arkei | 411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10-en-20211014
submitted
10-11-2021 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
Size

190KB
MD5

8a172ec581f1afe9574c54c13d338c9a
SHA1

ad5862ddde0bc737ee30d7a36c8d59e7939ac18c
SHA256

411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3
SHA512

8b13da741085c236e76726dd16a6434c455ac492f1ac16eec73c0db160e01ff6d2c556489902cd14395fdb9135573f55183f244e4bfa72694d93d45cf22f6298

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

icedid

Botnet

1217670233

lakogrefop.rest

hangetilin.top

follytresh.co

zojecurf.store

Attributes

auth_var
14
url_path
/posts/

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

redline

Botnet

pub3

185.215.113.46:80

Extracted

Family

redline

Botnet

1011bankk

charirelay.xyz:80

Extracted

Family

redline

Botnet

Test_3

94.103.9.139:80

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-143-0x0000000002170000-0x000000000218C000-memory.dmp	family_redline
behavioral1/memory/2580-149-0x00000000023C0000-0x00000000023DB000-memory.dmp	family_redline
behavioral1/memory/956-180-0x0000000004910000-0x000000000493D000-memory.dmp	family_redline
behavioral1/memory/956-182-0x00000000070E0000-0x000000000710C000-memory.dmp	family_redline
behavioral1/memory/2404-262-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2404-267-0x0000000000418EF6-mapping.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\F2EF.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\F2EF.exe	family_redline
behavioral1/memory/372-588-0x0000000000418F02-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2880 created 2968	2880	WerFault.exe	CE4E.exe
PID 3328 created 3168	3328	WerFault.exe	DBDC.exe
PID 3528 created 768	3528	WerFault.exe	730D.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ADE.exe	family_arkei
C:\Users\Admin\AppData\Local\Temp\ADE.exe	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

Processes:

2391.exe2391.exe4246.exe5254.exe5254.exe730D.exe730D.exe980B.exeCE4E.exeDBDC.exeF2EF.exeFE4B.exeAdvancedRun.exeAdvancedRun.exeADE.exeFE4B.exews.exewmpsrcwp.exewmpsrcwp.exe

pid	process
3956	2391.exe
3764	2391.exe
1176	4246.exe
1424	5254.exe
2580	5254.exe
1288	730D.exe
768	730D.exe
956	980B.exe
2968	CE4E.exe
3168	DBDC.exe
984	F2EF.exe
1364	FE4B.exe
3124	AdvancedRun.exe
876	AdvancedRun.exe
2664	ADE.exe
372	FE4B.exe
3208	ws.exe
1300	wmpsrcwp.exe
3912	wmpsrcwp.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmpsrcwp.exeADE.exewmpsrcwp.exews.exeCE4E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wmpsrcwp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ADE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmpsrcwp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wmpsrcwp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmpsrcwp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CE4E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CE4E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ADE.exe

Deletes itself 1 IoCs

Processes:

pid process

3056
Loads dropped DLL 5 IoCs

Processes:

4246.exeregsvr32.exeADE.exe

pid process

1176 4246.exe
2608 regsvr32.exe
2664 ADE.exe
2664 ADE.exe
2664 ADE.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2280 icacls.exe
2992 icacls.exe
1392 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056

pid	process
1176	4246.exe
2608	regsvr32.exe
2664	ADE.exe
2664	ADE.exe
2664	ADE.exe

pid	process
2280	icacls.exe
2992	icacls.exe
1392	icacls.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ADE.exe	themida
C:\Users\Admin\AppData\Local\Temp\ADE.exe	themida
C:\ProgramData\ws.exe	themida
C:\ProgramData\ws.exe	themida
C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe	themida
C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

