amadey | 575e8d98c07947f598032245d513cde6e7e8059c7998e7ee5f0b92a75d10213d

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2023 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_soft.exe
Size

734.1MB
MD5

9d31e17b11395dc9b2e23b735e3fdb66
SHA1

163fa32c8564013c91caad6801c77b54df758f04
SHA256

94f41bb3d9a7a8b5e0fd58ad4e334d2c923a45cfb42a633b505bd94be8b2c127
SHA512

72fbe9173abb065f20409ce23ce3d3cc6af94468bfae9267926e6acb4203dc5d6fb7bac347c4c5d4ddb91aeff079bb3d87bbb3b2a355310723d6c76e4188b6dd
SSDEEP

98304:Y5I5x3omArylYOI5CAaT+dPas2Yv0zcBWc1fldTRwaykXf1DO4:15xqyoaT+dPB2mwq7T5bXf7

Score

10^/10

amadey dcrat redline smokeloader backdoor infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.65

83.217.11.7/8vcWxwwx3/index.php

Extracted

Family

redline

95.217.146.176:4281

Attributes

auth_value
a909e2aaecf96137978fea4f86400b9b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 17 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4396	schtasks.exe
4724	schtasks.exe
5100	schtasks.exe
4284	schtasks.exe
944	schtasks.exe
4620	schtasks.exe
3220	schtasks.exe
2816	schtasks.exe
1300	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\SystemCertificates\CA	powershell.exe
752	schtasks.exe
4936	schtasks.exe
2504	schtasks.exe
3496	schtasks.exe
372	schtasks.exe
4372	schtasks.exe
712	schtasks.exe

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2228-148-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2228-149-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2228-150-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

24 3836 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

ProgramStarter.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ProgramStarter.exe

flow	pid	process
24	3836	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ProgramStarter.exe

Executes dropped EXE 10 IoCs

Processes:

81B4.exe82AF.exenbveek.exe8734.exe8A81.exeProgramStarter.exeDefendUpdate.exenbveek.exeMicrosoftFIX_error.exenbveek.exe

pid	process
4668	81B4.exe
4012	82AF.exe
4748	nbveek.exe
3860	8734.exe
4052	8A81.exe
2968	ProgramStarter.exe
4276	DefendUpdate.exe
1704	nbveek.exe
1940	MicrosoftFIX_error.exe
1592	nbveek.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8A81.exe	upx
C:\Users\Admin\AppData\Local\Temp\8A81.exe	upx
behavioral2/memory/4052-197-0x0000000000EC0000-0x00000000016A5000-memory.dmp	upx
behavioral2/memory/4052-216-0x0000000000EC0000-0x00000000016A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe	upx
behavioral2/memory/4276-229-0x0000000000510000-0x0000000000CF5000-memory.dmp	upx
behavioral2/memory/4276-223-0x0000000000510000-0x0000000000CF5000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82AF.exenbveek.exe8734.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	82AF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8734.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1692 rundll32.exe
4108 rundll32.exe
1004 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 api.ipify.org
60 api.ipify.org

pid	process
1692	rundll32.exe
4108	rundll32.exe
1004	rundll32.exe

flow	ioc
59	api.ipify.org
60	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

powershell.exe

pid	process
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exe81B4.exenbveek.exenbveek.exe

description	pid	process	target process
PID 3836 set thread context of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 4668 set thread context of 2536	4668	81B4.exe	AppLaunch.exe
PID 4748 set thread context of 1704	4748	nbveek.exe	nbveek.exe
PID 1704 set thread context of 5056	1704	nbveek.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3520 4108 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3520	4108	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5100	schtasks.exe
712	schtasks.exe
2816	schtasks.exe
752	schtasks.exe
4936	schtasks.exe
4284	schtasks.exe
4724	schtasks.exe
2504	schtasks.exe
4372	schtasks.exe
944	schtasks.exe
372	schtasks.exe
4620	schtasks.exe
1300	schtasks.exe
4396	schtasks.exe
3496	schtasks.exe
3220	schtasks.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1948 taskkill.exe
1708 taskkill.exe
3112 taskkill.exe
2300 taskkill.exe
3656 taskkill.exe
4764 taskkill.exe

