djvu | 2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-09-2021 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fcd73b1f787ef886832a7af7170bc56.exe
Size

134KB
MD5

7fcd73b1f787ef886832a7af7170bc56
SHA1

984e27643a7e6fe46d7944073ce57fd52cc278e9
SHA256

2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133
SHA512

6a9c4ba3e20c3397eadd8d6468a09baa0ab5b192988fa3b54832b291f91dc6e9250990d1dc736397226c25c633d842a62160398dd695ff695a54fdbe74f77719

Score

10^/10

djvu redline smokeloader vidar paladin backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

paladin

94.26.228.204:32917

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2684-121-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2684-122-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/2564-124-0x0000000002250000-0x000000000236B000-memory.dmp	family_djvu
behavioral2/memory/2684-125-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/376-131-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/376-140-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Start = "4" powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Start = "4"	powershell.exe

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1060-141-0x0000000002530000-0x0000000002560000-memory.dmp	family_redline
behavioral2/memory/1060-143-0x0000000004B60000-0x0000000004B8E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1700-158-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral2/memory/1700-159-0x00000000004A032D-mapping.dmp	family_vidar
behavioral2/memory/784-160-0x0000000003090000-0x0000000003164000-memory.dmp	family_vidar
behavioral2/memory/1700-162-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral2/memory/2192-170-0x0000000003250000-0x00000000032FE000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

Processes:

919.exe919.exe919.exe919.exe2174.exebuild2.exebuild2.exebuild3.exebuild3.exe58B2.exeeitcrwwmstsca.exemstsca.exe6AA5.exefilename.exedapeditor.exemstsca.exemstsca.exeDatabaseUpdater.exe

pid	process
2564	919.exe
2684	919.exe
3612	919.exe
376	919.exe
1060	2174.exe
784	build2.exe
1700	build2.exe
2192	build3.exe
2452	build3.exe
580	58B2.exe
1768	eitcrww
2188	mstsca.exe
340	mstsca.exe
2564	6AA5.exe
2700	filename.exe
2072	dapeditor.exe
3644	mstsca.exe
3652	mstsca.exe
2220	DatabaseUpdater.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DatabaseUpdater.exe58B2.exe6AA5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DatabaseUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DatabaseUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58B2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58B2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6AA5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6AA5.exe

Deletes itself 1 IoCs

Processes:

pid process

2648

pid	process
2648

Drops startup file 2 IoCs

Processes:

dapeditor.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dap-editor-plus.lnk	dapeditor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	dapeditor.exe

Loads dropped DLL 15 IoCs

Processes:

build2.exefilename.exeMsiExec.exeMsiExec.exedapeditor.exe

pid	process
1700	build2.exe
1700	build2.exe
2700	filename.exe
2700	filename.exe
1472	MsiExec.exe
1472	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
2700	filename.exe
2072	dapeditor.exe
2072	dapeditor.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2808 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2808	icacls.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\58B2.exe	themida
behavioral2/memory/580-185-0x0000000000D60000-0x0000000000D61000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6AA5.exe	themida
C:\Users\Admin\AppData\Local\Temp\6AA5.exe	themida
behavioral2/memory/2564-217-0x0000000000DF0000-0x0000000000DF1000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

919.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\24feb1d6-061f-473d-be9a-ae1ee4543396\\919.exe\" --AutoStart"	919.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

58B2.exe6AA5.exeDatabaseUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	58B2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6AA5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DatabaseUpdater.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

filename.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	filename.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	filename.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	filename.exe
File opened (read-only)	\??\Y:	filename.exe
File opened (read-only)	\??\Z:	filename.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	filename.exe
File opened (read-only)	\??\K:	filename.exe
File opened (read-only)	\??\T:	filename.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	filename.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	filename.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	filename.exe
File opened (read-only)	\??\Q:	filename.exe
File opened (read-only)	\??\W:	filename.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	filename.exe
File opened (read-only)	\??\N:	filename.exe
File opened (read-only)	\??\P:	filename.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	filename.exe
File opened (read-only)	\??\M:	filename.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	filename.exe
File opened (read-only)	\??\E:	filename.exe
File opened (read-only)	\??\V:	filename.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.2ip.ua
19 api.2ip.ua
30 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

