djvu | ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b

Analysis

max time kernel
75s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
13-03-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe
Size

3.7MB
MD5

425cc5d7550c8272559d8afae93c69d4
SHA1

af7215eaba152a362c64dc84f7340e2f4a2aca18
SHA256

ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b
SHA512

eeda5fe2187e0e47264660e1149f0fe32850e5e54074342aab78919f008029c67d35f8d595fadae26afaa76403a41afad8fd324557c7da034a586a2f02293851

Malware Config

Extracted

Family

redline

Botnet

Ani

detuyaluro.xyz:80

Extracted

Family

vidar

Version

39.4

Botnet

933

https://sergeevih43.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ruzki000

86.107.197.196:63065

Attributes

auth_value
80fac7f67bd38aa709bbeef7a44ccb47

Extracted

Family

redline

Botnet

pizzadlyashekera

65.108.101.231:14648

Attributes

auth_value
7d6b3cb15fc835e113d8c22bd7cfe2b4

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4664-327-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-332-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-326-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 2364 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2364	rUNdlL32.eXe

RedLine Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/64-204-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
C:\Users\Admin\Documents\wlULCRw0OeOIFshfLu8bXTXY.exe	family_redline
C:\Users\Admin\Documents\wlULCRw0OeOIFshfLu8bXTXY.exe	family_redline
behavioral2/memory/1756-248-0x00000000004C0000-0x00000000004E0000-memory.dmp	family_redline
behavioral2/memory/836-271-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/836-280-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/836-277-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/836-273-0x0000000000920000-0x0000000000AD4000-memory.dmp	family_redline
behavioral2/memory/3088-311-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3532-316-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1656-333-0x00000000003D0000-0x00000000003F0000-memory.dmp	family_redline
behavioral2/memory/336-335-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2472-235-0x00000000020E0000-0x000000000217D000-memory.dmp	family_vidar
behavioral2/memory/2472-236-0x0000000000400000-0x00000000004AD000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

setup_installer.exesetup_install.exesahiba_8.exesahiba_2.exesahiba_6.exesahiba_10.exesahiba_1.exesahiba_5.exesahiba_3.exesahiba_7.exesahiba_4.exesahiba_9.exesahiba_5.tmpsahiba_1.exejfiag3g_gg.exesahiba_9.exejfiag3g_gg.exeVu273imVi3OTxxlZ1biVEpRR.exe6uGCBp77fejmOWLrYeRB353u.exeVCdorRzdyhekMM8aEdcLAm91.exe

pid	process
1096	setup_installer.exe
1660	setup_install.exe
1364	sahiba_8.exe
4512	sahiba_2.exe
1452	sahiba_6.exe
3196	sahiba_10.exe
2416	sahiba_1.exe
4016	sahiba_5.exe
2472	sahiba_3.exe
4412	sahiba_7.exe
3232	sahiba_4.exe
3324	sahiba_9.exe
3788	sahiba_5.tmp
3968	sahiba_1.exe
4516	jfiag3g_gg.exe
64	sahiba_9.exe
3580	jfiag3g_gg.exe
4724	Vu273imVi3OTxxlZ1biVEpRR.exe
4020	6uGCBp77fejmOWLrYeRB353u.exe
2720	VCdorRzdyhekMM8aEdcLAm91.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sahiba_7.exeec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exesetup_installer.exesahiba_1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sahiba_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sahiba_1.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exesahiba_5.tmprundll32.exesahiba_2.exe

pid	process
1660	setup_install.exe
1660	setup_install.exe
1660	setup_install.exe
1660	setup_install.exe
1660	setup_install.exe
3788	sahiba_5.tmp
3864	rundll32.exe
4512	sahiba_2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ipinfo.io
14 ip-api.com
186 ipinfo.io
187 ipinfo.io
12 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

sahiba_9.exe

description pid process target process

PID 3324 set thread context of 64 3324 sahiba_9.exe sahiba_9.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
13	ipinfo.io
14	ip-api.com
186	ipinfo.io
187	ipinfo.io
12	ipinfo.io

description	pid	process	target process
PID 3324 set thread context of 64	3324	sahiba_9.exe	sahiba_9.exe

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3200	3864	WerFault.exe	rundll32.exe
780	2472	WerFault.exe	sahiba_3.exe
3592	364	WerFault.exe	GLjQVzbEOyRwPTgG1S8PC737.exe
4544	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe
3624	364	WerFault.exe	GLjQVzbEOyRwPTgG1S8PC737.exe
1532	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe
5128	4664	WerFault.exe	je5EePAC9mpiKQaqEUMuvMa2.exe
5708	1032	WerFault.exe	nVdVVxvip0X4nRcYR913OoEt.exe
5728	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe
6052	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe
5216	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe
5304	5416	WerFault.exe	program5214.exe
1328	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe
1400	2348	WerFault.exe	5I6Jdr2dgImUYo9EgSTxNJHi.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sahiba_2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sahiba_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sahiba_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sahiba_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jfiag3g_gg.exesahiba_2.exe

pid process

3580 jfiag3g_gg.exe
3580 jfiag3g_gg.exe
4512 sahiba_2.exe
4512 sahiba_2.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sahiba_2.exe

