91d59bd1cb4e4837c9d505c8a289ac147df7558d8602ba3a754ad9b7e45f6357

Analysis

max time kernel
110s
max time network
121s
platform
windows10_x64
resource
win10-ja-20211104
submitted
01-12-2021 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
Size

16.9MB
MD5

79dfcb8d33da660c748ff5f3685e7754
SHA1

1ddfef1a7fc60ca52b559cda7527ecb352613985
SHA256

8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941
SHA512

d42b399c3924fff83f599dd7b14818cfcc23ab68516439770d4a6e7a6c4675fb0c8f6a39b589e0dbf67fdac5dbdf9eb6a5e8948a4ca89f155b380b4f8c996f1f

Score

10^/10

collection persistence pyinstaller spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 3 IoCs

Processes:

bhost.exegbg-data.exegbg-data.exe

pid process

1316 bhost.exe
1216 gbg-data.exe
2240 gbg-data.exe

pid	process
1316	bhost.exe
1216	gbg-data.exe
2240	gbg-data.exe

Loads dropped DLL 56 IoCs

Processes:

8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exegbg-data.exe

pid	process
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

Processes:

gbg-data.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	gbg-data.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gbg-data.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	gbg-data.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gbg-data.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	gbg-data.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	gbg-data.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gbg-data.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gbg-data.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\gbg-data.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\gbg-data.exe	pyinstaller

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4000 1316 WerFault.exe bhost.exe

pid	pid_target	process	target process
4000	1316	WerFault.exe	bhost.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exeWerFault.exegbg-data.exe

pid	process
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe
2240	gbg-data.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exeWerFault.exereg.exereg.exereg.exe

description	pid	process
Token: 35	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
Token: SeRestorePrivilege	4000	WerFault.exe
Token: SeBackupPrivilege	4000	WerFault.exe
Token: SeDebugPrivilege	4000	WerFault.exe
Token: SeBackupPrivilege	3044	reg.exe
Token: SeBackupPrivilege	3252	reg.exe
Token: SeBackupPrivilege	1900	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeC2RClient.exe

pid process

3152 OfficeC2RClient.exe

pid	process
3152	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.execmd.execmd.exegbg-data.exegbg-data.execmd.execmd.execmd.exe

description	pid	process	target process
PID 812 wrote to memory of 948	812	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
PID 812 wrote to memory of 948	812	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
PID 812 wrote to memory of 948	812	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
PID 948 wrote to memory of 3884	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	cmd.exe
PID 948 wrote to memory of 3884	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	cmd.exe
PID 948 wrote to memory of 3884	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	cmd.exe
PID 948 wrote to memory of 2364	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	cmd.exe
PID 948 wrote to memory of 2364	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	cmd.exe
PID 948 wrote to memory of 2364	948	8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe	cmd.exe
PID 2364 wrote to memory of 1316	2364	cmd.exe	bhost.exe
PID 2364 wrote to memory of 1316	2364	cmd.exe	bhost.exe
PID 2364 wrote to memory of 1316	2364	cmd.exe	bhost.exe
PID 3884 wrote to memory of 1216	3884	cmd.exe	gbg-data.exe
PID 3884 wrote to memory of 1216	3884	cmd.exe	gbg-data.exe
PID 3884 wrote to memory of 1216	3884	cmd.exe	gbg-data.exe
PID 1216 wrote to memory of 2240	1216	gbg-data.exe	gbg-data.exe
PID 1216 wrote to memory of 2240	1216	gbg-data.exe	gbg-data.exe
PID 1216 wrote to memory of 2240	1216	gbg-data.exe	gbg-data.exe
PID 2240 wrote to memory of 1820	2240	gbg-data.exe	cmd.exe
PID 2240 wrote to memory of 1820	2240	gbg-data.exe	cmd.exe
PID 2240 wrote to memory of 1820	2240	gbg-data.exe	cmd.exe
PID 1820 wrote to memory of 3044	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 3044	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 3044	1820	cmd.exe	reg.exe
PID 2240 wrote to memory of 3284	2240	gbg-data.exe	cmd.exe
PID 2240 wrote to memory of 3284	2240	gbg-data.exe	cmd.exe
PID 2240 wrote to memory of 3284	2240	gbg-data.exe	cmd.exe
PID 3284 wrote to memory of 3252	3284	cmd.exe	reg.exe
PID 3284 wrote to memory of 3252	3284	cmd.exe	reg.exe
PID 3284 wrote to memory of 3252	3284	cmd.exe	reg.exe
PID 2240 wrote to memory of 960	2240	gbg-data.exe	cmd.exe
PID 2240 wrote to memory of 960	2240	gbg-data.exe	cmd.exe
PID 2240 wrote to memory of 960	2240	gbg-data.exe	cmd.exe
PID 960 wrote to memory of 1900	960	cmd.exe	reg.exe
PID 960 wrote to memory of 1900	960	cmd.exe	reg.exe
PID 960 wrote to memory of 1900	960	cmd.exe	reg.exe

