arkei | 246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031

Analysis

max time kernel
56s
max time network
142s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
10-08-2022 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe
Size

612KB
MD5

8c4412094e81ec621cdf541631561a2a
SHA1

e177ce3af8b3e68936c307e4c1ed812c71710e8c
SHA256

246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031
SHA512

4795a4f64f36aeb90a44ff2b840b072e953d8e6b869f53b64c2a040935254ef0d9967a9fd164b22bc101a9591c2c6133b1785077b99188f38248b50604382619

Score

10^/10

arkei azorult raccoon remcos 8a4fd4b44997ba634230ba5c422ca9f2 default infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

8a4fd4b44997ba634230ba5c422ca9f2

http://193.106.191.146/

http://185.215.113.89/

rc4.plain

Extracted

Family

arkei

Botnet

Default

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1048-109-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1048-110-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1048-115-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1048-117-0x0000000000406BEA-mapping.dmp	family_raccoon
behavioral1/memory/1048-122-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1048-128-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1760-146-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1504-176-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1048-217-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon
behavioral1/memory/1048-272-0x0000000000400000-0x0000000000411000-memory.dmp	family_raccoon

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

dllhost.exeAshampoo-3D-CAD_Pro_Universal_Activation.exeAshampoo-3D-CAD_Pro_Universal_Activation.tmpdllhost.exevsnaad.exeMccegjkqnoydj.exereggsad.exenfdsame.exereggsad.exersgsad.exenfdsame.exeMccegjkqnoydj.exe47wj3oj2.exen3Lmbp5x.exevHfj309R.exevHfj309R.exe1SR6o72c.exedalaydssvcd.exe

pid	process
1908	dllhost.exe
1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe
1488	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
1392	dllhost.exe
1168	vsnaad.exe
832	Mccegjkqnoydj.exe
1836	reggsad.exe
836	nfdsame.exe
1760	reggsad.exe
1812	rsgsad.exe
1708	nfdsame.exe
1200	Mccegjkqnoydj.exe
1500	47wj3oj2.exe
1000	n3Lmbp5x.exe
1036	vHfj309R.exe
2016	vHfj309R.exe
1548	1SR6o72c.exe
1184	dalaydssvcd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1976-83-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47wj3oj2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Control Panel\International\Geo\Nation	47wj3oj2.exe

Loads dropped DLL 26 IoCs

Processes:

cmd.exeAshampoo-3D-CAD_Pro_Universal_Activation.exedllhost.exedllhost.exevsnaad.exereggsad.exenfdsame.exersgsad.exeInstallUtil.exeInstallUtil.exevHfj309R.exe

pid	process
980	cmd.exe
980	cmd.exe
980	cmd.exe
1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe
1908	dllhost.exe
1392	dllhost.exe
1168	vsnaad.exe
1392	dllhost.exe
1392	dllhost.exe
1836	reggsad.exe
1836	reggsad.exe
836	nfdsame.exe
1392	dllhost.exe
1812	rsgsad.exe
1048	InstallUtil.exe
1048	InstallUtil.exe
1048	InstallUtil.exe
1452	InstallUtil.exe
1452	InstallUtil.exe
1048	InstallUtil.exe
1048	InstallUtil.exe
1048	InstallUtil.exe
1036	vHfj309R.exe
1048	InstallUtil.exe
1392	dllhost.exe
1392	dllhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1SR6o72c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yjlgdlfzs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dgzivqk\\Yjlgdlfzs.exe\""	1SR6o72c.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

dllhost.exevsnaad.exeMccegjkqnoydj.exereggsad.exenfdsame.exersgsad.exeMccegjkqnoydj.exe47wj3oj2.exevHfj309R.exe1SR6o72c.exe

description	pid	process	target process
PID 1908 set thread context of 1392	1908	dllhost.exe	dllhost.exe
PID 1168 set thread context of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 832 set thread context of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 1836 set thread context of 1760	1836	reggsad.exe	reggsad.exe
PID 836 set thread context of 1708	836	nfdsame.exe	nfdsame.exe
PID 1812 set thread context of 1504	1812	rsgsad.exe	InstallUtil.exe
PID 1200 set thread context of 864	1200	Mccegjkqnoydj.exe	InstallUtil.exe
PID 1500 set thread context of 960	1500	47wj3oj2.exe	InstallUtil.exe
PID 1036 set thread context of 2016	1036	vHfj309R.exe	vHfj309R.exe
PID 1548 set thread context of 748	1548	1SR6o72c.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1504 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1736 timeout.exe
340 timeout.exe
1148 timeout.exe

pid	process
1504	schtasks.exe

pid	process
1736	timeout.exe
340	timeout.exe
1148	timeout.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