pid	process
1948	taskkill.exe
1708	taskkill.exe
3112	taskkill.exe
2300	taskkill.exe
3656	taskkill.exe
4764	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeaspnet_compiler.exe

pid	process
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
2228	aspnet_compiler.exe
2228	aspnet_compiler.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2648
Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

aspnet_compiler.exe

pid process

2228 aspnet_compiler.exe
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648

pid	process
2648

pid	process
2228	aspnet_compiler.exe
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeProgramStarter.exeAppLaunch.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2968	ProgramStarter.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	2536	AppLaunch.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeShutdownPrivilege	3680	powercfg.exe
Token: SeCreatePagefilePrivilege	3680	powercfg.exe
Token: SeShutdownPrivilege	636	powercfg.exe
Token: SeCreatePagefilePrivilege	636	powercfg.exe
Token: SeShutdownPrivilege	3544	powercfg.exe
Token: SeCreatePagefilePrivilege	3544	powercfg.exe
Token: SeShutdownPrivilege	3716	powercfg.exe
Token: SeCreatePagefilePrivilege	3716	powercfg.exe
Token: SeShutdownPrivilege	3812	powercfg.exe
Token: SeCreatePagefilePrivilege	3812	powercfg.exe
Token: SeShutdownPrivilege	3812	powercfg.exe
Token: SeCreatePagefilePrivilege	3812	powercfg.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	5056	AppLaunch.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_soft.exepowershell.execmd.exe82AF.exe81B4.exenbveek.execmd.exe

description	pid	process	target process
PID 2736 wrote to memory of 3836	2736	Setup_soft.exe	powershell.exe
PID 2736 wrote to memory of 3836	2736	Setup_soft.exe	powershell.exe
PID 2736 wrote to memory of 3836	2736	Setup_soft.exe	powershell.exe
PID 3836 wrote to memory of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 3836 wrote to memory of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 3836 wrote to memory of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 3836 wrote to memory of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 3836 wrote to memory of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 3836 wrote to memory of 2228	3836	powershell.exe	aspnet_compiler.exe
PID 2648 wrote to memory of 936	2648		cmd.exe
PID 2648 wrote to memory of 936	2648		cmd.exe
PID 936 wrote to memory of 3816	936	cmd.exe	cacls.exe
PID 936 wrote to memory of 3816	936	cmd.exe	cacls.exe
PID 936 wrote to memory of 4512	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 4512	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 4796	936	cmd.exe	reg.exe
PID 936 wrote to memory of 4796	936	cmd.exe	reg.exe
PID 936 wrote to memory of 4460	936	cmd.exe	reg.exe
PID 936 wrote to memory of 4460	936	cmd.exe	reg.exe
PID 936 wrote to memory of 3656	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 3656	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 4764	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 4764	936	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 4668	2648		81B4.exe
PID 2648 wrote to memory of 4668	2648		81B4.exe
PID 2648 wrote to memory of 4668	2648		81B4.exe
PID 936 wrote to memory of 1948	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 1948	936	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 4012	2648		82AF.exe
PID 2648 wrote to memory of 4012	2648		82AF.exe
PID 2648 wrote to memory of 4012	2648		82AF.exe
PID 936 wrote to memory of 1708	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 1708	936	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 3860	2648		8734.exe
PID 2648 wrote to memory of 3860	2648		8734.exe
PID 2648 wrote to memory of 3860	2648		8734.exe
PID 4012 wrote to memory of 4748	4012	82AF.exe	nbveek.exe
PID 4012 wrote to memory of 4748	4012	82AF.exe	nbveek.exe
PID 4012 wrote to memory of 4748	4012	82AF.exe	nbveek.exe
PID 4668 wrote to memory of 2536	4668	81B4.exe	AppLaunch.exe
PID 4668 wrote to memory of 2536	4668	81B4.exe	AppLaunch.exe
PID 4668 wrote to memory of 2536	4668	81B4.exe	AppLaunch.exe
PID 4668 wrote to memory of 2536	4668	81B4.exe	AppLaunch.exe
PID 4748 wrote to memory of 5100	4748	nbveek.exe	schtasks.exe
PID 4748 wrote to memory of 5100	4748	nbveek.exe	schtasks.exe
PID 4748 wrote to memory of 5100	4748	nbveek.exe	schtasks.exe
PID 4668 wrote to memory of 2536	4668	81B4.exe	AppLaunch.exe
PID 2648 wrote to memory of 4052	2648		8A81.exe
PID 2648 wrote to memory of 4052	2648		8A81.exe
PID 4748 wrote to memory of 3220	4748	nbveek.exe	cmd.exe
PID 4748 wrote to memory of 3220	4748	nbveek.exe	cmd.exe
PID 4748 wrote to memory of 3220	4748	nbveek.exe	cmd.exe
PID 2648 wrote to memory of 4432	2648		explorer.exe
PID 2648 wrote to memory of 4432	2648		explorer.exe
PID 2648 wrote to memory of 4432	2648		explorer.exe
PID 2648 wrote to memory of 4432	2648		explorer.exe
PID 936 wrote to memory of 3112	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 3112	936	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 1236	2648		explorer.exe
PID 2648 wrote to memory of 1236	2648		explorer.exe
PID 2648 wrote to memory of 1236	2648		explorer.exe
PID 3220 wrote to memory of 2860	3220	cmd.exe	cmd.exe
PID 3220 wrote to memory of 2860	3220	cmd.exe	cmd.exe
PID 3220 wrote to memory of 2860	3220	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Setup_soft.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_soft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
2⤵
- DcRat
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7976.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3
2⤵
PID:4796