FE4B.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	FE4B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	FE4B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	FE4B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	FE4B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	FE4B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	FE4B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	FE4B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	FE4B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FE4B.exe = "0"	FE4B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	FE4B.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ADE.exews.exewmpsrcwp.exewmpsrcwp.exeCE4E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ADE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wmpsrcwp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wmpsrcwp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CE4E.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ADE.exews.exewmpsrcwp.exewmpsrcwp.exe

pid process

2664 ADE.exe
3208 ws.exe
1300 wmpsrcwp.exe
3912 wmpsrcwp.exe

pid	process
2664	ADE.exe
3208	ws.exe
1300	wmpsrcwp.exe
3912	wmpsrcwp.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe2391.exe5254.exe730D.exeCE4E.exeFE4B.exe

description	pid	process	target process
PID 2748 set thread context of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 3956 set thread context of 3764	3956	2391.exe	2391.exe
PID 1424 set thread context of 2580	1424	5254.exe	5254.exe
PID 1288 set thread context of 768	1288	730D.exe	730D.exe
PID 2968 set thread context of 2404	2968	CE4E.exe	AppLaunch.exe
PID 1364 set thread context of 372	1364	FE4B.exe	FE4B.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2880 2968 WerFault.exe CE4E.exe
3328 3168 WerFault.exe DBDC.exe
3528 768 WerFault.exe 730D.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
2880	2968	WerFault.exe	CE4E.exe
3328	3168	WerFault.exe	DBDC.exe
3528	768	WerFault.exe	730D.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2391.exe4246.exe411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2391.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4246.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4246.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4246.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ADE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ADE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ADE.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

504 timeout.exe

pid	process
504	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe

pid	process
1524	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
1524	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe2391.exe4246.exe

pid process

1524 411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
3764 2391.exe
1176 4246.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

980B.exeWerFault.exeWerFault.exeAppLaunch.exeFE4B.exeAdvancedRun.exeAdvancedRun.exeF2EF.exepowershell.exeFE4B.exe

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	956	980B.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeRestorePrivilege	3328	WerFault.exe
Token: SeBackupPrivilege	3328	WerFault.exe
Token: SeRestorePrivilege	2880	WerFault.exe
Token: SeBackupPrivilege	2880	WerFault.exe
Token: SeBackupPrivilege	2880	WerFault.exe
Token: SeDebugPrivilege	3328	WerFault.exe
Token: SeDebugPrivilege	2880	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	2404	AppLaunch.exe
Token: SeDebugPrivilege	1364	FE4B.exe
Token: SeDebugPrivilege	3124	AdvancedRun.exe
Token: SeImpersonatePrivilege	3124	AdvancedRun.exe
Token: SeDebugPrivilege	876	AdvancedRun.exe
Token: SeImpersonatePrivilege	876	AdvancedRun.exe
Token: SeDebugPrivilege	984	F2EF.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	372	FE4B.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe2391.exe5254.exe730D.exeCE4E.exe