outlook_office_path 1 IoCs

Processes:

gbg-data.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	gbg-data.exe

outlook_win_path 1 IoCs

Processes:

gbg-data.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gbg-data.exe

C:\Users\Admin\AppData\Local\Temp\8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
"C:\Users\Admin\AppData\Local\Temp\8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe
"C:\Users\Admin\AppData\Local\Temp\8b314389db05b558dd18b17ff52b225abbf40d99513ca78042f4af9d39831941.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "start /b gbg-data.exe all -oN"
3⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\gbg-data.exe
gbg-data.exe all -oN
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\gbg-data.exe
gbg-data.exe all -oN
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\wzbyagwsuaq"
6⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\reg.exe
reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\wzbyagwsuaq
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\ninwbhaxsn"
6⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\reg.exe
reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\ninwbhaxsn
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\exnzuyy"
6⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\reg.exe
reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\exnzuyy
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "start /b bhost.exe > fire.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\bhost.exe
bhost.exe
4⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 704
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:1376

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI12162\VCRUNTIME140.dll

MD5
e4ca3dce43b1184bb18ff01f3a0f1a40

SHA1
604611d559ca41e73b12c362de6acf84db9aee43

SHA256
0778c7e17016895bb6962a9774acc5568afa1a50ba309b7d9726c89dad70bdbf

SHA512
137c884afa1b0b731bbd523abb47b83f31487a6ca051487292bc2a9eb7f103a0d3974fa743014018bd564be957210bdcd62c822f4ffb6441aee23b444c23e812

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\_ctypes.pyd

MD5
97c703c86e9cf46876330db4bccc2796

SHA1
7719b2993ec530b2cdaabd1b19a367fa34f67d54

SHA256
6e1848fc6dbc3ca3eab702dd917dac65438d694fae06216ba0140bbfac984616

SHA512
d810ccad5bf4d088911e184d38b0f08e52a026ea92f3f87b76bd5241c4a33825feff3999c6c1da0788e1c13b80249ea973db0de8f62f3be15452b5dedaa0be65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\base_library.zip

MD5
0376b761cd26f3a1cf901db9aa4b53f2

SHA1
049e22346ee27d2015d48aea21c3424822fb1ba8

SHA256
8acff2d30b63e1f782bf6bceb8faebdd3fe002b7605d79abcc4cf6a9a81bad4e

SHA512
7434b2819baacc476dbf6a1e35cac503b2cb05df3ad7f2008768c9afc470cfb885bc42680f9ae4d030bee5d5977a6c24992a5d6d46a4b2edbc75095fbf15cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\libffi-7.dll

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\python39.dll

MD5
b28171046f2d50c645b076b6ebac220e

SHA1
4fb1ca03eb372592e0b20d5e7aceedb501bbb64c

SHA256
6366bcf2e53e6f3dc588779b3b7401b7ad955759c03d722221595e26a8d8f347

SHA512
7b9cd051ec42e23110020ed75281eec7854ad7f885c150377885663bee2a0e5b1eece6d7a54837b60e622fa8f56c2d1dbcb62bc8c086c017d9831db8717cd0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\ucrtbase.dll

MD5
d6326267ae77655f312d2287903db4d3

SHA1
1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f

SHA256
0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9

SHA512
11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\MSVCP140.dll

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\PIL\_imaging.cp36-win32.pyd

MD5
363b9c3038742ead3449fb920194c0b1

SHA1
0bcfeba9fb37928edb33255931243e01244a061c

SHA256
32f54f8683662925e030dd77990ae8b49fbff3df76a56e54a5f7d52a464e3894

SHA512
378674670cebf4a3620b48950b9e18d11fb6a2b34985c13336fd2587d5f1c11fd3d0ce09767c0f2883cf119e2635584e9f2bb9d2315f09f0ca28f4ba83327f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\PIL\_imagingft.cp36-win32.pyd

