01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Analysis

max time kernel
45s
max time network
66s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31-12-2022 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Size

2.0MB
MD5

c5d373a1954822afcddcc785e6ad6045
SHA1

4db2eea6bd6cf5ea40ea14c3ecbf3845d05dae73
SHA256

01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
SHA512

67a44eef568aa7d3444313256146af4e26a8614326f0b6ecf029f765733c38fb8ab54986f25969a9030de3a3bf9408373e0c1d23b049e0cfb908fa8faf1d981a
SSDEEP

24576:S2IOcUV7/Fbi06CFZZxdhf8T7njJfl0POn2AknzL+STqPeoAt6ae7yStHq+p19Sk:S1UVbRioFZZxT6SOn2AHbSTJA9TyC131

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\DwQIAEgE\\RukowIMY.exe,"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\DwQIAEgE\\RukowIMY.exe,"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
548	Buwsokww.exe
836	RukowIMY.exe
2016	jiUUAccc.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\CompareSuspend.png.exe	RukowIMY.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	RukowIMY.exe

Loads dropped DLL 32 IoCs

pid	Process
536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RukowIMY.exe = "C:\\ProgramData\\DwQIAEgE\\RukowIMY.exe"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RukowIMY.exe = "C:\\ProgramData\\DwQIAEgE\\RukowIMY.exe"	RukowIMY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Buwsokww.exe = "C:\\Users\\Admin\\yQEggsIk\\Buwsokww.exe"	Buwsokww.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RukowIMY.exe = "C:\\ProgramData\\DwQIAEgE\\RukowIMY.exe"	jiUUAccc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Buwsokww.exe = "C:\\Users\\Admin\\yQEggsIk\\Buwsokww.exe"	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\yQEggsIk	jiUUAccc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\yQEggsIk\Buwsokww	jiUUAccc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	RukowIMY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 27 IoCs

