djvu | ef1c7df22e071bd236cff6de972f281c9db53e4f247be4cfd341777c03277108

Analysis

max time kernel
78s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.exe
Size

686.7MB
MD5

27653c835f31dcb8aca420f8ef5eb421
SHA1

fe3353e2257cfab6b6320db281acd67702131486
SHA256

80a1fc5830602b1c5ec1fa6439c3b4189558fd4deaa175e732de9f956ddf55c2
SHA512

2149f983b7e4bd123917beb324a8d5b7d60acd718c675a176939378901f5c98ac2b652ec2c095ce723d4de00350c5f9806b1d5a3b8467106075bc8ecf615b879
SSDEEP

98304:kKiI2ZBtRK7IF1RXsMfWMIl6a6KLmKF0rVKwK8kuvG:r2p7OqWRsa6KKKFGRK8dG

Score

10^/10

djvu nymaim privateloader redline smokeloader vidar 517 nam6.5 ruzki19 backdoor discovery infostealer loader main ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://vipsofts.xyz/files/mega.bmp

Extracted

Family

djvu

http://winnlinne.com/test3/get.php

Attributes

extension
.ofoq
offline_id
xkNzhkB1wvgoDI7Uo0HPNLY3qCuwoFpP7nlhlut1
payload_url
http://rgyui.top/dl/build2.exe
http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EWKSsSJiVn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0568Jhyjd

rsa_pubkey.plain

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Extracted

Family

redline

Botnet

nam6.5

103.89.90.61:34589

Attributes

auth_value
ea8cbb51ed8a91dcbe95697e8bb9a9d7

Extracted

Family

redline

Botnet

ruzki19

176.113.115.146:9582

Attributes

auth_value
c97cb30de806db62d9a577d3d800e1a4

Extracted

Family

vidar

Version

54.7

Botnet

517

https://t.me/trampapanam

https://nerdculture.de/@yoxhyp

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2364-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2364-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2004-190-0x0000000002350000-0x000000000246B000-memory.dmp	family_djvu
behavioral2/memory/2364-202-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2364-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2364-272-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/98616-279-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/98616-280-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/98616-285-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/98616-316-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1516-204-0x0000000002070000-0x0000000002079000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4636-195-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/101684-284-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Minor Policy\dAs9MmmHLkwDThUKiHbTK7F0.exe	vmprotect
C:\Users\Admin\Pictures\Minor Policy\dAs9MmmHLkwDThUKiHbTK7F0.exe	vmprotect
behavioral2/memory/1480-166-0x0000000140000000-0x000000014060E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Install.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

356 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ipinfo.io
15 ipinfo.io
121 ipinfo.io
122 ipinfo.io
123 api.2ip.ua
124 api.2ip.ua
196 api.2ip.ua

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Install.exe

pid	process
356	icacls.exe

flow	ioc
14	ipinfo.io
15	ipinfo.io
121	ipinfo.io
122	ipinfo.io
123	api.2ip.ua
124	api.2ip.ua
196	api.2ip.ua

Drops file in System32 directory 4 IoCs

Processes:

Install.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2784	1480	WerFault.exe	dAs9MmmHLkwDThUKiHbTK7F0.exe
1808	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
3292	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
4952	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
1936	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
380	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
8876	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
9156	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
11148	3712	WerFault.exe	tE2xx3mubQaHnmoJMAwo3exF.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1312 schtasks.exe
4684 schtasks.exe
10292 schtasks.exe
102320 schtasks.exe
4752 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Install.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Install.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Install.exe

pid process

1268 Install.exe
1268 Install.exe

pid	process
1312	schtasks.exe
4684	schtasks.exe
10292	schtasks.exe
102320	schtasks.exe
4752	schtasks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Install.exe

pid	process
1268	Install.exe
1268	Install.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Install.exe

description	pid	process	target process
PID 1268 wrote to memory of 1516	1268	Install.exe	hahHnTaXyem5_8tpZiU_7ImA.exe
PID 1268 wrote to memory of 1516	1268	Install.exe	hahHnTaXyem5_8tpZiU_7ImA.exe
PID 1268 wrote to memory of 1516	1268	Install.exe	hahHnTaXyem5_8tpZiU_7ImA.exe
PID 1268 wrote to memory of 3712	1268	Install.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
PID 1268 wrote to memory of 3712	1268	Install.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
PID 1268 wrote to memory of 3712	1268	Install.exe	tE2xx3mubQaHnmoJMAwo3exF.exe
PID 1268 wrote to memory of 2796	1268	Install.exe	P5SGQdCuwbN3437EVEdstssI.exe
PID 1268 wrote to memory of 2796	1268	Install.exe	P5SGQdCuwbN3437EVEdstssI.exe
PID 1268 wrote to memory of 2796	1268	Install.exe	P5SGQdCuwbN3437EVEdstssI.exe
PID 1268 wrote to memory of 2004	1268	Install.exe	dYGHgLCoqjt_zXegp6fDwXpR.exe
PID 1268 wrote to memory of 2004	1268	Install.exe	dYGHgLCoqjt_zXegp6fDwXpR.exe
PID 1268 wrote to memory of 2004	1268	Install.exe	dYGHgLCoqjt_zXegp6fDwXpR.exe
PID 1268 wrote to memory of 3400	1268	Install.exe	xaVDv5KrfTuqbAIeJ8HcQJ5v.exe
PID 1268 wrote to memory of 3400	1268	Install.exe	xaVDv5KrfTuqbAIeJ8HcQJ5v.exe
PID 1268 wrote to memory of 3400	1268	Install.exe	xaVDv5KrfTuqbAIeJ8HcQJ5v.exe
PID 1268 wrote to memory of 1480	1268	Install.exe	dAs9MmmHLkwDThUKiHbTK7F0.exe
PID 1268 wrote to memory of 1480	1268	Install.exe	dAs9MmmHLkwDThUKiHbTK7F0.exe
PID 1268 wrote to memory of 4596	1268	Install.exe	nJOCiKdss6tST1w6uVpa9Txm.exe
PID 1268 wrote to memory of 4596	1268	Install.exe	nJOCiKdss6tST1w6uVpa9Txm.exe
PID 1268 wrote to memory of 4596	1268	Install.exe	nJOCiKdss6tST1w6uVpa9Txm.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\Pictures\Minor Policy\nJOCiKdss6tST1w6uVpa9Txm.exe
"C:\Users\Admin\Pictures\Minor Policy\nJOCiKdss6tST1w6uVpa9Txm.exe"
2⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\7zSF1F1.tmp\Install.exe
.\Install.exe
3⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\7zS2E9D.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
PID:4516