MD5
68dc48c2885af21949374e6f8023a377

SHA1
52967478ccf4feea7449d0662dae3eb962cef839

SHA256
7e0f4c7c226ba1512604b333a26da92f9347e453f28a0169eae3930504e79e9b

SHA512
619c20605379ab9181feaad27ef2e23204e04b5e1aa1f5db07f1db7b0115b713279552e98187647096f91bdd37422b74ae714c254786f3fd12ab0aec795d8fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\VCRUNTIME140.dll

MD5
a2523ea6950e248cbdf18c9ea1a844f6

SHA1
549c8c2a96605f90d79a872be73efb5d40965444

SHA256
6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

SHA512
2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_bz2.pyd

MD5
be5a46cc5988ea81cf184a8d642ee268

SHA1
f93ebed180d072c899ce452e057666ba9ee05360

SHA256
fcb85db49557a6879f32d8337962defd9447117a0d051abc03c1e65c3d46a715

SHA512
7275c6d07a4b9a7bedf2295745727793846b5909b27bb4dcb1b1a8eabcfb4d7255b9b2b018e332924f7f21f875027fe779048dd76c0555d6edb436719d4dc32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_ctypes.pyd

MD5
a16f470d30984e246b3a46c840f58b7f

SHA1
91250423bb9f2ff2605429ca2f6340a98c37649a

SHA256
d0a6d8690846de6645d8874a6f6fe8fdab5c1cdc612ab45ca2bcf23b7eef154b

SHA512
110a884eff8a739f4389eae08b15167e957cf0b45e668a698907b0d82db12e2bcf24e86b4015b103a7a819e95b823017f4855b605b7f29adf93077d1a8de6ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_hashlib.pyd

MD5
82af68c4200bdfc854297f6d5a343dcc

SHA1
1a620787777d80a85fadaaac02a873ec325360b9

SHA256
7454cf0a1e4c1c30c87f475771ac7a6380f987e60a1f6434e8002cc91bd7cff9

SHA512
8ba35630db915a7a41959f01088900c0a5c994a81d8d3bf1f5eda38ef60514e4c09cc7279798db6baae1302afe98a20740b080b0a0f1db7e0a1b573345d477b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_lzma.pyd

MD5
ce7ab0346774c1e0e61ab909917901a2

SHA1
69a203e5e411c9595fe18b7195702ec651ff4cf5

SHA256
42b1b6dce588650689cff0caa0d7af7147c5dce5fe0b8c2ce772d001b6616d07

SHA512
ea4d924582dbd0550ed9a8fd4c5f87f5ad96b97c446bcf5cbbb7dd938aafebc173cf56138cd39c87a5185a79876c3cc7898489428c0c1895b948881a5f8f9ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_socket.pyd

MD5
faf98549fc9628e0c075df0ad08bc55c

SHA1
d50db12060a1fe2e9cf4fc719677ebdfce10048a

SHA256
4094df5353182f0466fcf14846e599bde35974f0ee5c74ff94ae32211bb79e5b

SHA512
9d1603c09da13e0bb70d065ee754a331a0115a84da1dc79b762ad69fe8c755239737fd04071495d55aad18cf9708d1964a5d6b91cd7055f320ce9ce6e52f024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_ssl.pyd

MD5
13ae1d7e27fb0a4813c66f59bb819050

SHA1
a955a6aaa91945862e93234739195f5ff9baf06d

SHA256
91fb71ea70a2f2e53634880b552a2a6b279e6c53a29714a2edda9f651e73cb39

SHA512
3554f49109914d6ce76606edf8b9cd766fa96942bbc65f05a953d3209e0c788b85962843cde70bacba29792e31c3be3c119b190f312a22c648f710dd43929d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_tkinter.pyd

MD5
8f87b9d2d20b49b9b128fb61cc3b9fbd

SHA1
17c55be980fa127bd7bd910e5e0493b3f0fc2610

SHA256
3b4efbc696d694717f1aacb81164d0a2bd3fb9c47742daae48c543892006b226

SHA512
50283b6f92acd574e4ae97366645a7b844f9f25492c307282ef5ef249da33f5f047fe9638701ec9afc6ca7d17d5a01f0a2eadee69a836f195a4ec9b3c317df4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\base_library.zip

MD5
1cd6043d739d9645d92ba04e100e6577

SHA1
cfe6e8e1c8547f6c4b293931cee350389a36c7c3

SHA256
6b629f68b080d6bacfee69b63c0b3bbd8457f2918b75056268b8a2896e2d0e8e

SHA512
0fe2f15325273c9887a069a48369e174c32f45ba3e3e593e18ff3b15894562aea531357d17e58a9cca3aa1f93c557e6c29b40228ef9f2e1b830673ef5f908433