58B2.exe6AA5.exeDatabaseUpdater.exe

pid process

580 58B2.exe
2564 6AA5.exe
2220 DatabaseUpdater.exe

flow	ioc
18	api.2ip.ua
19	api.2ip.ua
30	api.2ip.ua

pid	process
580	58B2.exe
2564	6AA5.exe
2220	DatabaseUpdater.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

919.exe919.exebuild2.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2564 set thread context of 2684	2564	919.exe	919.exe
PID 3612 set thread context of 376	3612	919.exe	919.exe
PID 784 set thread context of 1700	784	build2.exe	build2.exe
PID 2192 set thread context of 2452	2192	build3.exe	build3.exe
PID 2188 set thread context of 340	2188	mstsca.exe	mstsca.exe
PID 3644 set thread context of 3652	3644	mstsca.exe	mstsca.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\3b065.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB345.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B0A2F641-7E20-4EC9-B1F9-E5EE4F099294}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC62.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\3b065.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB49E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB52C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7fcd73b1f787ef886832a7af7170bc56.exeeitcrww

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7fcd73b1f787ef886832a7af7170bc56.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7fcd73b1f787ef886832a7af7170bc56.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7fcd73b1f787ef886832a7af7170bc56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eitcrww
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eitcrww
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eitcrww

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3720 schtasks.exe
4024 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2660 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3168 taskkill.exe

pid	process
3720	schtasks.exe
4024	schtasks.exe

pid	process
2660	timeout.exe

pid	process
3168	taskkill.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

filename.exe919.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	filename.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	filename.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	919.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	919.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	filename.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	filename.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	filename.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7fcd73b1f787ef886832a7af7170bc56.exe

pid	process
2072	7fcd73b1f787ef886832a7af7170bc56.exe
2072	7fcd73b1f787ef886832a7af7170bc56.exe
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2648
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

7fcd73b1f787ef886832a7af7170bc56.exeeitcrww

pid process

2072 7fcd73b1f787ef886832a7af7170bc56.exe
1768 eitcrww

pid	process
2648

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2174.exetaskkill.exe58B2.exe6AA5.exe

description	pid	process
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	1060	2174.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	580	58B2.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	2564	6AA5.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

612 msiexec.exe
612 msiexec.exe

pid	process
612	msiexec.exe
612	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

919.exe919.exe919.exe919.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 2648 wrote to memory of 2564	2648		919.exe
PID 2648 wrote to memory of 2564	2648		919.exe
PID 2648 wrote to memory of 2564	2648		919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2564 wrote to memory of 2684	2564	919.exe	919.exe
PID 2684 wrote to memory of 2808	2684	919.exe	icacls.exe
PID 2684 wrote to memory of 2808	2684	919.exe	icacls.exe
PID 2684 wrote to memory of 2808	2684	919.exe	icacls.exe
PID 2684 wrote to memory of 3612	2684	919.exe	919.exe
PID 2684 wrote to memory of 3612	2684	919.exe	919.exe
PID 2684 wrote to memory of 3612	2684	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 3612 wrote to memory of 376	3612	919.exe	919.exe
PID 2648 wrote to memory of 1060	2648		2174.exe
PID 2648 wrote to memory of 1060	2648		2174.exe
PID 2648 wrote to memory of 1060	2648		2174.exe
PID 376 wrote to memory of 784	376	919.exe	build2.exe
PID 376 wrote to memory of 784	376	919.exe	build2.exe
PID 376 wrote to memory of 784	376	919.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 784 wrote to memory of 1700	784	build2.exe	build2.exe
PID 376 wrote to memory of 2192	376	919.exe	build3.exe
PID 376 wrote to memory of 2192	376	919.exe	build3.exe
PID 376 wrote to memory of 2192	376	919.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2192 wrote to memory of 2452	2192	build3.exe	build3.exe
PID 2452 wrote to memory of 3720	2452	build3.exe	schtasks.exe
PID 2452 wrote to memory of 3720	2452	build3.exe	schtasks.exe
PID 2452 wrote to memory of 3720	2452	build3.exe	schtasks.exe
PID 2648 wrote to memory of 580	2648		58B2.exe
PID 2648 wrote to memory of 580	2648		58B2.exe
PID 2648 wrote to memory of 580	2648		58B2.exe
PID 1700 wrote to memory of 1684	1700	build2.exe	cmd.exe
PID 1700 wrote to memory of 1684	1700	build2.exe	cmd.exe
PID 1700 wrote to memory of 1684	1700	build2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7fcd73b1f787ef886832a7af7170bc56.exe
"C:\Users\Admin\AppData\Local\Temp\7fcd73b1f787ef886832a7af7170bc56.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2072