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:1324

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:4628

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:508

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:3624

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:2072

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:3288

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFuFMSUxg" /SC once /ST 04:57:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:10292

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFuFMSUxg"
5⤵
PID:10756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFuFMSUxg"
5⤵
PID:4472

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 22:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\Anfikns.exe\" d8 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:4752

C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
"C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe"
2⤵
PID:2004

C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
"C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe"
3⤵
PID:2364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\04ee2d63-56ed-4a08-976c-f8885cc33dcc" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:356

C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
"C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:70996

C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
"C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:98616

C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build2.exe
"C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build2.exe"
6⤵
PID:102236

C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build2.exe
"C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build2.exe"
7⤵
PID:102396

C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build3.exe
"C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build3.exe"
6⤵
PID:102300

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:102320

C:\Users\Admin\Pictures\Minor Policy\P5SGQdCuwbN3437EVEdstssI.exe
"C:\Users\Admin\Pictures\Minor Policy\P5SGQdCuwbN3437EVEdstssI.exe"
2⤵
PID:2796

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -y .\QXEL.eg
3⤵
PID:1664

C:\Users\Admin\Pictures\Minor Policy\xaVDv5KrfTuqbAIeJ8HcQJ5v.exe
"C:\Users\Admin\Pictures\Minor Policy\xaVDv5KrfTuqbAIeJ8HcQJ5v.exe"
2⤵
PID:3400

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1312

C:\Users\Admin\Documents\2lFfj997p7CQjKWalw_dSCi9.exe
"C:\Users\Admin\Documents\2lFfj997p7CQjKWalw_dSCi9.exe"
3⤵
PID:184

C:\Users\Admin\Pictures\Adobe Films\BYmGgzzbGBRUFqqSqpi6jd9i.exe
"C:\Users\Admin\Pictures\Adobe Films\BYmGgzzbGBRUFqqSqpi6jd9i.exe"
4⤵
PID:5060

C:\Users\Admin\Pictures\Adobe Films\uZp0aS43YlMeWwlneQYr8j2C.exe
"C:\Users\Admin\Pictures\Adobe Films\uZp0aS43YlMeWwlneQYr8j2C.exe"
4⤵
PID:2536

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4684

C:\Users\Admin\Pictures\Minor Policy\tE2xx3mubQaHnmoJMAwo3exF.exe
"C:\Users\Admin\Pictures\Minor Policy\tE2xx3mubQaHnmoJMAwo3exF.exe"
2⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 448
3⤵
- Program crash
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 772
3⤵
- Program crash
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 780
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 796
3⤵
- Program crash
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 784
3⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1004
3⤵
- Program crash
PID:8876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 848
3⤵
- Program crash
PID:9156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1388
3⤵
- Program crash
PID:11148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\qPuB5nvlQzJxa8u6XpKVN\Cleaner.exe"
3⤵
PID:67016

C:\Users\Admin\AppData\Local\Temp\qPuB5nvlQzJxa8u6XpKVN\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\qPuB5nvlQzJxa8u6XpKVN\Cleaner.exe"
4⤵
PID:67632

C:\Users\Admin\Pictures\Minor Policy\dAs9MmmHLkwDThUKiHbTK7F0.exe
"C:\Users\Admin\Pictures\Minor Policy\dAs9MmmHLkwDThUKiHbTK7F0.exe"
2⤵
PID:1480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1480 -s 424
3⤵
- Program crash
PID:2784

C:\Users\Admin\Pictures\Minor Policy\hahHnTaXyem5_8tpZiU_7ImA.exe
"C:\Users\Admin\Pictures\Minor Policy\hahHnTaXyem5_8tpZiU_7ImA.exe"
2⤵
PID:1516

C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe
"C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe"
2⤵
PID:2000

C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe
"C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe"
3⤵
PID:4636

C:\Users\Admin\Pictures\Minor Policy\LkZGU1vedRRyDZGFVAKZAWor.exe
"C:\Users\Admin\Pictures\Minor Policy\LkZGU1vedRRyDZGFVAKZAWor.exe"
2⤵
PID:4680

C:\Users\Admin\Pictures\Minor Policy\ESAn3wDrYTwqGjNjf72CgU6o.exe
"C:\Users\Admin\Pictures\Minor Policy\ESAn3wDrYTwqGjNjf72CgU6o.exe"
2⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:101684

C:\Users\Admin\Pictures\Minor Policy\nMSLZWW3DUAJKd9Jb9ZRZjlk.exe
"C:\Users\Admin\Pictures\Minor Policy\nMSLZWW3DUAJKd9Jb9ZRZjlk.exe"
2⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
3⤵
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
PID:9316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1480 -ip 1480
1⤵
PID:600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3712 -ip 3712
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3712 -ip 3712
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3712 -ip 3712
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3712 -ip 3712
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3712 -ip 3712
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3712 -ip 3712
1⤵
PID:8828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3712 -ip 3712
1⤵
PID:9128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:10920

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:101904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3712 -ip 3712
1⤵
PID:11020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:102016

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:102072

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AB10.dll
1⤵
PID:772

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AB10.dll
2⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\ADD0.exe
C:\Users\Admin\AppData\Local\Temp\ADD0.exe
1⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\B3AD.exe
C:\Users\Admin\AppData\Local\Temp\B3AD.exe
1⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
5f0a548198075b4cd8c891c5c0f45e4c

SHA1
c3dd48a91f5a4dfbecd2a9e5802a8e5d8623aab6

SHA256
bcb8d4f0e605ffe557f9f3d23291e2212f39acfa1df9f24331a4075810555839

SHA512
8ade693197f9ca350f7c549312de77d70ef362dd3772a9ebb86c30dc7311d047bac0b9e1b517001b4e470271f7f181313f87eeae5b7a71ec5b7be5380525e22f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\22567EF3F8535D2EAD2260E751D236DA
Filesize
344B

