arkei | 672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8

Analysis

max time kernel
151s
max time network
144s
platform
windows10_x64
resource
win10-en-20210920
submitted
13-10-2021 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
Size

310KB
MD5

b9104a5c754e4959b435dbecc22e6e4b
SHA1

6fdf844fd140e669b8eaaf7fc8970edff41abeaa
SHA256

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8
SHA512

c93e0c1d6f59c0b25ccdcecdf44801c8643575874b66511e9ca31649e59eb55fc3fca4a3d6ca2dbdcc6845a73485644e5584f61895a2d134c30c3ce2f735db74

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey7.xyz/

http://wijibui0.xyz/

http://hefahei6.xyz/

http://pipevai4.xyz/

http://nalirou7.xyz/

http://xacokuo8.xyz/

http://hajezey1.xyz/

http://gejajoo7.xyz/

http://sysaheu9.xyz/

http://rixoxeu9.xyz/

rc4.i32

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes

url4cnc
http://telemirror.top/stevuitreen

http://tgmirror.top/stevuitreen

http://telegatt.top/stevuitreen

http://telegka.top/stevuitreen

http://telegin.top/stevuitreen

https://t.me/stevuitreen

rc4.plain

Extracted

Family

redline

Botnet

MegaProliv2

93.115.20.139:28978

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept

http://telegka.top/agrybirdsgamerept

http://telegin.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

huyzalupanew

135.181.208.162:13904

Extracted

Family

redline

Botnet

@Nastya_ero

45.14.49.66:21899

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1384-128-0x0000000000740000-0x0000000000771000-memory.dmp	family_redline
behavioral1/memory/1384-133-0x0000000000890000-0x00000000008AC000-memory.dmp	family_redline
behavioral1/memory/68-167-0x000000000041B252-mapping.dmp	family_redline
behavioral1/memory/68-165-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2496-183-0x0000000000BF0000-0x0000000000C21000-memory.dmp	family_redline
behavioral1/memory/2496-202-0x0000000002850000-0x000000000286C000-memory.dmp	family_redline
behavioral1/memory/848-214-0x0000000006170000-0x000000000618C000-memory.dmp	family_redline
behavioral1/memory/1212-296-0x000000000041B22A-mapping.dmp	family_redline
behavioral1/memory/4540-355-0x000000000041B256-mapping.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1864 created 1192 1864 WerFault.exe 2EB1.exe
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 1864 created 1192	1864	WerFault.exe	2EB1.exe

Arkei Stealer Payload 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1788-309-0x0000000000400000-0x000000000071C000-memory.dmp	family_arkei

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

DE6.exe17CB.exe20B5.exe247F.exe2EB1.exe247F.exe352A.exe3E43.exe4B84.exe4B84.exesqtvvs.exe4FFA.execsc.exeAdvancedRun.exe5C01.exe1_1.exeins.exesqtvvs.exesqtvvs.exe

pid	process
3168	DE6.exe
1384	17CB.exe
620	20B5.exe
416	247F.exe
1192	2EB1.exe
68	247F.exe
2496	352A.exe
848	3E43.exe
1212	4B84.exe
364	4B84.exe
3864	sqtvvs.exe
3420	4FFA.exe
1732	csc.exe
4048	AdvancedRun.exe
2784	5C01.exe
1208	1_1.exe
1788	ins.exe
1212	4B84.exe
496	sqtvvs.exe
4700	sqtvvs.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\46EF.exe	vmprotect
behavioral1/memory/1212-222-0x0000000001000000-0x0000000001699000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\46EF.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ins.exe1_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ins.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ins.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1_1.exe

Deletes itself 1 IoCs

Processes:

pid process

3028
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ins.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine ins.exe
Loads dropped DLL 3 IoCs

Processes:

ins.exe

pid process

1788 ins.exe
1788 ins.exe
1788 ins.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3028

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine	ins.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1_1.exe	themida
C:\Users\Admin\AppData\Local\Temp\1_1.exe	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