vsnaad.exeMccegjkqnoydj.exersgsad.exeMccegjkqnoydj.exe47wj3oj2.exevHfj309R.exe1SR6o72c.exe

pid	process
1168	vsnaad.exe
1168	vsnaad.exe
1168	vsnaad.exe
1168	vsnaad.exe
1168	vsnaad.exe
1168	vsnaad.exe
832	Mccegjkqnoydj.exe
832	Mccegjkqnoydj.exe
1812	rsgsad.exe
1812	rsgsad.exe
1200	Mccegjkqnoydj.exe
1200	Mccegjkqnoydj.exe
1500	47wj3oj2.exe
1500	47wj3oj2.exe
1500	47wj3oj2.exe
1500	47wj3oj2.exe
1500	47wj3oj2.exe
1500	47wj3oj2.exe
1036	vHfj309R.exe
1036	vHfj309R.exe
1548	1SR6o72c.exe
1548	1SR6o72c.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

dllhost.exereggsad.exenfdsame.exe

pid process

1908 dllhost.exe
1836 reggsad.exe
836 nfdsame.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vsnaad.exe47wj3oj2.exevHfj309R.exe1SR6o72c.exen3Lmbp5x.exe

description	pid	process
Token: SeDebugPrivilege	1168	vsnaad.exe
Token: SeDebugPrivilege	1500	47wj3oj2.exe
Token: SeDebugPrivilege	1036	vHfj309R.exe
Token: SeDebugPrivilege	1548	1SR6o72c.exe
Token: SeDebugPrivilege	1000	n3Lmbp5x.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

dllhost.exedllhost.exereggsad.exenfdsame.exedalaydssvcd.exe

pid process

1908 dllhost.exe
1392 dllhost.exe
1836 reggsad.exe
836 nfdsame.exe
1184 dalaydssvcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.execmd.exeAshampoo-3D-CAD_Pro_Universal_Activation.exedllhost.exedllhost.exevsnaad.exeMccegjkqnoydj.exe

description	pid	process	target process
PID 1976 wrote to memory of 980	1976	246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe	cmd.exe
PID 1976 wrote to memory of 980	1976	246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe	cmd.exe
PID 1976 wrote to memory of 980	1976	246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe	cmd.exe
PID 1976 wrote to memory of 980	1976	246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe	cmd.exe
PID 980 wrote to memory of 1908	980	cmd.exe	dllhost.exe
PID 980 wrote to memory of 1908	980	cmd.exe	dllhost.exe
PID 980 wrote to memory of 1908	980	cmd.exe	dllhost.exe
PID 980 wrote to memory of 1908	980	cmd.exe	dllhost.exe
PID 980 wrote to memory of 1596	980	cmd.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.exe
PID 980 wrote to memory of 1596	980	cmd.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.exe
PID 980 wrote to memory of 1596	980	cmd.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.exe
PID 980 wrote to memory of 1596	980	cmd.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.exe
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1596 wrote to memory of 1488	1596	Ashampoo-3D-CAD_Pro_Universal_Activation.exe	Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
PID 1908 wrote to memory of 1392	1908	dllhost.exe	dllhost.exe
PID 1908 wrote to memory of 1392	1908	dllhost.exe	dllhost.exe
PID 1908 wrote to memory of 1392	1908	dllhost.exe	dllhost.exe
PID 1908 wrote to memory of 1392	1908	dllhost.exe	dllhost.exe
PID 1908 wrote to memory of 1392	1908	dllhost.exe	dllhost.exe
PID 1392 wrote to memory of 1168	1392	dllhost.exe	vsnaad.exe
PID 1392 wrote to memory of 1168	1392	dllhost.exe	vsnaad.exe
PID 1392 wrote to memory of 1168	1392	dllhost.exe	vsnaad.exe
PID 1392 wrote to memory of 1168	1392	dllhost.exe	vsnaad.exe
PID 1168 wrote to memory of 832	1168	vsnaad.exe	Mccegjkqnoydj.exe
PID 1168 wrote to memory of 832	1168	vsnaad.exe	Mccegjkqnoydj.exe
PID 1168 wrote to memory of 832	1168	vsnaad.exe	Mccegjkqnoydj.exe
PID 1168 wrote to memory of 832	1168	vsnaad.exe	Mccegjkqnoydj.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1436	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 1168 wrote to memory of 1048	1168	vsnaad.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe
PID 832 wrote to memory of 1452	832	Mccegjkqnoydj.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe
"C:\Users\Admin\AppData\Local\Temp\246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\906.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\246b27e609ebd8a1ec31b9667addf3b262d6487602209baa9b32c54539a28031.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
dllhost.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Roaming\vsnaad.exe
"C:\Users\Admin\AppData\Roaming\vsnaad.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
"C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
7⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & exit
8⤵
PID:556