MD5
78aebcc3739235bfefbc2c5a9813b0ea

SHA1
10009ac4cdb0bfdd1527b52e49715157bd940da4

SHA256
90c140fb1e9d421d10f0f2f4bd2d5a5e9b49de6adcc098333e5728deb0da0249

SHA512
df8f4ecfd96c76b674c375e0a0c4ffd2115d1c9251ba147ecd5c04a37e5234adecf8e56e365af302c570f4427152db625aaa30fc021703067bbe47360b321604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98E4B9E09258E3C5F565FA64983EE15B
Filesize
1KB

MD5
2785fcb4b077b8e758b6e342ddd5d563

SHA1
bca76fa01ff42e2bdddef5f95d83a06d5d3c734f

SHA256
1578cafbaf90047e1bdb13b54a330c31c8df97e58d1d20b641bad85c3882cf7b

SHA512
a4a92e27fc807a6bcf89f0408352a0881981f9dcf9e9c8307e20e7dba3bbc90a87658de31eb5373dda272b13a9a0d49291ef20c6cac5907104436af34ad0d778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
1KB

MD5
1b7f6fec3188b82965d1a8f8727ca609

SHA1
378428369943c0e4276d85696115956ceff60d91

SHA256
fd6702a42f1c725b6264ade0ec7cdd841e1f789e84a5d4acb01c51a47dff446e

SHA512
83659c73e415e4d1b1ca7e3a7598cfea6aad8d9860c4731270300b0b8619d8e5478f7376bbad031f9ebd33252b7e2e507571fd322bdd539f42a3e24c7b537dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
cb19ea31ccbd0203dd87e096916c57fa

SHA1
cab9da6765c414006fc24a26afe3d9faed3da46c

SHA256
f2c2e4c4cb0138ea54016a5b4e248a37f10c3ce22ad3ac85f8509a9692d0394b

SHA512
20b5e6d75aa6340e47bb723541ede1ca9a54b8df916e3b9ae6e27ae869dfd13605feb400e0c847974594e126b9852dcb1785f55fc93ba10abcdef93ef71f5b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0081C45C8F81A550E9B702EAB56EAFB
Filesize
1KB

MD5
a2820a5d6fd1e51b985232e1808e883e

SHA1
3c030961e29fb7fe63f7d965becdc64dce575491

SHA256
1c4c93b8ea9773f801876022baca1024e080aba0802cc0f5114d05105b251a15

SHA512
894694364badfaa2195617104df674cd2a62cb214ad7f2320032d17e6dcd02bf3eecbbb625c0908ceb7cad546c06f6ad02d0928fb53d395fb4161fd54e9584c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CD39ADF7806918A174DD06515F1280A5
Filesize
345B

MD5
4609b4eb1f4c6eb74db8ffe60a974aa1

SHA1
1512ee70f3acefa4351efa926163c53a38fb8dc9

SHA256
3f5ba439ea7892b1e6139154cd01a5b633e88924e21d78a299e0753331b55499

SHA512
1fd75b4e5c09f862bf134f107f17b8f8ce4465de839aec21fa6d47abd03c60a98b697f12a175a71023cd5cd7d547c90f081766be7e7baafde9581ddbaa303aac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
334cea15518fba113014f9517924c4f0

SHA1
eb61a265d6f1d84ceca8fe0b53e76acb16f15c2f

SHA256
96b343967b77375392424cd69b7cb827b3f1329762480877a9052ec4053bc91c

SHA512
0b39346c68898ae3f3967e5954599b0fe4f1b07d86c68b75f00ac1388665b07d14fa7b8ce84411ec098de2615d2242583288f4468d31ccf04af79193b602ff39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
51a9fbc4ae55f6334a0a5c0fc927988d

SHA1
8a06e5bb0866d88043494889af211b6f5f4aea44

SHA256
532e08495171ebb53ae198756181a7867c0d44183c99186ba39fd6abc936fb5b

SHA512
98b0ac6a135fe6500825d526c6e29123aa526ab615ccf6fe431476f8fc6c6650113fd5938e0eb5793ac54e3e5dc2643383b638617c2adb06ee47968a54f22aa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
db5720dc67cd0aa36525d2f2c292de33

SHA1
a1ebdeb34f8f9a1c51356a57ff5742fffe727893

SHA256
c118b5e11aa2332503aed9cd5a7a28f5e4800b5c9842d181c06e0f40b29dfd2e

SHA512
ab1b82d8902045f8b8328784fd7a86a2c2e35d5675c6f2817402caaea0c2f2e2101fe41fd4e70c637523df4844e1837721035e0f82092dea36abe4e468473240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\22567EF3F8535D2EAD2260E751D236DA
Filesize
544B

MD5
1133f6762a6f77f8ffb49a4279f12d0e

SHA1
6e816ff3d7748fc4a0217bcb3c671f2a8786c65c

SHA256
6c4d8eaf508e9ad4bb567c3b882a3243aeed6bfa193a167d793472252e9e1701

SHA512
f1dee78b045a6baef4f187d45f5375dbabf7a93ef0c423740e54a36bdc0bc831de07691d79e9d057c742a674f8d6c060cde02ed8678e013777cb08f64a83a6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98E4B9E09258E3C5F565FA64983EE15B
Filesize
540B

MD5
a7bb85b579768186ceb63a3113d4cb7c

SHA1
da65a9ec8720b6b1ec0c689bc8bb35568d8ee860

SHA256
a1757d306f68b1ef2ee0826b1c255b0e721094e718853b9422459e818790f37b

SHA512
c1c482be103310bc7c8bf5e7a5c27e72c1ed177fa99be853f66d3a8a9409bd6b6b3968751d8f94fb74b78d53fea67165a0e37f707ec47c15667e1d8bc231ee76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
Filesize
492B

MD5
e0041dc0e5b5b2d4fb9e5b0365c3e47f

SHA1
96acb6af3a04b222a214cc5ce8cb72474670addc

SHA256
6a00cd5595f9855b27807bf3e1c2e2fe84cd5150dd5f858042cb485b53ef9fea

SHA512
76b0dd0aba38c8bc8a8b7fe53c80e3491deb765d771c633f49f08a3fe943fa186703f3be5acfa02539f0b4d1560e58ad08257499011c44f9dcfb193fd091d608

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
8de60e92621eaeff22bcc2b331edc049