pid process

4512 sahiba_2.exe

pid	process
3580	jfiag3g_gg.exe
3580	jfiag3g_gg.exe
4512	sahiba_2.exe
4512	sahiba_2.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8

pid	process
4512	sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

sahiba_10.exesahiba_6.exesahiba_9.exesahiba_8.exe

description	pid	process
Token: SeDebugPrivilege	3196	sahiba_10.exe
Token: SeDebugPrivilege	1452	sahiba_6.exe
Token: SeDebugPrivilege	64	sahiba_9.exe
Token: SeDebugPrivilege	1364	sahiba_8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 556 wrote to memory of 1096	556	ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe	setup_installer.exe
PID 556 wrote to memory of 1096	556	ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe	setup_installer.exe
PID 556 wrote to memory of 1096	556	ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe	setup_installer.exe
PID 1096 wrote to memory of 1660	1096	setup_installer.exe	setup_install.exe
PID 1096 wrote to memory of 1660	1096	setup_installer.exe	setup_install.exe
PID 1096 wrote to memory of 1660	1096	setup_installer.exe	setup_install.exe
PID 1660 wrote to memory of 4624	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4624	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4624	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4824	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4824	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4824	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 3180	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 3180	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 3180	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4620	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4620	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4620	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 712	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 712	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 712	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 404	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 404	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 404	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4840	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4840	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 4840	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 892	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 892	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 892	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 3972	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 3972	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 3972	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 548	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 548	1660	setup_install.exe	cmd.exe
PID 1660 wrote to memory of 548	1660	setup_install.exe	cmd.exe
PID 892 wrote to memory of 1364	892	cmd.exe	sahiba_8.exe
PID 892 wrote to memory of 1364	892	cmd.exe	sahiba_8.exe
PID 892 wrote to memory of 1364	892	cmd.exe	sahiba_8.exe
PID 4824 wrote to memory of 4512	4824	cmd.exe	sahiba_2.exe
PID 4824 wrote to memory of 4512	4824	cmd.exe	sahiba_2.exe
PID 4824 wrote to memory of 4512	4824	cmd.exe	sahiba_2.exe
PID 404 wrote to memory of 1452	404	cmd.exe	sahiba_6.exe
PID 404 wrote to memory of 1452	404	cmd.exe	sahiba_6.exe
PID 548 wrote to memory of 3196	548	cmd.exe	sahiba_10.exe
PID 548 wrote to memory of 3196	548	cmd.exe	sahiba_10.exe
PID 4624 wrote to memory of 2416	4624	cmd.exe	sahiba_1.exe
PID 4624 wrote to memory of 2416	4624	cmd.exe	sahiba_1.exe
PID 4624 wrote to memory of 2416	4624	cmd.exe	sahiba_1.exe
PID 712 wrote to memory of 4016	712	cmd.exe	sahiba_5.exe
PID 712 wrote to memory of 4016	712	cmd.exe	sahiba_5.exe
PID 712 wrote to memory of 4016	712	cmd.exe	sahiba_5.exe
PID 3180 wrote to memory of 2472	3180	cmd.exe	sahiba_3.exe
PID 3180 wrote to memory of 2472	3180	cmd.exe	sahiba_3.exe
PID 3180 wrote to memory of 2472	3180	cmd.exe	sahiba_3.exe
PID 4840 wrote to memory of 4412	4840	cmd.exe	sahiba_7.exe
PID 4840 wrote to memory of 4412	4840	cmd.exe	sahiba_7.exe
PID 4840 wrote to memory of 4412	4840	cmd.exe	sahiba_7.exe
PID 4620 wrote to memory of 3232	4620	cmd.exe	sahiba_4.exe
PID 4620 wrote to memory of 3232	4620	cmd.exe	sahiba_4.exe
PID 4620 wrote to memory of 3232	4620	cmd.exe	sahiba_4.exe
PID 3972 wrote to memory of 3324	3972	cmd.exe	sahiba_9.exe
PID 3972 wrote to memory of 3324	3972	cmd.exe	sahiba_9.exe
PID 3972 wrote to memory of 3324	3972	cmd.exe	sahiba_9.exe

C:\Users\Admin\AppData\Local\Temp\ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe
"C:\Users\Admin\AppData\Local\Temp\ec763b65e400b9caaf560db4f26600251bd0971c7202a799dc7c3ce732a3717b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_10.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_10.exe
sahiba_10.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_9.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_8.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_8.exe
sahiba_8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_2.exe
sahiba_2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4512

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_6.exe
sahiba_6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_5.exe
sahiba_5.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Local\Temp\is-ITMRS.tmp\sahiba_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ITMRS.tmp\sahiba_5.tmp" /SL5="$B0054,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3788

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_1.exe" -a
1⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_9.exe
sahiba_9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3324

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_4.exe
sahiba_4.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:4516

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_7.exe
sahiba_7.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4412

C:\Users\Admin\Documents\Vu273imVi3OTxxlZ1biVEpRR.exe
"C:\Users\Admin\Documents\Vu273imVi3OTxxlZ1biVEpRR.exe"
2⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\AppData\Roaming\program5214\program5214.exe
"C:\Users\Admin\AppData\Roaming\program5214\program5214.exe"
3⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 2232
4⤵
- Program crash
PID:5304