4B84.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	4B84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	4B84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	4B84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	4B84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4B84.exe = "0"	4B84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4B84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	4B84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	4B84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4B84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4B84.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ins.exe1_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ins.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1_1.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

ins.exe1_1.exe4B84.exe

pid	process
1788	ins.exe
1208	1_1.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe
364	4B84.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe247F.exe4B84.exe4FFA.exe

description	pid	process	target process
PID 1680 set thread context of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 416 set thread context of 68	416	247F.exe	247F.exe
PID 364 set thread context of 1212	364	4B84.exe	4B84.exe
PID 3420 set thread context of 4540	3420	4FFA.exe	RegSvcs.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3780	2496	WerFault.exe	352A.exe
1864	1192	WerFault.exe	2EB1.exe
3156	2496	WerFault.exe	352A.exe
4164	364	WerFault.exe	4B84.exe
4748	1788	WerFault.exe	ins.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3620 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4316 reg.exe
Runs net.exe

pid	process
3620	schtasks.exe

pid	process
4316	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe

pid	process
380	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
380	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

640
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe

pid process

380 672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe

pid	process
3028

pid	process
640

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

17CB.exeWerFault.exe3E43.exe4B84.exepowershell.exe247F.execsc.exeAdvancedRun.exeWerFault.exe352A.exeWerFault.exeWerFault.exepowershell.exe1_1.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	1384	17CB.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeRestorePrivilege	3780	WerFault.exe
Token: SeBackupPrivilege	3780	WerFault.exe
Token: SeDebugPrivilege	3780	WerFault.exe
Token: SeDebugPrivilege	848	3E43.exe
Token: SeDebugPrivilege	364	4B84.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	68	247F.exe
Token: SeDebugPrivilege	1732	csc.exe
Token: SeImpersonatePrivilege	1732	csc.exe
Token: SeDebugPrivilege	4048	AdvancedRun.exe
Token: SeImpersonatePrivilege	4048	AdvancedRun.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	1864	WerFault.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	2496	352A.exe
Token: SeDebugPrivilege	3156	WerFault.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	4164	WerFault.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	1208	1_1.exe
Token: SeDebugPrivilege	4748	WerFault.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3028
3028
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3028
3028

pid	process
3028
3028

pid	process
3028
3028

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe247F.exe20B5.exe4B84.exe4B84.execsc.exesqtvvs.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 1680 wrote to memory of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 1680 wrote to memory of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 1680 wrote to memory of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 1680 wrote to memory of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 1680 wrote to memory of 380	1680	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe	672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
PID 3028 wrote to memory of 3168	3028		DE6.exe
PID 3028 wrote to memory of 3168	3028		DE6.exe
PID 3028 wrote to memory of 3168	3028		DE6.exe
PID 3028 wrote to memory of 1384	3028		17CB.exe
PID 3028 wrote to memory of 1384	3028		17CB.exe
PID 3028 wrote to memory of 1384	3028		17CB.exe
PID 3028 wrote to memory of 620	3028		20B5.exe
PID 3028 wrote to memory of 620	3028		20B5.exe
PID 3028 wrote to memory of 620	3028		20B5.exe
PID 3028 wrote to memory of 416	3028		247F.exe
PID 3028 wrote to memory of 416	3028		247F.exe
PID 3028 wrote to memory of 416	3028		247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 3028 wrote to memory of 1192	3028		2EB1.exe
PID 3028 wrote to memory of 1192	3028		2EB1.exe
PID 3028 wrote to memory of 1192	3028		2EB1.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 416 wrote to memory of 68	416	247F.exe	247F.exe
PID 3028 wrote to memory of 2496	3028		352A.exe
PID 3028 wrote to memory of 2496	3028		352A.exe
PID 3028 wrote to memory of 2496	3028		352A.exe
PID 3028 wrote to memory of 848	3028		3E43.exe
PID 3028 wrote to memory of 848	3028		3E43.exe
PID 3028 wrote to memory of 848	3028		3E43.exe
PID 3028 wrote to memory of 1212	3028		4B84.exe
PID 3028 wrote to memory of 1212	3028		4B84.exe
PID 3028 wrote to memory of 1212	3028		4B84.exe
PID 620 wrote to memory of 3048	620	20B5.exe	powershell.exe
PID 620 wrote to memory of 3048	620	20B5.exe	powershell.exe
PID 620 wrote to memory of 3048	620	20B5.exe	powershell.exe
PID 3028 wrote to memory of 364	3028		4B84.exe
PID 3028 wrote to memory of 364	3028		4B84.exe
PID 3028 wrote to memory of 364	3028		4B84.exe
PID 1212 wrote to memory of 3864	1212	4B84.exe	sqtvvs.exe
PID 1212 wrote to memory of 3864	1212	4B84.exe	sqtvvs.exe
PID 1212 wrote to memory of 3864	1212	4B84.exe	sqtvvs.exe
PID 3028 wrote to memory of 3420	3028		4FFA.exe
PID 3028 wrote to memory of 3420	3028		4FFA.exe
PID 3028 wrote to memory of 3420	3028		4FFA.exe
PID 364 wrote to memory of 1732	364	4B84.exe	csc.exe
PID 364 wrote to memory of 1732	364	4B84.exe	csc.exe
PID 364 wrote to memory of 1732	364	4B84.exe	csc.exe
PID 1732 wrote to memory of 4048	1732	csc.exe	AdvancedRun.exe
PID 1732 wrote to memory of 4048	1732	csc.exe	AdvancedRun.exe
PID 1732 wrote to memory of 4048	1732	csc.exe	AdvancedRun.exe
PID 3864 wrote to memory of 4000	3864	sqtvvs.exe	cmd.exe
PID 3864 wrote to memory of 4000	3864	sqtvvs.exe	cmd.exe
PID 3864 wrote to memory of 4000	3864	sqtvvs.exe	cmd.exe
PID 3864 wrote to memory of 3620	3864	sqtvvs.exe	schtasks.exe
PID 3864 wrote to memory of 3620	3864	sqtvvs.exe	schtasks.exe
PID 3864 wrote to memory of 3620	3864	sqtvvs.exe	schtasks.exe
PID 4000 wrote to memory of 3516	4000	cmd.exe	reg.exe
PID 4000 wrote to memory of 3516	4000	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
"C:\Users\Admin\AppData\Local\Temp\672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe
  "C:\Users\Admin\AppData\Local\Temp\672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:380