SHA1
70f74feb6f84aace09f7d475c6737b437a95d315

SHA256
60731a0a9bcbe7c6aa2479b1d03bbd9524605ce85afe30c0ec311d81f5cd53cb

SHA512
50c49db53938fe3d0859608d0b5a4cd1366955e06b06941ea526a37b232a444d00a051a8a500ba434264a65b20688081112ba627f1aefba2f2a70e66aa017444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0081C45C8F81A550E9B702EAB56EAFB
Filesize
532B

MD5
c817ee3453d9bc32aab1b9a882035b04

SHA1
73deba4a91d8ff378b71344a14495ff6765fba5c

SHA256
bddf7c1035f4d945e0168a1c3d529e1d85f527d6e2cdf78ef4f4d294d3cb0b2b

SHA512
69daaa0693e989154097cc13b2e7dc3075cd2421a1fbafd6a137f950610288881b631a6e2ad0c4f840cd5e1921da9eea760a999bfde5c156b1e79a335c1ac6cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CD39ADF7806918A174DD06515F1280A5
Filesize
548B

MD5
09fec129eb7f4076174fb084bb805c45

SHA1
fb1008e340738c1ced504a2453fd941cbb94ce85

SHA256
be5c7bf5ef827d6b06c58ff62b50ea20ea428ce6824e035d54b8abe9fd7129a3

SHA512
ae0d2eb41f3eabbf25cbf7bedd70fd6e4693f6e6a41b69011169ae9cda9e814d2687af2e1e5df65fb7f8da0679579902c912d4c097b2c7f2581b8f7c5dc42b11

Download Submit
C:\Users\Admin\AppData\Local\04ee2d63-56ed-4a08-976c-f8885cc33dcc\dYGHgLCoqjt_zXegp6fDwXpR.exe
Filesize
660KB

MD5
18d7d05112e5bc55668dbbd5ebff922c

SHA1
0f2fc71a32d002fe731d53b50dc849393d0e2c8a

SHA256
3135e19da8634e86604dcca1c7d8e211e1b79011f01e91b1e4e64b4a2984864e

SHA512
b77bff2864ea7f398cba56910bd92d45142457e693c81f8e8b1bd117d88518d0b92a7cd72675d85bb14320b4aae211308bab9302ecde00b16148aa25becfd85c

Download Submit
C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build2.exe
Filesize
418KB

MD5
bc47d3a0d4a74adc40b3a7035344becb

SHA1
dd80bbe70106b62ea58924173a364cc936a0b1f4

SHA256
06d1366df3628a010416384f7c77c493ac35f13ee05e010751708d681ebe5169

SHA512
4a4ef35c5fcbfc5a6b86dd6235f8b1b4f048ee5b5bd74fd9173a65cd450ec0f58fcf74f5fd2e58dd5dee486c0e41c2523cd6d7528d56fc2627fbdf8b598a29e4

Download Submit
C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build2.exe
Filesize
418KB

MD5
bc47d3a0d4a74adc40b3a7035344becb

SHA1
dd80bbe70106b62ea58924173a364cc936a0b1f4

SHA256
06d1366df3628a010416384f7c77c493ac35f13ee05e010751708d681ebe5169

SHA512
4a4ef35c5fcbfc5a6b86dd6235f8b1b4f048ee5b5bd74fd9173a65cd450ec0f58fcf74f5fd2e58dd5dee486c0e41c2523cd6d7528d56fc2627fbdf8b598a29e4

Download Submit
C:\Users\Admin\AppData\Local\8394efe3-b6e0-4cd0-b999-d42388771fdc\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qoJh11CWf2ynb3wmTExO9A5u.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2E9D.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2E9D.tmp\Install.exe
Filesize
6.8MB

MD5
6f52a47480dae7c97a64dd5aebb8e426

SHA1
204fe492e1cdeacea89a4f3b2cf41626053bc992

SHA256
a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879

SHA512
994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1F1.tmp\Install.exe
Filesize
6.2MB

MD5
7e4eb639826abd968b22ebfad0410eb0

SHA1
be1bfee5d2636d926686a1b3ca0b73e205082147

SHA256
9424316254ef6a35b522ebb53ca472634e3801af34dde206c508b3de04981618

SHA512
a9d5881b4bfd0ade67e8a8799531582e94d62a3430da70156ac5fc7ee435275b48c1809bc1e0ff9930442310e224afaa40c22955f402d2933827777df5873309

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1F1.tmp\Install.exe
Filesize
6.2MB

MD5
7e4eb639826abd968b22ebfad0410eb0

SHA1
be1bfee5d2636d926686a1b3ca0b73e205082147

SHA256
9424316254ef6a35b522ebb53ca472634e3801af34dde206c508b3de04981618

SHA512
a9d5881b4bfd0ade67e8a8799531582e94d62a3430da70156ac5fc7ee435275b48c1809bc1e0ff9930442310e224afaa40c22955f402d2933827777df5873309

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
45.4MB

MD5
2edcef640bf436f64f353c1231122253

SHA1
564d2be28c2aa56978d4efef889948a650a0e507

SHA256
0aa008e3754163853a931fe1bba68125a1c5b082a172ca878be790328ebb003c

SHA512
d3c70b2e0dbb8c6e659ef46eb6f823ba454bc88179b99e44e5822c507773132279af3efe2171e8280537108c4c390c8e1e9baa6cadd6e8e6be820bb91ee9d449

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
48.8MB

MD5
e6d0f2d863413a011dcfe6f6e799d421

SHA1
fd37be0d1ed6c96d3c93f8fceb904054887b3bee

SHA256
b4dba91287e32662aa7be332f72d58fb53c7f9b82dc5b32d65db71cdffbee662

SHA512
e8d5fb7a71c96f349f7d41993ac9632682e3c5473f6042be59bc06b7bc93e9f2bf7d6d7005cb9fd0d509cb28797f242ddd75644d1360c02d00f2901ab61e29fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QXEL.eg
Filesize
1.9MB

MD5
201937dc39808b79e26256345afafba7

SHA1
a817c1b8440177c8a55f9a6eb9a96fdb15ec8e59

SHA256
74c28f23b1579da86b5dc8b2afcf1ac3e977d41e79e6b9e264d2a892bd697f7c

SHA512
0d16dde23455edf805ba2fe53c090f0ec209991c5f40e78c831e0363aed35efd04c879c1f248f2081747b252cff3f5f718d92c31335b5ee23e57eab4ad25fe52