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3
2⤵
PID:4460

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\81B4.exe
C:\Users\Admin\AppData\Local\Temp\81B4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Users\Admin\AppData\Local\Temp\82AF.exe
C:\Users\Admin\AppData\Local\Temp\82AF.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\8682d6c68d" /P "Admin:N"&&CACLS "..\8682d6c68d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2860

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
4⤵
PID:2912

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
4⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1200

C:\Windows\SysWOW64\cacls.exe
CACLS "..\8682d6c68d" /P "Admin:N"
4⤵
PID:4552

C:\Windows\SysWOW64\cacls.exe
CACLS "..\8682d6c68d" /P "Admin:R" /E
4⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe"
3⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe
4⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
3⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
3⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\1000045001\MicrosoftFIX_error.exe
"C:\Users\Admin\AppData\Local\Temp\1000045001\MicrosoftFIX_error.exe"
3⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:1692

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4108 -s 688
5⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:1004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\8A81.exe
C:\Users\Admin\AppData\Local\Temp\8A81.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\8A81.exe
2⤵
PID:3116

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
3⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\8734.exe
C:\Users\Admin\AppData\Local\Temp\8734.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3860

C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
"C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFQAQQBHAE8AYwB6AFkAUgBVAFIAVwBGAFkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBJAEIAYgBnAGkARgBSAFoAbgB4AGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFQAdQBSAHUATwBEAFIAUgBmAE0AYgBIAGwAeABXACMAPgAgAEAAKAAgADwAIwBGAFUAWQBtAFEAaQBEAGcAYwBlAGYAcgBxAG4AIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFMASwBDAHAAUwBZAEYAUwBUAG4AaABtAE0AdwBIAFMAeQBkACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBiAGIAcgBWAFAAZwBkAGYATgB0AFYAYwB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEUAawBQAFUAdQBrAEIAaQBxAGYAaABKACMAPgA="
3⤵
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFQAQQBHAE8AYwB6AFkAUgBVAFIAVwBGAFkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBJAEIAYgBnAGkARgBSAFoAbgB4AGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFQAdQBSAHUATwBEAFIAUgBmAE0AYgBIAGwAeABXACMAPgAgAEAAKAAgADwAIwBGAFUAWQBtAFEAaQBEAGcAYwBlAGYAcgBxAG4AIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFMASwBDAHAAUwBZAEYAUwBUAG4AaABtAE0AdwBIAFMAeQBkACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBiAGIAcgBWAFAAZwBkAGYATgB0AFYAYwB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEUAawBQAFUAdQBrAEIAaQBxAGYAaABKACMAPgA="
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4308

