cybergate | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975

Analysis

max time kernel
151s
max time network
176s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
Size

2.0MB
MD5

27c16af0dc1ca5114f02274e888859d3
SHA1

4dd821ebcb09acbfd94178e36f120b761362b4a3
SHA256

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975
SHA512

cea40e3fcf7cad69a9cb0aff50b3b6df65a499ce12ba883558a00aebb4e46a7ebc768dc44cb42315e9fe27755865ee313edc81b2157012c174de9076c46b54ab
SSDEEP

24576:CzGZ0XTB9109be930wzdHkh6wFXRDZEZnTuZOklkQQfn+3CvzuvUBMclcLSwU:CaSB910Q3LzdHEPqZ+OzsSSvUmMcWwU

Score

10^/10

cybergate pony vlc collection discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

pony

http://coc.zz.vc/gate.php

Extracted

Family

cybergate

Version

2.6

Botnet

VLC

ligtv.mooo.com:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
java
install_file
update.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

SystemFiles2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemFiles2.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

SystemFiles2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" SystemFiles2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SystemFiles2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	SystemFiles2.exe

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe	Nirsoft

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SystemFiles4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SystemFiles4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\java\\update.exe"	SystemFiles4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SystemFiles4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\java\\update.exe"	SystemFiles4.exe

Executes dropped EXE 8 IoCs

Processes:

SystemFiles1.exeSystemFiles2.exeSystemFiles3.exeSystemFiles4.exeSystemFiles5.exeNFWCHK.exeSystemFiles4.exeupdate.exe

pid	process
2020	SystemFiles1.exe
632	SystemFiles2.exe
1492	SystemFiles3.exe
904	SystemFiles4.exe
1180	SystemFiles5.exe
316	NFWCHK.exe
364	SystemFiles4.exe
1292	update.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeSystemFiles4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}\StubPath = "C:\\Program Files (x86)\\java\\update.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}	SystemFiles4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}\StubPath = "C:\\Program Files (x86)\\java\\update.exe Restart"	SystemFiles4.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/904-110-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/904-120-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1564-125-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1564-128-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/904-130-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/904-138-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/364-143-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/364-151-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/364-154-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Loads dropped DLL 29 IoCs

Processes:

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exeSystemFiles2.exeregsvr32.exeSystemFiles5.exeSystemFiles4.exeSystemFiles4.exeupdate.exe

pid	process
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
632	SystemFiles2.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
1536	regsvr32.exe
632	SystemFiles2.exe
1180	SystemFiles5.exe
904	SystemFiles4.exe
364	SystemFiles4.exe
1292	update.exe
1292	update.exe
1292	update.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

SystemFiles2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" SystemFiles2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	SystemFiles2.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

SystemFiles3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SystemFiles3.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

SystemFiles3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SystemFiles3.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SystemFiles2.exeSystemFiles4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SystemFiles2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\msdcsc.exe\""	SystemFiles2.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	SystemFiles2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\msdcsc.exe\""	SystemFiles2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SystemFiles4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\java\\update.exe"	SystemFiles4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	SystemFiles4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\java\\update.exe"	SystemFiles4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SystemFiles2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemFiles2.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 bot.whatismyipaddress.com
Drops file in System32 directory 1 IoCs

Processes:

SystemFiles2.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\MSWINSCK.OCX SystemFiles2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SystemFiles2.exe

flow	ioc
10	bot.whatismyipaddress.com

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	SystemFiles2.exe

Drops file in Program Files directory 4 IoCs

Processes:

SystemFiles4.exeSystemFiles4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\java\update.exe	SystemFiles4.exe
File opened for modification	C:\Program Files (x86)\java\update.exe	SystemFiles4.exe
File opened for modification	C:\Program Files (x86)\java\	SystemFiles4.exe
File created	C:\Program Files (x86)\java\update.exe	SystemFiles4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SystemFiles4.exe

pid process

904 SystemFiles4.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SystemFiles4.exe

pid process

364 SystemFiles4.exe

pid	process
904	SystemFiles4.exe

pid	process
364	SystemFiles4.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