C:\Users\Admin\Documents\6uGCBp77fejmOWLrYeRB353u.exe
"C:\Users\Admin\Documents\6uGCBp77fejmOWLrYeRB353u.exe"
2⤵
- Executes dropped EXE
PID:4020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 6uGCBp77fejmOWLrYeRB353u.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\6uGCBp77fejmOWLrYeRB353u.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:4548

C:\Users\Admin\Documents\VCdorRzdyhekMM8aEdcLAm91.exe
"C:\Users\Admin\Documents\VCdorRzdyhekMM8aEdcLAm91.exe"
2⤵
- Executes dropped EXE
PID:2720

C:\Users\Admin\Documents\_GIfyRRxpFE9_FDtIDerNVgn.exe
"C:\Users\Admin\Documents\_GIfyRRxpFE9_FDtIDerNVgn.exe"
2⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3088

C:\Users\Admin\Documents\5I6Jdr2dgImUYo9EgSTxNJHi.exe
"C:\Users\Admin\Documents\5I6Jdr2dgImUYo9EgSTxNJHi.exe"
2⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 624
3⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 664
3⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 684
3⤵
- Program crash
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 812
3⤵
- Program crash
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 780
3⤵
- Program crash
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1272
3⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1220
3⤵
- Program crash
PID:1400

C:\Users\Admin\Documents\qapuMYI2vkGAHuRsJGH84p9N.exe
"C:\Users\Admin\Documents\qapuMYI2vkGAHuRsJGH84p9N.exe"
2⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4524

C:\Users\Admin\Documents\nVdVVxvip0X4nRcYR913OoEt.exe
"C:\Users\Admin\Documents\nVdVVxvip0X4nRcYR913OoEt.exe"
2⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 836
3⤵
- Program crash
PID:5708

C:\Users\Admin\Documents\vCJ5X_Nut_PLgHFWu8QkMi1H.exe
"C:\Users\Admin\Documents\vCJ5X_Nut_PLgHFWu8QkMi1H.exe"
2⤵
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:336

C:\Users\Admin\Documents\HiPTfdqKsvjP0W67m7y7f1AN.exe
"C:\Users\Admin\Documents\HiPTfdqKsvjP0W67m7y7f1AN.exe"
2⤵
PID:836

C:\Users\Admin\Documents\GLjQVzbEOyRwPTgG1S8PC737.exe
"C:\Users\Admin\Documents\GLjQVzbEOyRwPTgG1S8PC737.exe"
2⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 432
3⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 440
3⤵
- Program crash
PID:3624

C:\Users\Admin\Documents\kwLAYDIQpcOu5mfSsdtp7HmR.exe
"C:\Users\Admin\Documents\kwLAYDIQpcOu5mfSsdtp7HmR.exe"
2⤵
PID:2536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
PID:5208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
PID:5024

C:\Users\Admin\Documents\je5EePAC9mpiKQaqEUMuvMa2.exe
"C:\Users\Admin\Documents\je5EePAC9mpiKQaqEUMuvMa2.exe"
2⤵
PID:3396

C:\Users\Admin\Documents\je5EePAC9mpiKQaqEUMuvMa2.exe
"C:\Users\Admin\Documents\je5EePAC9mpiKQaqEUMuvMa2.exe"
3⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 556
4⤵
- Program crash
PID:5128

C:\Users\Admin\Documents\ZnQEspK3l9cgf8BfYJLMuzjz.exe
"C:\Users\Admin\Documents\ZnQEspK3l9cgf8BfYJLMuzjz.exe"
2⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3532

C:\Users\Admin\Documents\d2t6OywVQieLSAuuBo8PQ2Qu.exe
"C:\Users\Admin\Documents\d2t6OywVQieLSAuuBo8PQ2Qu.exe"
2⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\7zSB795.tmp\Install.exe
.\Install.exe
3⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\7zSD781.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
PID:1412

C:\Users\Admin\Documents\61Q3NULWMS8B1oJep5RLqjwC.exe
"C:\Users\Admin\Documents\61Q3NULWMS8B1oJep5RLqjwC.exe"
2⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ifoltcxb\
3⤵
PID:5192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\akxfpjno.exe" C:\Windows\SysWOW64\ifoltcxb\
3⤵
PID:5324

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ifoltcxb binPath= "C:\Windows\SysWOW64\ifoltcxb\akxfpjno.exe /d\"C:\Users\Admin\Documents\61Q3NULWMS8B1oJep5RLqjwC.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
PID:5476

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ifoltcxb "wifi internet conection"
3⤵
PID:5620

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ifoltcxb
3⤵
PID:5848

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
PID:5952

C:\Users\Admin\pvdlqync.exe
"C:\Users\Admin\pvdlqync.exe" /d"C:\Users\Admin\Documents\61Q3NULWMS8B1oJep5RLqjwC.exe"
3⤵
PID:5184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pbkdttxo.exe" C:\Windows\SysWOW64\ifoltcxb\
4⤵
PID:5652