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4324

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:372

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2580

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:944

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4888

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4284

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2688

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2800

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3496

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:3732

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:2504

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk913" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4516

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk913" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4724

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk588" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2656

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk588" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk36" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:1084

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk36" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk158" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2912

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk158" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:100

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:2816

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk126" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk126" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1300

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
3⤵
PID:4216

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:984

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
1⤵
PID:1768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4108 -ip 4108
1⤵
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
2KB

MD5
09f87ebf033076d4019bf0a9ee1eb2e9

SHA1
b6f912c024056fd8b8353010f948dcbf3836e54a

SHA256
e9328bdf85ab57bacc3b598afe0f3f5da4bab5fbe43f60a8e11df110ecbb949a

SHA512
c7fd8c5b4a770a85c96da0b4dda5953398456f0d5ed9164b0d795835b338e6e5bb194dbfdde25372813e651730da3ccbd4eacd18f9a8524aa804209fb38d5618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
814947989ba650b60f865ed993f70214

SHA1
86be855bd98709bcb9b002de6f44afe14beb83ff

SHA256
f367cdeda228c76b9184d0a11d5697c9f0daf0bbeccf45dba77b1327da7aeed6

SHA512
312f4f57a91f8f29daf9756af729dc8cd1cd789a22c34b67baad1e503a7e77b3492d87ce05eff1922e8745eeedbb2ef263f05d8433d781929b3b5226433c6113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d260b9113078da49af4677c7901f5a03

SHA1
7d0778773d3d1e765a884bb03acdbccdeece582c

SHA256
e4e51ddb68b0d36fd0d284c35a13e24dcd60b405fde030db98d73e5035fc028a

SHA512
e89c9b953aca2f489affeacc6392459f55ae78658a65d78802f4468c0dddd1689092c84bed3d7cb199bb508558fd1997f757422d76b82d55b1c070f64845d356

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe
Filesize
2.4MB

MD5
b9095b36aebb1f46d374f13267900ce0

SHA1
5f824bd9f4e878055aa595d6d1abdda00ba04aa4

SHA256
747783ba8520d5a835da98c2d9cf3f1a85ee3d57693d7d35c43a2c9ac5dc4375

SHA512
b9737d6b393a0e8d97f93d19c2d03e738ede54cfc35bdb479f52e351daccfc3236855d24796b17b643d2209fb4dc0200837bd55a228ddf03098f37ba53bbb785

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\DefendUpdate.exe
Filesize
2.4MB

MD5
b9095b36aebb1f46d374f13267900ce0

SHA1
5f824bd9f4e878055aa595d6d1abdda00ba04aa4

SHA256
747783ba8520d5a835da98c2d9cf3f1a85ee3d57693d7d35c43a2c9ac5dc4375

SHA512
b9737d6b393a0e8d97f93d19c2d03e738ede54cfc35bdb479f52e351daccfc3236855d24796b17b643d2209fb4dc0200837bd55a228ddf03098f37ba53bbb785

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MicrosoftFIX_error.exe
Filesize
2.7MB

MD5
7d95e6447af860d34ca00dc9d5448882

SHA1
32d48ea0445920e44a8dd44674060ac4f6dd3906

SHA256
69671aa20e3af82c516d46bc255ec99867f171c9531fc74d4be75fc9c7b39e8f

SHA512
57d9e2584c7b4ea5d44d17f1ebe1a34a99ab3fbf47bd14bfbe67ccc52997e2d12feeed493625d390889b5f38c0354c0213de90817ec462ce57a8df7d00ea1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MicrosoftFIX_error.exe
Filesize
2.7MB