SystemFiles3.exeSystemFiles2.exeSystemFiles4.exeSystemFiles1.exe

description	pid	process
Token: SeImpersonatePrivilege	1492	SystemFiles3.exe
Token: SeTcbPrivilege	1492	SystemFiles3.exe
Token: SeChangeNotifyPrivilege	1492	SystemFiles3.exe
Token: SeCreateTokenPrivilege	1492	SystemFiles3.exe
Token: SeBackupPrivilege	1492	SystemFiles3.exe
Token: SeRestorePrivilege	1492	SystemFiles3.exe
Token: SeIncreaseQuotaPrivilege	1492	SystemFiles3.exe
Token: SeAssignPrimaryTokenPrivilege	1492	SystemFiles3.exe
Token: SeBackupPrivilege	632	SystemFiles2.exe
Token: SeDebugPrivilege	364	SystemFiles4.exe
Token: SeDebugPrivilege	364	SystemFiles4.exe
Token: SeImpersonatePrivilege	1492	SystemFiles3.exe
Token: SeTcbPrivilege	1492	SystemFiles3.exe
Token: SeChangeNotifyPrivilege	1492	SystemFiles3.exe
Token: SeCreateTokenPrivilege	1492	SystemFiles3.exe
Token: SeBackupPrivilege	1492	SystemFiles3.exe
Token: SeRestorePrivilege	1492	SystemFiles3.exe
Token: SeIncreaseQuotaPrivilege	1492	SystemFiles3.exe
Token: SeAssignPrimaryTokenPrivilege	1492	SystemFiles3.exe
Token: SeImpersonatePrivilege	1492	SystemFiles3.exe
Token: SeTcbPrivilege	1492	SystemFiles3.exe
Token: SeChangeNotifyPrivilege	1492	SystemFiles3.exe
Token: SeCreateTokenPrivilege	1492	SystemFiles3.exe
Token: SeBackupPrivilege	1492	SystemFiles3.exe
Token: SeRestorePrivilege	1492	SystemFiles3.exe
Token: SeIncreaseQuotaPrivilege	1492	SystemFiles3.exe
Token: SeAssignPrimaryTokenPrivilege	1492	SystemFiles3.exe
Token: SeImpersonatePrivilege	1492	SystemFiles3.exe
Token: SeTcbPrivilege	1492	SystemFiles3.exe
Token: SeChangeNotifyPrivilege	1492	SystemFiles3.exe
Token: SeCreateTokenPrivilege	1492	SystemFiles3.exe
Token: SeBackupPrivilege	1492	SystemFiles3.exe
Token: SeRestorePrivilege	1492	SystemFiles3.exe
Token: SeIncreaseQuotaPrivilege	1492	SystemFiles3.exe
Token: SeAssignPrimaryTokenPrivilege	1492	SystemFiles3.exe
Token: SeDebugPrivilege	2020	SystemFiles1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SystemFiles4.exe

pid process

904 SystemFiles4.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exeSystemFiles2.exe

pid process

1016 f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
632 SystemFiles2.exe
632 SystemFiles2.exe

pid	process
904	SystemFiles4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exeSystemFiles2.exeSystemFiles5.exeSystemFiles4.exe

description	pid	process	target process
PID 1016 wrote to memory of 2020	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles1.exe
PID 1016 wrote to memory of 2020	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles1.exe
PID 1016 wrote to memory of 2020	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles1.exe
PID 1016 wrote to memory of 2020	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles1.exe
PID 1016 wrote to memory of 632	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles2.exe
PID 1016 wrote to memory of 632	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles2.exe
PID 1016 wrote to memory of 632	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles2.exe
PID 1016 wrote to memory of 632	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles2.exe
PID 1016 wrote to memory of 1492	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles3.exe
PID 1016 wrote to memory of 1492	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles3.exe
PID 1016 wrote to memory of 1492	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles3.exe
PID 1016 wrote to memory of 1492	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles3.exe
PID 1016 wrote to memory of 904	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles4.exe
PID 1016 wrote to memory of 904	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles4.exe
PID 1016 wrote to memory of 904	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles4.exe
PID 1016 wrote to memory of 904	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles4.exe
PID 1016 wrote to memory of 1180	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles5.exe
PID 1016 wrote to memory of 1180	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles5.exe
PID 1016 wrote to memory of 1180	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles5.exe
PID 1016 wrote to memory of 1180	1016	f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe	SystemFiles5.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 632 wrote to memory of 1536	632	SystemFiles2.exe	regsvr32.exe
PID 1180 wrote to memory of 316	1180	SystemFiles5.exe	NFWCHK.exe
PID 1180 wrote to memory of 316	1180	SystemFiles5.exe	NFWCHK.exe
PID 1180 wrote to memory of 316	1180	SystemFiles5.exe	NFWCHK.exe
PID 1180 wrote to memory of 316	1180	SystemFiles5.exe	NFWCHK.exe
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE
PID 904 wrote to memory of 1264	904	SystemFiles4.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