C:\Users\Admin\AppData\Local\Temp\919.exe
C:\Users\Admin\AppData\Local\Temp\919.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\919.exe
  C:\Users\Admin\AppData\Local\Temp\919.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\24feb1d6-061f-473d-be9a-ae1ee4543396" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\919.exe
    "C:\Users\Admin\AppData\Local\Temp\919.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\919.exe
      "C:\Users\Admin\AppData\Local\Temp\919.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe
        
        "C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe
        
        "C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:2660
    - - C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe
        
        "C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe
        
        "C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:3720

C:\Users\Admin\AppData\Local\Temp\2174.exe
C:\Users\Admin\AppData\Local\Temp\2174.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\AppData\Local\Temp\58B2.exe
C:\Users\Admin\AppData\Local\Temp\58B2.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:340
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4024

C:\Users\Admin\AppData\Roaming\eitcrww
C:\Users\Admin\AppData\Roaming\eitcrww
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1768

C:\Users\Admin\AppData\Local\Temp\6AA5.exe
C:\Users\Admin\AppData\Local\Temp\6AA5.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2564
- C:\Users\Admin\AppData\Local\Temp\filename.exe
  "C:\Users\Admin\AppData\Local\Temp\filename.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  PID:2700
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\filename.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632678981 " AI_EUIMSI=""
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:3812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C765831013226A8AEF802117D946FE6A C
  2⤵
  - Loads dropped DLL
  PID:1472
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B0AB4CAFD539B9A7F245B618F462456E
  2⤵
  - Loads dropped DLL
  PID:1356
- C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK\dapeditor.exe
  "C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK\dapeditor.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(exit)
    3⤵
    - Modifies security service
    PID:3720
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      4⤵
      PID:3600
- - C:\ProgramData\Systemd\DatabaseUpdater.exe
    NULL
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2220

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3644
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
e1e76fdaba918d94a940d8597ffde5ca

SHA1
49be3407d8857207c4bf0736f1f2de3b2580e39e

SHA256
bb33cc8dc60cf303bf1c2be81fda92cf6f1b0e3aa2376852f207c4607e6692c5

SHA512
23bd7e9e999d5a67181898a7929d3ab4c080a5d0835b9a83031fd1495e0107165f91485bffb71b248f5e6530c9b07d43c6d120431c36fa07d800dcbd1c859542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
58673c077b748f95958c071057cc554f

SHA1
4e0835f96bfb98b90bc00bf6cc278c8ad3c245c9

SHA256
fe802a39489fb52afcec1e8af6acbf9beba809f0e4297083a43133bf6b2c7790

SHA512
f65520ea05d40e08c526159f21c90d719fb319d24a6cd13bff254c8cf767ff8fa7abb8f3a957f97f7545c97a25740e6805f198e69bb977d4eee90a5aa05d87af

Download Submit
C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe

MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe

MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build2.exe

MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe

MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe

MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\17971eaf-0304-416d-934e-b03aa17735ce\build3.exe

MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\24feb1d6-061f-473d-be9a-ae1ee4543396\919.exe

MD5
529e8be02997763c411f015ba5d64c1e

SHA1
8b3ba119fefaa74e3586af9cd354bd64f1ed5401

SHA256
b949a65a9d87c2861dbe3783215694f20a6433b1a6b10f19e614478229a9b2e9

SHA512
0b3f4403098d87dd12cb5f7d526932673ed6bb42ab68bcfe3605afcd429ce3180fcdead6796c485079fdff99ff6e4c97cf69b20ae4702f5f06a3fffb94c3389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2174.exe

MD5
00f96742e30d5151d30b199e822b014b

SHA1
b00a8589649e09282ea8de72a9c6ebd37f59874c

SHA256
1a258df93de3955089e869e2348df88c72444d09930ff31cba0fab7022701da1

SHA512
c582946d3eabe342b64f58ddde6a8766df0a7760e6bf4767a93e1465b4dad34bb838981790fdfc55906e8c695f1f567172d2ce4a20b0eb8f4c5b94d2dc8de094

Download Submit
C:\Users\Admin\AppData\Local\Temp\2174.exe

MD5
00f96742e30d5151d30b199e822b014b

SHA1
b00a8589649e09282ea8de72a9c6ebd37f59874c

SHA256
1a258df93de3955089e869e2348df88c72444d09930ff31cba0fab7022701da1

SHA512
c582946d3eabe342b64f58ddde6a8766df0a7760e6bf4767a93e1465b4dad34bb838981790fdfc55906e8c695f1f567172d2ce4a20b0eb8f4c5b94d2dc8de094

Download Submit
C:\Users\Admin\AppData\Local\Temp\58B2.exe

MD5
706e056e6b2aaebd358701538b774fcd

SHA1
a528290b1eec45a22587c15d8a0135185832e71a

SHA256
c431a09f7c0a0c4ec016f16ca7150c1a6b9227fe5ed216ce004eda4af9878ac8

SHA512
a3ff93f0e7f8781c8c4b664a6d33c63a5bd712dc999f69394a4d991bb3d1059aae0c0c001ec16d6c6b72f3054bce3cb2e7030bd81b15360fdee6a1a8f8c39fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA5.exe

MD5
b8408976630c4ccdeffc0f1164a7960c

SHA1
9cd12dc965bf3846a44f851328eb2e5c52f8c01c

SHA256
46854855604b19ab94433e80a09712b6f4b3d7186c93c9516ee9a1ef37514180

SHA512
2ff94576906bcd190bbe8314f64a25c7939c1fe33683e5f7effe6551038c3be4decf86edb476f9c9aa391a1da6a6ccb5c08e2ebba02b9d4ca5dcd622aeb008d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA5.exe

MD5
b8408976630c4ccdeffc0f1164a7960c

SHA1
9cd12dc965bf3846a44f851328eb2e5c52f8c01c

SHA256
46854855604b19ab94433e80a09712b6f4b3d7186c93c9516ee9a1ef37514180

SHA512
2ff94576906bcd190bbe8314f64a25c7939c1fe33683e5f7effe6551038c3be4decf86edb476f9c9aa391a1da6a6ccb5c08e2ebba02b9d4ca5dcd622aeb008d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\919.exe

MD5
529e8be02997763c411f015ba5d64c1e

SHA1
8b3ba119fefaa74e3586af9cd354bd64f1ed5401

SHA256
b949a65a9d87c2861dbe3783215694f20a6433b1a6b10f19e614478229a9b2e9

SHA512
0b3f4403098d87dd12cb5f7d526932673ed6bb42ab68bcfe3605afcd429ce3180fcdead6796c485079fdff99ff6e4c97cf69b20ae4702f5f06a3fffb94c3389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\919.exe