Modify Registry

T1112

pid	Process
1672	reg.exe
2792	reg.exe
2724	reg.exe
1680	reg.exe
2396	reg.exe
2176	reg.exe
1888	reg.exe
2376	reg.exe
920	reg.exe
584	reg.exe
2664	reg.exe
1724	reg.exe
1844	reg.exe
2412	reg.exe
2748	reg.exe
1676	reg.exe
1948	reg.exe
1204	reg.exe
2952	reg.exe
2764	reg.exe
2212	reg.exe
2108	reg.exe
3012	reg.exe
2972	reg.exe
1680	reg.exe
780	reg.exe
2672	reg.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
1068	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
1068	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
1568	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
1568	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2344	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2344	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2640	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2640	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
3056	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
3056	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
836	RukowIMY.exe
2380	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
2380	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe
836	RukowIMY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 548	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	27
PID 536 wrote to memory of 548	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	27
PID 536 wrote to memory of 548	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	27
PID 536 wrote to memory of 548	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	27
PID 536 wrote to memory of 836	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	28
PID 536 wrote to memory of 836	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	28
PID 536 wrote to memory of 836	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	28
PID 536 wrote to memory of 836	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	28
PID 536 wrote to memory of 568	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	30
PID 536 wrote to memory of 568	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	30
PID 536 wrote to memory of 568	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	30
PID 536 wrote to memory of 568	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	30
PID 568 wrote to memory of 1320	568	cmd.exe	32
PID 568 wrote to memory of 1320	568	cmd.exe	32
PID 568 wrote to memory of 1320	568	cmd.exe	32
PID 568 wrote to memory of 1320	568	cmd.exe	32
PID 536 wrote to memory of 1680	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	33
PID 536 wrote to memory of 1680	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	33
PID 536 wrote to memory of 1680	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	33
PID 536 wrote to memory of 1680	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	33
PID 536 wrote to memory of 584	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	38
PID 536 wrote to memory of 584	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	38
PID 536 wrote to memory of 584	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	38
PID 536 wrote to memory of 584	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	38
PID 536 wrote to memory of 920	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	36
PID 536 wrote to memory of 920	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	36
PID 536 wrote to memory of 920	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	36
PID 536 wrote to memory of 920	536	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	36
PID 1320 wrote to memory of 1940	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	42
PID 1320 wrote to memory of 1940	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	42
PID 1320 wrote to memory of 1940	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	42
PID 1320 wrote to memory of 1940	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	42
PID 1940 wrote to memory of 2036	1940	cmd.exe	44
PID 1940 wrote to memory of 2036	1940	cmd.exe	44
PID 1940 wrote to memory of 2036	1940	cmd.exe	44
PID 1940 wrote to memory of 2036	1940	cmd.exe	44
PID 1320 wrote to memory of 1888	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	45
PID 1320 wrote to memory of 1888	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	45
PID 1320 wrote to memory of 1888	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	45
PID 1320 wrote to memory of 1888	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	45
PID 1320 wrote to memory of 780	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	46
PID 1320 wrote to memory of 780	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	46
PID 1320 wrote to memory of 780	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	46
PID 1320 wrote to memory of 780	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	46
PID 1320 wrote to memory of 1724	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	48
PID 1320 wrote to memory of 1724	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	48
PID 1320 wrote to memory of 1724	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	48
PID 1320 wrote to memory of 1724	1320	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	48
PID 2036 wrote to memory of 1336	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	51
PID 2036 wrote to memory of 1336	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	51
PID 2036 wrote to memory of 1336	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	51
PID 2036 wrote to memory of 1336	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	51
PID 1336 wrote to memory of 1068	1336	cmd.exe	53
PID 1336 wrote to memory of 1068	1336	cmd.exe	53
PID 1336 wrote to memory of 1068	1336	cmd.exe	53
PID 1336 wrote to memory of 1068	1336	cmd.exe	53
PID 2036 wrote to memory of 1672	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	54
PID 2036 wrote to memory of 1672	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	54
PID 2036 wrote to memory of 1672	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	54
PID 2036 wrote to memory of 1672	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	54
PID 2036 wrote to memory of 1844	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	55
PID 2036 wrote to memory of 1844	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	55
PID 2036 wrote to memory of 1844	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	55
PID 2036 wrote to memory of 1844	2036	01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe	55

C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
"C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\yQEggsIk\Buwsokww.exe
  "C:\Users\Admin\yQEggsIk\Buwsokww.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:548
- C:\ProgramData\DwQIAEgE\RukowIMY.exe
  "C:\ProgramData\DwQIAEgE\RukowIMY.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
    C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        8⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        10⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        12⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        14⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9"
        16⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9.exe
        
        C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1204
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1672
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1844
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1680
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:584

C:\ProgramData\gkkYAAgI\jiUUAccc.exe
C:\ProgramData\gkkYAAgI\jiUUAccc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1156253411-442564650-248895138-337060160-4824722591366137121567468501-160874046"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DwQIAEgE\RukowIMY.exe

Filesize
2.0MB

MD5
4d14fb66cea959ae62a92759aa4fbc87

SHA1
d1e5e1ddfe9ff78c562ff1b53c4a1a526d3ad9db

SHA256
1f8ce66e0357a5db46e26b47e93301507ba130531503a49b725f902f81012b5b

SHA512
58d895291d9a047a68109920b1c9c3fd73e4b59d6bb4ea02191fc559fb020c423840e86f85b1b34b5bffb303b75b314d4715893ee8dd4f5ff6ff661265e6fecb

Download Submit
C:\ProgramData\DwQIAEgE\RukowIMY.exe

Filesize
2.0MB

MD5
4d14fb66cea959ae62a92759aa4fbc87

SHA1
d1e5e1ddfe9ff78c562ff1b53c4a1a526d3ad9db

SHA256
1f8ce66e0357a5db46e26b47e93301507ba130531503a49b725f902f81012b5b

SHA512
58d895291d9a047a68109920b1c9c3fd73e4b59d6bb4ea02191fc559fb020c423840e86f85b1b34b5bffb303b75b314d4715893ee8dd4f5ff6ff661265e6fecb

