b030d3b3207f0fb6

SHA512
5c10cb859633e4ebdafaf82bf71adb98db7e9d7957ddf907e01c8c8545129cef614fea26d064f7e51925102a69430cc95f8760b79ffb749690329316e3b0aa51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c6ab402c7114c2d88f0b724d0a51c279

SHA1
51800630c1261868f47aab9f1308b6c4580fcd61

SHA256
44e11f61fc76bc867a25319c19c918a7b16daa441aaeea12f834cb99d1c3a288

SHA512
c28a2b1b3aaf171238f21fdf73ecabc820432eb40091080b87d84c6b73cfca7f998558bb6292e67cf8286afba268e7a5ba97f0b9eb33ccd43752be79f5aceae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ueijgwts.pez.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
a76af35efd631ccb3f7f8db025eecec7

SHA1
5fc9f9afdaa57062925c864d91f4503899fceaac

SHA256
d98c6eed685e2a5acdf2e534a5449c367c106000a717f58d84181c09b5d987dc

SHA512
76ee00a0ad6fc2e5125708a0f870c7158ec1bd0ed5136f247125baa4a5a0b2cfe8f666188bc80ccdb627dcd292c85bcff7705d71e66f50a78aa71893b8b87bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
673f197c869fb9a2de4dd743065da496

SHA1
c5ea4d4ca19f0bc4c3d2e11d24f6d06618973dcc

SHA256
641a6089171f6eddd239644b60686b2e52502101c9d02571bda03a7c9694ecaf

SHA512
950fc091f9ec178aaac58481bf9e745df39243230ee3a066d38f62ba435478ccc38367a6d95f17348c9164c3567dfa376ea12f0ab8062a2732fe4e77c0e77f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\upo.0.exe

Filesize
223KB

MD5
816cbc57fc20eb01645497ed35bdeb19

SHA1
3222b725c5031a12b310ef8c1b8bb120b345c80e

SHA256
c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53

SHA512
2bf23ac407844682107c68705e0ac072d7a8767f0c9a8c2bb913cc394e6c85bd22a7024c5253130f4a5b26a083e9518f2d4f21b775da6d2812ab808587aa399e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upo.1.exe

Filesize
576KB

MD5
9ad529d04bba59270326802f05eea285

SHA1
9b0439ebc689c5ce31675a75219b33ba66eb8d1a

SHA256
337471d45b8cae5a0a6ca2b6f2f6d162adbd6f251a8cb510b6d4a400e4a0a96e

SHA512
5bc52c7c5f13aa8d282bf1615c84dcb82e5d1375a4c10342d2f726dbe6f250bce97141efe855f71b71ad0bf096fff62eeeea631e6ba5a5094cf2b375cfe5de0d

Download Submit
C:\Users\Admin\Pictures\RgE6Zg7foUtn4zNX7IV77i7F.exe

Filesize
364KB

MD5
17ae1a58d1a582890ef6f3eb8c2936fe

SHA1
cddf7c81e45fdec83cb81dca6faff0bdc5cb5661

SHA256
b883b97b17450a10f95eba96de2c9921b2527d5ff6948a61a6147c94bd023fe6

SHA512
6e7da090a92470421a623303b66a2d5b2577ecb755e7cf8283511b04d79dde9af1375df245cb4da69f94b2a971f839d734e21b6b07e962dfadd50af8ac4db41d

Download Submit
C:\Users\Admin\Pictures\WvRR3SpYI4RA6aoeQNKnwJLB.exe

Filesize
760KB

MD5
b014a9fa212f522998525a0d50513237

SHA1
2e0f6e70510af4f265e74c423a5994d5926e8620

SHA256
64c69d08fe3c0f60d11aa4c93ee181b34cb8769175f4cb6c6c4dbb799d029e90

SHA512
944f0d681a0c54ee3b8a14ade618eb26291ce457c3bf56a8234748257e8e8cec36cbfd9db63ba0964c42503db29999e919799e587488d34038824e47159f383a

Download Submit
C:\Users\Admin\Pictures\Y4tM4ZZDFTZyV0SDxTaxnUOn.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\dMzItUMgFpswT7z9NggYlSZQ.exe