MD5
529e8be02997763c411f015ba5d64c1e

SHA1
8b3ba119fefaa74e3586af9cd354bd64f1ed5401

SHA256
b949a65a9d87c2861dbe3783215694f20a6433b1a6b10f19e614478229a9b2e9

SHA512
0b3f4403098d87dd12cb5f7d526932673ed6bb42ab68bcfe3605afcd429ce3180fcdead6796c485079fdff99ff6e4c97cf69b20ae4702f5f06a3fffb94c3389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\919.exe

MD5
529e8be02997763c411f015ba5d64c1e

SHA1
8b3ba119fefaa74e3586af9cd354bd64f1ed5401

SHA256
b949a65a9d87c2861dbe3783215694f20a6433b1a6b10f19e614478229a9b2e9

SHA512
0b3f4403098d87dd12cb5f7d526932673ed6bb42ab68bcfe3605afcd429ce3180fcdead6796c485079fdff99ff6e4c97cf69b20ae4702f5f06a3fffb94c3389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\919.exe

MD5
529e8be02997763c411f015ba5d64c1e

SHA1
8b3ba119fefaa74e3586af9cd354bd64f1ed5401

SHA256
b949a65a9d87c2861dbe3783215694f20a6433b1a6b10f19e614478229a9b2e9

SHA512
0b3f4403098d87dd12cb5f7d526932673ed6bb42ab68bcfe3605afcd429ce3180fcdead6796c485079fdff99ff6e4c97cf69b20ae4702f5f06a3fffb94c3389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\919.exe

MD5
529e8be02997763c411f015ba5d64c1e

SHA1
8b3ba119fefaa74e3586af9cd354bd64f1ed5401

SHA256
b949a65a9d87c2861dbe3783215694f20a6433b1a6b10f19e614478229a9b2e9

SHA512
0b3f4403098d87dd12cb5f7d526932673ed6bb42ab68bcfe3605afcd429ce3180fcdead6796c485079fdff99ff6e4c97cf69b20ae4702f5f06a3fffb94c3389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC4F.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAD0C.tmp

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

MD5
d690ee8b18112f4c97fd27e1c0110d91

SHA1
5c7796c012880f232e1d164e1ee9e1ecb1be4bb1

SHA256
07d8ff8e2cdaf6c2d5c5c5a9614f169a649317cd82e14f5fe872fde8a7237108

SHA512
d1e31f9cad377b4d191cfcc2c10a9f4167af33e236b5bc54ee00301c922943d3b80d0ea40e5b4da2d75020ec478b35fca9435525fa8f8b031a27099af781d7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

MD5
d690ee8b18112f4c97fd27e1c0110d91

SHA1
5c7796c012880f232e1d164e1ee9e1ecb1be4bb1

SHA256
07d8ff8e2cdaf6c2d5c5c5a9614f169a649317cd82e14f5fe872fde8a7237108

SHA512
d1e31f9cad377b4d191cfcc2c10a9f4167af33e236b5bc54ee00301c922943d3b80d0ea40e5b4da2d75020ec478b35fca9435525fa8f8b031a27099af781d7fe

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\3d\3DBITMAP.LGO

MD5
c7eb72cbf51334c39e297403a6e00e5c

SHA1
eb8e6b0b81888da182730c055ad228907c0e49b1

SHA256
f29fc7faf7d4bb8797367c5ab027c797c2af33edcf081efa9daa7a7e7bd9ee0f

SHA512
f6e79a3e723baeba11b21694d5177d8211510ac69e770f9f05553094c681e91613c2e6687da1b253a72d9e242c9975c25d62b3493fc070a1fdecd41cf3bd02f2

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\Misc\CAR.BMP

MD5
5fc366b3371bde5c769a8c5b9d0ff966

SHA1
124f3a48111e1adba8cbee101655d6bf438c9129

SHA256
4b0231a2577be467d7d37612b75e38d6e944b7ba757f7fe1c36b697e0fc5ee46

SHA512
e78445e2e70e7ffe3100ff91f5c388817b3cec3964e58ea3e5f415e221c88faf421712d363edcb954ec32d929f6c9e7e3da9e8fed0877e2516312afc5fa585b3