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
9⤵
- Delays execution with timeout.exe
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
- Loads dropped DLL
PID:1048

C:\Users\Admin\AppData\Local\Temp\47wj3oj2.exe
"C:\Users\Admin\AppData\Local\Temp\47wj3oj2.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\n3Lmbp5x.exe
"C:\Users\Admin\AppData\Local\Temp\n3Lmbp5x.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
8⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe
"C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe
C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe
8⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
9⤵
- Creates scheduled task(s)
PID:1504

C:\Users\Admin\AppData\Local\Temp\1SR6o72c.exe
"C:\Users\Admin\AppData\Local\Temp\1SR6o72c.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
8⤵
PID:748

C:\Users\Admin\AppData\Roaming\reggsad.exe
"C:\Users\Admin\AppData\Roaming\reggsad.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Users\Admin\AppData\Local\Temp\nfdsame.exe
"C:\Users\Admin\AppData\Local\Temp\nfdsame.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:836

C:\Users\Admin\AppData\Local\Temp\nfdsame.exe
"C:\Users\Admin\AppData\Local\Temp\nfdsame.exe"
7⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nfdsame.exe" & exit
8⤵
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
9⤵
- Delays execution with timeout.exe
PID:340

C:\Users\Admin\AppData\Roaming\reggsad.exe
"C:\Users\Admin\AppData\Roaming\reggsad.exe"
6⤵
- Executes dropped EXE
PID:1760

C:\Users\Admin\AppData\Roaming\rsgsad.exe
"C:\Users\Admin\AppData\Roaming\rsgsad.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
"C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
7⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & exit
8⤵
PID:812

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
9⤵
- Delays execution with timeout.exe
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:1504

C:\Users\Admin\AppData\Roaming\dalaydssvcd.exe
"C:\Users\Admin\AppData\Roaming\dalaydssvcd.exe" 0
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Users\Admin\AppData\Local\Temp\906.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.exe
Ashampoo-3D-CAD_Pro_Universal_Activation.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\is-L04QO.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L04QO.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.tmp" /SL5="$6010A,111104,111104,C:\Users\Admin\AppData\Local\Temp\906.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.exe"
4⤵
- Executes dropped EXE
PID:1488

C:\Windows\system32\taskeng.exe
taskeng.exe {2A0E9907-9BBA-4709-BDC8-7886B59FE37A} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]
1⤵
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
PID:1792

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
3⤵
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
Filesize
48KB

MD5
e67afca5fbf9726ed46e4564ea385f77

SHA1
911a24c1dc59fb09ddc792ed97e62d42e1b1da54

SHA256
2bca3f6a618301f1e2d92ff9b5665b31ce78d2ed8e2d0d04ccc03e4eda7c8f2c

SHA512
70b57e2f7344e3e9b311c39ce9e1f7c9db4e6a4061525eb7f5ece6a6147b4b50fc2cbceb282884897b3f523def22a55c2f2339ce43b11ae11ca1e43c61e17163

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1SR6o72c.exe
Filesize
480KB

MD5
4841f41452ae6adfbfdcaa30e253261f

SHA1
5a51f6bddb0e890a710fe8c13017e8902e7123fd

SHA256
5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b

SHA512
220bca133859810728fc6d2df5ad8f789e4e1138ca76d51c809474ca721259863cbb9b81435fd9e9379a61f615816607eaa9414349625762a02ce60271444e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1SR6o72c.exe
Filesize
480KB

MD5
4841f41452ae6adfbfdcaa30e253261f

SHA1
5a51f6bddb0e890a710fe8c13017e8902e7123fd

SHA256
5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b

SHA512
220bca133859810728fc6d2df5ad8f789e4e1138ca76d51c809474ca721259863cbb9b81435fd9e9379a61f615816607eaa9414349625762a02ce60271444e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\47wj3oj2.exe
Filesize
283KB

MD5
438cbbc5449ace7dc2f23c8f884a51e5

SHA1
e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

SHA256
c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

SHA512
2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\47wj3oj2.exe
Filesize
283KB

MD5
438cbbc5449ace7dc2f23c8f884a51e5

SHA1
e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

SHA256
c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

SHA512
2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\906.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.exe
Filesize
549KB

MD5
9cb973f46dfa16d3943800bf01f2153a

SHA1
87bc73d8e1c3e5feed04eb90270b10dd031313e4

SHA256
44e19c83112fd5e99a5cd9a28fa4bfeb433411deb29ce55183c8eb6341c87dbf

SHA512
031fe0ac658ac6840ae62f31f96d124ca57ffa04355b0addc4805fe5fd2d0cb1fd8c844a63a713dc471a29e16c518ea50166fc77c2546973f25ac23e9e1a2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\906.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.exe
Filesize
549KB