Download Submit
C:\ProgramData\gkkYAAgI\jiUUAccc.exe

Filesize
2.0MB

MD5
aa6791dd2ed40d6896593160828905e8

SHA1
cc51eb40314807edf29b54e15361e7ccf388bd96

SHA256
35a6ff7aab24421bcdddb902903ef0d47abd09f460371943a97c743d04a1d425

SHA512
e3c28f875c427a80216a01e0da8d2a428fb4589b11e4f5b6dca1ea66d36d7d473142a0b4d49017bf5703ef68a9dcf78ef012b3d7c51c81a8fd7de834dd26ce50

Download Submit
C:\ProgramData\gkkYAAgI\jiUUAccc.exe

Filesize
2.0MB

MD5
aa6791dd2ed40d6896593160828905e8

SHA1
cc51eb40314807edf29b54e15361e7ccf388bd96

SHA256
35a6ff7aab24421bcdddb902903ef0d47abd09f460371943a97c743d04a1d425

SHA512
e3c28f875c427a80216a01e0da8d2a428fb4589b11e4f5b6dca1ea66d36d7d473142a0b4d49017bf5703ef68a9dcf78ef012b3d7c51c81a8fd7de834dd26ce50

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9

Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\yQEggsIk\Buwsokww.exe

Filesize
2.1MB

MD5
ab2a70822ba5da531299445067786a59

SHA1
0e7e0d9e28ae889b85b98b5ee0bdd7b8ecf17862

SHA256
6912ca163ec8283c156f3e8afc1bfd71a503a9e0268f0efb442388ddfcdca663

SHA512
0c7c7d7bca437e4e7a2c147ff0a4a8c971580dea64499283cb8419ca1748eb62851430dc3f0b6d3f59dc12cdcc9a627e993750dba367a03558c2ba088f01711f

Download Submit
C:\Users\Admin\yQEggsIk\Buwsokww.exe

Filesize
2.1MB

MD5
ab2a70822ba5da531299445067786a59

SHA1
0e7e0d9e28ae889b85b98b5ee0bdd7b8ecf17862

SHA256
6912ca163ec8283c156f3e8afc1bfd71a503a9e0268f0efb442388ddfcdca663

SHA512
0c7c7d7bca437e4e7a2c147ff0a4a8c971580dea64499283cb8419ca1748eb62851430dc3f0b6d3f59dc12cdcc9a627e993750dba367a03558c2ba088f01711f

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\DwQIAEgE\RukowIMY.exe

Filesize
2.0MB

MD5
4d14fb66cea959ae62a92759aa4fbc87

SHA1
d1e5e1ddfe9ff78c562ff1b53c4a1a526d3ad9db

SHA256
1f8ce66e0357a5db46e26b47e93301507ba130531503a49b725f902f81012b5b

SHA512
58d895291d9a047a68109920b1c9c3fd73e4b59d6bb4ea02191fc559fb020c423840e86f85b1b34b5bffb303b75b314d4715893ee8dd4f5ff6ff661265e6fecb

Download Submit
\ProgramData\DwQIAEgE\RukowIMY.exe

Filesize
2.0MB

MD5
4d14fb66cea959ae62a92759aa4fbc87

SHA1
d1e5e1ddfe9ff78c562ff1b53c4a1a526d3ad9db

SHA256
1f8ce66e0357a5db46e26b47e93301507ba130531503a49b725f902f81012b5b

SHA512
58d895291d9a047a68109920b1c9c3fd73e4b59d6bb4ea02191fc559fb020c423840e86f85b1b34b5bffb303b75b314d4715893ee8dd4f5ff6ff661265e6fecb

Download Submit
\ProgramData\DwQIAEgE\RukowIMY.exe

Filesize
2.0MB

MD5
4d14fb66cea959ae62a92759aa4fbc87

SHA1
d1e5e1ddfe9ff78c562ff1b53c4a1a526d3ad9db

SHA256
1f8ce66e0357a5db46e26b47e93301507ba130531503a49b725f902f81012b5b

SHA512
58d895291d9a047a68109920b1c9c3fd73e4b59d6bb4ea02191fc559fb020c423840e86f85b1b34b5bffb303b75b314d4715893ee8dd4f5ff6ff661265e6fecb