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\certifi\cacert.pem

MD5
ea4ee2af66c4c57b8a275867e9dc07cd

SHA1
d904976736e6db3c69c304e96172234078242331

SHA256
fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c

SHA512
4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\pyexpat.pyd

MD5
68632914a8a03b9c5f289344e9cfc999

SHA1
e44a14ab55af8dc9d6cc11abee64ccd64abd8a33

SHA256
83b6f296fd48d972f5f8ea9b220c8dcbf3ba973114c5ad58d4e29cc04a045ea6

SHA512
bfd7f3600ac1a2f04b8bdc14191c4113ad07d116b359d5c429809877f76e5bb0b02c8db545e1c4753dc3d597d40095e79a89bab652f4114459a53fd1f7c4f41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\python3.dll

MD5
4aab95d6e806ab053373c73fec9376d3

SHA1
339f9b41d0a5e13f7e99165db7b61ca3a691492c

SHA256
469a458a295335c359d5253772a79d714d6b1a2b57bf777c29c29c43bde0c1a5

SHA512
93a8e9d9051df42474d87b4f93130d53ed716b9de4249dec01031f9216c221b70c661ec16e34155dc3c7d423d47958f4c384ed185b2ded8da7b649e705ff4182

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\python36.dll

MD5
2d39b8f6be5253417df58439eee5e678

SHA1
0c9041db7969428a8986d5fef36461bf7703503a

SHA256
6408654450e2d6ee4f640fe37e722f0b67d6646daacb1bafb7e4c3b7fc6fca85

SHA512
481475b800528b6526071e5a663e76dbfa2f09ad3b4e429d60aa8dc3d777a78958bd2ce8869cb3ff5a5833e71c9c35a3e1fd0ed17f9ab707cf2b0028f2c46e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\pythoncom36.dll

MD5
ea3d10d64bbfad10990c752c9a68a3b6

SHA1
0a59453d6102e5cc459a15acdee68676b874a7fa

SHA256
85ba7cb916f1851e4b904195129611d3db7002d5f0457e1f30ca0c58183020a9

SHA512
f97593e948335917fdfcaf9453793f45e199c517bd496edb1ffd43fea41088c222ef918db22af4a3cf2131279d8dab4d2abbb5fcc9609a1fcd05b8b786b21e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\pywintypes36.dll

MD5
e4dfa66d95c88a63dc00361b22a518cd

SHA1
b3e0417ed963e26bbe213fa8f1a3b61a885ee1db

SHA256
877a9147b8d77ffa4de7149dc7a07defe324d28faa8cb4673281a2aee94b5d43

SHA512
ebc9108212a8f9f37cef176319c14246809aa17ac40b1d4f1144dedb01c57fd8dea325fe3e09ac90f4a7aeecc240051b96806bda65e4d16f5137ef31b4c39154

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\select.pyd

MD5
bda10646fa5b6e94b7bdc3fad9108aaf

SHA1
1f4924d1e045180058a4d2279b171b7c724acdb0

SHA256
6c72bd02609b55c3adba1964185ab73bdc62438132f23cf726c874989f6e8691

SHA512
4b741ef5a63d7d0ffbf457e85b7298f638c55279bfcde6b2fe8bdfd4396bc166b5dcda2fad809db4c6918f8110b8a500ad0ea43898ad4290e16bf09bdf796050

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\tcl86t.dll

MD5
99775237eb7110c454b5504b18818f06

SHA1
7f4237cac7702a44688806d73ed65579983fca54

SHA256
08e6f51b7ec78f1b237d170680df99d65c4a5773cf9bfdff54bb77a00cd68538

SHA512
0786b30c94590e1a2fc3ffb8ccba1988dedb1ab5809e8a7f9cecf4845af59cb4f270ddf46250ac8185e09ef3edbf26abc78c4432788e9ae92141f5e41d9d75e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\tcl\encoding\cp932.enc

MD5
aa4398630883066c127aa902832c82e4

SHA1
d0b3deb0ee6539ce5f28a51464bfbb3aa03f28e5

SHA256
9d33df6e1cfdd2cf2553f5e2758f457d710caff5f8c69968f2665accd6e9a6fd

SHA512
77794e74b0e6b5855773ee9e1f3b1da9db7661d66485dae6f61ca69f6da9fd308a55b3a76c9b887135949c60fc3888e6f9a45c6bc481418737aa452a0d9cae64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\tk86t.dll