Download Submit
C:\Users\Admin\AppData\Local\Temp\QXEl.eg
Filesize
1.9MB

MD5
201937dc39808b79e26256345afafba7

SHA1
a817c1b8440177c8a55f9a6eb9a96fdb15ec8e59

SHA256
74c28f23b1579da86b5dc8b2afcf1ac3e977d41e79e6b9e264d2a892bd697f7c

SHA512
0d16dde23455edf805ba2fe53c090f0ec209991c5f40e78c831e0363aed35efd04c879c1f248f2081747b252cff3f5f718d92c31335b5ee23e57eab4ad25fe52

Download Submit
C:\Users\Admin\AppData\Local\Temp\qPuB5nvlQzJxa8u6XpKVN\Bunifu_UI_v1.5.3.dll
Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qPuB5nvlQzJxa8u6XpKVN\Cleaner.exe
Filesize
4.0MB

MD5
a1a19faf0af29841daeeaad999d899bd

SHA1
f67b9afdab167d5bcc544358b0e7fd2858784508

SHA256
f349739486dcb45f7cd39440784224c66a5d2c4bd2a47c48606e2f481a0fabe7

SHA512
a66ec486262e797bafd4fa032a719e499217993479fa78938e43db13289fe6fefc0ef3c3359e3cacb6223134396852be7cc9122c46ae74db3e9842d7f4fe65a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qPuB5nvlQzJxa8u6XpKVN\Cleaner.exe
Filesize
4.0MB

MD5
a1a19faf0af29841daeeaad999d899bd

SHA1
f67b9afdab167d5bcc544358b0e7fd2858784508

SHA256
f349739486dcb45f7cd39440784224c66a5d2c4bd2a47c48606e2f481a0fabe7

SHA512
a66ec486262e797bafd4fa032a719e499217993479fa78938e43db13289fe6fefc0ef3c3359e3cacb6223134396852be7cc9122c46ae74db3e9842d7f4fe65a8

Download Submit
C:\Users\Admin\Desktop\Cleaner.lnk
Filesize
2KB

MD5
a451207edeed8e35b2b1b1399151d47b

SHA1
6fc7a000311f4b302ab974160da4d7c3530ab683

SHA256
8aefd1a29f1c8ddd5e6f1e004047ad847faa96599816036fbbea3ac5227ae7ee

SHA512
7007e600261b4da17118cddae35dabfe08394790d9713acbefc6e28e32c2de94dbe9c0f8313fbfbcf6d0524ee0a0f2d06cbb3bc6f07861979649fa8f30e72c35

Download Submit
C:\Users\Admin\Documents\2lFfj997p7CQjKWalw_dSCi9.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\2lFfj997p7CQjKWalw_dSCi9.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ESAn3wDrYTwqGjNjf72CgU6o.exe
Filesize
2.7MB

MD5
3fc9261a33782d872bdf55ee89cc238c

SHA1
f0eae08f5394fd23f52be292259a3ddbc8f04185

SHA256
aaa9390e55b509c0bcea76971bbb1fce89580980d84e5bad3e925a39b183caf8

SHA512
79e66d85419ca7915bb915aed69d58ff3807057baa867ceac0fd04943af3880982d3f39c9f34a1cbaee07829c21cc406e4a2529784178ec7d31498f40e7c0646

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ESAn3wDrYTwqGjNjf72CgU6o.exe
Filesize
2.7MB

MD5
3fc9261a33782d872bdf55ee89cc238c

SHA1
f0eae08f5394fd23f52be292259a3ddbc8f04185

SHA256
aaa9390e55b509c0bcea76971bbb1fce89580980d84e5bad3e925a39b183caf8

SHA512
79e66d85419ca7915bb915aed69d58ff3807057baa867ceac0fd04943af3880982d3f39c9f34a1cbaee07829c21cc406e4a2529784178ec7d31498f40e7c0646

Download Submit
C:\Users\Admin\Pictures\Minor Policy\LkZGU1vedRRyDZGFVAKZAWor.exe
Filesize
369KB

MD5
095ea376185f14059ddb07073003e56c

SHA1
fe64a20fdf9325d7d5b14258e77aba1b5502550e

SHA256
f08b3a925566dc86f7be4986161b016083df3b388bd60ddd41acd29090af565c

SHA512
11244b3939873a81903d74bcb58a6c357228c3e314586cb6c8a65b71d02d943aa6b9b5d96b483306d6310c41231d028fefc0c30d18cc50874ffb51843af15c34

Download Submit
C:\Users\Admin\Pictures\Minor Policy\LkZGU1vedRRyDZGFVAKZAWor.exe
Filesize
369KB

MD5
095ea376185f14059ddb07073003e56c

SHA1
fe64a20fdf9325d7d5b14258e77aba1b5502550e

SHA256
f08b3a925566dc86f7be4986161b016083df3b388bd60ddd41acd29090af565c

SHA512
11244b3939873a81903d74bcb58a6c357228c3e314586cb6c8a65b71d02d943aa6b9b5d96b483306d6310c41231d028fefc0c30d18cc50874ffb51843af15c34

Download Submit
C:\Users\Admin\Pictures\Minor Policy\P5SGQdCuwbN3437EVEdstssI.exe
Filesize
1.7MB

MD5
1855b61226b173a39393d70f3174b917

SHA1
69f67bb008b2a9c74dc4278f17d5946a57eda37b

SHA256
32eb4fd8d61229e8e4fe3c3e372140e3b246a39a2562fae06a86b7dac1203255

SHA512
78c0a02e6515601607fa1ad5006b7075fee97462c2160fc2d12bb7793acf9e008c51ce940e2ac60475809b8826857a441181f674fa9f8956dfa10e09fdc99d09

Download Submit
C:\Users\Admin\Pictures\Minor Policy\P5SGQdCuwbN3437EVEdstssI.exe
Filesize
1.7MB

MD5
1855b61226b173a39393d70f3174b917

SHA1
69f67bb008b2a9c74dc4278f17d5946a57eda37b

SHA256
32eb4fd8d61229e8e4fe3c3e372140e3b246a39a2562fae06a86b7dac1203255

SHA512
78c0a02e6515601607fa1ad5006b7075fee97462c2160fc2d12bb7793acf9e008c51ce940e2ac60475809b8826857a441181f674fa9f8956dfa10e09fdc99d09