MD5
9cb973f46dfa16d3943800bf01f2153a

SHA1
87bc73d8e1c3e5feed04eb90270b10dd031313e4

SHA256
44e19c83112fd5e99a5cd9a28fa4bfeb433411deb29ce55183c8eb6341c87dbf

SHA512
031fe0ac658ac6840ae62f31f96d124ca57ffa04355b0addc4805fe5fd2d0cb1fd8c844a63a713dc471a29e16c518ea50166fc77c2546973f25ac23e9e1a2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
Filesize
84KB

MD5
d8e0462c633785181b5b31ea98308a0b

SHA1
69809c0237167c9666ef2b50aa1694e2a8ca38ac

SHA256
5ebb3cc4e09a0fb9434d07543cd821538008462dc037c6d6323a32b8bd26dd6e

SHA512
0e63d4e2d765005bca3647109315bbac9bb6ea0a640212ffbbeaa949043dc1f36396265c5c4ad80e1cd0701b03ebcbd1c0938df4fbd1e48528feaf997df65aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
Filesize
84KB

MD5
d8e0462c633785181b5b31ea98308a0b

SHA1
69809c0237167c9666ef2b50aa1694e2a8ca38ac

SHA256
5ebb3cc4e09a0fb9434d07543cd821538008462dc037c6d6323a32b8bd26dd6e

SHA512
0e63d4e2d765005bca3647109315bbac9bb6ea0a640212ffbbeaa949043dc1f36396265c5c4ad80e1cd0701b03ebcbd1c0938df4fbd1e48528feaf997df65aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
Filesize
84KB

MD5
d8e0462c633785181b5b31ea98308a0b

SHA1
69809c0237167c9666ef2b50aa1694e2a8ca38ac

SHA256
5ebb3cc4e09a0fb9434d07543cd821538008462dc037c6d6323a32b8bd26dd6e

SHA512
0e63d4e2d765005bca3647109315bbac9bb6ea0a640212ffbbeaa949043dc1f36396265c5c4ad80e1cd0701b03ebcbd1c0938df4fbd1e48528feaf997df65aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\906.tmp\start.bat
Filesize
116B

MD5
1546ee45bfbb458f5dda94a38b15ae3d

SHA1
34f8d97bb702560fb1e16cc064a644cccd66917e

SHA256
6a63daff392eb6183a2416fb228eb97bd9bf27d89c1ce00e6527a7a371ddb66c

SHA512
e526b21c0e1224f6a6672e93b8dd8bf9ffe87630e45cea4269c8f96ea495cd74bbe6587a254428165f6f6b0a63d6199aaa620158e44f651e27031033f04930c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
Filesize
341KB

MD5
e96634c20057c1643a303d6266321035

SHA1
5f074a2f48911fa04995ab2bad95f6e66f228ebe

SHA256
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c

SHA512
0d927b650ef8029636681a4ba16637bda30336756586038818c0b75c2fddba0d83b6e4a51ece8a8c05a4deb13dc93e5bd23ae36024349a901c27909144725ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
Filesize
341KB

MD5
e96634c20057c1643a303d6266321035

SHA1
5f074a2f48911fa04995ab2bad95f6e66f228ebe

SHA256
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c

SHA512
0d927b650ef8029636681a4ba16637bda30336756586038818c0b75c2fddba0d83b6e4a51ece8a8c05a4deb13dc93e5bd23ae36024349a901c27909144725ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
Filesize
341KB

MD5
e96634c20057c1643a303d6266321035

SHA1
5f074a2f48911fa04995ab2bad95f6e66f228ebe

SHA256
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c

SHA512
0d927b650ef8029636681a4ba16637bda30336756586038818c0b75c2fddba0d83b6e4a51ece8a8c05a4deb13dc93e5bd23ae36024349a901c27909144725ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
Filesize
341KB

MD5
e96634c20057c1643a303d6266321035

SHA1
5f074a2f48911fa04995ab2bad95f6e66f228ebe

SHA256
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c

SHA512
0d927b650ef8029636681a4ba16637bda30336756586038818c0b75c2fddba0d83b6e4a51ece8a8c05a4deb13dc93e5bd23ae36024349a901c27909144725ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L04QO.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
Filesize
749KB

MD5
bf2f40b3ef26293972ae05a112c2f15c

SHA1
84656cc88b61450fefa1ca3589af916285ecd0fb

SHA256
ce58c94531faedbca16e1cb6beff233b5506276a86ab00effbe7a73fd3ae3e86

SHA512
87f65ecede50253d48b58a740c86b13b00f4410f76294b5b0ded47e47daea4cd9611d2691d0f56881b153b99668bcb6bea9260b8a9ba9ec7dd9ffba30b7a11f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3Lmbp5x.exe
Filesize
693KB