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config ifoltcxb binPath= "C:\Windows\SysWOW64\ifoltcxb\pbkdttxo.exe /d\"C:\Users\Admin\pvdlqync.exe\""
4⤵
PID:4868

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ifoltcxb
4⤵
PID:5840

C:\Users\Admin\Documents\xa1KLSXL0qo9Y9PXuXJmlZDs.exe
"C:\Users\Admin\Documents\xa1KLSXL0qo9Y9PXuXJmlZDs.exe"
2⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1656

C:\Users\Admin\Documents\oRHvEg8IX0ceajk8qvyoxPIA.exe
"C:\Users\Admin\Documents\oRHvEg8IX0ceajk8qvyoxPIA.exe"
2⤵
PID:5048

C:\Users\Admin\Documents\SAvOdqXw4nXtzI1AUJXbMEri.exe
"C:\Users\Admin\Documents\SAvOdqXw4nXtzI1AUJXbMEri.exe"
2⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\12760fd3-f54c-49d2-be85-7c7b68b43ed0.exe
"C:\Users\Admin\AppData\Local\Temp\12760fd3-f54c-49d2-be85-7c7b68b43ed0.exe"
3⤵
PID:2140

C:\Users\Admin\Documents\wlULCRw0OeOIFshfLu8bXTXY.exe
"C:\Users\Admin\Documents\wlULCRw0OeOIFshfLu8bXTXY.exe"
2⤵
PID:1756

C:\Users\Admin\Documents\tDFxvuAZzr0fRfv1C1Y2BT2q.exe
"C:\Users\Admin\Documents\tDFxvuAZzr0fRfv1C1Y2BT2q.exe"
2⤵
PID:4904

C:\Users\Admin\Documents\s02PAMa4a5xxZ0akT5Ki75OU.exe
"C:\Users\Admin\Documents\s02PAMa4a5xxZ0akT5Ki75OU.exe"
2⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_3.exe
sahiba_3.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1032
2⤵
- Program crash
PID:780

C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_1.exe
sahiba_1.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:2416

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2260

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 604
3⤵
- Program crash
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3864 -ip 3864
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2472 -ip 2472
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 364 -ip 364
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2348 -ip 2348
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 364 -ip 364
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2348 -ip 2348
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4664 -ip 4664
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2348 -ip 2348
1⤵
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1032 -ip 1032
1⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2348 -ip 2348
1⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2348 -ip 2348
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5416 -ip 5416
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2348 -ip 2348
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2348 -ip 2348
1⤵
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sahiba_9.exe.log
MD5
3654bd2c6957761095206ffdf92b0cb9

SHA1
6f10f7b5867877de7629afcff644c265e79b4ad3

SHA256
c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

SHA512
e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_1.txt
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_10.exe
MD5
15f026de10ed9719180b4ac9cf013060

SHA1
126d2fb521d710c93747f30bc4744f920d6543b9

SHA256
d5bb1038daf71c40429b13628305b5d10b868325346ca7c611c1dd4f14754636

SHA512
5856e492fc68ca7b08ac1fce869ade70a00e790d31f4402e1cd49ff3aee93f3a9dd618cc45288a36f4e32af0debb1f289b8f8f20541cd16bb0754b436891a2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_10.txt
MD5
15f026de10ed9719180b4ac9cf013060

SHA1
126d2fb521d710c93747f30bc4744f920d6543b9

SHA256
d5bb1038daf71c40429b13628305b5d10b868325346ca7c611c1dd4f14754636

SHA512
5856e492fc68ca7b08ac1fce869ade70a00e790d31f4402e1cd49ff3aee93f3a9dd618cc45288a36f4e32af0debb1f289b8f8f20541cd16bb0754b436891a2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_2.exe
MD5
e016d956a972aa286faaadfc8a99eb87

SHA1
99ed89edee1ef0330c60447ae384e213575b3a15

SHA256
cb36ab94000b26787456b5280adabc362315bda86f5fdb5b0894a765fc9fdc0c

SHA512
7721bc95d130b271b765929cb1c4a4c8f5e1ee54c52e1ab31b5e7e12bb9a927c019ea3d5761fd05417400d5eef54003ecb592c160cbbf279fef9b3a0428f12dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_2.txt
MD5
e016d956a972aa286faaadfc8a99eb87

SHA1
99ed89edee1ef0330c60447ae384e213575b3a15

SHA256
cb36ab94000b26787456b5280adabc362315bda86f5fdb5b0894a765fc9fdc0c

SHA512
7721bc95d130b271b765929cb1c4a4c8f5e1ee54c52e1ab31b5e7e12bb9a927c019ea3d5761fd05417400d5eef54003ecb592c160cbbf279fef9b3a0428f12dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_3.exe
MD5
c5eacbc61ceedd2e7c69f9527251ee20

SHA1
8efc09819a556c34ab1a8cadfb4b412b2e83ec7a

SHA256
499c8242161f040a7006ce6ddfbc36036a7251cbef5de30d300b712465c05427

SHA512
9a2c339d1f53d972a80fe3a31918b00bfa5e73df01f135055aaaaaaa4257b7c22b35b9bf8525d29afa0cf93e99dc91376d7c7cc2a24e5ef0171839b18e770421