MD5
ca9b04de324291146e5a037c6d280c46

SHA1
31a299b50ef51fcb171c295a66eef767de7266f8

SHA256
0162809a736b3d1f9b574ce36e3bc78306c874ccc1b6b214ce578d7aaf95fe8f

SHA512
2cd7c7836ff574739bf6df981131148a26ee880fa38bc3525c6f0df6369acc0fc4c1795d8da49a77c01c284f90675d6a14e9222e397ebd7375f1dc8f478d1dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\ucrtbase.dll

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\unicodedata.pyd

MD5
7346506dcae5847ba56026efd2d61d71

SHA1
99145914f3515c5484270fe963ffd2e6f5ea9d30

SHA256
4f8ac3aa55021ad454de5300fb5b4e76af4a32a2d86bdd8522efce3659705c2c

SHA512
768870ab51cda87b0545d34426fb9253826a50afed002bc4e122922f2d812aafa97506bbb509a207f417fde19f55d0371df657a04c962b7dfb2858980b838d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\win32api.pyd

MD5
97863eaca9e47a2d22e33b17471e9a29

SHA1
2e7f4790054adc23063d1ef6254d986bbfb1b59d

SHA256
f779df4671db5132b9bcfaac03557210c6bd2d24099a319eedb89143d1fcdbc5

SHA512
712bfd0544ea137a96b9d3e5e3261e1117e1a8e71894941134a68706d13f4239810840d64ba3760b3d8355bc9c7db93a9496ef858243082ceeb5a4aa2fb71e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8122\win32gui.pyd

MD5
7de372b34275055318b7616f12b80a09

SHA1
6ee0aff6ed85463222c73db83405a1ec5f522234

SHA256
67b8ae91109a021364fcda3379626f5efcd9e32ff633a898e4794d6a9fd2f8aa

SHA512
829e8b1f1c439f62a885ad9a492f42ec357e790b22f6052252ced599b9dd0f4cdc55a33e1040ae1f13772bada1bc9ffe608c998cde993aceb1e54dbef9396ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhost.exe

MD5
cd9f4feea7d60108a85cc69682cddfae

SHA1
447faf5c3e8894b8e48869cc163b597947caa5a6

SHA256
cf648c23c6d626c0331dd50ac0e513964e0ce77d9f1d65a1300efd43d8c350ef

SHA512
8058d6eb541442a9b06c4f04ece4650d1e56604bb4516ac21ee333a8975e085eac1f1d63e126f8042eb128dce4c0cb0014189f56bfcc2d7521e97dccace2a2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhost.exe

MD5
cd9f4feea7d60108a85cc69682cddfae

SHA1
447faf5c3e8894b8e48869cc163b597947caa5a6

SHA256
cf648c23c6d626c0331dd50ac0e513964e0ce77d9f1d65a1300efd43d8c350ef

SHA512
8058d6eb541442a9b06c4f04ece4650d1e56604bb4516ac21ee333a8975e085eac1f1d63e126f8042eb128dce4c0cb0014189f56bfcc2d7521e97dccace2a2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbg-data.exe

MD5
b02d4e82a25a6aea9ceb6bdb17c97d0b

SHA1
ce1dc1cde7908d4d05bef1d17b7823b02515787d

SHA256
e3b6fd7d28e42225738543884a89b435adf1a279d9bd692e8c216b309d8fc3bb

SHA512
7ebe5653ce61dc6f7fe83703a7745cdbaa0a7e8c0e0d4dffb4a57e8468a51a3d1ce4ce5c4990cade461198da7d03a8b69ae922699763b545ee1299c46a5d009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbg-data.exe

MD5
b02d4e82a25a6aea9ceb6bdb17c97d0b

SHA1
ce1dc1cde7908d4d05bef1d17b7823b02515787d

SHA256
e3b6fd7d28e42225738543884a89b435adf1a279d9bd692e8c216b309d8fc3bb

SHA512
7ebe5653ce61dc6f7fe83703a7745cdbaa0a7e8c0e0d4dffb4a57e8468a51a3d1ce4ce5c4990cade461198da7d03a8b69ae922699763b545ee1299c46a5d009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbg-data.exe