MD5
3939c4fed7a0eaf5a6788c5e76ad6a78

SHA1
5a9395e128b488d3f7d3ec66b6522ea9e696a67a

SHA256
ea55619edf8fbf29000be3591014bcf5388b1fd63b2563d18a7d00b834e17ad1

SHA512
32b5c5deb6da30316ef8238b9d42182c978c6c07bad2ae174d5a007f9c1692941a04c17e3bf58d2e95f1b1d0c4ae3dd6e1a381c620767ed81f810418df4ee435

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3Lmbp5x.exe
Filesize
693KB

MD5
3939c4fed7a0eaf5a6788c5e76ad6a78

SHA1
5a9395e128b488d3f7d3ec66b6522ea9e696a67a

SHA256
ea55619edf8fbf29000be3591014bcf5388b1fd63b2563d18a7d00b834e17ad1

SHA512
32b5c5deb6da30316ef8238b9d42182c978c6c07bad2ae174d5a007f9c1692941a04c17e3bf58d2e95f1b1d0c4ae3dd6e1a381c620767ed81f810418df4ee435

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfdsame.exe
Filesize
556KB

MD5
a98781c107b2ace080273819b6686301

SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9

SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a

SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfdsame.exe
Filesize
556KB

MD5
a98781c107b2ace080273819b6686301

SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9

SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a

SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfdsame.exe
Filesize
556KB

MD5
a98781c107b2ace080273819b6686301

SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9

SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a

SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe
Filesize
230KB

MD5
af8e56a6c76165480e5755705fbf122f

SHA1
c46407d621a01ae59dc85b88308b58713147ce9e

SHA256
8dbdd7a4e41a4a0d30af17b412ad41c04cad728eddc9c4d4cb89b2522f3f8df6

SHA512
bf4a071c523e573a2ab523d649ee31f383a7f9b2a483bfe30de9d79cb334752e412007de7ecd51d2fb0b44f363ba48829ce18c1a9c551dcb5465265d1e49467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe
Filesize
230KB

MD5
af8e56a6c76165480e5755705fbf122f

SHA1
c46407d621a01ae59dc85b88308b58713147ce9e

SHA256
8dbdd7a4e41a4a0d30af17b412ad41c04cad728eddc9c4d4cb89b2522f3f8df6

SHA512
bf4a071c523e573a2ab523d649ee31f383a7f9b2a483bfe30de9d79cb334752e412007de7ecd51d2fb0b44f363ba48829ce18c1a9c551dcb5465265d1e49467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vHfj309R.exe
Filesize
230KB

MD5
af8e56a6c76165480e5755705fbf122f

SHA1
c46407d621a01ae59dc85b88308b58713147ce9e

SHA256
8dbdd7a4e41a4a0d30af17b412ad41c04cad728eddc9c4d4cb89b2522f3f8df6

SHA512
bf4a071c523e573a2ab523d649ee31f383a7f9b2a483bfe30de9d79cb334752e412007de7ecd51d2fb0b44f363ba48829ce18c1a9c551dcb5465265d1e49467c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
230KB

MD5
af8e56a6c76165480e5755705fbf122f

SHA1
c46407d621a01ae59dc85b88308b58713147ce9e

SHA256
8dbdd7a4e41a4a0d30af17b412ad41c04cad728eddc9c4d4cb89b2522f3f8df6

SHA512
bf4a071c523e573a2ab523d649ee31f383a7f9b2a483bfe30de9d79cb334752e412007de7ecd51d2fb0b44f363ba48829ce18c1a9c551dcb5465265d1e49467c

Download Submit
C:\Users\Admin\AppData\Roaming\dalaydssvcd.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
C:\Users\Admin\AppData\Roaming\reggsad.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
C:\Users\Admin\AppData\Roaming\reggsad.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
C:\Users\Admin\AppData\Roaming\reggsad.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
C:\Users\Admin\AppData\Roaming\rsgsad.exe
Filesize
586KB

MD5
131a32033cf88976a8df48361b90207d

SHA1
ce260393460fa5d4cbfa17d3329fd33594810add

SHA256
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

SHA512
120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Download Submit
C:\Users\Admin\AppData\Roaming\rsgsad.exe
Filesize
586KB

MD5
131a32033cf88976a8df48361b90207d

SHA1
ce260393460fa5d4cbfa17d3329fd33594810add

SHA256
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

SHA512
120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Download Submit
C:\Users\Admin\AppData\Roaming\vsnaad.exe
Filesize
586KB