Filesize
128KB

MD5
c37b36b17b1eac4e69d482e07096c061

SHA1
3a1cf32bc12b844491e15370d7cf6ad665c4c29f

SHA256
804cf7ae91507c99c661d096cff0c595f540e82c4dd7116cf64eb581abfab6e2

SHA512
62a4f629c4487197e790cdd5badb4e83d4fa71df4a69b6952a8e95cc384a3d0a31e7e7eae183fcc6c297ddae0c42b35524eaf268d46002fafecd1396144669f7

Download Submit
C:\Users\Admin\Pictures\dMzItUMgFpswT7z9NggYlSZQ.exe

Filesize
1.2MB

MD5
3440065098a4a9adce69991dc9fddc68

SHA1
b233d62ea5a9c4cbdfb68a94627d290da4167e07

SHA256
3d91aba8ad0c0a02589ab1ff080a25c209fce1a3bbedde9598c78cf937325c32

SHA512
29be4ba0816d61db01eacdd4f51def00505d981ebf58268ad4e606da14695d2c53e0b1c92ff2f2373020882e8db3a72d3d430f8d4e60ec702a365cd57145da22

Download Submit
C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe

Filesize
2.1MB

MD5
98a614c32f63103813a9f9ed610f3971

SHA1
e8f90f2f2fa4c72a5b7b65025570ceb6f604b03b

SHA256
fb396e9aa9116781904621cad9ecc9793018d2120d9aa9c4f958c40b2bf62c5b

SHA512
32b1373169fe030a73aadcc110c779559dbf8ce6699155b975ce967cf2dc03207f01fce4c92955ef670d5251c6d792c5343cf4db9daa471914080c8aea0f1ffc

Download Submit
C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe

Filesize
3.6MB

MD5
6f48d89d3fc445e2f23c6c3c2298fc00

SHA1
a1ba97ff9bb29a7095217a4e7613401d5686bd3f

SHA256
35244577e19a854d4d2e93ae9de3f82678c51f56ea3e7fc4f09455034119a163

SHA512
3d43ab7f1f65ab33a7852611cc80a0aeed357018eab75b3c460632b08fc28ec8d570acdbe2d50b9f8b564661daeba0c0346911528c13c5f70ddcd42dbd80bf02

Download Submit
C:\Users\Admin\Pictures\gSmdAUGX92vg8dpCa26nABpf.exe

Filesize
1.9MB

MD5
9d7d59a4e257a7c10c5481b61dd25279

SHA1
a079fbbe225bc97fc0de044171d1bec8925bba07

SHA256
73aa5c4866c0fee7168d78c7ed9c580ba6c4d687cbe4ffc4bc86ad661ae41056

SHA512
59d0a927aed135f7477b96b09fe13697a9e06230bd9e2467c2558b32de743d1e7d531d53af43d0d0eac565201dd97dccdb81f8e908e5026b0bc09b47c6883329

Download Submit
C:\Users\Admin\Pictures\iAtEC5iri47Gyzu1pyQ0rYg4.exe

Filesize
1.2MB

MD5
8a51c27bb95393ef669bcc7616679546

SHA1
d42ebb54d95390c4254aeed6d819e5fbf2ddd67c

SHA256
750374ae0d729f9d682cf2f984cb65a63ca9c28f060f79e3f2244c2788a2f3e7

SHA512
db2a1572504ff7353d57ba57f2c157c8844245583629831155c66efeb6f004e24da51110df160f96291529946b22791b7a2baa31014b2f1460e1eda3ae503637

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
21efccb1731887526faaa98950885b08

SHA1
d6b3e9de196d590fccfd541c1a2c92fd251a0ccc

SHA256
af4bdbeff46e4b59ec17aef320a63d6e36250b8f3c8ae49892d3043f9c630cec

SHA512
3413b47599146ebb24fdb8f69b742fc4737f7988b5484285f1f26cad112f17b2d86ce4fd52085782f60a0e3bbe90f779a18ef12ced5b650c268c66fcc9cf33fd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
053e58dd447b4402411825e4a6cd4aee

SHA1
9f6faf73314359f6dcff7d98295c7f1d5131098e

SHA256
9426284c68c6a56ccb7ce65db67b281e00a16cf69f98a84cd725cb263b51341d

SHA512
13052bdce2fa542747e83dbada25a6444799426c9634be066d23716ac9bfb1f921a4a560876a392d5b65dd3c8c364b3d988445448efe8187f17655c6708d1aeb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
d53a5fb3dac5e8e90143a25d1275611c