C:\Users\Admin\AppData\Local\Temp\DE6.exe
C:\Users\Admin\AppData\Local\Temp\DE6.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Users\Admin\AppData\Local\Temp\17CB.exe
C:\Users\Admin\AppData\Local\Temp\17CB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\20B5.exe
C:\Users\Admin\AppData\Local\Temp\20B5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vzjhxhyx\vzjhxhyx.cmdline"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES679F.tmp" "c:\Users\Admin\AppData\Local\Temp\vzjhxhyx\CSCA60F9A95F2644848932B6C4B6EF81FB4.TMP"
      4⤵
      PID:4228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:4716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:5036
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:4604
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:4128
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:1136
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4256

C:\Users\Admin\AppData\Local\Temp\247F.exe
C:\Users\Admin\AppData\Local\Temp\247F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:416
- C:\Users\Admin\AppData\Local\Temp\247F.exe
  C:\Users\Admin\AppData\Local\Temp\247F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:68

C:\Users\Admin\AppData\Local\Temp\2EB1.exe
C:\Users\Admin\AppData\Local\Temp\2EB1.exe
1⤵
- Executes dropped EXE
PID:1192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 928
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1864

C:\Users\Admin\AppData\Local\Temp\352A.exe
C:\Users\Admin\AppData\Local\Temp\352A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 676
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1212
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3156

C:\Users\Admin\AppData\Local\Temp\3E43.exe
C:\Users\Admin\AppData\Local\Temp\3E43.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\46EF.exe
C:\Users\Admin\AppData\Local\Temp\46EF.exe
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
      4⤵
      PID:3516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3620

C:\Users\Admin\AppData\Local\Temp\4B84.exe
C:\Users\Admin\AppData\Local\Temp\4B84.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe" /SpecialRun 4101d8 1732
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4B84.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\4B84.exe
  "C:\Users\Admin\AppData\Local\Temp\4B84.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 2244
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4164

C:\Users\Admin\AppData\Local\Temp\4FFA.exe
C:\Users\Admin\AppData\Local\Temp\4FFA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:4540

C:\Users\Admin\AppData\Local\Temp\5C01.exe
C:\Users\Admin\AppData\Local\Temp\5C01.exe
1⤵
- Executes dropped EXE
PID:2784
- C:\Users\Admin\AppData\Local\Temp\1_1.exe
  "C:\Users\Admin\AppData\Local\Temp\1_1.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\ins.exe
  "C:\Users\Admin\AppData\Local\Temp\ins.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1356
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4748