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\ProgramData\gkkYAAgI\jiUUAccc.exe

Filesize
2.0MB

MD5
aa6791dd2ed40d6896593160828905e8

SHA1
cc51eb40314807edf29b54e15361e7ccf388bd96

SHA256
35a6ff7aab24421bcdddb902903ef0d47abd09f460371943a97c743d04a1d425

SHA512
e3c28f875c427a80216a01e0da8d2a428fb4589b11e4f5b6dca1ea66d36d7d473142a0b4d49017bf5703ef68a9dcf78ef012b3d7c51c81a8fd7de834dd26ce50

Download Submit
\ProgramData\gkkYAAgI\jiUUAccc.exe

Filesize
2.0MB

MD5
aa6791dd2ed40d6896593160828905e8

SHA1
cc51eb40314807edf29b54e15361e7ccf388bd96

SHA256
35a6ff7aab24421bcdddb902903ef0d47abd09f460371943a97c743d04a1d425

SHA512
e3c28f875c427a80216a01e0da8d2a428fb4589b11e4f5b6dca1ea66d36d7d473142a0b4d49017bf5703ef68a9dcf78ef012b3d7c51c81a8fd7de834dd26ce50

Download Submit
\Users\Admin\yQEggsIk\Buwsokww.exe

Filesize
2.1MB

MD5
ab2a70822ba5da531299445067786a59

SHA1
0e7e0d9e28ae889b85b98b5ee0bdd7b8ecf17862

SHA256
6912ca163ec8283c156f3e8afc1bfd71a503a9e0268f0efb442388ddfcdca663

SHA512
0c7c7d7bca437e4e7a2c147ff0a4a8c971580dea64499283cb8419ca1748eb62851430dc3f0b6d3f59dc12cdcc9a627e993750dba367a03558c2ba088f01711f

Download Submit
\Users\Admin\yQEggsIk\Buwsokww.exe

Filesize
2.1MB

MD5
ab2a70822ba5da531299445067786a59

SHA1
0e7e0d9e28ae889b85b98b5ee0bdd7b8ecf17862

SHA256
6912ca163ec8283c156f3e8afc1bfd71a503a9e0268f0efb442388ddfcdca663

SHA512
0c7c7d7bca437e4e7a2c147ff0a4a8c971580dea64499283cb8419ca1748eb62851430dc3f0b6d3f59dc12cdcc9a627e993750dba367a03558c2ba088f01711f

Download Submit
\Users\Admin\yQEggsIk\Buwsokww.exe

Filesize
2.1MB

MD5
ab2a70822ba5da531299445067786a59

SHA1
0e7e0d9e28ae889b85b98b5ee0bdd7b8ecf17862

SHA256
6912ca163ec8283c156f3e8afc1bfd71a503a9e0268f0efb442388ddfcdca663

SHA512
0c7c7d7bca437e4e7a2c147ff0a4a8c971580dea64499283cb8419ca1748eb62851430dc3f0b6d3f59dc12cdcc9a627e993750dba367a03558c2ba088f01711f

Download Submit
memory/536-60-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/536-54-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/536-55-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/536-126-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/548-131-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/548-71-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/548-153-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/548-58-0x0000000000000000-mapping.dmp

Download
memory/548-65-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/568-72-0x0000000000000000-mapping.dmp

Download
memory/584-86-0x0000000000000000-mapping.dmp

Download
memory/780-116-0x0000000000000000-mapping.dmp

Download
memory/780-93-0x0000000000000000-mapping.dmp

Download
memory/836-67-0x00000000002C0000-0x0000000000349000-memory.dmp

Filesize
548KB

Download
memory/836-63-0x0000000000000000-mapping.dmp

Download
memory/836-184-0x0000000009C40000-0x0000000009D9C000-memory.dmp

Filesize
1.4MB

Download
memory/836-136-0x00000000002C0000-0x0000000000349000-memory.dmp

Filesize
548KB

Download
memory/836-70-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/836-174-0x0000000009C40000-0x0000000009D9C000-memory.dmp