MD5
7d95e6447af860d34ca00dc9d5448882

SHA1
32d48ea0445920e44a8dd44674060ac4f6dd3906

SHA256
69671aa20e3af82c516d46bc255ec99867f171c9531fc74d4be75fc9c7b39e8f

SHA512
57d9e2584c7b4ea5d44d17f1ebe1a34a99ab3fbf47bd14bfbe67ccc52997e2d12feeed493625d390889b5f38c0354c0213de90817ec462ce57a8df7d00ea1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7976.bat
Filesize
998B

MD5
03ad944d6ba8497c2e69598371b03852

SHA1
fd768cc75ac280b6c0275ee97320916fcc6737a8

SHA256
fc5cd844cdaa40e4f8a522316fcc1d1120877014490aa20a2e0555064fea05fe

SHA512
6ae9f80aa827dfbadaa8f5ab6862beb2d1f937ba9135a180bcf278b1d364ff998eb99f4e8f2cd4f1c61370fdcdab6ce03aebf3d2dc046724aa35e34cc059ef00

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B4.exe
Filesize
3.7MB

MD5
2f0599fdbe497ee53cc19e931dfc488e

SHA1
461437da78493d25efb3e43f5a101af90e9f1a4f

SHA256
e0a6c0ae0e3208dd0dd780a48da43aac97936ed980550be30c22ade79bed4fdb

SHA512
927342d4638bc146c04d5521228b50e2b982dcdb44bf5fb03cac234ad31a48433139834d1a3537c24ffdbaa6ae1269ce5fefe2afb5a521339c10744bf62f2326

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B4.exe
Filesize
3.7MB

MD5
2f0599fdbe497ee53cc19e931dfc488e

SHA1
461437da78493d25efb3e43f5a101af90e9f1a4f

SHA256
e0a6c0ae0e3208dd0dd780a48da43aac97936ed980550be30c22ade79bed4fdb

SHA512
927342d4638bc146c04d5521228b50e2b982dcdb44bf5fb03cac234ad31a48433139834d1a3537c24ffdbaa6ae1269ce5fefe2afb5a521339c10744bf62f2326

Download Submit
C:\Users\Admin\AppData\Local\Temp\82AF.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\82AF.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8734.exe
Filesize
2.7MB

MD5
7d95e6447af860d34ca00dc9d5448882

SHA1
32d48ea0445920e44a8dd44674060ac4f6dd3906

SHA256
69671aa20e3af82c516d46bc255ec99867f171c9531fc74d4be75fc9c7b39e8f

SHA512
57d9e2584c7b4ea5d44d17f1ebe1a34a99ab3fbf47bd14bfbe67ccc52997e2d12feeed493625d390889b5f38c0354c0213de90817ec462ce57a8df7d00ea1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\8734.exe
Filesize
2.7MB

MD5
7d95e6447af860d34ca00dc9d5448882

SHA1
32d48ea0445920e44a8dd44674060ac4f6dd3906

SHA256
69671aa20e3af82c516d46bc255ec99867f171c9531fc74d4be75fc9c7b39e8f

SHA512
57d9e2584c7b4ea5d44d17f1ebe1a34a99ab3fbf47bd14bfbe67ccc52997e2d12feeed493625d390889b5f38c0354c0213de90817ec462ce57a8df7d00ea1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A81.exe
Filesize
2.4MB

MD5
b9095b36aebb1f46d374f13267900ce0

SHA1
5f824bd9f4e878055aa595d6d1abdda00ba04aa4

SHA256
747783ba8520d5a835da98c2d9cf3f1a85ee3d57693d7d35c43a2c9ac5dc4375

SHA512
b9737d6b393a0e8d97f93d19c2d03e738ede54cfc35bdb479f52e351daccfc3236855d24796b17b643d2209fb4dc0200837bd55a228ddf03098f37ba53bbb785