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
- Executes dropped EXE
PID:496

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
- Executes dropped EXE
PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\247F.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212481030822282825

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212481030822282825

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212481030822282825

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\17CB.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\17CB.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_1.exe

MD5
f86fe50df10a86b3d831338108fbeb68

SHA1
28169cd527bc388c372d3f3932756391eea49e30

SHA256
46b582c33c1e8f0a9804a141b6eef63d977b28d393f0058c32629a14f25b8bc3

SHA512
9d03283a50be75ad20dc5f0dc942c93d09d46265326e6afe055bf1cf5387f462b8f668b33cd0c3818f3854cb87d71b9c999b6eb8accaedf64d0a00888f25be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_1.exe

MD5
f86fe50df10a86b3d831338108fbeb68

SHA1
28169cd527bc388c372d3f3932756391eea49e30

SHA256
46b582c33c1e8f0a9804a141b6eef63d977b28d393f0058c32629a14f25b8bc3

SHA512
9d03283a50be75ad20dc5f0dc942c93d09d46265326e6afe055bf1cf5387f462b8f668b33cd0c3818f3854cb87d71b9c999b6eb8accaedf64d0a00888f25be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\20B5.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\20B5.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\247F.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\247F.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\247F.exe

MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EB1.exe

MD5
a7590868a85203e4873bc995240bb4b3

SHA1
4ff373bfff693b45444f0a6273764839540198ee

SHA256
afa506dea7e88d3aa2ff4c2f58a21a91cf5d6ae5a00dea2cf482832d1613e37b

SHA512
26cbd5ee1586539672d7f338462e17bd0ff4d4ac52c3f4f1b3a19431e6d7fd43854921d257469688d096bd7516a2290ebbb7505061e036b7463bd601b9965925

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EB1.exe

MD5
a7590868a85203e4873bc995240bb4b3

SHA1
4ff373bfff693b45444f0a6273764839540198ee

SHA256
afa506dea7e88d3aa2ff4c2f58a21a91cf5d6ae5a00dea2cf482832d1613e37b

SHA512
26cbd5ee1586539672d7f338462e17bd0ff4d4ac52c3f4f1b3a19431e6d7fd43854921d257469688d096bd7516a2290ebbb7505061e036b7463bd601b9965925

Download Submit
C:\Users\Admin\AppData\Local\Temp\352A.exe

MD5
c18af761a48838778687bb55d0e2c16f

SHA1
c5016ef065bc93e8018fa61ca49ce7d1a16b1a4e

SHA256
06eb69ecc1a19bc3e3a3fa8c2aa820bc2c89245aa379f930fc3633eccc8a8eaf

SHA512
268f91e3461ff7ab9175557dfc5cccf752b940502ca083de50c582864b02482070a12884720dd4e99a8139bb8fc3b88b6d3d210fadf9779033ff2ddae3fa32ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\352A.exe

MD5
c18af761a48838778687bb55d0e2c16f

SHA1
c5016ef065bc93e8018fa61ca49ce7d1a16b1a4e

SHA256
06eb69ecc1a19bc3e3a3fa8c2aa820bc2c89245aa379f930fc3633eccc8a8eaf

SHA512
268f91e3461ff7ab9175557dfc5cccf752b940502ca083de50c582864b02482070a12884720dd4e99a8139bb8fc3b88b6d3d210fadf9779033ff2ddae3fa32ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E43.exe

MD5
f6111397666f71d39312d36e750779b1

SHA1
3ce182a8a55e19f68e38946b2b2e48ff767c04eb

SHA256
cf11c84874c8e7b49532cf0382a1a15475cdb394ed6fadc45f9228aa769f95c3

SHA512
cbc13c03f2b33404262e8c816a2f878ae0ed9017dbf1798b16f270247946888b02aa27749021059ff8701442cb1411986abc48485165266530d7ac1ad261b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E43.exe