description	pid	process	target process
PID 2748 wrote to memory of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 2748 wrote to memory of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 2748 wrote to memory of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 2748 wrote to memory of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 2748 wrote to memory of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 2748 wrote to memory of 1524	2748	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe	411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
PID 3056 wrote to memory of 3956	3056		2391.exe
PID 3056 wrote to memory of 3956	3056		2391.exe
PID 3056 wrote to memory of 3956	3056		2391.exe
PID 3956 wrote to memory of 3764	3956	2391.exe	2391.exe
PID 3956 wrote to memory of 3764	3956	2391.exe	2391.exe
PID 3956 wrote to memory of 3764	3956	2391.exe	2391.exe
PID 3956 wrote to memory of 3764	3956	2391.exe	2391.exe
PID 3956 wrote to memory of 3764	3956	2391.exe	2391.exe
PID 3956 wrote to memory of 3764	3956	2391.exe	2391.exe
PID 3056 wrote to memory of 1176	3056		4246.exe
PID 3056 wrote to memory of 1176	3056		4246.exe
PID 3056 wrote to memory of 1176	3056		4246.exe
PID 3056 wrote to memory of 1424	3056		5254.exe
PID 3056 wrote to memory of 1424	3056		5254.exe
PID 3056 wrote to memory of 1424	3056		5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 1424 wrote to memory of 2580	1424	5254.exe	5254.exe
PID 3056 wrote to memory of 2608	3056		regsvr32.exe
PID 3056 wrote to memory of 2608	3056		regsvr32.exe
PID 3056 wrote to memory of 1288	3056		730D.exe
PID 3056 wrote to memory of 1288	3056		730D.exe
PID 3056 wrote to memory of 1288	3056		730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 1288 wrote to memory of 768	1288	730D.exe	730D.exe
PID 3056 wrote to memory of 956	3056		980B.exe
PID 3056 wrote to memory of 956	3056		980B.exe
PID 3056 wrote to memory of 956	3056		980B.exe
PID 3056 wrote to memory of 2968	3056		CE4E.exe
PID 3056 wrote to memory of 2968	3056		CE4E.exe
PID 3056 wrote to memory of 2968	3056		CE4E.exe
PID 3056 wrote to memory of 3168	3056		DBDC.exe
PID 3056 wrote to memory of 3168	3056		DBDC.exe
PID 3056 wrote to memory of 3168	3056		DBDC.exe
PID 2968 wrote to memory of 2404	2968	CE4E.exe	AppLaunch.exe
PID 2968 wrote to memory of 2404	2968	CE4E.exe	AppLaunch.exe
PID 2968 wrote to memory of 2404	2968	CE4E.exe	AppLaunch.exe
PID 2968 wrote to memory of 2404	2968	CE4E.exe	AppLaunch.exe
PID 2968 wrote to memory of 2404	2968	CE4E.exe	AppLaunch.exe
PID 3056 wrote to memory of 984	3056		F2EF.exe
PID 3056 wrote to memory of 984	3056		F2EF.exe
PID 3056 wrote to memory of 984	3056		F2EF.exe
PID 3056 wrote to memory of 1364	3056		FE4B.exe
PID 3056 wrote to memory of 1364	3056		FE4B.exe

C:\Users\Admin\AppData\Local\Temp\411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
"C:\Users\Admin\AppData\Local\Temp\411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe
"C:\Users\Admin\AppData\Local\Temp\411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1524

C:\Users\Admin\AppData\Local\Temp\2391.exe
C:\Users\Admin\AppData\Local\Temp\2391.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\2391.exe
C:\Users\Admin\AppData\Local\Temp\2391.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3764

C:\Users\Admin\AppData\Local\Temp\4246.exe
C:\Users\Admin\AppData\Local\Temp\4246.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1176

C:\Users\Admin\AppData\Local\Temp\5254.exe
C:\Users\Admin\AppData\Local\Temp\5254.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\5254.exe
C:\Users\Admin\AppData\Local\Temp\5254.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\60BD.dll
1⤵
- Loads dropped DLL
PID:2608

C:\Users\Admin\AppData\Local\Temp\730D.exe
C:\Users\Admin\AppData\Local\Temp\730D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\730D.exe
C:\Users\Admin\AppData\Local\Temp\730D.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1268
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3528

C:\Users\Admin\AppData\Local\Temp\980B.exe
C:\Users\Admin\AppData\Local\Temp\980B.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\CE4E.exe
C:\Users\Admin\AppData\Local\Temp\CE4E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 560
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Admin\AppData\Local\Temp\DBDC.exe
C:\Users\Admin\AppData\Local\Temp\DBDC.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 652
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Users\Admin\AppData\Local\Temp\F2EF.exe
C:\Users\Admin\AppData\Local\Temp\F2EF.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Users\Admin\AppData\Local\Temp\FE4B.exe
C:\Users\Admin\AppData\Local\Temp\FE4B.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe" /SpecialRun 4101d8 3124
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FE4B.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Users\Admin\AppData\Local\Temp\FE4B.exe
C:\Users\Admin\AppData\Local\Temp\FE4B.exe
2⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\FE4B.exe
C:\Users\Admin\AppData\Local\Temp\FE4B.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Users\Admin\AppData\Local\Temp\ADE.exe
C:\Users\Admin\AppData\Local\Temp\ADE.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2664

C:\ProgramData\ws.exe
"C:\ProgramData\ws.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
3⤵
PID:3184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:2992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ADE.exe" & exit
2⤵
PID:3564

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:504

C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe
C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1300

C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe
C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ws.exe
MD5
5d45aa165cc3aaa50388e65ae1ea754a