SHA1
17008d67062c7a82c3cea1a4e58d8738bf4a2ea5

SHA256
5e7320ac0dd7869fca448d72aa09801b5f6ddfae0ad4abd19cf2a723a5aa56da

SHA512
71072ca9fbd30502df2260ee2b4d5f36bfc42308b8afa8ab8aa2c6943b8c84eafa3a48214c8e87d68ac009b1d10090afd538f80ae3b5d856d0cd23983312d7de

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e86553acd54dfb5f4af93e4496a98e93

SHA1
99160a5206dacc54b30341ef56dec48577cd04f3

SHA256
3018b3ed8cac9d6fd729c2800c98c5fd4a73b62eb9435c043236d8a4b0152c12

SHA512
fc710731094aa87164ac2dd65036565689be0319600e364fcac152169a958164ad28365a93c3117b3aec12171a8ef7118d9dd1d50a7b20a40e074b0fd2e3e7c1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
4cd785bc983f7182dd148385a5ef3d28

SHA1
915beb57e47c480b94de56854e7242a9ff2a7ca2

SHA256
41cd89e53cab0fb88c5a884c9e12f7e1d28368dd49f9e488e36d04b4f7cd1b66

SHA512
4f2d0129057cc70ea94526cbf8dac58a2df9e7376706d2ff7328bf7aa9e6fde303c5d50504ea9e0b821012cbb7773774b713ad86a693def8eac0abed2f69a19c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
9138ebb05dab358011280960d32f9baa

SHA1
360fb90328c288930f9d519afdfc86297a1b8cb6

SHA256
8c464bf0fa3c38d2f215e0ca070b1f237542ec170abc72270c3c5bb1cda02b19

SHA512
82541d65f9b4786cc930f21a1bbc287463f00005a2942056923a2eeaf1bac47eece27d996ff8d82beebd676127f0e03d308f3590293ec06b10bc6cb4cfb2a448

Download Submit
memory/208-1521-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/208-4013-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/208-3076-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/208-2038-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4799-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4805-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4779-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4786-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4795-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4802-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4790-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/440-4389-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/604-2148-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/604-2071-0x0000000008750000-0x000000000879B000-memory.dmp

Filesize
300KB

Download
memory/604-2147-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/604-2155-0x00000000099F0000-0x0000000009A95000-memory.dmp

Filesize
660KB

Download
memory/924-413-0x0000000000400000-0x0000000002597000-memory.dmp

Filesize
33.6MB

Download
memory/924-161-0x0000000000400000-0x0000000002597000-memory.dmp

Filesize
33.6MB

Download
memory/1184-1314-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1184-2065-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1304-398-0x000000006E450000-0x000000006E7A0000-memory.dmp