MD5
f6111397666f71d39312d36e750779b1

SHA1
3ce182a8a55e19f68e38946b2b2e48ff767c04eb

SHA256
cf11c84874c8e7b49532cf0382a1a15475cdb394ed6fadc45f9228aa769f95c3

SHA512
cbc13c03f2b33404262e8c816a2f878ae0ed9017dbf1798b16f270247946888b02aa27749021059ff8701442cb1411986abc48485165266530d7ac1ad261b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\46EF.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\46EF.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B84.exe

MD5
8ba7a97c91e622bd624dcadba96dc13b

SHA1
a47f8e021092675e7d48e57b18ca64c66ac83a0d

SHA256
5c07175f6fe70bec4bced7e29adaa0ff1e0d748761d8b0d39b23d92cb2163e78

SHA512
faa9781394ce1f790bf19201550d08b37fe0eda03a157b789a1b1f49109c774afddc5cb2cdc49939d1b76d172906013b6462d12f351792c4b17393180107d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B84.exe

MD5
8ba7a97c91e622bd624dcadba96dc13b

SHA1
a47f8e021092675e7d48e57b18ca64c66ac83a0d

SHA256
5c07175f6fe70bec4bced7e29adaa0ff1e0d748761d8b0d39b23d92cb2163e78

SHA512
faa9781394ce1f790bf19201550d08b37fe0eda03a157b789a1b1f49109c774afddc5cb2cdc49939d1b76d172906013b6462d12f351792c4b17393180107d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B84.exe

MD5
8ba7a97c91e622bd624dcadba96dc13b

SHA1
a47f8e021092675e7d48e57b18ca64c66ac83a0d

SHA256
5c07175f6fe70bec4bced7e29adaa0ff1e0d748761d8b0d39b23d92cb2163e78

SHA512
faa9781394ce1f790bf19201550d08b37fe0eda03a157b789a1b1f49109c774afddc5cb2cdc49939d1b76d172906013b6462d12f351792c4b17393180107d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FFA.exe

MD5
b1e5d3e631e1f212791b3c7848cce6a2

SHA1
da79f7620d037a6ec5fa646e6afacd56915e6c4e

SHA256
d6f2de7170bb488e751893d9c0d98066514ea1fb9ab0d8eebfec57dc095aa5fc

SHA512
8e8c703685d286c70fe46ef42090281258859371ba2ccfe4fc2103af80b9c73355e0eaca6704ae91b9eb9daa3181d0caa46c9dbf7d67a2592401d22e3e130691

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FFA.exe

MD5
b1e5d3e631e1f212791b3c7848cce6a2

SHA1
da79f7620d037a6ec5fa646e6afacd56915e6c4e

SHA256
d6f2de7170bb488e751893d9c0d98066514ea1fb9ab0d8eebfec57dc095aa5fc

SHA512
8e8c703685d286c70fe46ef42090281258859371ba2ccfe4fc2103af80b9c73355e0eaca6704ae91b9eb9daa3181d0caa46c9dbf7d67a2592401d22e3e130691

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C01.exe

MD5
7f08d18bc0ed3723e6d91e9e86d8b8f9

SHA1
09775a45093e1ed74d153f759fd1d6d0a541625b

SHA256
df80ab9dee28e69f415a66a79d7c4fe17676507eee7bdc3e530929e13bae2452

SHA512
2e95a7f84acf3938ed72259a6fce12d86456f07b2402e51c5347b0b6243da9706ab670922be8b35b320f69c776997447e97947c53c3088ac70e703c88a59c820

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C01.exe

MD5
7f08d18bc0ed3723e6d91e9e86d8b8f9

SHA1
09775a45093e1ed74d153f759fd1d6d0a541625b

SHA256
df80ab9dee28e69f415a66a79d7c4fe17676507eee7bdc3e530929e13bae2452

SHA512
2e95a7f84acf3938ed72259a6fce12d86456f07b2402e51c5347b0b6243da9706ab670922be8b35b320f69c776997447e97947c53c3088ac70e703c88a59c820

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe

MD5
007c11352b9cac242621a3d8716bf50c

SHA1
eab0851b0bea26a2c446fbc55cbd6d773e44070b

SHA256
40e212c958863828659369007b3ccd7ac89873d1e6d03cae79acfc9397722b4e

SHA512
bbc1975c0e03f984e2106652ff8b170501ab3983a7076a1b08160ccd69e083e101eae8cbe80aa61a916aa43cf9b1908a63aaed0730ee17074a4a2adbfebddf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE6.exe