Filesize
1.4MB

Download
memory/836-172-0x0000000006510000-0x0000000006513000-memory.dmp

Filesize
12KB

Download
memory/836-152-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/920-87-0x0000000000000000-mapping.dmp

Download
memory/1068-111-0x0000000000000000-mapping.dmp

Download
memory/1068-117-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1068-179-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1204-120-0x0000000000000000-mapping.dmp

Download
memory/1320-88-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1320-77-0x0000000000000000-mapping.dmp

Download
memory/1320-84-0x0000000001DA0000-0x0000000001E32000-memory.dmp

Filesize
584KB

Download
memory/1320-162-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1336-110-0x0000000000000000-mapping.dmp

Download
memory/1568-118-0x0000000000000000-mapping.dmp

Download
memory/1568-127-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/1568-180-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1568-132-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1672-112-0x0000000000000000-mapping.dmp

Download
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1680-121-0x0000000000000000-mapping.dmp

Download
memory/1680-85-0x0000000000000000-mapping.dmp

Download
memory/1724-94-0x0000000000000000-mapping.dmp

Download
memory/1844-113-0x0000000000000000-mapping.dmp

Download
memory/1888-92-0x0000000000000000-mapping.dmp

Download
memory/1940-90-0x0000000000000000-mapping.dmp

Download
memory/1948-119-0x0000000000000000-mapping.dmp

Download
memory/2016-137-0x0000000000220000-0x00000000002AB000-memory.dmp

Filesize
556KB

Download
memory/2016-69-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/2016-151-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/2016-68-0x0000000000220000-0x00000000002AB000-memory.dmp

Filesize
556KB

Download
memory/2036-91-0x0000000000000000-mapping.dmp

Download
memory/2036-169-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2036-95-0x0000000001D90000-0x0000000001E22000-memory.dmp

Filesize
584KB

Download
memory/2036-108-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2108-168-0x0000000000000000-mapping.dmp

Download
memory/2176-167-0x0000000000000000-mapping.dmp

Download
memory/2212-171-0x0000000000000000-mapping.dmp

Download
memory/2280-165-0x0000000000000000-mapping.dmp

Download
memory/2300-129-0x0000000000000000-mapping.dmp

Download
memory/2344-181-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2344-130-0x0000000000000000-mapping.dmp

Download
memory/2344-138-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2376-133-0x0000000000000000-mapping.dmp

Download
memory/2380-166-0x0000000000000000-mapping.dmp

Download
memory/2380-178-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2380-173-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2380-170-0x0000000000230000-0x00000000002C2000-memory.dmp

Filesize
584KB

Download
memory/2396-134-0x0000000000000000-mapping.dmp

Download
memory/2412-135-0x0000000000000000-mapping.dmp

Download
memory/2608-140-0x0000000000000000-mapping.dmp

Download
memory/2640-182-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2640-141-0x0000000000000000-mapping.dmp

Download
memory/2640-154-0x0000000001D30000-0x0000000001DC2000-memory.dmp

Filesize
584KB

Download
memory/2640-155-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2664-160-0x0000000000000000-mapping.dmp

Download
memory/2672-161-0x0000000000000000-mapping.dmp

Download
memory/2724-159-0x0000000000000000-mapping.dmp

Download
memory/2748-148-0x0000000000000000-mapping.dmp

Download
memory/2764-149-0x0000000000000000-mapping.dmp

Download
memory/2792-150-0x0000000000000000-mapping.dmp

Download
memory/2952-175-0x0000000000000000-mapping.dmp

Download
memory/2972-176-0x0000000000000000-mapping.dmp

Download
memory/2976-157-0x0000000000000000-mapping.dmp

Download
memory/3012-177-0x0000000000000000-mapping.dmp

Download
memory/3056-163-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/3056-158-0x0000000000000000-mapping.dmp

Download
memory/3056-183-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download