MD5
b02d4e82a25a6aea9ceb6bdb17c97d0b

SHA1
ce1dc1cde7908d4d05bef1d17b7823b02515787d

SHA256
e3b6fd7d28e42225738543884a89b435adf1a279d9bd692e8c216b309d8fc3bb

SHA512
7ebe5653ce61dc6f7fe83703a7745cdbaa0a7e8c0e0d4dffb4a57e8468a51a3d1ce4ce5c4990cade461198da7d03a8b69ae922699763b545ee1299c46a5d009a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12162\VCRUNTIME140.dll

MD5
e4ca3dce43b1184bb18ff01f3a0f1a40

SHA1
604611d559ca41e73b12c362de6acf84db9aee43

SHA256
0778c7e17016895bb6962a9774acc5568afa1a50ba309b7d9726c89dad70bdbf

SHA512
137c884afa1b0b731bbd523abb47b83f31487a6ca051487292bc2a9eb7f103a0d3974fa743014018bd564be957210bdcd62c822f4ffb6441aee23b444c23e812

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12162\_ctypes.pyd

MD5
97c703c86e9cf46876330db4bccc2796

SHA1
7719b2993ec530b2cdaabd1b19a367fa34f67d54

SHA256
6e1848fc6dbc3ca3eab702dd917dac65438d694fae06216ba0140bbfac984616

SHA512
d810ccad5bf4d088911e184d38b0f08e52a026ea92f3f87b76bd5241c4a33825feff3999c6c1da0788e1c13b80249ea973db0de8f62f3be15452b5dedaa0be65

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12162\python39.dll

MD5
b28171046f2d50c645b076b6ebac220e

SHA1
4fb1ca03eb372592e0b20d5e7aceedb501bbb64c

SHA256
6366bcf2e53e6f3dc588779b3b7401b7ad955759c03d722221595e26a8d8f347

SHA512
7b9cd051ec42e23110020ed75281eec7854ad7f885c150377885663bee2a0e5b1eece6d7a54837b60e622fa8f56c2d1dbcb62bc8c086c017d9831db8717cd0c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12162\ucrtbase.dll

MD5
d6326267ae77655f312d2287903db4d3

SHA1
1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f

SHA256
0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9

SHA512
11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\MSVCP140.dll

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\PIL\_imaging.cp36-win32.pyd

MD5
363b9c3038742ead3449fb920194c0b1

SHA1
0bcfeba9fb37928edb33255931243e01244a061c

SHA256
32f54f8683662925e030dd77990ae8b49fbff3df76a56e54a5f7d52a464e3894

SHA512
378674670cebf4a3620b48950b9e18d11fb6a2b34985c13336fd2587d5f1c11fd3d0ce09767c0f2883cf119e2635584e9f2bb9d2315f09f0ca28f4ba83327f8c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\PIL\_imagingft.cp36-win32.pyd

MD5
68dc48c2885af21949374e6f8023a377

SHA1
52967478ccf4feea7449d0662dae3eb962cef839

SHA256
7e0f4c7c226ba1512604b333a26da92f9347e453f28a0169eae3930504e79e9b

SHA512
619c20605379ab9181feaad27ef2e23204e04b5e1aa1f5db07f1db7b0115b713279552e98187647096f91bdd37422b74ae714c254786f3fd12ab0aec795d8fac

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\VCRUNTIME140.dll

MD5
a2523ea6950e248cbdf18c9ea1a844f6

SHA1
549c8c2a96605f90d79a872be73efb5d40965444

SHA256
6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

SHA512
2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_bz2.pyd

MD5
be5a46cc5988ea81cf184a8d642ee268

SHA1
f93ebed180d072c899ce452e057666ba9ee05360

SHA256
fcb85db49557a6879f32d8337962defd9447117a0d051abc03c1e65c3d46a715

SHA512
7275c6d07a4b9a7bedf2295745727793846b5909b27bb4dcb1b1a8eabcfb4d7255b9b2b018e332924f7f21f875027fe779048dd76c0555d6edb436719d4dc32c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_ctypes.pyd

MD5
a16f470d30984e246b3a46c840f58b7f

SHA1
91250423bb9f2ff2605429ca2f6340a98c37649a

SHA256
d0a6d8690846de6645d8874a6f6fe8fdab5c1cdc612ab45ca2bcf23b7eef154b

SHA512
110a884eff8a739f4389eae08b15167e957cf0b45e668a698907b0d82db12e2bcf24e86b4015b103a7a819e95b823017f4855b605b7f29adf93077d1a8de6ea9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_hashlib.pyd