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\Multimed\CDROM.LGO

MD5
b7e032a03eca04ab9a57cd9378c2daea

SHA1
9819866aa84e9f69ac1cf244306e4055c20376c2

SHA256
4dac6972d0437a91f0e8d122c2d5a3b3dbd7ea7cae44ba30a210b948b7bc8082

SHA512
1ce2cd639efb2ac6ad6dbff9ca895485fd67d27b0497973003957769c4a9167288816d21c61af047500caf7f16cc0822a3b7d6b6c44a76ca64fd12d95e0d1544

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\Network\NETLOCAL.LGO

MD5
886a6ec4c437b9d71c061c0b95f4fd40

SHA1
9e601bb54017a9a24df60b6c5709b86321fbdd60

SHA256
04ebc67ede85c171148c4a41c19ddfaf64a8342c6d10aaf97a3b7dc8da08ae76

SHA512
b2ee5ac1a59e3003469435b1138e7d2b64f0cee50eb7c7f1e47daec9d6d222b5c38f8ee0e482865d2845ef3bddeb0b0c525121f5a7bd1386360363529190f023

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\Pascal\CARDS.PAS

MD5
b5e99669b838116e212ff4cdc97550ad

SHA1
2642129e6ca9263e465908ad3f2164442a5ec3b4

SHA256
9df2836c574e5597fde9decf6e626f3dfab36cb8e286a67ccc269a085f2263df

SHA512
465f0a13ec509c018894e2b0ce02bfe04c7458d4a4b398da8899a96fd02a61a5703764eafa4148d06b99263bdc8fa190d5fbf30b333be2954d5ac821f26ad281

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\UCBLogo\ALGS.LGO

MD5
6adc19d9f3ffdefd4853fcc2cb7a7b7d

SHA1
0f245efb8ba7286b63caccd559b602beda8957ae

SHA256
4299e80f6ad590041c422c0927200b3effd2bb0a1bd186b25c5277e93c5d1ca6

SHA512
fa941a5a93f34dacd4f624918041ccd9ee43f94ef51f4dc9d25b4165af33594e1fcd6dcd85426c207a8c97bf9916c5ff9976bf1f0988790c268cdb5ec221c7e4

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\Examples\index.html

MD5
6e86736d64a4522b490c716cde97a8bc

SHA1
e48de1ddecfc842bbb8924c1023029ec21f838f6

SHA256
26d4e150e3fcb0b881d9cadf4adfc1aa369ca96e16b46c6935b7903d3916c04e

SHA512
67fe43cacf04a4844c4b11580ca549f4cb7fff160f32be5cd8d8449a6c47775f91a78b6503802615a5fc7e450358bfc53d486a07d302099fc73f8d67fa2b9804

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\adv.msi

MD5
050bc5eccfe94edd0b3836f98e89a2f7

SHA1
eafc8d53dcb725827a11a2d5cd3a6a3ca8278970

SHA256
6cec0a3d862e545b6ba6ae6b366faebe9be365922fb133d935e7d1f1c062d052

SHA512
65707f402f3d6dedf8241f6dfc9d1b54c6fef0ea563c88959359e996035e8ec74e1622f5fc6237a13d66227c40b3852e5e48d29fa2631372ebd92be93a801d8d

Download Submit
C:\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\F099294\logolib\#

MD5
f0a82f611f562197355d1d8b19de1fcb

SHA1
6cc0f96476fa9cf1f92e8d6dbdc3932d2c65c3f3

SHA256
ec9546682cb6e9f0cd51acf4e40a21d7e37cc5bf511718bf77857d82839eda5c

SHA512
fd4a2e5319ff95712bb663095d3989a21d2291aab1a80fe6edebe3178e6ad919fe3b42005a476f50d823c2224ecfbf5e3a569d360d5f9328cca5d61a999a0ef4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\eitcrww