MD5
4ddce1574ea6e7b9d9d70f9c6f23a1c9

SHA1
89a9b86f4ffb646bf9856584292a42c5db14da26

SHA256
cb3be2979c500241fb4fae88ac0773a56745aa2807ba5c2970370b09d32231f3

SHA512
7a5beeac769961e393349ab2330f467edbacebf7b713883539eaf76792cdb978724d763ad1c3d54b4f79da32276ab466f2f844790020ecaf546e0fffaeb1f64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE6.exe

MD5
4ddce1574ea6e7b9d9d70f9c6f23a1c9

SHA1
89a9b86f4ffb646bf9856584292a42c5db14da26

SHA256
cb3be2979c500241fb4fae88ac0773a56745aa2807ba5c2970370b09d32231f3

SHA512
7a5beeac769961e393349ab2330f467edbacebf7b713883539eaf76792cdb978724d763ad1c3d54b4f79da32276ab466f2f844790020ecaf546e0fffaeb1f64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES679F.tmp

MD5
860059950f8c1070d982a23e13067139

SHA1
672c3ca06151378ef64ce776ac9082177eca8fc1

SHA256
dd23ed8d381c09114130a8eba9cc77c338b876dc866b12985ac8796bc7180088

SHA512
211d3e092b6d6da70e3e7d50611e4214c60b7772d93f3916163d2c6e317d6688a98d2e5800ef597e325f7cdbb831cf12cb655da8a4bbcbaef55cf1e4cec3cdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db56c3fe-c279-437e-885f-188719f147dd\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins.exe

MD5
bb280c6b75aee863a117808ff4410313

SHA1
0580d60c6ee0f69dddee5f85f9fe8034c91e2163

SHA256
2c8dce0c1e1a9be96a0fd1541b0dd94a846e30b71859f3f24bda00d9f6af113e

SHA512
bfc69451b8d021236551986c4215d89af244d93c9ce9c86e64bc138e6e2b7531c629d579ba0090d0467a43f9dc05925637d209399a21c7bf45303ab1406b5255

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins.exe

MD5
bb280c6b75aee863a117808ff4410313

SHA1
0580d60c6ee0f69dddee5f85f9fe8034c91e2163

SHA256
2c8dce0c1e1a9be96a0fd1541b0dd94a846e30b71859f3f24bda00d9f6af113e

SHA512
bfc69451b8d021236551986c4215d89af244d93c9ce9c86e64bc138e6e2b7531c629d579ba0090d0467a43f9dc05925637d209399a21c7bf45303ab1406b5255

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzjhxhyx\vzjhxhyx.dll

MD5
642346a601bf55cf9349505024454945

SHA1
2b1b20052feb4707aa18c247f9668872b3cc7f41

SHA256
da0327e5ce13d24ef1eb61764f1c55a80df7f38c9e5e38b7258f00ae3f6733bb

SHA512
9e3b57c3c35594f46705354f501c3e9b4fc368f687ffcf3fa07a96238d8e289f553554ea5c4566f2dfd62b61075d76f613f4abe637d5e12a275d0757baa28688

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vzjhxhyx\CSCA60F9A95F2644848932B6C4B6EF81FB4.TMP

MD5
520bedc5fd7566ad738c85f7ddb1bf66

SHA1
b542daa57b83d64b239f59e7f8ee07d9adabcf84

SHA256
46e0d28173e3aebca2b9283ee664b77d1456c938dab6f9d4e7a78c5c00477930

SHA512
d407fce45e8fde9cdfaba128dee330289b45119ace06a22c0db0fa960a42d85704a1ceb6d41253f921260f0238f516022c5b4006765abdf53324fac3682dd763

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vzjhxhyx\vzjhxhyx.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vzjhxhyx\vzjhxhyx.cmdline

MD5
447e9982b8e63b90667234c30d79af1e

SHA1
6cd9098a9df59620ef5c1b839a626b4fa90c5a1d

SHA256
5b0727ee66df139c1b61ae0e3b929a68f06bbc83a4b4b4d9c581d319d974fb57

SHA512
160e32a25263d4453820f628b11ce338d6a4367b2ecbdd9ff91eeddd83b1975a3434751cf4fee9d6922b34c9a584003b6ccc7e96f78b97b1739f8d5a059bd1f0