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_3.txt
MD5
c5eacbc61ceedd2e7c69f9527251ee20

SHA1
8efc09819a556c34ab1a8cadfb4b412b2e83ec7a

SHA256
499c8242161f040a7006ce6ddfbc36036a7251cbef5de30d300b712465c05427

SHA512
9a2c339d1f53d972a80fe3a31918b00bfa5e73df01f135055aaaaaaa4257b7c22b35b9bf8525d29afa0cf93e99dc91376d7c7cc2a24e5ef0171839b18e770421

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_4.exe
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_4.txt
MD5
5668cb771643274ba2c375ec6403c266

SHA1
dd78b03428b99368906fe62fc46aaaf1db07a8b9

SHA256
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

SHA512
135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_5.exe
MD5
8c4df9d37195987ede03bf8adb495686

SHA1
010626025ca791720f85984a842c893b78f439d2

SHA256
5207c76c2e29a2f9951dc4697199a89fdd9516a324f4df7fa04184c3942cc185

SHA512
8fcb279c27682e13ec716e250c9d87cd3d9447b6376e4e6b97e8a283994c02eeac112f2e2c60d4e6316ece5e11fd992cd06efa48c72ee7b0c306b16347698655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_5.txt
MD5
8c4df9d37195987ede03bf8adb495686

SHA1
010626025ca791720f85984a842c893b78f439d2

SHA256
5207c76c2e29a2f9951dc4697199a89fdd9516a324f4df7fa04184c3942cc185

SHA512
8fcb279c27682e13ec716e250c9d87cd3d9447b6376e4e6b97e8a283994c02eeac112f2e2c60d4e6316ece5e11fd992cd06efa48c72ee7b0c306b16347698655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_6.exe
MD5
16c9dde1611731ebe9effd1facec9839

SHA1
e5d43d3bfc8fdf9b99e7ae6ee1f820a79909e9b0

SHA256
0eeb59191283964857f15bfab13ce4824ff63017334d9b4c70ef038b682b995e

SHA512
2d59e2081f9fd4c5593116384b5735f818f6d175855f43448b4fa4938953d3bd394165fa2248b975f3baf921990008972f0faea1d813d23e50b7bff1b0e8ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_6.txt
MD5
16c9dde1611731ebe9effd1facec9839

SHA1
e5d43d3bfc8fdf9b99e7ae6ee1f820a79909e9b0

SHA256
0eeb59191283964857f15bfab13ce4824ff63017334d9b4c70ef038b682b995e

SHA512
2d59e2081f9fd4c5593116384b5735f818f6d175855f43448b4fa4938953d3bd394165fa2248b975f3baf921990008972f0faea1d813d23e50b7bff1b0e8ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_7.exe
MD5
f8fdccdc4cc17f6781497d69742aeb58

SHA1
026edf00ad6a4f77a99a8100060184caeb9a58ba

SHA256
97f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144

SHA512
ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_7.txt
MD5
f8fdccdc4cc17f6781497d69742aeb58

SHA1
026edf00ad6a4f77a99a8100060184caeb9a58ba

SHA256
97f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144

SHA512
ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_8.exe
MD5
7ee79237b75dc06b31e8897811396731

SHA1
37a8af1c232544396b3ab08b6cc11badcb9176f8

SHA256
740021ce57fecaf5044b6dc2993c7b38b79ec954d428384959ec049db28ab8e7

SHA512
e167af1556e78b1374c45f78ac9e3a02674863a25248f39e7948429df83cadf51282a3b1d92a8182e776c69e32dd8725f11aa1d1f6d5d3e401268d7b0a28297d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_8.txt
MD5
7ee79237b75dc06b31e8897811396731

SHA1
37a8af1c232544396b3ab08b6cc11badcb9176f8

SHA256
740021ce57fecaf5044b6dc2993c7b38b79ec954d428384959ec049db28ab8e7

SHA512
e167af1556e78b1374c45f78ac9e3a02674863a25248f39e7948429df83cadf51282a3b1d92a8182e776c69e32dd8725f11aa1d1f6d5d3e401268d7b0a28297d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_9.exe
MD5
941888d7dc7810199fc9d7fe45b29947

SHA1
5f384b58763b8d3035a158d6d8d55e001af61c34

SHA256
d883da922360a751ea8b780ac7b3a5aedc4b09258fdd2c156bfa60593885071c

SHA512
9d0acb24f66115f48a320841f66d1b9efa483f78684d11724541ce650701ac88cf82b5624bae362d036a42b2f177e3d3819926e0bf297502853e5d62302c7967

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_9.exe
MD5
941888d7dc7810199fc9d7fe45b29947

SHA1
5f384b58763b8d3035a158d6d8d55e001af61c34

SHA256
d883da922360a751ea8b780ac7b3a5aedc4b09258fdd2c156bfa60593885071c

SHA512
9d0acb24f66115f48a320841f66d1b9efa483f78684d11724541ce650701ac88cf82b5624bae362d036a42b2f177e3d3819926e0bf297502853e5d62302c7967

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\sahiba_9.txt
MD5
941888d7dc7810199fc9d7fe45b29947