MD5
7fcd73b1f787ef886832a7af7170bc56

SHA1
984e27643a7e6fe46d7944073ce57fd52cc278e9

SHA256
2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

SHA512
6a9c4ba3e20c3397eadd8d6468a09baa0ab5b192988fa3b54832b291f91dc6e9250990d1dc736397226c25c633d842a62160398dd695ff695a54fdbe74f77719

Download Submit
C:\Users\Admin\AppData\Roaming\eitcrww

MD5
7fcd73b1f787ef886832a7af7170bc56

SHA1
984e27643a7e6fe46d7944073ce57fd52cc278e9

SHA256
2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

SHA512
6a9c4ba3e20c3397eadd8d6468a09baa0ab5b192988fa3b54832b291f91dc6e9250990d1dc736397226c25c633d842a62160398dd695ff695a54fdbe74f77719

Download Submit
C:\Windows\Installer\MSIB2A7.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Windows\Installer\MSIB345.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Windows\Installer\MSIB3F1.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Windows\Installer\MSIB49E.tmp

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
C:\Windows\Installer\MSIB52C.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Windows\Installer\MSIB5E8.tmp

MD5
0be7cdee6c5103c740539d18a94acbd0

SHA1
a364c342ff150f69b471b922c0d065630a0989bb

SHA256
41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14

SHA512
f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\MSIAC4F.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
\Users\Admin\AppData\Local\Temp\MSIAD0C.tmp

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\decoder.dll

MD5
831e0b597db11a6eb6f3f797105f7be8

SHA1
d89154670218f9fba4515b0c1c634ae0900ca6d4

SHA256
e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

SHA512
e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

Download Submit
\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\decoder.dll

MD5
831e0b597db11a6eb6f3f797105f7be8

SHA1
d89154670218f9fba4515b0c1c634ae0900ca6d4

SHA256
e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

SHA512
e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

Download Submit
\Users\Admin\AppData\Roaming\DusanRodina\SoftwareIdeas Controls SDK 0.3.0.4\install\decoder.dll

MD5
831e0b597db11a6eb6f3f797105f7be8

SHA1
d89154670218f9fba4515b0c1c634ae0900ca6d4

SHA256
e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

SHA512
e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

Download Submit
\Windows\Installer\MSIB2A7.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
\Windows\Installer\MSIB345.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
\Windows\Installer\MSIB3F1.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
\Windows\Installer\MSIB49E.tmp

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
\Windows\Installer\MSIB52C.tmp

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
\Windows\Installer\MSIB5E8.tmp

MD5
0be7cdee6c5103c740539d18a94acbd0

SHA1
a364c342ff150f69b471b922c0d065630a0989bb

SHA256
41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14

SHA512
f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

Download Submit
memory/340-201-0x0000000000401AFA-mapping.dmp

Download
memory/376-131-0x0000000000424141-mapping.dmp

Download
memory/376-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/580-180-0x0000000000000000-mapping.dmp

Download
memory/580-185-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/580-198-0x0000000077C30000-0x0000000077DBE000-memory.dmp

Filesize
1.6MB

Download
memory/580-199-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/612-254-0x0000000000000000-mapping.dmp

Download
memory/784-145-0x0000000000000000-mapping.dmp

Download
memory/784-160-0x0000000003090000-0x0000000003164000-memory.dmp

Filesize
848KB

Download
memory/1060-156-0x0000000004C54000-0x0000000004C56000-memory.dmp

Filesize
8KB

Download
memory/1060-155-0x0000000004C53000-0x0000000004C54000-memory.dmp

Filesize
4KB

Download
memory/1060-141-0x0000000002530000-0x0000000002560000-memory.dmp

Filesize
192KB

Download
memory/1060-197-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/1060-142-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1060-143-0x0000000004B60000-0x0000000004B8E000-memory.dmp