SHA1
337fc0db88b40a2a423e4fbd86195896e9731b1e

SHA256
6479ff5c29030c073647fb7af3bd2fb39e5b8d165e36ae788837c27bbb3fe61e

SHA512
3f5a2fae0d758cf5ead516ee62933dead69501c25193162faa958cf8b26cbd44734c952aad7102a98b3415e02963a3e655b6c997934b9509b01c3895b3ddaa71

Download Submit
C:\ProgramData\ws.exe
MD5
5d45aa165cc3aaa50388e65ae1ea754a

SHA1
337fc0db88b40a2a423e4fbd86195896e9731b1e

SHA256
6479ff5c29030c073647fb7af3bd2fb39e5b8d165e36ae788837c27bbb3fe61e

SHA512
3f5a2fae0d758cf5ead516ee62933dead69501c25193162faa958cf8b26cbd44734c952aad7102a98b3415e02963a3e655b6c997934b9509b01c3895b3ddaa71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FE4B.exe.log
MD5
f4bb5bd0b2282cf9cada18a90a50971a

SHA1
c3954cfd8c8341a571eb49feb3ebf36f8ce46e43

SHA256
cc64510ae8390b72dcdcbafb854e064821bfcebc4d8fa5bac960331fe915485d

SHA512
396f5370479d685cc115612d5a42bccffe3d48f991d17c848aa758af64c177b3e30eaaa1d335422c8773a789fdc1236ee47835fa3b5235632c0e668dd31543a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2391.exe
MD5
8a172ec581f1afe9574c54c13d338c9a

SHA1
ad5862ddde0bc737ee30d7a36c8d59e7939ac18c

SHA256
411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3

SHA512
8b13da741085c236e76726dd16a6434c455ac492f1ac16eec73c0db160e01ff6d2c556489902cd14395fdb9135573f55183f244e4bfa72694d93d45cf22f6298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2391.exe
MD5
8a172ec581f1afe9574c54c13d338c9a

SHA1
ad5862ddde0bc737ee30d7a36c8d59e7939ac18c

SHA256
411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3

SHA512
8b13da741085c236e76726dd16a6434c455ac492f1ac16eec73c0db160e01ff6d2c556489902cd14395fdb9135573f55183f244e4bfa72694d93d45cf22f6298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2391.exe
MD5
8a172ec581f1afe9574c54c13d338c9a

SHA1
ad5862ddde0bc737ee30d7a36c8d59e7939ac18c

SHA256
411dec11aa55d30ba5e1d70b6f5d7cef77b1234b49b57dd967d29e733d0f3de3

SHA512
8b13da741085c236e76726dd16a6434c455ac492f1ac16eec73c0db160e01ff6d2c556489902cd14395fdb9135573f55183f244e4bfa72694d93d45cf22f6298

Download Submit
C:\Users\Admin\AppData\Local\Temp\4246.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\4246.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\5254.exe
MD5
9084d28488646d0d39fbeef1f8174d10

SHA1
8cc8ea6413fefc1f85662bc958fd89e1937ecfbf

SHA256
773f13851179b37dfaed4f1883b94474c12ddbe366e36f50f556c5b3fa5cd024

SHA512
883ea4a3950cfad258a838fb8ab41a46a0711e6dd72909791daa69a289e82ea4f94444d6b300ce81ddde6950e1e1dfba6a850e340c56b36d0557dcdf869c8ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5254.exe
MD5
9084d28488646d0d39fbeef1f8174d10

SHA1
8cc8ea6413fefc1f85662bc958fd89e1937ecfbf

SHA256
773f13851179b37dfaed4f1883b94474c12ddbe366e36f50f556c5b3fa5cd024

SHA512
883ea4a3950cfad258a838fb8ab41a46a0711e6dd72909791daa69a289e82ea4f94444d6b300ce81ddde6950e1e1dfba6a850e340c56b36d0557dcdf869c8ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5254.exe
MD5
9084d28488646d0d39fbeef1f8174d10