SHA1
5f384b58763b8d3035a158d6d8d55e001af61c34

SHA256
d883da922360a751ea8b780ac7b3a5aedc4b09258fdd2c156bfa60593885071c

SHA512
9d0acb24f66115f48a320841f66d1b9efa483f78684d11724541ce650701ac88cf82b5624bae362d036a42b2f177e3d3819926e0bf297502853e5d62302c7967

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\setup_install.exe
MD5
e4a69cd4fbed33bbbf8c35834469e7b5

SHA1
51676ac097c0c1bc4a7426a84380bce4cf166530

SHA256
01e87e0bb96b39f6bfc51ac77bd6e53b3c1a1a72b403813c5587680d375dbf14

SHA512
6f0c0416c42ea840f6518525151e7eac6575909f164b25e0edb93745ae47e99193e25927f50106fa4d294b8f4dd1c5a83165ed38f8f38122ea79946242c854df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844A8E3D\setup_install.exe
MD5
e4a69cd4fbed33bbbf8c35834469e7b5

SHA1
51676ac097c0c1bc4a7426a84380bce4cf166530

SHA256
01e87e0bb96b39f6bfc51ac77bd6e53b3c1a1a72b403813c5587680d375dbf14

SHA512
6f0c0416c42ea840f6518525151e7eac6575909f164b25e0edb93745ae47e99193e25927f50106fa4d294b8f4dd1c5a83165ed38f8f38122ea79946242c854df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
cb6184df94bc7132c456250a3428699a

SHA1
965a92174a45e1f334007e40f2e7d2f833d6fd63

SHA256
6045e46b14180002970d69eaff92ddbd7f9551ccfa1b06efe7941f76d78073f5

SHA512
17e7e4fd6d34bd59fa437cc8ec188b80dfbad5b35f002df95f43bf564dd8f6528857786a3e2e462bfc9e12439e173236e2b1bac12949f04b952abe6c803ca72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H87BT.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ITMRS.tmp\sahiba_5.tmp
MD5
ace50bc58251a21ff708c2a45b166905

SHA1
3acac0fbed800fe76722b781b7add2cbb7510849

SHA256
af5dd65e23533ed506a34f3a98f1255fccb480c88615ed7cfd0c157fb3f21f9d

SHA512
b484af4387dc5f149b785db515521e10f6a9047cd838130f45745dac000c822766a163c8e988d3763a1a79e93b7436c8cb0ba5cb38e175b8e49b523677746514

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
3709c94b62877ac64642ac5dca823c30

SHA1
1cceddde38d52493b062210422ca1356c177b859

SHA256
87abe84bdc68dce8321272552c079b1d31c8014fc01c943f64134138d472b358

SHA512
28a263fbdbf12e5f6222631499b4af578504c03e79a2058e90f1faf4fe83f527bbe4328ee72310be8dfb09205b776a61b345ec7538c793ccfadcc58e794f7e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
3709c94b62877ac64642ac5dca823c30

SHA1
1cceddde38d52493b062210422ca1356c177b859

SHA256
87abe84bdc68dce8321272552c079b1d31c8014fc01c943f64134138d472b358

SHA512
28a263fbdbf12e5f6222631499b4af578504c03e79a2058e90f1faf4fe83f527bbe4328ee72310be8dfb09205b776a61b345ec7538c793ccfadcc58e794f7e43

Download Submit
C:\Users\Admin\Documents\6uGCBp77fejmOWLrYeRB353u.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Documents\6uGCBp77fejmOWLrYeRB353u.exe
MD5
9310bfb1db35bc14cabf2cfc8361d327

SHA1
df86c90c95948eecca7091ce46393ebbb3276d73

SHA256
ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95

SHA512
83a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df

Download Submit
C:\Users\Admin\Documents\SAvOdqXw4nXtzI1AUJXbMEri.exe
MD5
7d80ac7ac7ba5c1ec4933315c73f7e67

SHA1
31ca3d22fe8ae5fdd6eb13ae840d63e087ce50f3

SHA256
d69c95a1ec3c2e8bbf8860112ce51602ad104b2dae4cc02496349258b8d0d674

SHA512
bdf2dc705cb250477cd6eb86f916cd46e35b32d542fba6f70f4fef8cfdf4606675d8f92d7d20c912898067d3f557a0a247a0d2e4d493a864cbd73e69de2d9827

Download Submit
C:\Users\Admin\Documents\SAvOdqXw4nXtzI1AUJXbMEri.exe
MD5
7d80ac7ac7ba5c1ec4933315c73f7e67

SHA1
31ca3d22fe8ae5fdd6eb13ae840d63e087ce50f3

SHA256
d69c95a1ec3c2e8bbf8860112ce51602ad104b2dae4cc02496349258b8d0d674

SHA512
bdf2dc705cb250477cd6eb86f916cd46e35b32d542fba6f70f4fef8cfdf4606675d8f92d7d20c912898067d3f557a0a247a0d2e4d493a864cbd73e69de2d9827

Download Submit
C:\Users\Admin\Documents\VCdorRzdyhekMM8aEdcLAm91.exe
MD5
9fb37cc652ccad19b7dece0befdc5615