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dAs9MmmHLkwDThUKiHbTK7F0.exe
Filesize
3.5MB

MD5
c579ffbbe8d6604d01318d6a08e24324

SHA1
0f42f48139f2577a17b12fb210cee143301d8e08

SHA256
34fd3c1727be1ac43b214e07a1a9c71965e8f06053a5b32919abd362f0df6240

SHA512
d0d7d6eb65bfa5fa66575fe87bceb1955cfe9b91d34812d87e289222fa6440578f3b18ecbc6bce5bbe352140a5551fe39ae1772996a0097dfda0a942c05b62d5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dAs9MmmHLkwDThUKiHbTK7F0.exe
Filesize
3.5MB

MD5
c579ffbbe8d6604d01318d6a08e24324

SHA1
0f42f48139f2577a17b12fb210cee143301d8e08

SHA256
34fd3c1727be1ac43b214e07a1a9c71965e8f06053a5b32919abd362f0df6240

SHA512
d0d7d6eb65bfa5fa66575fe87bceb1955cfe9b91d34812d87e289222fa6440578f3b18ecbc6bce5bbe352140a5551fe39ae1772996a0097dfda0a942c05b62d5

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
Filesize
660KB

MD5
18d7d05112e5bc55668dbbd5ebff922c

SHA1
0f2fc71a32d002fe731d53b50dc849393d0e2c8a

SHA256
3135e19da8634e86604dcca1c7d8e211e1b79011f01e91b1e4e64b4a2984864e

SHA512
b77bff2864ea7f398cba56910bd92d45142457e693c81f8e8b1bd117d88518d0b92a7cd72675d85bb14320b4aae211308bab9302ecde00b16148aa25becfd85c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
Filesize
660KB

MD5
18d7d05112e5bc55668dbbd5ebff922c

SHA1
0f2fc71a32d002fe731d53b50dc849393d0e2c8a

SHA256
3135e19da8634e86604dcca1c7d8e211e1b79011f01e91b1e4e64b4a2984864e

SHA512
b77bff2864ea7f398cba56910bd92d45142457e693c81f8e8b1bd117d88518d0b92a7cd72675d85bb14320b4aae211308bab9302ecde00b16148aa25becfd85c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
Filesize
660KB

MD5
18d7d05112e5bc55668dbbd5ebff922c

SHA1
0f2fc71a32d002fe731d53b50dc849393d0e2c8a

SHA256
3135e19da8634e86604dcca1c7d8e211e1b79011f01e91b1e4e64b4a2984864e

SHA512
b77bff2864ea7f398cba56910bd92d45142457e693c81f8e8b1bd117d88518d0b92a7cd72675d85bb14320b4aae211308bab9302ecde00b16148aa25becfd85c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
Filesize
660KB

MD5
18d7d05112e5bc55668dbbd5ebff922c

SHA1
0f2fc71a32d002fe731d53b50dc849393d0e2c8a

SHA256
3135e19da8634e86604dcca1c7d8e211e1b79011f01e91b1e4e64b4a2984864e

SHA512
b77bff2864ea7f398cba56910bd92d45142457e693c81f8e8b1bd117d88518d0b92a7cd72675d85bb14320b4aae211308bab9302ecde00b16148aa25becfd85c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\dYGHgLCoqjt_zXegp6fDwXpR.exe
Filesize
660KB

MD5
18d7d05112e5bc55668dbbd5ebff922c

SHA1
0f2fc71a32d002fe731d53b50dc849393d0e2c8a

SHA256
3135e19da8634e86604dcca1c7d8e211e1b79011f01e91b1e4e64b4a2984864e

SHA512
b77bff2864ea7f398cba56910bd92d45142457e693c81f8e8b1bd117d88518d0b92a7cd72675d85bb14320b4aae211308bab9302ecde00b16148aa25becfd85c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\hahHnTaXyem5_8tpZiU_7ImA.exe
Filesize
141KB

MD5
6a99031a0e0060edd7fe677df72f678a

SHA1
943b2d93b6578d9970a6067853a77f65537fa7f6

SHA256
76a0f76bfda841ed6e838d21248f7eee27b3ade108f9f289b4046c3863963871

SHA512
a1b9d2df17c66f8d0f6a3f8541815347044dbb75fd526cf0e583f93ada858482c92eb6f62755eefa36298e9dd36b8748188e1033eb63e4f32e9ed83990259f46

Download Submit
C:\Users\Admin\Pictures\Minor Policy\hahHnTaXyem5_8tpZiU_7ImA.exe
Filesize
141KB

MD5
6a99031a0e0060edd7fe677df72f678a

SHA1
943b2d93b6578d9970a6067853a77f65537fa7f6

SHA256
76a0f76bfda841ed6e838d21248f7eee27b3ade108f9f289b4046c3863963871

SHA512
a1b9d2df17c66f8d0f6a3f8541815347044dbb75fd526cf0e583f93ada858482c92eb6f62755eefa36298e9dd36b8748188e1033eb63e4f32e9ed83990259f46

Download Submit
C:\Users\Admin\Pictures\Minor Policy\nJOCiKdss6tST1w6uVpa9Txm.exe
Filesize
7.3MB

MD5
d55e7c43a81b43f08aec09164b9d51d1

SHA1
12b49a341ef353cc2c72e4456d50591e9a29bc64

SHA256
ada2b6a4b33962e1688f6f05643226582180fbc514a33178801609c1b969a8ca

SHA512
fd3d22a51a4427eddefc6bafe9cab7873ab4ee381c4410eef71db11f816fb8c535fa52da45b153267ec34375a8307e4b6e56ac8fcad7cfdd699dfcc774bf6604

Download Submit
C:\Users\Admin\Pictures\Minor Policy\nJOCiKdss6tST1w6uVpa9Txm.exe
Filesize
7.3MB

MD5
d55e7c43a81b43f08aec09164b9d51d1

SHA1
12b49a341ef353cc2c72e4456d50591e9a29bc64

SHA256
ada2b6a4b33962e1688f6f05643226582180fbc514a33178801609c1b969a8ca

SHA512
fd3d22a51a4427eddefc6bafe9cab7873ab4ee381c4410eef71db11f816fb8c535fa52da45b153267ec34375a8307e4b6e56ac8fcad7cfdd699dfcc774bf6604