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/68-165-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/68-181-0x0000000004C60000-0x0000000005266000-memory.dmp

Filesize
6.0MB

Download
memory/68-167-0x000000000041B252-mapping.dmp

Download
memory/364-250-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/364-229-0x0000000000000000-mapping.dmp

Download
memory/364-233-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/380-117-0x0000000000402E8F-mapping.dmp

Download
memory/380-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/416-149-0x0000000000000000-mapping.dmp

Download
memory/416-152-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/416-157-0x0000000002920000-0x0000000002996000-memory.dmp

Filesize
472KB

Download
memory/416-156-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/416-155-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/416-154-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/620-178-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/620-180-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/620-189-0x00000000055C3000-0x00000000055C4000-memory.dmp

Filesize
4KB

Download
memory/620-148-0x0000000000CFE000-0x0000000001104000-memory.dmp

Filesize
4.0MB

Download
memory/620-145-0x0000000000000000-mapping.dmp

Download
memory/620-187-0x00000000055C2000-0x00000000055C3000-memory.dmp

Filesize
4KB

Download
memory/620-194-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/620-162-0x00000000059E0000-0x0000000005DDF000-memory.dmp

Filesize
4.0MB

Download
memory/620-193-0x00000000055C4000-0x00000000055C5000-memory.dmp

Filesize
4KB

Download
memory/620-168-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/620-179-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/620-176-0x0000000001110000-0x0000000001512000-memory.dmp

Filesize
4.0MB

Download
memory/848-214-0x0000000006170000-0x000000000618C000-memory.dmp

Filesize
112KB

Download
memory/848-213-0x00000000056A0000-0x00000000056C1000-memory.dmp

Filesize
132KB

Download
memory/848-196-0x0000000000000000-mapping.dmp

Download
memory/848-199-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/848-201-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/848-207-0x0000000005640000-0x00000000056DC000-memory.dmp

Filesize
624KB

Download
memory/1136-1496-0x0000000000000000-mapping.dmp

Download
memory/1192-184-0x0000000001700000-0x000000000184A000-memory.dmp

Filesize
1.3MB

Download
memory/1192-161-0x0000000001A46000-0x0000000001A95000-memory.dmp

Filesize
316KB

Download
memory/1192-158-0x0000000000000000-mapping.dmp

Download
memory/1192-191-0x0000000000400000-0x00000000016FF000-memory.dmp

Filesize
19.0MB

Download
memory/1208-317-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1208-275-0x0000000000000000-mapping.dmp

Download
memory/1208-306-0x0000000077590000-0x000000007771E000-memory.dmp

Filesize
1.6MB

Download
memory/1212-222-0x0000000001000000-0x0000000001699000-memory.dmp

Filesize
6.6MB

Download
memory/1212-220-0x0000000000000000-mapping.dmp

Download
memory/1212-296-0x000000000041B22A-mapping.dmp

Download
memory/1212-337-0x0000000004FF0000-0x00000000055F6000-memory.dmp

Filesize
6.0MB

Download
memory/1384-138-0x0000000002973000-0x0000000002974000-memory.dmp

Filesize
4KB

Download
memory/1384-137-0x0000000002972000-0x0000000002973000-memory.dmp

Filesize
4KB

Download
memory/1384-144-0x0000000002974000-0x0000000002975000-memory.dmp

Filesize
4KB

Download
memory/1384-143-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/1384-125-0x0000000000000000-mapping.dmp

Download
memory/1384-142-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/1384-128-0x0000000000740000-0x0000000000771000-memory.dmp

Filesize
196KB

Download
memory/1384-133-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/1384-141-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1384-140-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1384-139-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1384-136-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1680-115-0x00000000018E6000-0x00000000018F6000-memory.dmp

Filesize
64KB

Download
memory/1680-118-0x00000000017A0000-0x00000000018EA000-memory.dmp

Filesize
1.3MB

Download
memory/1732-251-0x0000000000000000-mapping.dmp

Download
memory/1732-286-0x0000000000000000-mapping.dmp

Download
memory/1736-1490-0x0000000000000000-mapping.dmp

Download
memory/1788-280-0x0000000000000000-mapping.dmp

Download
memory/1788-307-0x0000000077590000-0x000000007771E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-309-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1788-314-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2472-335-0x0000000006952000-0x0000000006953000-memory.dmp