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A81.exe
Filesize
2.4MB

MD5
b9095b36aebb1f46d374f13267900ce0

SHA1
5f824bd9f4e878055aa595d6d1abdda00ba04aa4

SHA256
747783ba8520d5a835da98c2d9cf3f1a85ee3d57693d7d35c43a2c9ac5dc4375

SHA512
b9737d6b393a0e8d97f93d19c2d03e738ede54cfc35bdb479f52e351daccfc3236855d24796b17b643d2209fb4dc0200837bd55a228ddf03098f37ba53bbb785

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
Filesize
546KB

MD5
55d37f67671ab37b0c0a395e135ec1ad

SHA1
b533192ff541d4b0df5f79e9c554730ce660c5d0

SHA256
6235750e75a07d6cd69deebe1880a6e2e1173e2b020f45d6eec8344104368f3e

SHA512
dea08d9144fd6613e909b1e7b07d8d6079708b2ff88a957ab2a07c59f42de0e50110086b5b6120e84b0babb591bfe3fcf29753ce5d0a38f1dfc50af5e4d4f832

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
Filesize
546KB

MD5
55d37f67671ab37b0c0a395e135ec1ad

SHA1
b533192ff541d4b0df5f79e9c554730ce660c5d0

SHA256
6235750e75a07d6cd69deebe1880a6e2e1173e2b020f45d6eec8344104368f3e

SHA512
dea08d9144fd6613e909b1e7b07d8d6079708b2ff88a957ab2a07c59f42de0e50110086b5b6120e84b0babb591bfe3fcf29753ce5d0a38f1dfc50af5e4d4f832

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll
Filesize
89KB

MD5
8ee29b714ba490ec4a0828816f15ed4f

SHA1
0556df48a668c35c6611ffce1425f1d9e89d0cd7

SHA256
fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

SHA512
df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll
Filesize
89KB

MD5
8ee29b714ba490ec4a0828816f15ed4f

SHA1
0556df48a668c35c6611ffce1425f1d9e89d0cd7

SHA256
fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

SHA512
df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll
Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll
Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll
Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
memory/100-266-0x0000000000000000-mapping.dmp

Download
memory/372-271-0x0000000000000000-mapping.dmp

Download
memory/752-269-0x0000000000000000-mapping.dmp

Download
memory/836-232-0x0000000000000000-mapping.dmp

Download
memory/936-151-0x0000000000000000-mapping.dmp

Download
memory/944-273-0x0000000000000000-mapping.dmp

Download
memory/984-285-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/984-235-0x0000000000550000-0x000000000055B000-memory.dmp

Filesize
44KB

Download
memory/984-222-0x0000000000000000-mapping.dmp

Download
memory/984-234-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/1084-259-0x0000000000000000-mapping.dmp

Download
memory/1200-228-0x0000000000000000-mapping.dmp

Download
memory/1236-206-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

Filesize
24KB

Download
memory/1236-207-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/1236-265-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

Filesize
24KB

Download
memory/1236-202-0x0000000000000000-mapping.dmp

Download
memory/1516-227-0x0000000000000000-mapping.dmp

Download
memory/1704-289-0x0000000000400000-0x00000000009A3000-memory.dmp

Filesize
5.6MB

Download
memory/1704-278-0x0000000000400000-0x00000000009A3000-memory.dmp

Filesize
5.6MB

Download
memory/1704-308-0x0000000000400000-0x00000000009A3000-memory.dmp

Filesize
5.6MB

Download
memory/1704-284-0x0000000000400000-0x00000000009A3000-memory.dmp

Filesize
5.6MB

Download
memory/1708-173-0x0000000000000000-mapping.dmp

Download
memory/1736-225-0x0000000001400000-0x0000000001427000-memory.dmp

Filesize
156KB

Download
memory/1736-224-0x0000000001430000-0x0000000001452000-memory.dmp

Filesize
136KB

Download
memory/1736-276-0x0000000001430000-0x0000000001452000-memory.dmp

Filesize
136KB

Download
memory/1736-212-0x0000000000000000-mapping.dmp

Download
memory/1768-230-0x0000000000000000-mapping.dmp

Download
memory/1948-169-0x0000000000000000-mapping.dmp

Download
memory/1964-251-0x0000000000000000-mapping.dmp

Download
memory/2228-148-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2228-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2228-150-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2228-147-0x0000000000000000-mapping.dmp