SystemFiles2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemFiles2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SystemFiles2.exe

outlook_win_path 1 IoCs

Processes:

SystemFiles3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SystemFiles3.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
"C:\Users\Admin\AppData\Local\Temp\f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
"C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
"C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe"
3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:632

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s MSWINSCK.OCX
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1536

C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
"C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1492

C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
"C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
"C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Program Files (x86)\java\update.exe
"C:\Program Files (x86)\java\update.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292

C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
"C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
4⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\java\update.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
C:\Program Files (x86)\java\update.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
Filesize
219KB

MD5
0b60800a42e138e4b1d93889e09ea983

SHA1
c70abecd66083521d754d400a3960f2f41071769

SHA256
33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

SHA512
6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
Filesize
219KB

MD5
0b60800a42e138e4b1d93889e09ea983

SHA1
c70abecd66083521d754d400a3960f2f41071769

SHA256
33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

SHA512
6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
Filesize
81KB

MD5
1d8194a7572393ec1c123abdaa603b08

SHA1
6d57906c1e986dc3614b2e863320c66d28f27836

SHA256
51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12

SHA512
c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
Filesize
757KB

MD5
7edfb48f6a937f5f3a28c822d2439ef1

SHA1
fc738054aa28a406e3cb7676594aec37cd0a96b2

SHA256
ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048

SHA512
41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
810f6f6ae01221ad752cc4f8208b6975

SHA1
8ea3d1c787344a92cdde0b124ffbf3458f4aa9f9

SHA256
101bdc977e963978d57df8c4a84c5444bdb3674be77503d925793afa139d9155

SHA512
fff9785096e9ca5632ea043932aaadee3b8390ff09a8c02587bbfb1b94b382449ea04434a27fc76f895ca1003aa893008b5c4bb4d4400fac89641cb840cab464

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Filesize
6KB

MD5
b0ef777a6bd0ff0fcf941e530a565572

SHA1
faae7333444748167976448512179ab57d9ae560

SHA256
bdaae5a7c2a20a34f9c975508ffe79f94e2ce7db415b32f04dd876a07620d7b3

SHA512
04c958417f76eb74725c0c559ae00aa96fb2919ae7ee5840ba31b14537d7d17955095672b4e29353f78a37261c529510e132dc5c082281c65d021b9a3ffc8daf

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Filesize
6KB

MD5
b0ef777a6bd0ff0fcf941e530a565572

SHA1
faae7333444748167976448512179ab57d9ae560

SHA256
bdaae5a7c2a20a34f9c975508ffe79f94e2ce7db415b32f04dd876a07620d7b3

SHA512
04c958417f76eb74725c0c559ae00aa96fb2919ae7ee5840ba31b14537d7d17955095672b4e29353f78a37261c529510e132dc5c082281c65d021b9a3ffc8daf

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX
Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Program Files (x86)\java\update.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Program Files (x86)\java\update.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Program Files (x86)\java\update.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Program Files (x86)\java\update.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
Filesize
219KB