SHA1
e42cf389e6e9d362e41ef1ba3b1dc40f158142f4

SHA256
e29248c36534625b32c5063b6437d3eb4964a7a6e8cd90a01783537929ad8f44

SHA512
66ecce8c4e504b6e9bc2a4103eccda31a9a7d2b60e5a6b55a838ee153df850b08048fa35fcf1b062e0790f6175c36bc6be2e6162d876a85f4923645e52095fc8

Download Submit
C:\Users\Admin\Documents\VCdorRzdyhekMM8aEdcLAm91.exe
MD5
9fb37cc652ccad19b7dece0befdc5615

SHA1
e42cf389e6e9d362e41ef1ba3b1dc40f158142f4

SHA256
e29248c36534625b32c5063b6437d3eb4964a7a6e8cd90a01783537929ad8f44

SHA512
66ecce8c4e504b6e9bc2a4103eccda31a9a7d2b60e5a6b55a838ee153df850b08048fa35fcf1b062e0790f6175c36bc6be2e6162d876a85f4923645e52095fc8

Download Submit
C:\Users\Admin\Documents\Vu273imVi3OTxxlZ1biVEpRR.exe
MD5
5d8d5f15fffb32e789c4f5e4f439d25f

SHA1
818867f91eea5f82852fb6b1b1e66cf851541c53

SHA256
69d9619a442c10ccc5eb2157e045775f9c0e23c4874a0c2c211f3d8350d4269b

SHA512
84ec218df3438b11c96e70f79b7666d316016459df201743a38fb357348eead311241e304ead2b5cd45460179f9395f67275b91a4db8b17fecbe3c722d18ccec

Download Submit
C:\Users\Admin\Documents\Vu273imVi3OTxxlZ1biVEpRR.exe
MD5
5d8d5f15fffb32e789c4f5e4f439d25f

SHA1
818867f91eea5f82852fb6b1b1e66cf851541c53

SHA256
69d9619a442c10ccc5eb2157e045775f9c0e23c4874a0c2c211f3d8350d4269b

SHA512
84ec218df3438b11c96e70f79b7666d316016459df201743a38fb357348eead311241e304ead2b5cd45460179f9395f67275b91a4db8b17fecbe3c722d18ccec

Download Submit
C:\Users\Admin\Documents\ZnQEspK3l9cgf8BfYJLMuzjz.exe
MD5
b812c190f2b4f0a3b0d52f2b5f128dc4

SHA1
4e3734da736235fd336c0fb64019d3c81209dcef

SHA256
776d285d1ed74d121d9c578e169a3a95a4977267c1289a86efec21bbf9769b1e

SHA512
7f7ee3d887afc46b6f4d70d182966e60494b16cf97adf08c1e6ba5604e3834002109b0c303aa72768ebbdf670b4338e500d2849e9879b2a0fb2da36511a53184

Download Submit
C:\Users\Admin\Documents\_GIfyRRxpFE9_FDtIDerNVgn.exe
MD5
f43492db13513789dd46619891d05b61

SHA1
385b2953b953ac130c1ce8b3a57b7847fcfde587

SHA256
9da5211e8672995c4804f6418c40d95f147cb7e4c64d718defdde8f75314791b

SHA512
e86c127ed3df2e587208e2cf1d46f5fc8dfd08a5c9b74dd1bf0717d05ce348ddd40f0d74a2febee6c8406a70fc9ff38acadec2bde631b51e5e3633393f2a2988

Download Submit
C:\Users\Admin\Documents\d2t6OywVQieLSAuuBo8PQ2Qu.exe
MD5
a4ee85b793aa8f186042558b4683141f

SHA1
6a44e19edd3f96366aaadb88ccee241911149343

SHA256
e1bde0bf324286be6ae86fb06208621c630d4d437168a438871e7fe81bba20cc

SHA512
5d201d4220b655bea2f3dc78637ece6993b8cf9d4e80845d924bf280a4e36a7350822924a07dca227cb4d2f5f91840d1cd7f7b2a890dc0c54e1029db715132b2

Download Submit
C:\Users\Admin\Documents\d2t6OywVQieLSAuuBo8PQ2Qu.exe
MD5
b0c7af8ede3f8be5b1bf57791bb7124f

SHA1
331560f90bca948fbfa70c2c735479df5453093d

SHA256
ba157033e7ad4b819c1b560e3485c5e1025896ac351a61707eb09f3c6c44951f

SHA512
4992145012c2ec3463415513b709f1dfc29a6b07fc663aca42527e90b4745396fef63cbf27b216f3704b8851e567865e36c093bb9a936a3bf3fba801b0a682ac

Download Submit
C:\Users\Admin\Documents\oRHvEg8IX0ceajk8qvyoxPIA.exe
MD5
a472f871bc99d5b6e4d15acadcb33133

SHA1
90e6395fae93941bcc6f403f488425df65ed9915

SHA256
8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246

SHA512
4e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62

Download Submit
C:\Users\Admin\Documents\wlULCRw0OeOIFshfLu8bXTXY.exe
MD5
332a794b5b556efc15e60b76a7f271d5