MD5
82af68c4200bdfc854297f6d5a343dcc

SHA1
1a620787777d80a85fadaaac02a873ec325360b9

SHA256
7454cf0a1e4c1c30c87f475771ac7a6380f987e60a1f6434e8002cc91bd7cff9

SHA512
8ba35630db915a7a41959f01088900c0a5c994a81d8d3bf1f5eda38ef60514e4c09cc7279798db6baae1302afe98a20740b080b0a0f1db7e0a1b573345d477b3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_lzma.pyd

MD5
ce7ab0346774c1e0e61ab909917901a2

SHA1
69a203e5e411c9595fe18b7195702ec651ff4cf5

SHA256
42b1b6dce588650689cff0caa0d7af7147c5dce5fe0b8c2ce772d001b6616d07

SHA512
ea4d924582dbd0550ed9a8fd4c5f87f5ad96b97c446bcf5cbbb7dd938aafebc173cf56138cd39c87a5185a79876c3cc7898489428c0c1895b948881a5f8f9ade

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_socket.pyd

MD5
faf98549fc9628e0c075df0ad08bc55c

SHA1
d50db12060a1fe2e9cf4fc719677ebdfce10048a

SHA256
4094df5353182f0466fcf14846e599bde35974f0ee5c74ff94ae32211bb79e5b

SHA512
9d1603c09da13e0bb70d065ee754a331a0115a84da1dc79b762ad69fe8c755239737fd04071495d55aad18cf9708d1964a5d6b91cd7055f320ce9ce6e52f024c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_ssl.pyd

MD5
13ae1d7e27fb0a4813c66f59bb819050

SHA1
a955a6aaa91945862e93234739195f5ff9baf06d

SHA256
91fb71ea70a2f2e53634880b552a2a6b279e6c53a29714a2edda9f651e73cb39

SHA512
3554f49109914d6ce76606edf8b9cd766fa96942bbc65f05a953d3209e0c788b85962843cde70bacba29792e31c3be3c119b190f312a22c648f710dd43929d7e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\_tkinter.pyd

MD5
8f87b9d2d20b49b9b128fb61cc3b9fbd

SHA1
17c55be980fa127bd7bd910e5e0493b3f0fc2610

SHA256
3b4efbc696d694717f1aacb81164d0a2bd3fb9c47742daae48c543892006b226

SHA512
50283b6f92acd574e4ae97366645a7b844f9f25492c307282ef5ef249da33f5f047fe9638701ec9afc6ca7d17d5a01f0a2eadee69a836f195a4ec9b3c317df4c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\pyexpat.pyd

MD5
68632914a8a03b9c5f289344e9cfc999

SHA1
e44a14ab55af8dc9d6cc11abee64ccd64abd8a33

SHA256
83b6f296fd48d972f5f8ea9b220c8dcbf3ba973114c5ad58d4e29cc04a045ea6

SHA512
bfd7f3600ac1a2f04b8bdc14191c4113ad07d116b359d5c429809877f76e5bb0b02c8db545e1c4753dc3d597d40095e79a89bab652f4114459a53fd1f7c4f41c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\python3.dll

MD5
4aab95d6e806ab053373c73fec9376d3

SHA1
339f9b41d0a5e13f7e99165db7b61ca3a691492c

SHA256
469a458a295335c359d5253772a79d714d6b1a2b57bf777c29c29c43bde0c1a5

SHA512
93a8e9d9051df42474d87b4f93130d53ed716b9de4249dec01031f9216c221b70c661ec16e34155dc3c7d423d47958f4c384ed185b2ded8da7b649e705ff4182

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\python36.dll

MD5
2d39b8f6be5253417df58439eee5e678

SHA1
0c9041db7969428a8986d5fef36461bf7703503a

SHA256
6408654450e2d6ee4f640fe37e722f0b67d6646daacb1bafb7e4c3b7fc6fca85

SHA512
481475b800528b6526071e5a663e76dbfa2f09ad3b4e429d60aa8dc3d777a78958bd2ce8869cb3ff5a5833e71c9c35a3e1fd0ed17f9ab707cf2b0028f2c46e81

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\pythoncom36.dll

MD5
ea3d10d64bbfad10990c752c9a68a3b6

SHA1
0a59453d6102e5cc459a15acdee68676b874a7fa

SHA256
85ba7cb916f1851e4b904195129611d3db7002d5f0457e1f30ca0c58183020a9

SHA512
f97593e948335917fdfcaf9453793f45e199c517bd496edb1ffd43fea41088c222ef918db22af4a3cf2131279d8dab4d2abbb5fcc9609a1fcd05b8b786b21e96