MD5
0b60800a42e138e4b1d93889e09ea983

SHA1
c70abecd66083521d754d400a3960f2f41071769

SHA256
33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

SHA512
6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
Filesize
219KB

MD5
0b60800a42e138e4b1d93889e09ea983

SHA1
c70abecd66083521d754d400a3960f2f41071769

SHA256
33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

SHA512
6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
Filesize
219KB

MD5
0b60800a42e138e4b1d93889e09ea983

SHA1
c70abecd66083521d754d400a3960f2f41071769

SHA256
33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

SHA512
6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
Filesize
219KB

MD5
0b60800a42e138e4b1d93889e09ea983

SHA1
c70abecd66083521d754d400a3960f2f41071769

SHA256
33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

SHA512
6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize
644KB

MD5
59404595db8d9749dfc0af4361cb0f64

SHA1
76b7c2ee39563c9d736abc48e3208d96ae30a547

SHA256
be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

SHA512
2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
Filesize
81KB

MD5
1d8194a7572393ec1c123abdaa603b08

SHA1
6d57906c1e986dc3614b2e863320c66d28f27836

SHA256
51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12

SHA512
c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
Filesize
81KB

MD5
1d8194a7572393ec1c123abdaa603b08

SHA1
6d57906c1e986dc3614b2e863320c66d28f27836

SHA256
51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12

SHA512
c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
Filesize
81KB

MD5
1d8194a7572393ec1c123abdaa603b08

SHA1
6d57906c1e986dc3614b2e863320c66d28f27836

SHA256
51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12

SHA512
c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
Filesize
81KB

MD5
1d8194a7572393ec1c123abdaa603b08

SHA1
6d57906c1e986dc3614b2e863320c66d28f27836

SHA256
51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12

SHA512
c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize
290KB

MD5
f14836901e0c55968202cb3d80ed660a

SHA1
19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

SHA256
7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

SHA512
f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
Filesize
757KB

MD5
7edfb48f6a937f5f3a28c822d2439ef1

SHA1
fc738054aa28a406e3cb7676594aec37cd0a96b2

SHA256
ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048

SHA512
41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
Filesize
757KB

MD5
7edfb48f6a937f5f3a28c822d2439ef1

SHA1
fc738054aa28a406e3cb7676594aec37cd0a96b2

SHA256
ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048

SHA512
41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
Filesize
757KB

MD5
7edfb48f6a937f5f3a28c822d2439ef1

SHA1
fc738054aa28a406e3cb7676594aec37cd0a96b2

SHA256
ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048

SHA512
41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa

Download Submit
\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
Filesize
757KB

MD5
7edfb48f6a937f5f3a28c822d2439ef1

SHA1
fc738054aa28a406e3cb7676594aec37cd0a96b2

SHA256
ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048

SHA512
41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe
Filesize
6KB

MD5
b0ef777a6bd0ff0fcf941e530a565572

SHA1
faae7333444748167976448512179ab57d9ae560

SHA256
bdaae5a7c2a20a34f9c975508ffe79f94e2ce7db415b32f04dd876a07620d7b3

SHA512
04c958417f76eb74725c0c559ae00aa96fb2919ae7ee5840ba31b14537d7d17955095672b4e29353f78a37261c529510e132dc5c082281c65d021b9a3ffc8daf

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX
Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX
Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/316-103-0x0000000000000000-mapping.dmp

Download
memory/316-119-0x000007FEEE900000-0x000007FEEF996000-memory.dmp

Filesize
16.6MB

Download
memory/316-106-0x000007FEF4310000-0x000007FEF4D33000-memory.dmp

Filesize
10.1MB

Download
memory/364-154-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/364-151-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/364-143-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/364-135-0x0000000000000000-mapping.dmp

Download
memory/632-68-0x0000000000000000-mapping.dmp

Download
memory/904-110-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/904-83-0x0000000000000000-mapping.dmp

Download
memory/904-130-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/904-138-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/904-120-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1016-56-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1180-94-0x0000000000000000-mapping.dmp

Download
memory/1264-113-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1292-145-0x0000000000000000-mapping.dmp

Download
memory/1492-74-0x0000000000000000-mapping.dmp

Download
memory/1536-93-0x0000000000000000-mapping.dmp

Download
memory/1564-128-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1564-125-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1564-118-0x0000000073DB1000-0x0000000073DB3000-memory.dmp

Filesize
8KB

Download
memory/1564-116-0x0000000000000000-mapping.dmp

Download
memory/2020-107-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-61-0x0000000000000000-mapping.dmp

Download
memory/2020-152-0x0000000000A66000-0x0000000000A77000-memory.dmp

Filesize
68KB

Download
memory/2020-153-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-155-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-156-0x0000000000A66000-0x0000000000A77000-memory.dmp

Filesize
68KB

Download