Download Submit
C:\Users\Admin\Pictures\Minor Policy\nMSLZWW3DUAJKd9Jb9ZRZjlk.exe
Filesize
611KB

MD5
742b5f10679cf48e2ecedaace71e4750

SHA1
8b2a9eb43d14617e07c15af550351be18196b778

SHA256
a010dbebffc12636e3f3269758969ca314b2a893f62a304aa77ed7683d6acabb

SHA512
ccd2d6a09aa5e97558a86a701113924d5ab2124ebb4b91aa0f69615d6090909dadca7a46106e896ac4cf9d9a87d7fcc98251c4f26d9c6aae91c9fe0d0eedfc1c

Download Submit
C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe
Filesize
714KB

MD5
086fe35804c1c397aa0c338f4ba5b485

SHA1
72fb0c1301676f43269dafdd9a0b878d7b6bad97

SHA256
de53e9a94cf357293dc9fe81b8ddb4d2e42208db9ef231e9a8ba15987ebc79d2

SHA512
790b287fce52834927a46b77bb2164f2618151b269a0426019cfaf3430539fc3a6a6fc147bd982583a0724988d483a0f2b2d9d213e68ff1dee56630160a8e897

Download Submit
C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe
Filesize
714KB

MD5
086fe35804c1c397aa0c338f4ba5b485

SHA1
72fb0c1301676f43269dafdd9a0b878d7b6bad97

SHA256
de53e9a94cf357293dc9fe81b8ddb4d2e42208db9ef231e9a8ba15987ebc79d2

SHA512
790b287fce52834927a46b77bb2164f2618151b269a0426019cfaf3430539fc3a6a6fc147bd982583a0724988d483a0f2b2d9d213e68ff1dee56630160a8e897

Download Submit
C:\Users\Admin\Pictures\Minor Policy\qoJh11CWf2ynb3wmTExO9A5u.exe
Filesize
714KB

MD5
086fe35804c1c397aa0c338f4ba5b485

SHA1
72fb0c1301676f43269dafdd9a0b878d7b6bad97

SHA256
de53e9a94cf357293dc9fe81b8ddb4d2e42208db9ef231e9a8ba15987ebc79d2

SHA512
790b287fce52834927a46b77bb2164f2618151b269a0426019cfaf3430539fc3a6a6fc147bd982583a0724988d483a0f2b2d9d213e68ff1dee56630160a8e897

Download Submit
C:\Users\Admin\Pictures\Minor Policy\tE2xx3mubQaHnmoJMAwo3exF.exe
Filesize
229KB

MD5
ee681ff8a455d5e1f057de0f0d887b2f

SHA1
b9baec15bdf4c01ff6b2f8fbc94f9de59d358841

SHA256
6a0077d90d64ead80108d4966c919112c787a5a13036099b36bc82759f7a1133

SHA512
e79a88290009f0de7f1728802b03481865d1b58448a1537cc8bbaf5c4f322439dddbecf04751bd25c31120fe8e246f0b7f5d295fe5b90908c56f673e7e083c7e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\tE2xx3mubQaHnmoJMAwo3exF.exe
Filesize
229KB

MD5
ee681ff8a455d5e1f057de0f0d887b2f

SHA1
b9baec15bdf4c01ff6b2f8fbc94f9de59d358841

SHA256
6a0077d90d64ead80108d4966c919112c787a5a13036099b36bc82759f7a1133

SHA512
e79a88290009f0de7f1728802b03481865d1b58448a1537cc8bbaf5c4f322439dddbecf04751bd25c31120fe8e246f0b7f5d295fe5b90908c56f673e7e083c7e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\xaVDv5KrfTuqbAIeJ8HcQJ5v.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Minor Policy\xaVDv5KrfTuqbAIeJ8HcQJ5v.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/184-237-0x00000000033F0000-0x0000000003644000-memory.dmp

Filesize
2.3MB

Download
memory/184-211-0x0000000000000000-mapping.dmp

Download
memory/184-301-0x00000000033F0000-0x0000000003644000-memory.dmp

Filesize
2.3MB

Download
memory/356-213-0x0000000000000000-mapping.dmp

Download
memory/508-224-0x0000000000000000-mapping.dmp

Download
memory/772-319-0x0000000000000000-mapping.dmp

Download
memory/988-339-0x0000000000000000-mapping.dmp

Download
memory/1268-132-0x0000000000F30000-0x00000000017EB000-memory.dmp

Filesize
8.7MB

Download
memory/1312-216-0x0000000000000000-mapping.dmp

Download
memory/1324-218-0x0000000000000000-mapping.dmp

Download
memory/1480-166-0x0000000140000000-0x000000014060E000-memory.dmp

Filesize
6.1MB

Download
memory/1480-140-0x0000000000000000-mapping.dmp

Download
memory/1496-212-0x0000000000000000-mapping.dmp

Download
memory/1516-206-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1516-204-0x0000000002070000-0x0000000002079000-memory.dmp

Filesize
36KB

Download
memory/1516-203-0x00000000006EC000-0x00000000006FD000-memory.dmp

Filesize
68KB

Download
memory/1516-135-0x0000000000000000-mapping.dmp

Download
memory/1516-225-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1664-254-0x00000000030A0000-0x0000000003197000-memory.dmp

Filesize
988KB

Download
memory/1664-176-0x0000000000000000-mapping.dmp

Download
memory/1664-251-0x0000000003270000-0x000000000331C000-memory.dmp

Filesize
688KB

Download
memory/1664-252-0x0000000003270000-0x000000000331C000-memory.dmp

Filesize
688KB

Download
memory/1664-242-0x00000000031A0000-0x0000000003263000-memory.dmp

Filesize
780KB

Download
memory/1664-233-0x0000000002EA0000-0x0000000002F9C000-memory.dmp

Filesize
1008KB

Download
memory/1664-234-0x00000000030A0000-0x0000000003197000-memory.dmp

Filesize
988KB

Download
memory/1960-340-0x0000000000000000-mapping.dmp

Download
memory/2000-165-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/2000-147-0x0000000000000000-mapping.dmp