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\pywintypes36.dll

MD5
e4dfa66d95c88a63dc00361b22a518cd

SHA1
b3e0417ed963e26bbe213fa8f1a3b61a885ee1db

SHA256
877a9147b8d77ffa4de7149dc7a07defe324d28faa8cb4673281a2aee94b5d43

SHA512
ebc9108212a8f9f37cef176319c14246809aa17ac40b1d4f1144dedb01c57fd8dea325fe3e09ac90f4a7aeecc240051b96806bda65e4d16f5137ef31b4c39154

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\select.pyd

MD5
bda10646fa5b6e94b7bdc3fad9108aaf

SHA1
1f4924d1e045180058a4d2279b171b7c724acdb0

SHA256
6c72bd02609b55c3adba1964185ab73bdc62438132f23cf726c874989f6e8691

SHA512
4b741ef5a63d7d0ffbf457e85b7298f638c55279bfcde6b2fe8bdfd4396bc166b5dcda2fad809db4c6918f8110b8a500ad0ea43898ad4290e16bf09bdf796050

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\tcl86t.dll

MD5
99775237eb7110c454b5504b18818f06

SHA1
7f4237cac7702a44688806d73ed65579983fca54

SHA256
08e6f51b7ec78f1b237d170680df99d65c4a5773cf9bfdff54bb77a00cd68538

SHA512
0786b30c94590e1a2fc3ffb8ccba1988dedb1ab5809e8a7f9cecf4845af59cb4f270ddf46250ac8185e09ef3edbf26abc78c4432788e9ae92141f5e41d9d75e1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\tk86t.dll

MD5
ca9b04de324291146e5a037c6d280c46

SHA1
31a299b50ef51fcb171c295a66eef767de7266f8

SHA256
0162809a736b3d1f9b574ce36e3bc78306c874ccc1b6b214ce578d7aaf95fe8f

SHA512
2cd7c7836ff574739bf6df981131148a26ee880fa38bc3525c6f0df6369acc0fc4c1795d8da49a77c01c284f90675d6a14e9222e397ebd7375f1dc8f478d1dcf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\ucrtbase.dll

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\unicodedata.pyd

MD5
7346506dcae5847ba56026efd2d61d71

SHA1
99145914f3515c5484270fe963ffd2e6f5ea9d30

SHA256
4f8ac3aa55021ad454de5300fb5b4e76af4a32a2d86bdd8522efce3659705c2c

SHA512
768870ab51cda87b0545d34426fb9253826a50afed002bc4e122922f2d812aafa97506bbb509a207f417fde19f55d0371df657a04c962b7dfb2858980b838d64

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\win32api.pyd

MD5
97863eaca9e47a2d22e33b17471e9a29

SHA1
2e7f4790054adc23063d1ef6254d986bbfb1b59d

SHA256
f779df4671db5132b9bcfaac03557210c6bd2d24099a319eedb89143d1fcdbc5

SHA512
712bfd0544ea137a96b9d3e5e3261e1117e1a8e71894941134a68706d13f4239810840d64ba3760b3d8355bc9c7db93a9496ef858243082ceeb5a4aa2fb71e98

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8122\win32gui.pyd

MD5
7de372b34275055318b7616f12b80a09

SHA1
6ee0aff6ed85463222c73db83405a1ec5f522234

SHA256
67b8ae91109a021364fcda3379626f5efcd9e32ff633a898e4794d6a9fd2f8aa

SHA512
829e8b1f1c439f62a885ad9a492f42ec357e790b22f6052252ced599b9dd0f4cdc55a33e1040ae1f13772bada1bc9ffe608c998cde993aceb1e54dbef9396ba5

Download Submit
memory/948-118-0x0000000000000000-mapping.dmp

Download
memory/960-192-0x0000000000000000-mapping.dmp

Download
memory/1216-173-0x0000000000000000-mapping.dmp

Download
memory/1316-170-0x0000000000000000-mapping.dmp

Download
memory/1820-188-0x0000000000000000-mapping.dmp

Download
memory/1900-193-0x0000000000000000-mapping.dmp

Download
memory/2240-176-0x0000000000000000-mapping.dmp

Download
memory/2364-169-0x0000000000000000-mapping.dmp

Download
memory/3044-189-0x0000000000000000-mapping.dmp

Download
memory/3252-191-0x0000000000000000-mapping.dmp

Download
memory/3284-190-0x0000000000000000-mapping.dmp

Download
memory/3884-168-0x0000000000000000-mapping.dmp

Download