SHA1
8cc8ea6413fefc1f85662bc958fd89e1937ecfbf

SHA256
773f13851179b37dfaed4f1883b94474c12ddbe366e36f50f556c5b3fa5cd024

SHA512
883ea4a3950cfad258a838fb8ab41a46a0711e6dd72909791daa69a289e82ea4f94444d6b300ce81ddde6950e1e1dfba6a850e340c56b36d0557dcdf869c8ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\60BD.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
C:\Users\Admin\AppData\Local\Temp\730D.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\730D.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\730D.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\852cbd77-7c85-41e7-ae85-9e7f963bd5c4\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\980B.exe
MD5
ff5f9201e8bca81a126ea15a536e5eed

SHA1
9c009acb34a16c0a185df24d362da1b690003978

SHA256
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

SHA512
1b3c7e2cad142bbfe8529633b4a8e53f68a3319579a94cfa4e8019628113ea4b341ea397cb5c2e64eda971c5fd07d88f1d3af4f673385f262b5f6a67a2e2f4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\980B.exe
MD5
ff5f9201e8bca81a126ea15a536e5eed

SHA1
9c009acb34a16c0a185df24d362da1b690003978

SHA256
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

SHA512
1b3c7e2cad142bbfe8529633b4a8e53f68a3319579a94cfa4e8019628113ea4b341ea397cb5c2e64eda971c5fd07d88f1d3af4f673385f262b5f6a67a2e2f4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADE.exe
MD5
5c0c23fe5cff2614f1bf711f66d18fda

SHA1
96022c8946156ad678d4cb7168b5a7379c804bf9

SHA256
c44342d56d388e7fb7fa07a598197f03c1b2d696b1549fdd319dc28732628943

SHA512
bee080459cf878542d43bf20f59c4cf09afadc849890e744b9ee2106f47a5fea5065d28caa1af7d5488356f06e883a7aaf840f3973f2621391031647de24221b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADE.exe
MD5
5c0c23fe5cff2614f1bf711f66d18fda

SHA1
96022c8946156ad678d4cb7168b5a7379c804bf9

SHA256
c44342d56d388e7fb7fa07a598197f03c1b2d696b1549fdd319dc28732628943

SHA512
bee080459cf878542d43bf20f59c4cf09afadc849890e744b9ee2106f47a5fea5065d28caa1af7d5488356f06e883a7aaf840f3973f2621391031647de24221b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE4E.exe
MD5
b73c34e7b239cf0d14810c17fecefbe7

SHA1
9cbc5fb855aa90249a721f8277b88ea84bea00b6

SHA256
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

SHA512
35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE4E.exe
MD5
b73c34e7b239cf0d14810c17fecefbe7

SHA1
9cbc5fb855aa90249a721f8277b88ea84bea00b6

SHA256
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

SHA512
35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBDC.exe
MD5
26fbf98952ff7906697bce1f27a3712a

SHA1
318452d3d055e1d942b486c3167a7c6947b6728e

SHA256
52cef020b33b1dc6d7910f0d538b1d20ed2b85611b1c662fb690de0631e9f1cd

SHA512
eddf196543a1ee0742921de6d16f22cd893c72f012eb42e258b32674962031ee59f9abbbac97db23e38227aeb7392b8af81a0d529ad7f66064dec5d6afaefd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBDC.exe
MD5
26fbf98952ff7906697bce1f27a3712a

SHA1
318452d3d055e1d942b486c3167a7c6947b6728e

SHA256
52cef020b33b1dc6d7910f0d538b1d20ed2b85611b1c662fb690de0631e9f1cd

SHA512
eddf196543a1ee0742921de6d16f22cd893c72f012eb42e258b32674962031ee59f9abbbac97db23e38227aeb7392b8af81a0d529ad7f66064dec5d6afaefd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2EF.exe
MD5
17b57e346f1b5eecc8a37dd405eb5b76

SHA1
f120c1acd341ceff5e35c8891c007406ff8986bc

SHA256
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94

SHA512
79c39cad1ca5aad3d568a0e1665ffeea02e546dacbde42132e26944d99caf87dc6f9e5b0db98c9077911d3cb210607a43e12d0b242aec77b2a3755bb588b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2EF.exe
MD5
17b57e346f1b5eecc8a37dd405eb5b76