Download
memory/2300-213-0x0000000000000000-mapping.dmp

Download
memory/2536-242-0x0000000006E90000-0x0000000007052000-memory.dmp

Filesize
1.8MB

Download
memory/2536-243-0x0000000007590000-0x0000000007ABC000-memory.dmp

Filesize
5.2MB

Download
memory/2536-201-0x00000000049C0000-0x00000000049FC000-memory.dmp

Filesize
240KB

Download
memory/2536-199-0x0000000004A00000-0x0000000004B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2536-198-0x0000000004EA0000-0x00000000054B8000-memory.dmp

Filesize
6.1MB

Download
memory/2536-184-0x0000000000000000-mapping.dmp

Download
memory/2536-185-0x0000000000150000-0x0000000000182000-memory.dmp

Filesize
200KB

Download
memory/2536-200-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/2580-250-0x0000000000000000-mapping.dmp

Download
memory/2656-257-0x0000000000000000-mapping.dmp

Download
memory/2680-237-0x0000000000000000-mapping.dmp

Download
memory/2680-301-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2680-240-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2680-239-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2688-253-0x0000000000000000-mapping.dmp

Download
memory/2736-133-0x0000000007E10000-0x00000000083B4000-memory.dmp

Filesize
5.6MB

Download
memory/2736-134-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/2736-135-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/2736-221-0x0000000000000000-mapping.dmp

Download
memory/2736-132-0x0000000000370000-0x00000000009DC000-memory.dmp

Filesize
6.4MB

Download
memory/2800-254-0x0000000000000000-mapping.dmp

Download
memory/2860-203-0x0000000000000000-mapping.dmp

Download
memory/2912-261-0x0000000000000000-mapping.dmp

Download
memory/2912-208-0x0000000000000000-mapping.dmp

Download
memory/2968-215-0x0000000000BE0000-0x0000000000C6E000-memory.dmp

Filesize
568KB

Download
memory/2968-209-0x0000000000000000-mapping.dmp

Download
memory/3112-196-0x0000000000000000-mapping.dmp

Download
memory/3116-214-0x0000000000000000-mapping.dmp

Download
memory/3176-226-0x0000000000000000-mapping.dmp

Download
memory/3220-192-0x0000000000000000-mapping.dmp

Download
memory/3244-280-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/3244-258-0x0000000006BE0000-0x0000000006C12000-memory.dmp

Filesize
200KB

Download
memory/3244-260-0x000000006C800000-0x000000006C84C000-memory.dmp

Filesize
304KB

Download
memory/3244-262-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download
memory/3244-245-0x0000000000000000-mapping.dmp

Download
memory/3244-274-0x00000000079A0000-0x00000000079AA000-memory.dmp

Filesize
40KB

Download
memory/3244-286-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/3244-275-0x0000000007C10000-0x0000000007CA6000-memory.dmp

Filesize
600KB

Download
memory/3244-277-0x0000000007B70000-0x0000000007B7E000-memory.dmp

Filesize
56KB

Download
memory/3496-272-0x0000000000000000-mapping.dmp

Download
memory/3656-165-0x0000000000000000-mapping.dmp

Download
memory/3680-268-0x0000000000000000-mapping.dmp

Download
memory/3732-255-0x0000000000000000-mapping.dmp

Download
memory/3816-153-0x0000000000000000-mapping.dmp

Download
memory/3836-142-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/3836-143-0x00000000065A0000-0x00000000065E4000-memory.dmp

Filesize
272KB

Download
memory/3836-146-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3836-144-0x0000000007240000-0x00000000072B6000-memory.dmp