MD5
131a32033cf88976a8df48361b90207d

SHA1
ce260393460fa5d4cbfa17d3329fd33594810add

SHA256
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

SHA512
120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Download Submit
C:\Users\Admin\AppData\Roaming\vsnaad.exe
Filesize
586KB

MD5
131a32033cf88976a8df48361b90207d

SHA1
ce260393460fa5d4cbfa17d3329fd33594810add

SHA256
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

SHA512
120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\1SR6o72c.exe
Filesize
480KB

MD5
4841f41452ae6adfbfdcaa30e253261f

SHA1
5a51f6bddb0e890a710fe8c13017e8902e7123fd

SHA256
5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b

SHA512
220bca133859810728fc6d2df5ad8f789e4e1138ca76d51c809474ca721259863cbb9b81435fd9e9379a61f615816607eaa9414349625762a02ce60271444e1d

Download Submit
\Users\Admin\AppData\Local\Temp\47wj3oj2.exe
Filesize
283KB

MD5
438cbbc5449ace7dc2f23c8f884a51e5

SHA1
e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

SHA256
c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

SHA512
2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

Download Submit
\Users\Admin\AppData\Local\Temp\906.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.exe
Filesize
549KB

MD5
9cb973f46dfa16d3943800bf01f2153a

SHA1
87bc73d8e1c3e5feed04eb90270b10dd031313e4

SHA256
44e19c83112fd5e99a5cd9a28fa4bfeb433411deb29ce55183c8eb6341c87dbf

SHA512
031fe0ac658ac6840ae62f31f96d124ca57ffa04355b0addc4805fe5fd2d0cb1fd8c844a63a713dc471a29e16c518ea50166fc77c2546973f25ac23e9e1a2978

Download Submit
\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
Filesize
84KB

MD5
d8e0462c633785181b5b31ea98308a0b

SHA1
69809c0237167c9666ef2b50aa1694e2a8ca38ac

SHA256
5ebb3cc4e09a0fb9434d07543cd821538008462dc037c6d6323a32b8bd26dd6e

SHA512
0e63d4e2d765005bca3647109315bbac9bb6ea0a640212ffbbeaa949043dc1f36396265c5c4ad80e1cd0701b03ebcbd1c0938df4fbd1e48528feaf997df65aee

Download Submit
\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
Filesize
84KB

MD5
d8e0462c633785181b5b31ea98308a0b

SHA1
69809c0237167c9666ef2b50aa1694e2a8ca38ac

SHA256
5ebb3cc4e09a0fb9434d07543cd821538008462dc037c6d6323a32b8bd26dd6e

SHA512
0e63d4e2d765005bca3647109315bbac9bb6ea0a640212ffbbeaa949043dc1f36396265c5c4ad80e1cd0701b03ebcbd1c0938df4fbd1e48528feaf997df65aee

Download Submit
\Users\Admin\AppData\Local\Temp\906.tmp\dllhost.exe
Filesize
84KB

MD5
d8e0462c633785181b5b31ea98308a0b

SHA1
69809c0237167c9666ef2b50aa1694e2a8ca38ac

SHA256
5ebb3cc4e09a0fb9434d07543cd821538008462dc037c6d6323a32b8bd26dd6e

SHA512
0e63d4e2d765005bca3647109315bbac9bb6ea0a640212ffbbeaa949043dc1f36396265c5c4ad80e1cd0701b03ebcbd1c0938df4fbd1e48528feaf997df65aee

Download Submit
\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
Filesize
341KB

MD5
e96634c20057c1643a303d6266321035

SHA1
5f074a2f48911fa04995ab2bad95f6e66f228ebe

SHA256
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c

SHA512
0d927b650ef8029636681a4ba16637bda30336756586038818c0b75c2fddba0d83b6e4a51ece8a8c05a4deb13dc93e5bd23ae36024349a901c27909144725ebb

Download Submit
\Users\Admin\AppData\Local\Temp\Mccegjkqnoydj.exe
Filesize
341KB

MD5
e96634c20057c1643a303d6266321035

SHA1
5f074a2f48911fa04995ab2bad95f6e66f228ebe

SHA256
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c

SHA512
0d927b650ef8029636681a4ba16637bda30336756586038818c0b75c2fddba0d83b6e4a51ece8a8c05a4deb13dc93e5bd23ae36024349a901c27909144725ebb

Download Submit
\Users\Admin\AppData\Local\Temp\is-L04QO.tmp\Ashampoo-3D-CAD_Pro_Universal_Activation.tmp
Filesize
749KB