Filesize
4KB

Download
memory/2472-445-0x0000000006953000-0x0000000006954000-memory.dmp

Filesize
4KB

Download
memory/2472-332-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/2472-411-0x000000007E430000-0x000000007E431000-memory.dmp

Filesize
4KB

Download
memory/2472-289-0x0000000000000000-mapping.dmp

Download
memory/2496-166-0x0000000000000000-mapping.dmp

Download
memory/2496-195-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2496-202-0x0000000002850000-0x000000000286C000-memory.dmp

Filesize
112KB

Download
memory/2496-209-0x0000000002A22000-0x0000000002A23000-memory.dmp

Filesize
4KB

Download
memory/2496-183-0x0000000000BF0000-0x0000000000C21000-memory.dmp

Filesize
196KB

Download
memory/2496-210-0x0000000002A23000-0x0000000002A24000-memory.dmp

Filesize
4KB

Download
memory/2496-212-0x0000000002A24000-0x0000000002A25000-memory.dmp

Filesize
4KB

Download
memory/2784-269-0x0000000000000000-mapping.dmp

Download
memory/3028-119-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/3048-228-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3048-227-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3048-226-0x0000000000000000-mapping.dmp

Download
memory/3048-343-0x00000000047E3000-0x00000000047E4000-memory.dmp

Filesize
4KB

Download
memory/3048-231-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3048-235-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3048-245-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/3048-247-0x00000000047E2000-0x00000000047E3000-memory.dmp

Filesize
4KB

Download
memory/3168-135-0x0000000000400000-0x00000000016FF000-memory.dmp

Filesize
19.0MB

Download
memory/3168-120-0x0000000000000000-mapping.dmp

Download
memory/3168-124-0x0000000003300000-0x000000000338E000-memory.dmp

Filesize
568KB

Download
memory/3420-244-0x0000000000000000-mapping.dmp

Download
memory/3516-265-0x0000000000000000-mapping.dmp

Download
memory/3620-262-0x0000000000000000-mapping.dmp

Download
memory/3864-239-0x0000000000000000-mapping.dmp

Download
memory/4000-259-0x0000000000000000-mapping.dmp

Download
memory/4048-260-0x0000000000000000-mapping.dmp

Download
memory/4128-1495-0x0000000000000000-mapping.dmp

Download
memory/4228-312-0x0000000000000000-mapping.dmp

Download
memory/4252-1169-0x0000000000000000-mapping.dmp

Download
memory/4252-1185-0x0000000006822000-0x0000000006823000-memory.dmp

Filesize
4KB

Download
memory/4252-1184-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/4252-1277-0x000000007EA90000-0x000000007EA91000-memory.dmp

Filesize
4KB

Download
memory/4256-1497-0x0000000000000000-mapping.dmp

Download
memory/4284-1447-0x0000000000000000-mapping.dmp

Download
memory/4316-1448-0x0000000000000000-mapping.dmp

Download
memory/4404-1449-0x0000000000000000-mapping.dmp

Download
memory/4540-355-0x000000000041B256-mapping.dmp

Download
memory/4540-373-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/4604-1492-0x0000000000000000-mapping.dmp

Download
memory/4692-917-0x0000000000000000-mapping.dmp

Download
memory/4692-927-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/4692-943-0x000000007EB80000-0x000000007EB81000-memory.dmp

Filesize
4KB

Download
memory/4692-928-0x00000000046F2000-0x00000000046F3000-memory.dmp

Filesize
4KB

Download
memory/4716-1486-0x0000000000000000-mapping.dmp

Download
memory/4876-1487-0x0000000000000000-mapping.dmp

Download
memory/5036-1491-0x0000000000000000-mapping.dmp

Download
memory/5044-1493-0x0000000000000000-mapping.dmp

Download
memory/5072-766-0x000000007E960000-0x000000007E961000-memory.dmp

Filesize
4KB

Download
memory/5072-447-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/5072-449-0x0000000004752000-0x0000000004753000-memory.dmp

Filesize
4KB

Download
memory/5072-423-0x0000000000000000-mapping.dmp

Download
memory/5088-1494-0x0000000000000000-mapping.dmp

Download