Filesize
3.3MB

Download
memory/1304-156-0x00000000074E0000-0x0000000007546000-memory.dmp

Filesize
408KB

Download
memory/1304-397-0x000000006ED40000-0x000000006ED8B000-memory.dmp

Filesize
300KB

Download
memory/1304-155-0x0000000006D60000-0x0000000006D82000-memory.dmp

Filesize
136KB

Download
memory/1304-157-0x0000000006E20000-0x0000000006E86000-memory.dmp

Filesize
408KB

Download
memory/1304-162-0x00000000076B0000-0x00000000076CC000-memory.dmp

Filesize
112KB

Download
memory/1304-163-0x0000000007E20000-0x0000000007E6B000-memory.dmp

Filesize
300KB

Download
memory/1320-75-0x00007FF95CBF0000-0x00007FF95D5DC000-memory.dmp

Filesize
9.9MB

Download
memory/1320-23-0x00007FF95CBF0000-0x00007FF95D5DC000-memory.dmp

Filesize
9.9MB

Download
memory/1320-13-0x000001AA6F6F0000-0x000001AA6F766000-memory.dmp

Filesize
472KB

Download
memory/1320-9-0x000001AA6F540000-0x000001AA6F562000-memory.dmp

Filesize
136KB

Download
memory/1320-14-0x00007FF95CBF0000-0x00007FF95D5DC000-memory.dmp

Filesize
9.9MB

Download
memory/1320-10-0x00007FF95CBF0000-0x00007FF95D5DC000-memory.dmp

Filesize
9.9MB

Download
memory/1468-212-0x0000000009500000-0x000000000953C000-memory.dmp

Filesize
240KB

Download
memory/1468-382-0x000000006ED40000-0x000000006ED8B000-memory.dmp

Filesize
300KB

Download
memory/1468-385-0x000000006E450000-0x000000006E7A0000-memory.dmp

Filesize
3.3MB

Download
memory/1548-1531-0x000000006E1D0000-0x000000006E520000-memory.dmp

Filesize
3.3MB

Download
memory/1548-1530-0x000000006E180000-0x000000006E1CB000-memory.dmp

Filesize
300KB

Download
memory/1940-4562-0x0000000009950000-0x00000000099F5000-memory.dmp

Filesize
660KB

Download
memory/1940-4537-0x0000000008430000-0x000000000847B000-memory.dmp

Filesize
300KB

Download
memory/1940-4557-0x000000006F6E0000-0x000000006FA30000-memory.dmp

Filesize
3.3MB

Download
memory/1940-4556-0x000000006F690000-0x000000006F6DB000-memory.dmp

Filesize
300KB

Download
memory/1940-4536-0x0000000007FC0000-0x0000000008310000-memory.dmp

Filesize
3.3MB

Download
memory/2424-2074-0x0000021C51940000-0x0000021C51A4A000-memory.dmp

Filesize
1.0MB

Download
memory/2424-3849-0x0000021C51C80000-0x0000021C51D32000-memory.dmp

Filesize
712KB

Download
memory/2424-4000-0x0000021C55FD0000-0x0000021C55FD8000-memory.dmp

Filesize
32KB

Download
memory/2424-2080-0x0000021C517E0000-0x0000021C51804000-memory.dmp

Filesize
144KB

Download
memory/2424-3998-0x0000021C55F70000-0x0000021C55F78000-memory.dmp

Filesize
32KB

Download
memory/2424-3859-0x0000021C51E30000-0x0000021C52130000-memory.dmp

Filesize
3.0MB

Download
memory/2424-3855-0x0000021C38DA0000-0x0000021C38DAA000-memory.dmp

Filesize
40KB

Download
memory/2424-4295-0x0000021C571C0000-0x0000021C571DE000-memory.dmp

Filesize
120KB

Download
memory/2424-3851-0x0000021C51D30000-0x0000021C51D5A000-memory.dmp

Filesize
168KB

Download
memory/2424-3850-0x0000021C51D80000-0x0000021C51DD0000-memory.dmp

Filesize
320KB

Download
memory/2424-2077-0x0000021C38E80000-0x0000021C38E94000-memory.dmp

Filesize
80KB

Download
memory/2424-2076-0x0000021C51780000-0x0000021C5178C000-memory.dmp

Filesize
48KB

Download
memory/2424-3848-0x0000021C51810000-0x0000021C5181A000-memory.dmp

Filesize
40KB

Download
memory/2424-3999-0x0000021C56E00000-0x0000021C56E38000-memory.dmp

Filesize
224KB

Download
memory/2424-2069-0x0000021C33930000-0x0000021C37164000-memory.dmp

Filesize
56.2MB

Download
memory/2424-4012-0x0000021C57180000-0x0000021C571A2000-memory.dmp

Filesize
136KB

Download
memory/2424-2075-0x0000021C38E70000-0x0000021C38E80000-memory.dmp

Filesize
64KB

Download
memory/2424-4011-0x0000021C57120000-0x0000021C57182000-memory.dmp

Filesize
392KB

Download
memory/2424-4017-0x0000021C57110000-0x0000021C5711C000-memory.dmp

Filesize
48KB

Download
memory/2424-4014-0x0000021C576E0000-0x0000021C57C06000-memory.dmp

Filesize
5.1MB

Download
memory/2424-4010-0x0000021C57100000-0x0000021C5710A000-memory.dmp

Filesize
40KB

Download
memory/2680-396-0x000000000A730000-0x000000000A7D5000-memory.dmp

Filesize
660KB

Download
memory/2680-380-0x000000000A6F0000-0x000000000A723000-memory.dmp

Filesize
204KB

Download
memory/2680-386-0x000000006E450000-0x000000006E7A0000-memory.dmp

Filesize
3.3MB

Download
memory/2680-152-0x0000000007A40000-0x0000000008068000-memory.dmp

Filesize
6.2MB

Download
memory/2680-414-0x000000000A950000-0x000000000A9E4000-memory.dmp

Filesize
592KB

Download
memory/2680-151-0x0000000005290000-0x00000000052C6000-memory.dmp

Filesize
216KB

Download
memory/2680-381-0x000000006ED40000-0x000000006ED8B000-memory.dmp

Filesize
300KB

Download
memory/2680-160-0x00000000083B0000-0x0000000008700000-memory.dmp

Filesize
3.3MB

Download
memory/2680-387-0x000000000A6D0000-0x000000000A6EE000-memory.dmp

Filesize
120KB

Download
memory/2680-319-0x00000000098B0000-0x0000000009926000-memory.dmp

Filesize
472KB

Download
memory/2804-2-0x00000230D7DD0000-0x00000230D7E2E000-memory.dmp

Filesize
376KB

Download
memory/2804-0-0x00000230BD850000-0x00000230BD87A000-memory.dmp

Filesize
168KB

Download
