Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-05-2021 07:07

General

  • Target

    d69ad8d2f432e57d4f5ecf5d7e7f9300.exe

  • Size

    6.1MB

  • MD5

    d69ad8d2f432e57d4f5ecf5d7e7f9300

  • SHA1

    4db420d6dfc64506e6e8b71ff63e4b240f2a562c

  • SHA256

    21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15

  • SHA512

    d21339419c6a85cb0454e3821d9cf8526b8913007fc500e026dfb6ba28cca96057695f2fa8d283f2b037b467a4229fe9f2b2dcd7cd33c9b0e37925a46e2b3f34

Malware Config

Extracted

Family

vidar

Version

38.8

Botnet

827

C2

https://HAL9THapi.faceit.comlegomind

Attributes
  • profile_id

    827

Extracted

Family

redline

Botnet

BBS1

C2

87.251.71.193:80

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Vidar Stealer 2 IoCs
  • Blocklisted process makes network request 62 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 36 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 64 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar account data.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 50 IoCs
  • Drops file in Windows directory 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as behaviour commonly seen in ransomware; in this sample it accompanies the drive enumeration performed by the installed infostealers.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies data under HKEY_USERS 33 IoCs
  • Modifies registry class 37 IoCs
  • Modifies system certificate store 2 TTPs 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 11 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
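Several of the signatures above (SCSI and processor registry checks, the Run key, the lookup for Wireshark/Fiddler) describe registry behaviour that is easy to turn into detection logic. The following Python is an added example, not part of this report or of the sandbox's own rule set: it runs three heuristics over constructed registry-access events of the kind a sandbox records. The event schema, the System32/SysWOW64 exclusion, the user-writable path list and the interception-tool name list are assumptions, and the sample events are modelled on the process tree in this report rather than taken from it.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sandbox-style registry events (sample input, not taken from the report).
# Assumed fields: pid, image (process path), op ("read" or "set"), key, value, data.
REGISTRY_EVENTS = [
    {"pid": 1624, "image": r"C:\Users\Admin\AppData\Local\Temp\nva1pi3v.ldw\toolspab1.exe",
     "op": "read", "key": r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "value": "Identifier", "data": None},
    {"pid": 1960, "image": r"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe",
     "op": "read", "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "ProcessorNameString", "data": None},
    {"pid": 284, "image": r"C:\Windows\system32\svchost.exe",
     "op": "read", "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "~MHz", "data": None},
    {"pid": 2220, "image": r"C:\Users\Admin\AppData\Roaming\8554646.exe",
     "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Host", "data": r"C:\ProgramData\Windows Host\Windows Host.exe"},
    {"pid": 1960, "image": r"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe",
     "op": "read", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark",
     "value": "DisplayName", "data": None},
    {"pid": 1960, "image": r"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe",
     "op": "read", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}",
     "value": "DisplayName", "data": None},
]

# Keys read by VM/sandbox fingerprinting code: SCSI identifiers and the CPU
# description string name the hypervisor or the analysis VM's virtual disk.
SANDBOX_KEYS = re.compile(r"\\HARDWARE\\(DEVICEMAP\\Scsi|DESCRIPTION\\System\\CentralProcessor)\\", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
# Assumed list of network interception tools to look for in key paths.
INTERCEPTION_TOOLS = ("wireshark", "fiddler", "charles", "httpdebugger", "mitmproxy")
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM_IMAGE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    key: str


def classify(ev):
    """Return the findings a single registry event triggers (possibly none)."""
    out = []
    key, image, op = ev["key"], ev["image"], ev["op"]
    # Rule 1: hardware fingerprint reads are routine for OS components but
    # suspicious from a dropped binary, so images in System32/SysWOW64 are excluded.
    if op == "read" and SANDBOX_KEYS.search(key) and not SYSTEM_IMAGE.match(image):
        out.append(Finding("sandbox_fingerprint", ev["pid"], image, key))
    # Rule 2: a Run value whose data points into a user-writable directory.
    if op == "set" and RUN_KEYS.search(key) and USER_WRITABLE.match(ev.get("data") or ""):
        out.append(Finding("run_key_persistence", ev["pid"], image, key))
    # Rule 3: the key path names a network interception tool (analysis-evasion check).
    if op == "read" and any(t in key.lower() for t in INTERCEPTION_TOOLS):
        out.append(Finding("interception_tool_lookup", ev["pid"], image, key))
    return out


def scan(events):
    """Apply classify() to every event and flatten the findings."""
    return [f for ev in events for f in classify(ev)]


def summarize(findings):
    """Count findings per rule, e.g. {'sandbox_fingerprint': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan(REGISTRY_EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {f.key}")
```

The System32 exclusion in rule 1 is what keeps the svchost.exe read of CentralProcessor out of the results; without it the rule fires on every boot of a clean machine. Rule 2 deliberately keys on the target path rather than the value name, because the name ("Windows Host" here) is chosen to look benign.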

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:468
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:284
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:844
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 335FA3DDA74E81DBDE4622058CC03C27 C
        3⤵
        • Loads dropped DLL
        PID:2076
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding C15E4982D0F517F4CD7106DFFC5115B1
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1208
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
          4⤵
          • Kills process with taskkill
          PID:2652
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding F33315BA5C244DB2FCC7EDD718317C4E M Global\MSI0000
        3⤵
        PID:2204
  • C:\Users\Admin\AppData\Local\Temp\d69ad8d2f432e57d4f5ecf5d7e7f9300.exe
    "C:\Users\Admin\AppData\Local\Temp\d69ad8d2f432e57d4f5ecf5d7e7f9300.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        PID:304
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2736
    • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        3⤵
        PID:2924
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im RunWW.exe /f
          4⤵
          • Kills process with taskkill
          PID:2956
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          4⤵
          • Delays execution with timeout.exe
          PID:3000
    • C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:1340
      • C:\Users\Admin\AppData\Roaming\3477917.exe
        "C:\Users\Admin\AppData\Roaming\3477917.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2052
      • C:\Users\Admin\AppData\Roaming\8554646.exe
        "C:\Users\Admin\AppData\Roaming\8554646.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        PID:2220
        • C:\ProgramData\Windows Host\Windows Host.exe
          "C:\ProgramData\Windows Host\Windows Host.exe"
          4⤵
          • Executes dropped EXE
          PID:2556
      • C:\Users\Admin\AppData\Roaming\6442378.exe
        "C:\Users\Admin\AppData\Roaming\6442378.exe"
        3⤵
        • Executes dropped EXE
        PID:2448
    • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\rUNdlL32.eXe
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:404
    • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Users\Admin\AppData\Local\Temp\is-MCU1T.tmp\LabPicV3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-MCU1T.tmp\LabPicV3.tmp" /SL5="$300F6,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:968
        • C:\Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\3316505.exe
          "C:\Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\3316505.exe" /S /UID=lab214
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          PID:2176
    • C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\is-6APTS.tmp\Versium.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-6APTS.tmp\Versium.tmp" /SL5="$300D6,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of FindShellTrayWindow
        PID:1108
        • C:\Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\Setup.exe" /Verysilent
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          PID:2360
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            5⤵
            PID:2848
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2876
    • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
      "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1364
  • C:\Users\Admin\AppData\Local\Temp\is-8Q5MF.tmp\lylal220.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8Q5MF.tmp\lylal220.tmp" /SL5="$400C8,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:480
    • C:\Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\4_177039.exe
      "C:\Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\4_177039.exe" /S /UID=lylal220
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      PID:2104
      • C:\Program Files\Windows Journal\TPCLHYQQNY\irecord.exe
        "C:\Program Files\Windows Journal\TPCLHYQQNY\irecord.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3032
        • C:\Users\Admin\AppData\Local\Temp\is-E3N30.tmp\irecord.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-E3N30.tmp\irecord.tmp" /SL5="$40184,6139911,56832,C:\Program Files\Windows Journal\TPCLHYQQNY\irecord.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:3052
          • C:\Program Files (x86)\recording\i-record.exe
            "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2288
      • C:\Users\Admin\AppData\Local\Temp\f5-6d2c7-7f3-859a5-3d391166124ca\Disihokaesha.exe
        "C:\Users\Admin\AppData\Local\Temp\f5-6d2c7-7f3-859a5-3d391166124ca\Disihokaesha.exe"
        3⤵
        • Executes dropped EXE
        PID:2128
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2608
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1724
      • C:\Users\Admin\AppData\Local\Temp\9d-f3353-24c-d1592-dcb47fbe1d85e\SHisosyshaelo.exe
        "C:\Users\Admin\AppData\Local\Temp\9d-f3353-24c-d1592-dcb47fbe1d85e\SHisosyshaelo.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:2368
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k1i10qrm.mz2\001.exe & exit
          4⤵
          PID:2464
          • C:\Users\Admin\AppData\Local\Temp\k1i10qrm.mz2\001.exe
            C:\Users\Admin\AppData\Local\Temp\k1i10qrm.mz2\001.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2096
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pw1lpurr.nih\GcleanerEU.exe /eufive & exit
          4⤵
          PID:2204
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\raizlai0.wxw\installer.exe /qn CAMPAIGN="654" & exit
          4⤵
          PID:2924
          • C:\Users\Admin\AppData\Local\Temp\raizlai0.wxw\installer.exe
            C:\Users\Admin\AppData\Local\Temp\raizlai0.wxw\installer.exe /qn CAMPAIGN="654"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates connected drives
            • Modifies system certificate store
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of FindShellTrayWindow
            PID:2592
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\raizlai0.wxw\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\raizlai0.wxw\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621494577 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
              6⤵
              PID:1584
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r44g0lnt.kit\hbggg.exe & exit
          4⤵
          PID:2420
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xjujoe3w.gd0\Setup3310.exe /Verysilent /subid=623 & exit
          4⤵
          PID:2624
          • C:\Users\Admin\AppData\Local\Temp\xjujoe3w.gd0\Setup3310.exe
            C:\Users\Admin\AppData\Local\Temp\xjujoe3w.gd0\Setup3310.exe /Verysilent /subid=623
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2900
            • C:\Users\Admin\AppData\Local\Temp\is-0P6VK.tmp\Setup3310.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-0P6VK.tmp\Setup3310.tmp" /SL5="$302DC,138429,56832,C:\Users\Admin\AppData\Local\Temp\xjujoe3w.gd0\Setup3310.exe" /Verysilent /subid=623
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies system certificate store
              • Suspicious use of FindShellTrayWindow
              PID:2876
              • C:\Users\Admin\AppData\Local\Temp\is-BOBAD.tmp\Setup.exe
                "C:\Users\Admin\AppData\Local\Temp\is-BOBAD.tmp\Setup.exe" /Verysilent
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                PID:2120
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\msqcd0wc.hye\google-game.exe & exit
          4⤵
          PID:436
          • C:\Users\Admin\AppData\Local\Temp\msqcd0wc.hye\google-game.exe
            C:\Users\Admin\AppData\Local\Temp\msqcd0wc.hye\google-game.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2208
            • C:\Windows\SysWOW64\rUNdlL32.eXe
              "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
              6⤵
              • Loads dropped DLL
              • Modifies registry class
              PID:2272
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe & exit
          4⤵
          PID:2760
          • C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe
            C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe"
              6⤵
              PID:2952
              • C:\Windows\SysWOW64\PING.EXE
                ping 1.1.1.1 -n 1 -w 3000
                7⤵
                • Runs ping.exe
                PID:812
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ps0ltvec.hdz\GcleanerWW.exe /mixone & exit
          4⤵
          PID:3008
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrek5gzf.oxl\005.exe & exit
          4⤵
          PID:2272
          • C:\Users\Admin\AppData\Local\Temp\yrek5gzf.oxl\005.exe
            C:\Users\Admin\AppData\Local\Temp\yrek5gzf.oxl\005.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2112
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nva1pi3v.ldw\toolspab1.exe & exit
          4⤵
          PID:2900
          • C:\Users\Admin\AppData\Local\Temp\nva1pi3v.ldw\toolspab1.exe
            C:\Users\Admin\AppData\Local\Temp\nva1pi3v.ldw\toolspab1.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1624
            • C:\Users\Admin\AppData\Local\Temp\nva1pi3v.ldw\toolspab1.exe
              C:\Users\Admin\AppData\Local\Temp\nva1pi3v.ldw\toolspab1.exe
              6⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:520
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nskfxoec.zlq\702564a0.exe & exit
          4⤵
          PID:2920
          • C:\Users\Admin\AppData\Local\Temp\nskfxoec.zlq\702564a0.exe
            C:\Users\Admin\AppData\Local\Temp\nskfxoec.zlq\702564a0.exe
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: MapViewOfSection
            PID:2880
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1witnil2.1xq\installer.exe /qn CAMPAIGN="654" & exit
          4⤵
          PID:828
          • C:\Users\Admin\AppData\Local\Temp\1witnil2.1xq\installer.exe
            C:\Users\Admin\AppData\Local\Temp\1witnil2.1xq\installer.exe /qn CAMPAIGN="654"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:816
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    • Executes dropped EXE
    PID:304
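The tree above shows several command-line patterns worth a detection rule: a cmd.exe child that waits with timeout.exe or ping.exe and then deletes the binary that spawned it (PIDs 2924 and 2952), cmd.exe /k launching freshly downloaded payloads from %TEMP% and exiting, rundll32.exe loading a DLL from a user-writable path with a mixed-case image name, and taskkill with a wildcard image name. The following Python is an added example, not part of this report or of the sandbox's tooling: it applies those rules to constructed process-creation events re-typed from the tree (a subset of the PIDs and command lines shown above) and walks the parent chain back to the top-level process. The event fields, the regular expressions and the user-writable path list are assumptions.

```python
import ntpath  # handles Windows paths correctly on any host OS
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed process-creation events, re-typed from the process tree above
# (a subset; PIDs and command lines as shown there). Assumed fields: pid, ppid, image, cmdline.
PROCESS_EVENTS = [
    Proc(1096, 0, r"C:\Users\Admin\AppData\Local\Temp\d69ad8d2f432e57d4f5ecf5d7e7f9300.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\d69ad8d2f432e57d4f5ecf5d7e7f9300.exe"'),
    Proc(1960, 1096, r"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe",
         r'"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"'),
    Proc(2924, 1960, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit'),
    Proc(3000, 2924, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 6"),
    Proc(480, 0, r"C:\Users\Admin\AppData\Local\Temp\is-8Q5MF.tmp\lylal220.tmp",
         r'"C:\Users\Admin\AppData\Local\Temp\is-8Q5MF.tmp\lylal220.tmp"'),
    Proc(2104, 480, r"C:\Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\4_177039.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\4_177039.exe" /S /UID=lylal220'),
    Proc(2368, 2104, r"C:\Users\Admin\AppData\Local\Temp\9d-f3353-24c-d1592-dcb47fbe1d85e\SHisosyshaelo.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\9d-f3353-24c-d1592-dcb47fbe1d85e\SHisosyshaelo.exe"'),
    Proc(2760, 2368, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe & exit'),
    Proc(2468, 2760, r"C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe",
         r"C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe"),
    Proc(2952, 2468, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\cdaryvnt.o5o\setup.exe"'),
    Proc(436, 2368, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\msqcd0wc.hye\google-game.exe & exit'),
    Proc(2208, 436, r"C:\Users\Admin\AppData\Local\Temp\msqcd0wc.hye\google-game.exe",
         r"C:\Users\Admin\AppData\Local\Temp\msqcd0wc.hye\google-game.exe"),
    Proc(2272, 2208, r"C:\Windows\SysWOW64\rUNdlL32.eXe",
         r'"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname'),
    Proc(1208, 844, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding C15E4982D0F517F4CD7106DFFC5115B1"),
    Proc(2652, 1208, r"C:\Windows\SysWOW64\taskkill.exe",
         r'"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f'),
]

# A delay primitive (timeout or a single ping with a wait) followed by a del of an .exe.
DELAY = re.compile(r"\b(?:timeout\s+/t\s+\d+|ping\s+\S+\s+-n\s+\d+)", re.I)
DELETE = re.compile(r'\bdel\s+(?:/\w\s+)*"?([^"&]+?\.exe)"?', re.I)
# cmd.exe /k <exe under C:\Users\...> ... & exit: the loader's one-shot launcher shape.
LAUNCHER = re.compile(r'/k\s+"?([A-Z]:\\Users\\[^"&]+?\.exe)"?.*&\s*exit\s*$', re.I)
# rundll32 given a DLL in a user-writable location plus an export name.
USER_DLL = re.compile(r'"?([A-Z]:\\(?:Users|ProgramData)\\[^",]+?\.dll)"?\s*,\s*(\w+)', re.I)
WILDCARD_KILL = re.compile(r"/im\s+\S*\*", re.I)


def basename(path):
    # Lower-cased so that rUNdlL32.eXe and rundll32.exe compare equal.
    return ntpath.basename(path).lower()


def analyse(procs):
    """Apply the four command-line rules and return one Finding per hit."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        if name == "cmd.exe":
            m = DELETE.search(p.cmdline)
            if m and DELAY.search(p.cmdline):
                target = m.group(1)
                # Strongest signal: the deleted file is the image of the process that spawned cmd.exe.
                who = "its parent" if parent and target.lower() == parent.image.lower() else target
                findings.append(Finding("self_delete_chain", p.pid, f"delayed delete of {who} ({target})"))
            m = LAUNCHER.search(p.cmdline)
            if m:
                findings.append(Finding("cmd_k_launcher", p.pid, m.group(1)))
        elif name == "rundll32.exe":
            m = USER_DLL.search(p.cmdline)
            if m:
                findings.append(Finding("rundll32_user_dll", p.pid, f"{m.group(1)}!{m.group(2)}"))
        elif name == "taskkill.exe" and WILDCARD_KILL.search(p.cmdline):
            findings.append(Finding("taskkill_wildcard", p.pid, p.cmdline))
    return findings


def ancestry(pid, procs):
    """Image basenames from pid up to the first process whose parent is not in the event set."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for f in analyse(PROCESS_EVENTS):
        print(f"{f.rule:18} pid={f.pid:<5} {f.detail}")
        print("    chain:", " <- ".join(ancestry(f.pid, PROCESS_EVENTS)))
```

The ancestry walk is what turns a low-value hit (a cmd.exe running ping) into a triage lead: for PID 2272 it climbs rundll32.exe, google-game.exe, cmd.exe, SHisosyshaelo.exe and 4_177039.exe back to lylal220.tmp, the Inno Setup stub that started the whole second branch. Because PIDs are reused (304 and 2272 each appear twice in the tree), production code should key on a process GUID or creation timestamp rather than the bare PID used here for simplicity.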

Downloads

  • C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe

    MD5

    96a80d0e7aafd552c6857ef310d64c7d

    SHA1

    b4f308a47c85a76e22b01cc6291c70a4e459ebe2

    SHA256

    1e706fc40379884d40b62ab4f6b26cd576447d93fc429123a2eae1b9c26892db

    SHA512

    f2671402c7eee989b62a0367eeba766ae7ac1dddfbbb45c4c62799112b8638fc798c79bb1772aa3a7a51e404239feb633ba2a03aebb84dd04a69adc47e2954b4

  • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe

    MD5

    1e09b73afa67d8bfe8591eb605cef0e3

    SHA1

    147fdec45342a0e069dd1aeea2c109440894bef9

    SHA256

    431c13d939d7460db6ec5f524145a93fae7711d61344fbf1898cea7895480286

    SHA512

    b74516b1f3d241790537aaaaf9c8b90bd2edbcf2e7693c166b11c260d6689b9e0f2a9c25b5e6787d6c717eb9ad64605b783bdd1ac09a9b50f211112007c27a49

  • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe

    MD5

    1035dfc35230ab6c46a141d8c649e920

    SHA1

    5eae1278d9f39b851f0629b5f96fe59b0aeb6c15

    SHA256

    60e93671b7e6ca75ddb53a4a2018a2b4d7873c0def05b0cc8392575e30cbe080

    SHA512

    0dd87bd8c8a58fd5f3d17b16e87873cffb74efa34c3bf7ce2b009806daaf7a50d7747ba5cd0a758870cc5ff7634c2771e8b8a950c542ec46c5e2a807b46087d2

                                        • C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe

                                          MD5

                                          f6e70fbfe1d53b8d9d6d0b273542a7f7

                                          SHA1

                                          1f962079e158b2b0b27a02e6985a14e5f739d368

                                          SHA256

                                          ba0da2f848a7beeb8109b7a4baa6f79434be60a47a3ae9a980b29568d53eb8aa

                                          SHA512

                                          2a951950502ec835bea6ef875b519941d05f00a96dd0b6b9aef59b40723d32a5a6d546e4ba39650e046bc7dd1e23eba383fc41b8f96cf5ffe406a2f17fdb5b61

                                        • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe

                                          MD5

                                          a30bdf843d0961c11e78fed101764f74

                                          SHA1

                                          0c421c3d2d007a09b9b968ac485464844fa8ca9d

                                          SHA256

                                          2c709b91decabb0daca10556e5cdd3a5efc6422ee1e27d9914475a26fa7cf219

                                          SHA512

                                          fea2281da0325f27e78483117356776400f01760c13bd3fab7c2f6ac91d5eb64300b820dedc9b55c84ecdeb7132b700a366046789b30b7ad7c9d0b9f577847bf

                                        • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

                                          MD5

                                          6bd341bfca324b52dfa4f696c7978025

                                          SHA1

                                          09029b634ff31a7e2cc903f2e1580bc6f554558d

                                          SHA256

                                          faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6

                                          SHA512

                                          d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

                                        • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe

                                          MD5

                                          1cb9c1b506a1a0e472ba4ed650b84f68

                                          SHA1

                                          967034fcd28bcf9650b4fb55cc3eee487d56bd7b

                                          SHA256

                                          c16b2b130f8099f72465ea300b41f14efa56ee8d76e8da80f048203aff69b1e4

                                          SHA512

                                          5df9c7b9ae0fa91209e92967034336f0ed8c5e884df3e89cdba59ca0d566d7419975cc8154cff41d6a71596b929ac48e4719ced06dd347f342db4eef796e6f9a

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                          MD5

                                          15775d95513782f99cdfb17e65dfceb1

                                          SHA1

                                          6c11f8bee799b093f9ff4841e31041b081b23388

                                          SHA256

                                          477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

                                          SHA512

                                          ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          MD5

                                          3300537eed8669257cc7a2691c5d162e

                                          SHA1

                                          42dad1ad3acdd620edf701c273d0a4cd37ef82eb

                                          SHA256

                                          be3e96f76b1a3640640a15318eb5e1637abee73bdadd992a1d03ece87ddb05fd

                                          SHA512

                                          7c17bc785a06f4b9d47dfbe676b669dd59e755ec6650b3c9cc742c01737a65f25a8b268629171267c969802bac42592ceeee76dc8a207f341955386b60ed6284

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          MD5

                                          11c286b1c533dcc776e201095070b688

                                          SHA1

                                          7c3cfa03842f57f8d4e6604357080e0cfa501200

                                          SHA256

                                          67f66b6268fdcc7225dede2cca5c04d170d142178781b2ee8258fd43375c4188

                                          SHA512

                                          fc39b84a4973d5771e39bd1de68b471315f8b4fc5e512fc49efcd09801573a9103075d7a52953da04303bb61ff7d6ec71feff52eebd1c6c2dc76c522f5407ac3

                                        • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

                                          MD5

                                          b7161c0845a64ff6d7345b67ff97f3b0

                                          SHA1

                                          d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

                                          SHA256

                                          fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

                                          SHA512

                                          98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

                                        • C:\Users\Admin\AppData\Local\Temp\install.dat

                                          MD5

                                          77038c199399d4830a6bf570d46c4edb

                                          SHA1

                                          6158a9e03e797535e4438bf2f995c4904ed16079

                                          SHA256

                                          9051a4489a9fa483934b8df5146cc5cb6c55a6f74fd58b266f731dffa4a3271e

                                          SHA512

                                          191f8cf61672b2c1fd23cfe7fad6b9341181f593f5c2dcef5f7db07918572b596ff8c078800ed4d4ea9e143ddbce99a8a445137a3737684f7e06aa6fc25d8b3d

                                        • C:\Users\Admin\AppData\Local\Temp\install.dll

                                          MD5

                                          5e6df381ce1c9102799350b7033e41df

                                          SHA1

                                          f8a4012c9547d9bb2faecfba75fc69407aaec288

                                          SHA256

                                          01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7

                                          SHA512

                                          a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d

                                        • C:\Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\3316505.exe

                                          MD5

                                          02398f9746a8cdebb2bc1cb9ccb40e70

                                          SHA1

                                          fad0116890819ed4b83ae2014134e901aee88597

                                          SHA256

                                          4b7105a1cb274a12c7941cde88be0a8ed7d8fffb40a49d76b8a6d6c9a8264a7d

                                          SHA512

                                          54ff56ec3eb85aaffa95ecae8dd4e244f9725eab3a87951ed11c6143531e5af7a13d4e3662befd1038d1ae9e3ad804f7b55ee08577c9cb5994cf91f420ebaf62

                                        • C:\Users\Admin\AppData\Local\Temp\is-6APTS.tmp\Versium.tmp

                                          MD5

                                          ffcf263a020aa7794015af0edee5df0b

                                          SHA1

                                          bce1eb5f0efb2c83f416b1782ea07c776666fdab

                                          SHA256

                                          1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                                          SHA512

                                          49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

                                        • C:\Users\Admin\AppData\Local\Temp\is-8Q5MF.tmp\lylal220.tmp

                                          MD5

                                          93839f8c15234e4c8f1f9d0f285400a0

                                          SHA1

                                          afedb5526c9962a6257dbd0b805ed76f9f26b093

                                          SHA256

                                          449895149bf2a3864240e6ce912b90023cbf391adea2e35bcad7c73cb169b1a6

                                          SHA512

                                          69e77f62d27f1466576725d0c802437813bbff1af010b7460dfcd3f6cfa79de808f166bae437258cafbfcefb8d9de6ab658cdedb2e63d98a77f571b5e4ae77e7

                                        • C:\Users\Admin\AppData\Local\Temp\is-MCU1T.tmp\LabPicV3.tmp

                                          MD5

                                          dda84ebcc3c9968655702f7a6da23e1f

                                          SHA1

                                          8514f2e9eab129bd8288d5f13cf0030cae2e7fc5

                                          SHA256

                                          743dcd957b3b1f5401d1812cbae0e546a31eff23507b5238198f8f0e7b65682b

                                          SHA512

                                          e54f70e0876b7f566b9889874c20b75eb7c264184a2e2e7067f6b5b5940331818c1bcf4e263b32e3d71c62f5f0c2880c07dabeb1d9742a3990231f6e459a61e8

                                        • C:\Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\Setup.exe

                                          MD5

                                          e19f8b76b5a0c4959fcb41fe5b46ad80

                                          SHA1

                                          063ebfc56a5d210757bf44c3d09c323365769b3f

                                          SHA256

                                          fb4b3f42369b356e01ff430cc836d9291693cd54f7073f4293f0277c3450b500

                                          SHA512

                                          d4a0523a26282bcdfce88ab278602997cfb625cdb88a2235c1b0ef09aac21c081788c6878592d70ccdbfd1d2345285a08ed61124fe2731bc80b4b4414ad47544

                                        • C:\Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\4_177039.exe

                                          MD5

                                          6f80701718727602e7196b1bba7fac1b

                                          SHA1

                                          c7a2c1534c20ca36c92f7f16cb6c1b4ab684f63d

                                          SHA256

                                          bcd3d6619e7ba03b2828060977aca8ad4f925ad92b2175d0567ecc81f7da3e20

                                          SHA512

                                          dc6232b465b778f003cdef2d9b60dbd89b1b66b5aa0c2e2efa3a1b5bfa48fef03545a205f71da64da2ef206728c0e33c2b8d641617da9fd4df83ab154304c6a1

                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

                                          MD5

                                          7fee8223d6e4f82d6cd115a28f0b6d58

                                          SHA1

                                          1b89c25f25253df23426bd9ff6c9208f1202f58b

                                          SHA256

                                          a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

                                          SHA512

                                          3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

                                        • C:\Users\Admin\AppData\Roaming\3477917.exe

                                          MD5

                                          09656265d56f17fa65d3f634304cee06

                                          SHA1

                                          90a187289521fb17d14159409f92560afa841853

                                          SHA256

                                          edce208bc9457bfc328318d25e010fde7eb88fad6c9eb85e5df45cea1e1f5973

                                          SHA512

                                          86f0b4aaeb3a452185fae53e315002c9d5075783d41a37ac6365071692451fed9bbc9e8867b89bdc7cc3f8b3bda4603b741c39fb2efd6f685d6d6cc293c9117c

                                        • C:\Users\Admin\AppData\Roaming\8554646.exe

                                          MD5

                                          1bdd3ee74209de8dd84a2edd67447ee7

                                          SHA1

                                          5c612f2ad8b0212e98e198f77b71d82f549fe246

                                          SHA256

                                          6c926f68db1044f0d53e77ffdee6d6e6250482542ffa502101a38e547881b3fd

                                          SHA512

                                          2c083d856b3b3ea8d2abc280a43831febf70d382a3a40f4c2614e964946fdb29d95c28508c2e161034005e1af51b7967a76aa0a0396de8948de3d34d52421e91


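The dropped-file list records the same artefact more than once (once under a drive-letter path, once under a drive-less path, and several entries simply repeated), while the CryptnetUrlCache MetaData file appears under one path with two different digests because it was rewritten during the run. Before any of these hashes go into a blocklist they need to be deduplicated and sanity-checked. The Python below is an added example, not part of the sandbox report or its tooling: it parses entries in this report's bullet/label/value layout, rejects a digest whose length does not match its label, collapses paths that differ only by drive letter and case, and separates "one file seen under several paths" from "one path whose content changed". The sample block is constructed from values on this page; the function names are the example's own.

```python
import re
from collections import defaultdict

# Expected hex-digest length per algorithm. A value of the wrong length is a
# copy error, not a hash, and must not be pushed into a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample in the report's bullet / label / value layout. Paths and
# digests are copied from entries on this page; the selection is ours.
SAMPLE = r"""
• C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
  MD5
  1035dfc35230ab6c46a141d8c649e920
  SHA1
  5eae1278d9f39b851f0629b5f96fe59b0aeb6c15
  SHA256
  60e93671b7e6ca75ddb53a4a2018a2b4d7873c0def05b0cc8392575e30cbe080
• \Program Files (x86)\Data Finder\Versium Research\RunWW.exe
  MD5
  1035dfc35230ab6c46a141d8c649e920
  SHA256
  60e93671b7e6ca75ddb53a4a2018a2b4d7873c0def05b0cc8392575e30cbe080
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5
  3300537eed8669257cc7a2691c5d162e
  SHA256
  be3e96f76b1a3640640a15318eb5e1637abee73bdadd992a1d03ece87ddb05fd
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5
  11c286b1c533dcc776e201095070b688
  SHA256
  67f66b6268fdcc7225dede2cca5c04d170d142178781b2ee8258fd43375c4188
"""


def parse_entries(text):
    """Return [(path, {algo: digest}), ...], one tuple per bullet.

    Raises ValueError on a digest whose length does not match its label, so a
    truncated or mangled value is caught before it becomes an indicator.
    """
    entries = []
    path, digests, pending = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if path is not None:
                entries.append((path, digests))
            path, digests, pending = line[1:].strip(), {}, None
        elif line in HASH_LEN:
            pending = line  # label; the digest follows on the next line
        elif pending is not None:
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[pending], line):
                raise ValueError(f"{path}: malformed {pending} value {line!r}")
            digests[pending] = line
            pending = None
    if path is not None:
        entries.append((path, digests))
    return entries


def normalize_path(path):
    """Drop the drive letter and case so C:\\X and \\X compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def paths_by_sha256(entries):
    """SHA256 -> sorted distinct normalized paths (one artefact, N sightings)."""
    groups = defaultdict(set)
    for path, digests in entries:
        if "SHA256" in digests:
            groups[digests["SHA256"]].add(normalize_path(path))
    return {h: sorted(p) for h, p in groups.items()}


def rewritten_paths(entries):
    """Normalized path -> sorted SHA256 list, only where the content changed."""
    groups = defaultdict(set)
    for path, digests in entries:
        if "SHA256" in digests:
            groups[normalize_path(path)].add(digests["SHA256"])
    return {p: sorted(h) for p, h in groups.items() if len(h) > 1}


def blocklist(entries, algo="SHA256"):
    """Deduplicated digests for one algorithm, in first-seen order."""
    seen = []
    for _, digests in entries:
        value = digests.get(algo)
        if value and value not in seen:
            seen.append(value)
    return seen
```

Run over the four sample entries, the two RunWW.exe sightings collapse to one SHA256 with one normalized path, the MetaData file is reported as rewritten with two digests, and the SHA256 blocklist has three entries rather than four. Feeding a mangled value (for example a 3-character "MD5") raises instead of silently emitting a useless indicator.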
                                        • \Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe

                                          MD5

                                          96a80d0e7aafd552c6857ef310d64c7d

                                          SHA1

                                          b4f308a47c85a76e22b01cc6291c70a4e459ebe2

                                          SHA256

                                          1e706fc40379884d40b62ab4f6b26cd576447d93fc429123a2eae1b9c26892db

                                          SHA512

                                          f2671402c7eee989b62a0367eeba766ae7ac1dddfbbb45c4c62799112b8638fc798c79bb1772aa3a7a51e404239feb633ba2a03aebb84dd04a69adc47e2954b4

                                        • \Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe

                                          MD5

                                          1e09b73afa67d8bfe8591eb605cef0e3

                                          SHA1

                                          147fdec45342a0e069dd1aeea2c109440894bef9

                                          SHA256

                                          431c13d939d7460db6ec5f524145a93fae7711d61344fbf1898cea7895480286

                                          SHA512

                                          b74516b1f3d241790537aaaaf9c8b90bd2edbcf2e7693c166b11c260d6689b9e0f2a9c25b5e6787d6c717eb9ad64605b783bdd1ac09a9b50f211112007c27a49

                                        • \Program Files (x86)\Data Finder\Versium Research\RunWW.exe

                                          MD5

                                          1035dfc35230ab6c46a141d8c649e920

                                          SHA1

                                          5eae1278d9f39b851f0629b5f96fe59b0aeb6c15

                                          SHA256

                                          60e93671b7e6ca75ddb53a4a2018a2b4d7873c0def05b0cc8392575e30cbe080

                                          SHA512

                                          0dd87bd8c8a58fd5f3d17b16e87873cffb74efa34c3bf7ce2b009806daaf7a50d7747ba5cd0a758870cc5ff7634c2771e8b8a950c542ec46c5e2a807b46087d2

                                        • \Program Files (x86)\Data Finder\Versium Research\Versium.exe

                                          MD5

                                          f6e70fbfe1d53b8d9d6d0b273542a7f7

                                          SHA1

                                          1f962079e158b2b0b27a02e6985a14e5f739d368

                                          SHA256

                                          ba0da2f848a7beeb8109b7a4baa6f79434be60a47a3ae9a980b29568d53eb8aa

                                          SHA512

                                          2a951950502ec835bea6ef875b519941d05f00a96dd0b6b9aef59b40723d32a5a6d546e4ba39650e046bc7dd1e23eba383fc41b8f96cf5ffe406a2f17fdb5b61

                                        • \Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe

                                          MD5

                                          a30bdf843d0961c11e78fed101764f74

                                          SHA1

                                          0c421c3d2d007a09b9b968ac485464844fa8ca9d

                                          SHA256

                                          2c709b91decabb0daca10556e5cdd3a5efc6422ee1e27d9914475a26fa7cf219

                                          SHA512

                                          fea2281da0325f27e78483117356776400f01760c13bd3fab7c2f6ac91d5eb64300b820dedc9b55c84ecdeb7132b700a366046789b30b7ad7c9d0b9f577847bf

                                        • \Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

                                          MD5

                                          6bd341bfca324b52dfa4f696c7978025

                                          SHA1

                                          09029b634ff31a7e2cc903f2e1580bc6f554558d

                                          SHA256

                                          faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6

                                          SHA512

                                          d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

                                        • \Program Files (x86)\Data Finder\Versium Research\lylal220.exe

                                          MD5

                                          1cb9c1b506a1a0e472ba4ed650b84f68

                                          SHA1

                                          967034fcd28bcf9650b4fb55cc3eee487d56bd7b

                                          SHA256

                                          c16b2b130f8099f72465ea300b41f14efa56ee8d76e8da80f048203aff69b1e4

                                          SHA512

                                          5df9c7b9ae0fa91209e92967034336f0ed8c5e884df3e89cdba59ca0d566d7419975cc8154cff41d6a71596b929ac48e4719ced06dd347f342db4eef796e6f9a

                                        • \Users\Admin\AppData\Local\Temp\install.dll

                                          MD5

                                          5e6df381ce1c9102799350b7033e41df

                                          SHA1

                                          f8a4012c9547d9bb2faecfba75fc69407aaec288

                                          SHA256

                                          01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7

                                          SHA512

                                          a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d

                                        • \Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\3316505.exe

                                          MD5

                                          02398f9746a8cdebb2bc1cb9ccb40e70

                                          SHA1

                                          fad0116890819ed4b83ae2014134e901aee88597

                                          SHA256

                                          4b7105a1cb274a12c7941cde88be0a8ed7d8fffb40a49d76b8a6d6c9a8264a7d

                                          SHA512

                                          54ff56ec3eb85aaffa95ecae8dd4e244f9725eab3a87951ed11c6143531e5af7a13d4e3662befd1038d1ae9e3ad804f7b55ee08577c9cb5994cf91f420ebaf62

                                        • \Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\_isetup\_shfoldr.dll

                                          MD5

                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                          SHA1

                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                          SHA256

                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                          SHA512

                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                        • \Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\_isetup\_shfoldr.dll

                                          MD5

                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                          SHA1

                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                          SHA256

                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                          SHA512

                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                        • \Users\Admin\AppData\Local\Temp\is-3SV5E.tmp\idp.dll

                                          MD5

                                          8f995688085bced38ba7795f60a5e1d3

                                          SHA1

                                          5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                          SHA256

                                          203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                          SHA512

                                          043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                        • \Users\Admin\AppData\Local\Temp\is-6APTS.tmp\Versium.tmp

                                          MD5

                                          ffcf263a020aa7794015af0edee5df0b

                                          SHA1

                                          bce1eb5f0efb2c83f416b1782ea07c776666fdab

                                          SHA256

                                          1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                                          SHA512

                                          49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

                                        • \Users\Admin\AppData\Local\Temp\is-8Q5MF.tmp\lylal220.tmp

                                          MD5

                                          93839f8c15234e4c8f1f9d0f285400a0

                                          SHA1

                                          afedb5526c9962a6257dbd0b805ed76f9f26b093

                                          SHA256

                                          449895149bf2a3864240e6ce912b90023cbf391adea2e35bcad7c73cb169b1a6

                                          SHA512

                                          69e77f62d27f1466576725d0c802437813bbff1af010b7460dfcd3f6cfa79de808f166bae437258cafbfcefb8d9de6ab658cdedb2e63d98a77f571b5e4ae77e7

                                        • \Users\Admin\AppData\Local\Temp\is-MCU1T.tmp\LabPicV3.tmp

                                          MD5

                                          dda84ebcc3c9968655702f7a6da23e1f

                                          SHA1

                                          8514f2e9eab129bd8288d5f13cf0030cae2e7fc5

                                          SHA256

                                          743dcd957b3b1f5401d1812cbae0e546a31eff23507b5238198f8f0e7b65682b

                                          SHA512

                                          e54f70e0876b7f566b9889874c20b75eb7c264184a2e2e7067f6b5b5940331818c1bcf4e263b32e3d71c62f5f0c2880c07dabeb1d9742a3990231f6e459a61e8

                                        • \Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\Setup.exe

                                          MD5

                                          e19f8b76b5a0c4959fcb41fe5b46ad80

                                          SHA1

                                          063ebfc56a5d210757bf44c3d09c323365769b3f

                                          SHA256

                                          fb4b3f42369b356e01ff430cc836d9291693cd54f7073f4293f0277c3450b500

                                          SHA512

                                          d4a0523a26282bcdfce88ab278602997cfb625cdb88a2235c1b0ef09aac21c081788c6878592d70ccdbfd1d2345285a08ed61124fe2731bc80b4b4414ad47544

                                        • \Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\_isetup\_shfoldr.dll

                                          MD5

                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                          SHA1

                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                          SHA256

                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                          SHA512

                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                        • \Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\_isetup\_shfoldr.dll

                                          MD5

                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                          SHA1

                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                          SHA256

                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                          SHA512

                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                        • \Users\Admin\AppData\Local\Temp\is-O1UQE.tmp\itdownload.dll

                                          MD5

                                          d82a429efd885ca0f324dd92afb6b7b8

                                          SHA1

                                          86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

                                          SHA256

                                          b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

                                          SHA512

                                          5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

                                        • \Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\4_177039.exe

                                          MD5

                                          6f80701718727602e7196b1bba7fac1b

                                          SHA1

                                          c7a2c1534c20ca36c92f7f16cb6c1b4ab684f63d

                                          SHA256

                                          bcd3d6619e7ba03b2828060977aca8ad4f925ad92b2175d0567ecc81f7da3e20

                                          SHA512

                                          dc6232b465b778f003cdef2d9b60dbd89b1b66b5aa0c2e2efa3a1b5bfa48fef03545a205f71da64da2ef206728c0e33c2b8d641617da9fd4df83ab154304c6a1

                                        • \Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\_isetup\_shfoldr.dll

                                          MD5

                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                          SHA1

                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                          SHA256

                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                          SHA512

                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                        • \Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\_isetup\_shfoldr.dll

                                          MD5

                                          92dc6ef532fbb4a5c3201469a5b5eb63

                                          SHA1

                                          3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                          SHA256

                                          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                          SHA512

                                          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                        • \Users\Admin\AppData\Local\Temp\is-PPMQR.tmp\idp.dll

                                          MD5

                                          8f995688085bced38ba7795f60a5e1d3

                                          SHA1

                                          5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                          SHA256

                                          203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                          SHA512

                                          043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                        • \Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

                                          MD5

                                          7fee8223d6e4f82d6cd115a28f0b6d58

                                          SHA1

                                          1b89c25f25253df23426bd9ff6c9208f1202f58b

                                          SHA256

                                          a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

                                          SHA512

                                          3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

                                        • \Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

                                          MD5

                                          7fee8223d6e4f82d6cd115a28f0b6d58

                                          SHA1

                                          1b89c25f25253df23426bd9ff6c9208f1202f58b

                                          SHA256

                                          a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

                                          SHA512

                                          3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4


                                        • memory/2956-237-0x0000000000000000-mapping.dmp

                                        • memory/3000-238-0x0000000000000000-mapping.dmp

                                        • memory/3008-303-0x0000000000000000-mapping.dmp

                                        • memory/3032-239-0x0000000000000000-mapping.dmp

                                        • memory/3032-241-0x0000000000400000-0x0000000000414000-memory.dmp

                                          Filesize

                                          80KB

                                        • memory/3052-242-0x0000000000000000-mapping.dmp

                                        • memory/3052-244-0x0000000071B81000-0x0000000071B83000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3052-246-0x0000000000240000-0x0000000000241000-memory.dmp

                                          Filesize

                                          4KB