SHA1
f120c1acd341ceff5e35c8891c007406ff8986bc

SHA256
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94

SHA512
79c39cad1ca5aad3d568a0e1665ffeea02e546dacbde42132e26944d99caf87dc6f9e5b0db98c9077911d3cb210607a43e12d0b242aec77b2a3755bb588b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE4B.exe
MD5
6010065a771416d920f8cd442235c8e3

SHA1
3e7b1b3ba029629f0d7dc04a33f33d9fafd2b367

SHA256
31198eeb3293a01d7f4900fc45a935e53216ab6c962ccbd0aa7f8740bbdddca2

SHA512
eb2fe7cdd586f457bf1fae090217274ddf5ef404b05ff673958ff8cc12aa783e184c95b1c0b6feffe12682b8f5e04bcdcf0d59fc3643415184c9d1eec378207c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE4B.exe
MD5
6010065a771416d920f8cd442235c8e3

SHA1
3e7b1b3ba029629f0d7dc04a33f33d9fafd2b367

SHA256
31198eeb3293a01d7f4900fc45a935e53216ab6c962ccbd0aa7f8740bbdddca2

SHA512
eb2fe7cdd586f457bf1fae090217274ddf5ef404b05ff673958ff8cc12aa783e184c95b1c0b6feffe12682b8f5e04bcdcf0d59fc3643415184c9d1eec378207c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE4B.exe
MD5
6010065a771416d920f8cd442235c8e3

SHA1
3e7b1b3ba029629f0d7dc04a33f33d9fafd2b367

SHA256
31198eeb3293a01d7f4900fc45a935e53216ab6c962ccbd0aa7f8740bbdddca2

SHA512
eb2fe7cdd586f457bf1fae090217274ddf5ef404b05ff673958ff8cc12aa783e184c95b1c0b6feffe12682b8f5e04bcdcf0d59fc3643415184c9d1eec378207c

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe
MD5
5d45aa165cc3aaa50388e65ae1ea754a

SHA1
337fc0db88b40a2a423e4fbd86195896e9731b1e

SHA256
6479ff5c29030c073647fb7af3bd2fb39e5b8d165e36ae788837c27bbb3fe61e

SHA512
3f5a2fae0d758cf5ead516ee62933dead69501c25193162faa958cf8b26cbd44734c952aad7102a98b3415e02963a3e655b6c997934b9509b01c3895b3ddaa71

Download Submit
C:\Users\Admin\AppData\Roaming\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_ru-ru_5d03c0286be1e92c\wmpsrcwp.exe
MD5
5d45aa165cc3aaa50388e65ae1ea754a

SHA1
337fc0db88b40a2a423e4fbd86195896e9731b1e

SHA256
6479ff5c29030c073647fb7af3bd2fb39e5b8d165e36ae788837c27bbb3fe61e

SHA512
3f5a2fae0d758cf5ead516ee62933dead69501c25193162faa958cf8b26cbd44734c952aad7102a98b3415e02963a3e655b6c997934b9509b01c3895b3ddaa71

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\60BD.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
memory/372-588-0x0000000000418F02-mapping.dmp

Download
memory/504-884-0x0000000000000000-mapping.dmp

Download
memory/768-171-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/768-175-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/768-173-0x00000000004A0000-0x000000000054E000-memory.dmp

Filesize
696KB

Download
memory/768-174-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/768-172-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/768-166-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/768-167-0x0000000000402998-mapping.dmp

Download
memory/876-313-0x0000000000000000-mapping.dmp

Download
memory/956-185-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/956-195-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/956-199-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/956-198-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/956-197-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/956-196-0x0000000008FC0000-0x0000000008FC1000-memory.dmp

Filesize
4KB

Download
memory/956-194-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/956-193-0x0000000007274000-0x0000000007276000-memory.dmp