MD5
bf2f40b3ef26293972ae05a112c2f15c

SHA1
84656cc88b61450fefa1ca3589af916285ecd0fb

SHA256
ce58c94531faedbca16e1cb6beff233b5506276a86ab00effbe7a73fd3ae3e86

SHA512
87f65ecede50253d48b58a740c86b13b00f4410f76294b5b0ded47e47daea4cd9611d2691d0f56881b153b99668bcb6bea9260b8a9ba9ec7dd9ffba30b7a11f3

Download Submit
\Users\Admin\AppData\Local\Temp\n3Lmbp5x.exe
Filesize
693KB

MD5
3939c4fed7a0eaf5a6788c5e76ad6a78

SHA1
5a9395e128b488d3f7d3ec66b6522ea9e696a67a

SHA256
ea55619edf8fbf29000be3591014bcf5388b1fd63b2563d18a7d00b834e17ad1

SHA512
32b5c5deb6da30316ef8238b9d42182c978c6c07bad2ae174d5a007f9c1692941a04c17e3bf58d2e95f1b1d0c4ae3dd6e1a381c620767ed81f810418df4ee435

Download Submit
\Users\Admin\AppData\Local\Temp\nfdsame.exe
Filesize
556KB

MD5
a98781c107b2ace080273819b6686301

SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9

SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a

SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a

Download Submit
\Users\Admin\AppData\Local\Temp\nfdsame.exe
Filesize
556KB

MD5
a98781c107b2ace080273819b6686301

SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9

SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a

SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a

Download Submit
\Users\Admin\AppData\Local\Temp\nfdsame.exe
Filesize
556KB

MD5
a98781c107b2ace080273819b6686301

SHA1
aec10de615dc75204d257ee743cdc0e0936e8bf9

SHA256
200b2ed6014cf60dbc87aa964adc53304c9731a0ec90122383781b03bfb1f97a

SHA512
cca490fe092d5b7215687daba47b8a79c54e3194af17e14200c544ce0cf24f5b9622611dd230e0111a59736961e836bb8b734bfadf893f3f1ebbf6ea0323f67a

Download Submit
\Users\Admin\AppData\Local\Temp\vHfj309R.exe
Filesize
230KB

MD5
af8e56a6c76165480e5755705fbf122f

SHA1
c46407d621a01ae59dc85b88308b58713147ce9e

SHA256
8dbdd7a4e41a4a0d30af17b412ad41c04cad728eddc9c4d4cb89b2522f3f8df6

SHA512
bf4a071c523e573a2ab523d649ee31f383a7f9b2a483bfe30de9d79cb334752e412007de7ecd51d2fb0b44f363ba48829ce18c1a9c551dcb5465265d1e49467c

Download Submit
\Users\Admin\AppData\Local\Temp\vHfj309R.exe
Filesize
230KB

MD5
af8e56a6c76165480e5755705fbf122f

SHA1
c46407d621a01ae59dc85b88308b58713147ce9e

SHA256
8dbdd7a4e41a4a0d30af17b412ad41c04cad728eddc9c4d4cb89b2522f3f8df6

SHA512
bf4a071c523e573a2ab523d649ee31f383a7f9b2a483bfe30de9d79cb334752e412007de7ecd51d2fb0b44f363ba48829ce18c1a9c551dcb5465265d1e49467c

Download Submit
\Users\Admin\AppData\Roaming\dalaydssvcd.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
\Users\Admin\AppData\Roaming\dalaydssvcd.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
\Users\Admin\AppData\Roaming\reggsad.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
\Users\Admin\AppData\Roaming\reggsad.exe
Filesize
1004KB

MD5
08802514f3c2c303d54e4a47a8db54f2

SHA1
ebe7c3ac64ce312ca370bcd07d49de5ad1369d93

SHA256
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74

SHA512
1ce0f58fa1f50debdff44222b70a4870b7ddb76a21f32d78ccecc2315bf005813bfb37032629e4360a928c61479b72237ac792e904b8c34fc089f73d5721f191

Download Submit
\Users\Admin\AppData\Roaming\rsgsad.exe
Filesize
586KB

MD5
131a32033cf88976a8df48361b90207d

SHA1
ce260393460fa5d4cbfa17d3329fd33594810add

SHA256
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

SHA512
120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Download Submit
\Users\Admin\AppData\Roaming\vsnaad.exe
Filesize
586KB

MD5
131a32033cf88976a8df48361b90207d

SHA1
ce260393460fa5d4cbfa17d3329fd33594810add

SHA256
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

SHA512
120a4ef120c7b2d4c07af7e6418eaf83d7f3d41ba13f41ce2e494f76182c4b07fd16ec2ceaf1937ba3e76ecb9149cc42edba315e818dad09882cf77a62f6c708