Filesize
472KB

Download
memory/3836-141-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/3836-140-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/3836-139-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/3836-145-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/3836-138-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/3836-137-0x0000000002840000-0x0000000002876000-memory.dmp

Filesize
216KB

Download
memory/3836-136-0x0000000000000000-mapping.dmp

Download
memory/3860-177-0x0000000000000000-mapping.dmp

Download
memory/3860-183-0x0000000000320000-0x00000000005D6000-memory.dmp

Filesize
2.7MB

Download
memory/4012-170-0x0000000000000000-mapping.dmp

Download
memory/4052-216-0x0000000000EC0000-0x00000000016A5000-memory.dmp

Filesize
7.9MB

Download
memory/4052-191-0x0000000000000000-mapping.dmp

Download
memory/4052-197-0x0000000000EC0000-0x00000000016A5000-memory.dmp

Filesize
7.9MB

Download
memory/4116-244-0x0000000000000000-mapping.dmp

Download
memory/4192-264-0x0000000000000000-mapping.dmp

Download
memory/4216-267-0x0000000000000000-mapping.dmp

Download
memory/4276-217-0x0000000000000000-mapping.dmp

Download
memory/4276-229-0x0000000000510000-0x0000000000CF5000-memory.dmp

Filesize
7.9MB

Download
memory/4276-223-0x0000000000510000-0x0000000000CF5000-memory.dmp

Filesize
7.9MB

Download
memory/4308-248-0x0000000000000000-mapping.dmp

Download
memory/4324-249-0x0000000000000000-mapping.dmp

Download
memory/4432-204-0x0000000001490000-0x0000000001495000-memory.dmp

Filesize
20KB

Download
memory/4432-195-0x0000000000000000-mapping.dmp

Download
memory/4432-205-0x0000000001480000-0x0000000001489000-memory.dmp

Filesize
36KB

Download
memory/4432-263-0x0000000001490000-0x0000000001495000-memory.dmp

Filesize
20KB

Download
memory/4444-220-0x0000000000000000-mapping.dmp

Download
memory/4460-241-0x0000000000000000-mapping.dmp

Download
memory/4460-164-0x0000000000000000-mapping.dmp

Download
memory/4512-161-0x000001C360CB0000-0x000001C360CBA000-memory.dmp

Filesize
40KB

Download
memory/4512-158-0x000001C360810000-0x000001C36082C000-memory.dmp

Filesize
112KB

Download
memory/4512-162-0x00007FFA19D10000-0x00007FFA1A7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-154-0x0000000000000000-mapping.dmp

Download
memory/4512-159-0x000001C347070000-0x000001C34707A000-memory.dmp

Filesize
40KB

Download
memory/4512-157-0x00007FFA19D10000-0x00007FFA1A7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-155-0x000001C346BA0000-0x000001C346BC2000-memory.dmp

Filesize
136KB

Download
memory/4512-160-0x000001C347080000-0x000001C347088000-memory.dmp

Filesize
32KB

Download
memory/4516-256-0x0000000000000000-mapping.dmp

Download
memory/4552-231-0x0000000000000000-mapping.dmp

Download
memory/4572-233-0x0000000000000000-mapping.dmp

Download
memory/4572-238-0x00000000003A0000-0x00000000003AD000-memory.dmp

Filesize
52KB

Download
memory/4572-236-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/4572-295-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/4668-167-0x0000000000000000-mapping.dmp

Download
memory/4668-175-0x00000000007A0000-0x0000000000D43000-memory.dmp

Filesize
5.6MB

Download
memory/4748-178-0x0000000000000000-mapping.dmp

Download
memory/4764-166-0x0000000000000000-mapping.dmp

Download
memory/4796-163-0x0000000000000000-mapping.dmp

Download
memory/4888-252-0x0000000000000000-mapping.dmp

Download
memory/4936-270-0x0000000000000000-mapping.dmp

Download
memory/5056-302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5100-188-0x0000000000000000-mapping.dmp

Download