Filesize
184KB

Download
memory/1060-144-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/1060-147-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1060-179-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/1060-149-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1060-178-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/1060-150-0x0000000002140000-0x0000000002182000-memory.dmp

Filesize
264KB

Download
memory/1060-177-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/1060-176-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/1060-175-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/1060-174-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/1060-154-0x0000000004C52000-0x0000000004C53000-memory.dmp

Filesize
4KB

Download
memory/1060-153-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1060-152-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1060-133-0x0000000000000000-mapping.dmp

Download
memory/1060-151-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1060-157-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/1356-258-0x0000000000000000-mapping.dmp

Download
memory/1472-247-0x0000000000000000-mapping.dmp

Download
memory/1684-182-0x0000000000000000-mapping.dmp

Download
memory/1700-158-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1700-162-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1700-159-0x00000000004A032D-mapping.dmp

Download
memory/1768-207-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-115-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/2072-116-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2072-282-0x0000000000000000-mapping.dmp

Download
memory/2188-204-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/2192-170-0x0000000003250000-0x00000000032FE000-memory.dmp

Filesize
696KB

Download
memory/2192-163-0x0000000000000000-mapping.dmp

Download
memory/2220-389-0x0000000000000000-mapping.dmp

Download
memory/2452-171-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2452-166-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2452-167-0x0000000000401AFA-mapping.dmp

Download
memory/2564-231-0x0000000005910000-0x0000000005F16000-memory.dmp

Filesize
6.0MB

Download
memory/2564-217-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2564-118-0x0000000000000000-mapping.dmp

Download
memory/2564-209-0x0000000077C30000-0x0000000077DBE000-memory.dmp

Filesize
1.6MB

Download
memory/2564-205-0x0000000000000000-mapping.dmp

Download
memory/2564-124-0x0000000002250000-0x000000000236B000-memory.dmp

Filesize
1.1MB

Download
memory/2648-299-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-305-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2648-314-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-315-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-313-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-312-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-311-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2648-310-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-117-0x0000000000B70000-0x0000000000B85000-memory.dmp

Filesize
84KB

Download
memory/2648-232-0x0000000005480000-0x0000000005495000-memory.dmp

Filesize
84KB

Download
memory/2648-309-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-296-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-295-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2648-298-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-297-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2648-300-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-302-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-301-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-303-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2648-308-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-304-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-307-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2648-306-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2660-187-0x0000000000000000-mapping.dmp

Download
memory/2684-121-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2684-122-0x0000000000424141-mapping.dmp

Download
memory/2684-125-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-240-0x0000000000000000-mapping.dmp

Download
memory/2808-126-0x0000000000000000-mapping.dmp

Download
memory/3168-183-0x0000000000000000-mapping.dmp

Download
memory/3600-366-0x0000000000000000-mapping.dmp

Download
memory/3612-128-0x0000000000000000-mapping.dmp

Download
memory/3644-318-0x0000000003250000-0x00000000032FE000-memory.dmp

Filesize
696KB

Download
memory/3652-317-0x0000000000401AFA-mapping.dmp

Download
memory/3720-319-0x0000000000000000-mapping.dmp

Download
memory/3720-324-0x0000026EF1FA0000-0x0000026EF1FA1000-memory.dmp

Filesize
4KB

Download
memory/3720-328-0x0000026EF2AF0000-0x0000026EF2AF1000-memory.dmp

Filesize
4KB

Download
memory/3720-329-0x0000026EF1960000-0x0000026EF1962000-memory.dmp

Filesize
8KB

Download
memory/3720-330-0x0000026EF1963000-0x0000026EF1965000-memory.dmp

Filesize
8KB

Download
memory/3720-355-0x0000026EF1966000-0x0000026EF1968000-memory.dmp

Filesize
8KB

Download
memory/3720-169-0x0000000000000000-mapping.dmp

Download
memory/3720-388-0x0000026EF1968000-0x0000026EF1969000-memory.dmp

Filesize
4KB

Download
memory/4024-203-0x0000000000000000-mapping.dmp

Download