Filesize
8KB

Download
memory/956-176-0x0000000000000000-mapping.dmp

Download
memory/956-186-0x0000000007272000-0x0000000007273000-memory.dmp

Filesize
4KB

Download
memory/956-187-0x0000000007273000-0x0000000007274000-memory.dmp

Filesize
4KB

Download
memory/956-179-0x0000000002E76000-0x0000000002EA2000-memory.dmp

Filesize
176KB

Download
memory/956-180-0x0000000004910000-0x000000000493D000-memory.dmp

Filesize
180KB

Download
memory/956-182-0x00000000070E0000-0x000000000710C000-memory.dmp

Filesize
176KB

Download
memory/956-184-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/956-183-0x0000000002DF0000-0x0000000002E29000-memory.dmp

Filesize
228KB

Download
memory/984-286-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/984-283-0x0000000000000000-mapping.dmp

Download
memory/1176-132-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1176-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1176-131-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/1176-127-0x0000000000000000-mapping.dmp

Download
memory/1288-170-0x0000000002290000-0x0000000002300000-memory.dmp

Filesize
448KB

Download
memory/1288-165-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1288-164-0x0000000002130000-0x00000000021B3000-memory.dmp

Filesize
524KB

Download
memory/1288-169-0x0000000002220000-0x0000000002283000-memory.dmp

Filesize
396KB

Download
memory/1288-163-0x00000000020B0000-0x0000000002127000-memory.dmp

Filesize
476KB

Download
memory/1288-160-0x0000000000000000-mapping.dmp

Download
memory/1364-301-0x0000000000000000-mapping.dmp

Download
memory/1392-885-0x0000000000000000-mapping.dmp

Download
memory/1424-140-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/1424-141-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/1424-134-0x0000000000000000-mapping.dmp

Download
memory/1524-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1524-116-0x0000000000402DC6-mapping.dmp

Download
memory/2280-886-0x0000000000000000-mapping.dmp

Download
memory/2404-262-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2404-279-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2404-271-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2404-270-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2404-269-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2404-268-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2404-267-0x0000000000418EF6-mapping.dmp

Download
memory/2580-143-0x0000000002170000-0x000000000218C000-memory.dmp

Filesize
112KB

Download
memory/2580-151-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2580-154-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2580-153-0x0000000004B74000-0x0000000004B76000-memory.dmp

Filesize
8KB

Download
memory/2580-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-159-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2580-146-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/2580-138-0x000000000040CD2F-mapping.dmp

Download
memory/2580-152-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2580-145-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2580-150-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2580-149-0x00000000023C0000-0x00000000023DB000-memory.dmp

Filesize
108KB

Download
memory/2580-148-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2580-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-147-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/2608-158-0x00000000008D0000-0x0000000000907000-memory.dmp

Filesize
220KB

Download
memory/2608-155-0x0000000000000000-mapping.dmp

Download
memory/2664-495-0x0000000000000000-mapping.dmp

Download
memory/2748-117-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2748-118-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/2968-231-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2968-228-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-235-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2968-237-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-238-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-236-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2968-215-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2968-216-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2968-233-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2968-213-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2968-204-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/2968-203-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2968-208-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2968-212-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2968-211-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2968-210-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2968-232-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2968-209-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2968-214-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2968-207-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2968-205-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2968-206-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2968-230-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2968-217-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/2968-229-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-234-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2968-227-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2968-200-0x0000000000000000-mapping.dmp

Download
memory/2968-226-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2968-225-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2968-224-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2968-218-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-223-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2968-222-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2968-220-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-219-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2968-221-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2992-883-0x0000000000000000-mapping.dmp

Download
memory/3056-119-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/3056-126-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/3056-144-0x0000000000D60000-0x0000000000D76000-memory.dmp

Filesize
88KB

Download
memory/3124-310-0x0000000000000000-mapping.dmp

Download
memory/3168-256-0x0000000000000000-mapping.dmp

Download
memory/3184-865-0x0000000000000000-mapping.dmp

Download
memory/3208-855-0x0000000000000000-mapping.dmp

Download
memory/3564-869-0x0000000000000000-mapping.dmp

Download
memory/3764-124-0x0000000000402DC6-mapping.dmp

Download
memory/3776-578-0x0000000000000000-mapping.dmp

Download
memory/3956-120-0x0000000000000000-mapping.dmp

Download