Download Submit
memory/340-357-0x0000000000000000-mapping.dmp

Download
memory/556-219-0x0000000000000000-mapping.dmp

Download
memory/748-298-0x000000000043133D-mapping.dmp

Download
memory/812-358-0x0000000000000000-mapping.dmp

Download
memory/832-100-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/832-95-0x0000000000000000-mapping.dmp

Download
memory/832-98-0x0000000000910000-0x000000000096C000-memory.dmp

Filesize
368KB

Download
memory/836-139-0x0000000000000000-mapping.dmp

Download
memory/836-151-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/864-359-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/864-194-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/864-187-0x000000000043C0B2-mapping.dmp

Download
memory/960-242-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-237-0x000000000041A684-mapping.dmp

Download
memory/960-241-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/980-354-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/980-55-0x0000000000000000-mapping.dmp

Download
memory/980-364-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/980-301-0x0000000000000000-mapping.dmp

Download
memory/1000-244-0x0000000000000000-mapping.dmp

Download
memory/1000-254-0x000000013F180000-0x000000013F232000-memory.dmp

Filesize
712KB

Download
memory/1000-277-0x000000001B630000-0x000000001B6EE000-memory.dmp

Filesize
760KB

Download
memory/1036-253-0x0000000000390000-0x00000000003DA000-memory.dmp

Filesize
296KB

Download
memory/1036-251-0x0000000001060000-0x00000000010A0000-memory.dmp

Filesize
256KB

Download
memory/1036-248-0x0000000000000000-mapping.dmp

Download
memory/1048-110-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-128-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-101-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-115-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-109-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-217-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-117-0x0000000000406BEA-mapping.dmp

Download
memory/1048-122-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-102-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-272-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1148-360-0x0000000000000000-mapping.dmp

Download
memory/1168-87-0x0000000000000000-mapping.dmp

Download
memory/1168-90-0x00000000009A0000-0x0000000000A38000-memory.dmp

Filesize
608KB

Download
memory/1168-92-0x00000000043B0000-0x0000000004454000-memory.dmp

Filesize
656KB

Download
memory/1168-93-0x0000000000860000-0x00000000008AC000-memory.dmp

Filesize
304KB

Download
memory/1184-280-0x0000000000000000-mapping.dmp

Download
memory/1200-161-0x0000000000000000-mapping.dmp

Download
memory/1200-167-0x00000000010A0000-0x00000000010FC000-memory.dmp

Filesize
368KB

Download
memory/1392-361-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1392-77-0x000000000040106C-mapping.dmp

Download
memory/1392-85-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1392-116-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1452-106-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-114-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-105-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-121-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-218-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-123-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-220-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-125-0x000000000043C0B2-mapping.dmp

Download
memory/1452-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-129-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-118-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-196-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1488-73-0x0000000000000000-mapping.dmp

Download
memory/1500-228-0x00000000010F0000-0x0000000001148000-memory.dmp

Filesize
352KB

Download
memory/1500-226-0x00000000013B0000-0x00000000013FC000-memory.dmp

Filesize
304KB

Download
memory/1500-223-0x0000000000000000-mapping.dmp

Download
memory/1504-176-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1504-175-0x0000000000406BEA-mapping.dmp

Download
memory/1504-267-0x0000000000000000-mapping.dmp

Download
memory/1548-270-0x0000000000000000-mapping.dmp

Download
memory/1548-276-0x0000000004C60000-0x0000000004CEA000-memory.dmp

Filesize
552KB

Download
memory/1548-274-0x0000000000B90000-0x0000000000C0E000-memory.dmp

Filesize
504KB

Download
memory/1596-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1596-64-0x0000000000000000-mapping.dmp

Download
memory/1596-84-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1708-356-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1708-306-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1708-153-0x000000000043C0B2-mapping.dmp

Download
memory/1708-195-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1736-355-0x0000000000000000-mapping.dmp

Download
memory/1736-221-0x0000000000000000-mapping.dmp

Download
memory/1760-142-0x0000000000406BEA-mapping.dmp

Download
memory/1760-146-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1792-363-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/1792-308-0x0000000000000000-mapping.dmp

Download
memory/1812-154-0x0000000000000000-mapping.dmp

Download
memory/1812-158-0x0000000000E50000-0x0000000000EE8000-memory.dmp

Filesize
608KB

Download
memory/1836-132-0x0000000000000000-mapping.dmp

Download
memory/1908-79-0x0000000000240000-0x0000000000245000-memory.dmp

Filesize
20KB

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/1976-83-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1976-54-0x0000000076A21000-0x0000000076A23000-memory.dmp

Filesize
8KB

Download
memory/2016-268-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2016-262-0x0000000000402354-mapping.dmp

Download