Download
memory/2000-164-0x0000000000070000-0x0000000000128000-memory.dmp

Filesize
736KB

Download
memory/2004-190-0x0000000002350000-0x000000000246B000-memory.dmp

Filesize
1.1MB

Download
memory/2004-138-0x0000000000000000-mapping.dmp

Download
memory/2004-186-0x00000000022B2000-0x0000000002344000-memory.dmp

Filesize
584KB

Download
memory/2072-222-0x0000000000000000-mapping.dmp

Download
memory/2364-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2364-272-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2364-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2364-179-0x0000000000000000-mapping.dmp

Download
memory/2364-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2364-202-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2536-341-0x0000000000000000-mapping.dmp

Download
memory/2796-137-0x0000000000000000-mapping.dmp

Download
memory/2820-193-0x00000000004D0000-0x00000000004F0000-memory.dmp

Filesize
128KB

Download
memory/2820-226-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/2820-189-0x0000000000000000-mapping.dmp

Download
memory/3108-173-0x0000000000000000-mapping.dmp

Download
memory/3288-223-0x0000000000000000-mapping.dmp

Download
memory/3400-139-0x0000000000000000-mapping.dmp

Download
memory/3624-220-0x0000000000000000-mapping.dmp

Download
memory/3712-196-0x0000000000650000-0x000000000068F000-memory.dmp

Filesize
252KB

Download
memory/3712-199-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3712-194-0x000000000070C000-0x0000000000733000-memory.dmp

Filesize
156KB

Download
memory/3712-273-0x000000000070C000-0x0000000000733000-memory.dmp

Filesize
156KB

Download
memory/3712-274-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3712-136-0x0000000000000000-mapping.dmp

Download
memory/4280-219-0x0000000000000000-mapping.dmp

Download
memory/4472-315-0x0000000000000000-mapping.dmp

Download
memory/4516-197-0x0000000010000000-0x0000000010B5F000-memory.dmp

Filesize
11.4MB

Download
memory/4516-181-0x0000000000000000-mapping.dmp

Download
memory/4596-141-0x0000000000000000-mapping.dmp

Download
memory/4628-221-0x0000000000000000-mapping.dmp

Download
memory/4636-180-0x0000000000000000-mapping.dmp

Download
memory/4636-299-0x0000000009CA0000-0x0000000009E62000-memory.dmp

Filesize
1.8MB

Download
memory/4636-207-0x00000000060A0000-0x00000000066B8000-memory.dmp

Filesize
6.1MB

Download
memory/4636-238-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/4636-300-0x000000000AAE0000-0x000000000B00C000-memory.dmp

Filesize
5.2MB

Download
memory/4636-209-0x0000000006040000-0x0000000006052000-memory.dmp

Filesize
72KB

Download
memory/4636-210-0x0000000008FB0000-0x0000000008FEC000-memory.dmp

Filesize
240KB

Download
memory/4636-195-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4636-208-0x0000000007A30000-0x0000000007B3A000-memory.dmp

Filesize
1.0MB

Download
memory/4636-298-0x0000000005F00000-0x0000000005F50000-memory.dmp

Filesize
320KB

Download
memory/4636-297-0x0000000009A50000-0x0000000009AC6000-memory.dmp

Filesize
472KB

Download
memory/4680-146-0x0000000000000000-mapping.dmp

Download
memory/4684-217-0x0000000000000000-mapping.dmp

Download
memory/4752-318-0x0000000000000000-mapping.dmp

Download
memory/4788-323-0x0000000000000000-mapping.dmp

Download
memory/4988-158-0x0000000000000000-mapping.dmp

Download
memory/5044-157-0x0000000000000000-mapping.dmp

Download
memory/5060-342-0x0000000000000000-mapping.dmp

Download
memory/9316-229-0x00000000059D0000-0x0000000005FF8000-memory.dmp

Filesize
6.2MB

Download
memory/9316-241-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/9316-227-0x0000000000000000-mapping.dmp

Download
memory/9316-228-0x0000000005360000-0x0000000005396000-memory.dmp

Filesize
216KB

Download
memory/9316-230-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/9316-231-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/9316-232-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/9316-240-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/10292-236-0x0000000000000000-mapping.dmp

Download
memory/10756-239-0x0000000000000000-mapping.dmp

Download
memory/10920-294-0x000002185BBD0000-0x000002185BBF2000-memory.dmp

Filesize
136KB

Download
memory/10920-296-0x00007FFBFE3D0000-0x00007FFBFEE91000-memory.dmp

Filesize
10.8MB

Download
memory/67016-259-0x0000000000000000-mapping.dmp

Download
memory/67632-275-0x00007FFBFE3D0000-0x00007FFBFEE91000-memory.dmp

Filesize
10.8MB

Download
memory/67632-268-0x00000212F0650000-0x00000212F0692000-memory.dmp

Filesize
264KB

Download
memory/67632-266-0x00000212D4F70000-0x00000212D50C8000-memory.dmp

Filesize
1.3MB

Download
memory/67632-308-0x00007FFBFE3D0000-0x00007FFBFEE91000-memory.dmp

Filesize
10.8MB

Download
memory/67632-261-0x0000000000000000-mapping.dmp

Download
memory/70996-283-0x0000000002333000-0x00000000023C5000-memory.dmp

Filesize
584KB

Download
memory/70996-270-0x0000000000000000-mapping.dmp

Download
memory/98616-276-0x0000000000000000-mapping.dmp

Download
memory/98616-316-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/98616-280-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/98616-285-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/98616-279-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/101684-281-0x0000000000000000-mapping.dmp

Download
memory/101684-284-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/101904-295-0x0000000000000000-mapping.dmp

Download
memory/102236-314-0x00000000005B0000-0x00000000005F7000-memory.dmp

Filesize
284KB

Download
memory/102236-311-0x000000000075F000-0x0000000000789000-memory.dmp

Filesize
168KB

Download
memory/102236-302-0x0000000000000000-mapping.dmp

Download
memory/102300-305-0x0000000000000000-mapping.dmp

Download
memory/102320-307-0x0000000000000000-mapping.dmp

Download
memory/102396-312-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/102396-320-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/102396-317-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/102396-309-0x0000000000000000-mapping.dmp

Download
memory/102396-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/102396-313-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download