SHA1
7d3bf89e875f1b520ee8cf7d1b47b9119a43b485

SHA256
1d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60

SHA512
037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38

Download Submit
C:\Users\Admin\Documents\wlULCRw0OeOIFshfLu8bXTXY.exe
MD5
332a794b5b556efc15e60b76a7f271d5

SHA1
7d3bf89e875f1b520ee8cf7d1b47b9119a43b485

SHA256
1d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60

SHA512
037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38

Download Submit
memory/8-238-0x0000000000F50000-0x0000000000F65000-memory.dmp

Filesize
84KB

Download
memory/64-207-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/64-204-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/64-209-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download
memory/64-210-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/64-211-0x0000000004ED0000-0x00000000054E8000-memory.dmp

Filesize
6.1MB

Download
memory/64-212-0x0000000005330000-0x000000000543A000-memory.dmp

Filesize
1.0MB

Download
memory/64-208-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/336-335-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/836-263-0x0000000001190000-0x00000000011D6000-memory.dmp

Filesize
280KB

Download
memory/836-280-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/836-271-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/836-272-0x00000000761B0000-0x00000000763C5000-memory.dmp

Filesize
2.1MB

Download
memory/836-268-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/836-275-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/836-273-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/836-282-0x00000000742B0000-0x0000000074339000-memory.dmp

Filesize
548KB

Download
memory/836-286-0x00000000766D0000-0x0000000076C83000-memory.dmp

Filesize
5.7MB

Download
memory/836-295-0x0000000074A40000-0x0000000074A8C000-memory.dmp

Filesize
304KB

Download
memory/836-277-0x0000000000920000-0x0000000000AD4000-memory.dmp

Filesize
1.7MB

Download
memory/1032-269-0x00000000006D0000-0x0000000000720000-memory.dmp

Filesize
320KB

Download
memory/1364-226-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1364-237-0x00000000023C4000-0x00000000023C6000-memory.dmp

Filesize
8KB

Download
memory/1364-232-0x00000000023C2000-0x00000000023C3000-memory.dmp

Filesize
4KB

Download
memory/1364-213-0x0000000000778000-0x000000000079A000-memory.dmp

Filesize
136KB

Download
memory/1364-231-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1364-230-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-233-0x00000000023C3000-0x00000000023C4000-memory.dmp

Filesize
4KB

Download
memory/1364-223-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/1364-224-0x0000000000778000-0x000000000079A000-memory.dmp

Filesize
136KB

Download
memory/1364-225-0x00000000005B0000-0x00000000005DF000-memory.dmp

Filesize
188KB

Download
memory/1412-358-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/1452-178-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/1452-278-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1452-196-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/1452-276-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1452-191-0x00007FFCDD9A0000-0x00007FFCDE461000-memory.dmp

Filesize
10.8MB

Download
memory/1656-333-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1660-153-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1660-184-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1660-186-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1660-144-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1660-185-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1660-183-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1660-180-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-145-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1660-156-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-157-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-155-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-146-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1660-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1660-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1660-154-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1660-152-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1660-151-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1756-265-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/1756-248-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download
memory/2348-290-0x00000000005AD000-0x00000000005D4000-memory.dmp

Filesize
156KB

Download
memory/2472-234-0x0000000000548000-0x00000000005AD000-memory.dmp

Filesize
404KB

Download
memory/2472-235-0x00000000020E0000-0x000000000217D000-memory.dmp

Filesize
628KB

Download
memory/2472-217-0x0000000000548000-0x00000000005AD000-memory.dmp

Filesize
404KB

Download
memory/2472-236-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2536-329-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2720-274-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/2720-251-0x0000000000110000-0x0000000000190000-memory.dmp

Filesize
512KB

Download
memory/2720-261-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-267-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2720-262-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/3088-311-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3160-270-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/3180-283-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/3180-284-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/3196-174-0x0000000000E20000-0x0000000000E52000-memory.dmp

Filesize
200KB

Download
memory/3196-192-0x00007FFCDD9A0000-0x00007FFCDE461000-memory.dmp

Filesize
10.8MB

Download
memory/3196-194-0x000000001BAF0000-0x000000001BAF2000-memory.dmp

Filesize
8KB

Download
memory/3324-187-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-188-0x0000000000C90000-0x0000000000CF6000-memory.dmp

Filesize
408KB

Download
memory/3324-195-0x0000000002F90000-0x0000000002FAE000-memory.dmp

Filesize
120KB

Download
memory/3324-197-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3324-190-0x00000000054D0000-0x0000000005546000-memory.dmp

Filesize
472KB

Download
memory/3532-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3788-200-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4016-193-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4016-175-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4020-249-0x000000000063E000-0x00000000006AA000-memory.dmp

Filesize
432KB

Download
memory/4104-264-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4104-256-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/4104-257-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-227-0x0000000000498000-0x00000000004A9000-memory.dmp

Filesize
68KB

Download
memory/4512-214-0x0000000000498000-0x00000000004A9000-memory.dmp

Filesize
68KB

Download
memory/4512-228-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/4512-229-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4664-327-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-332-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-326-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4724-245-0x00000000008A0000-0x00000000008C8000-memory.dmp

Filesize
160KB

Download
memory/4724-255-0x0000000073210000-0x00000000739C0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-279-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4924-281-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download