memory/2804-1537-0x00007FF95CBF0000-0x00007FF95D5DC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-1315-0x00007FF95CBF3000-0x00007FF95CBF4000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x00007FF95CBF0000-0x00007FF95D5DC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-1-0x00007FF95CBF3000-0x00007FF95CBF4000-memory.dmp

Filesize
4KB

Download
memory/3052-1524-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/3052-2039-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/3052-3995-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/3052-3077-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/3568-4789-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3568-707-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3568-3854-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3568-2037-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3568-4778-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/3744-2050-0x0000000000E20000-0x0000000000ECE000-memory.dmp

Filesize
696KB

Download
memory/4152-1375-0x000000006E1D0000-0x000000006E520000-memory.dmp

Filesize
3.3MB

Download
memory/4152-1380-0x00000000095B0000-0x0000000009655000-memory.dmp

Filesize
660KB

Download
memory/4152-1374-0x000000006E180000-0x000000006E1CB000-memory.dmp

Filesize
300KB

Download
memory/4288-1308-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4288-1295-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4288-704-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4320-2176-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

Filesize
4KB

Download
memory/4320-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4320-24-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

Filesize
4KB

Download
memory/4428-2157-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/4428-2068-0x0000000007E00000-0x0000000008150000-memory.dmp

Filesize
3.3MB

Download
memory/4428-2156-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/4496-404-0x000000006E450000-0x000000006E7A0000-memory.dmp

Filesize
3.3MB

Download
memory/4496-1173-0x00000000075F0000-0x00000000075F8000-memory.dmp

Filesize
32KB

Download
memory/4496-399-0x000000006ED40000-0x000000006ED8B000-memory.dmp

Filesize
300KB

Download
memory/4496-1144-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/4544-2162-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/4544-2164-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/4656-1306-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4656-705-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4656-1296-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4696-1302-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4696-1294-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4696-703-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4784-4316-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/4784-4315-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/4824-4784-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4856-2163-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/4856-2165-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/4864-1304-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4864-706-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5140-3753-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/5140-3750-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/5332-1529-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5332-3080-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5332-2053-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5332-3832-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5420-4800-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5420-4796-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5428-3087-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/5428-3084-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/5472-1536-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5472-3996-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5472-3081-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5472-2175-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5720-4040-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/5720-4044-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/5840-3101-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/5840-3100-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/5840-1382-0x000000006E1D0000-0x000000006E520000-memory.dmp

Filesize
3.3MB

Download
memory/5840-1381-0x000000006E180000-0x000000006E1CB000-memory.dmp

Filesize
300KB

Download
memory/5840-1323-0x0000000008780000-0x00000000087CB000-memory.dmp

Filesize
300KB

Download
memory/5840-1322-0x0000000007D10000-0x0000000008060000-memory.dmp

Filesize
3.3MB

Download
memory/5872-3108-0x000000006EDC0000-0x000000006EE0B000-memory.dmp

Filesize
300KB

Download
memory/5872-3115-0x000000006E470000-0x000000006E7C0000-memory.dmp

Filesize
3.3MB

Download
memory/5980-4794-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5980-4797-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download