Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    380KB

  • MD5

    4ca2c6f98e9dcd7a4033f8c538a709d3

  • SHA1

    bc4b09303da991614fc7f34ff4ca01b8cf394940

  • SHA256

    6e94d7d6e75439d7112e272506fc394b59e5955c5bb60357beff31a24e6b5bbc

  • SHA512

    3ee08ca3dca33a1bf100e4f6ecb5c44e6f8802ca74028ca04a55065769627369e307ee9d4b302476137fbba716e72ce366fb6514c22bec34187ff38141d57f83

  • SSDEEP

    6144:x/QiQXCKJm+ksmpk3U9jW1U4P9bGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3Ks6m6URA3PhGlL//plmW9bTXeVh8

Score
10/10
gcleanerdiscoveryevasionloaderpersistence

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 16 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:884
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k WspService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2192
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\is-KCHHM.tmp\file.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-KCHHM.tmp\file.tmp" /SL5="$70124,140518,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Users\Admin\AppData\Local\Temp\is-IIF19.tmp\786fiyon.exe
          "C:\Users\Admin\AppData\Local\Temp\is-IIF19.tmp\786fiyon.exe" /S /UID=95
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1224
          • C:\Users\Admin\AppData\Local\Temp\e3-42a75-93c-4e4a1-163208d48928b\Paguwahaely.exe
            "C:\Users\Admin\AppData\Local\Temp\e3-42a75-93c-4e4a1-163208d48928b\Paguwahaely.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
              5⤵
                PID:1088
            • C:\Users\Admin\AppData\Local\Temp\f9-af4a5-e16-fbcaa-ec0d8291df003\Waelafamymae.exe
              "C:\Users\Admin\AppData\Local\Temp\f9-af4a5-e16-fbcaa-ec0d8291df003\Waelafamymae.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1788
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2p5ozv5x.pbs\gcleaner.exe /mixfive & exit
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2608
                • C:\Users\Admin\AppData\Local\Temp\2p5ozv5x.pbs\gcleaner.exe
                  C:\Users\Admin\AppData\Local\Temp\2p5ozv5x.pbs\gcleaner.exe /mixfive
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:2964
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2p5ozv5x.pbs\gcleaner.exe" & exit
                    7⤵
                      PID:2348
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im "gcleaner.exe" /f
                        8⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2392
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe & exit
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3012
                  • C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
                    C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
                    6⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    PID:3040
                    • C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
                      "C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe" -h
                      7⤵
                      • Executes dropped EXE
                      PID:2092
              • C:\Program Files\Windows Photo Viewer\ZREKWIQHEW\poweroff.exe
                "C:\Program Files\Windows Photo Viewer\ZREKWIQHEW\poweroff.exe" /VERYSILENT
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1124
                • C:\Users\Admin\AppData\Local\Temp\is-I3EJG.tmp\poweroff.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-I3EJG.tmp\poweroff.tmp" /SL5="$5014C,490199,350720,C:\Program Files\Windows Photo Viewer\ZREKWIQHEW\poweroff.exe" /VERYSILENT
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  PID:916
                  • C:\Program Files (x86)\powerOff\Power Off.exe
                    "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
                    6⤵
                    • Executes dropped EXE
                    PID:792
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c start https://iplogger.com/1bvgU4.gif
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/1bvgU4.gif
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:340
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1192
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275460 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:700
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
          1⤵
          • Process spawned unexpected child process
          PID:1468
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
            2⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:3044

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        3
        T1112

        Install Root Certificate

        1
        T1130

        Credential Access

        Discovery

        Software Discovery

        1
        T1518

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\powerOff\Power Off.exe
          Filesize

          621KB

          MD5

          8d0b18eb87590fa654da3704092b122b

          SHA1

          aaf4417695904bd718def564b2c1dae40623cc1d

          SHA256

          f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

          SHA512

          fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

          Download Submit
        • C:\Program Files (x86)\powerOff\Power Off.exe
          Filesize

          621KB

          MD5

          8d0b18eb87590fa654da3704092b122b

          SHA1

          aaf4417695904bd718def564b2c1dae40623cc1d

          SHA256

          f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

          SHA512

          fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

          Download Submit
        • C:\Program Files\Windows Photo Viewer\ZREKWIQHEW\poweroff.exe
          Filesize

          838KB

          MD5

          c0538198613d60407c75c54c55e69d91

          SHA1

          a2d713a098bc7b6d245c428dcdeb5614af3b8edd

          SHA256

          c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

          SHA512

          121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

          Download Submit
        • C:\Program Files\Windows Photo Viewer\ZREKWIQHEW\poweroff.exe
          Filesize

          838KB

          MD5

          c0538198613d60407c75c54c55e69d91

          SHA1

          a2d713a098bc7b6d245c428dcdeb5614af3b8edd

          SHA256

          c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

          SHA512

          121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          fc4666cbca561e864e7fdf883a9e6661

          SHA1

          2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

          SHA256

          10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

          SHA512

          c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          4dc37d768405aea66ca4b1c994894198

          SHA1

          f77462e454d09c7a629b46c9f139f16841004afa

          SHA256

          7a0c4c958202dfdac4b7d70ebfe81802ab12854a25139e799b49f24928e31695

          SHA512

          223d7866db39f4a4df9e58f34826f6ed88a102c22775e1b8a0fa399656489c287cf036ccca9ce9981973ca7db1e93589c9597b9198ebffafc90df525efa31a7a

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          6aac4a6a9f95a8979b94e76a68728f17

          SHA1

          0be1ce79630307e9225ce8cd5def75fd247d91d6

          SHA256

          33509745f1179df756798a1ebaf370662b2a608cc44b8e7236d1c8f3819988d9

          SHA512

          8a86380dda6d19f554eaaae36ef07a719ea8dd57f515b5b33576ca2bc38ec6204b3bfa53699ca9a61b399636acfc8cddb37e4b5bceaff2e3f750efb09c7fab01

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          ee7563256753c4815938f185239cfeab

          SHA1

          7650b86c7b9155c46db3594822cf0f468fa1c40b

          SHA256

          47769aec4611a0a28d433cc22e2f779843d3f785bee3d562530a2a2408d3a825

          SHA512

          436cd2bda063faa702de3530c23b7712963fe411bb579d6f67b621997da9ecb4a6b4ba42d25935e1e4e29c0bdac37ed38a21a5d62d7063b0c3f52cb4f5d2e855

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          6c809fca0c9184a1a392966c6aa84e29

          SHA1

          d9f0348f8ea99ca51e1d4544aca9e8e1b6b291ee

          SHA256

          71ce125ee5c511c30f9ceb1036384fa6e5ce26e3cb59e1caf3eb8a7940c00907

          SHA512

          c3cda2a2495567079dfa0ff439f8bf7a1e9edf3d9caff247d64c646fafd818ad7acef4c20c26bcb85fb7c21cd88cd0fae8d48f2992c7025793aac5f98a353a52

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
          Filesize

          5KB

          MD5

          d6a01463e63b14393840f6566418bd60

          SHA1

          10ec1ed3186c31042371ed5634e909758494d9ba

          SHA256

          22fb965980c4a4afc3b976879cecd95bb49c808bbccef69073137a6d786b30f4

          SHA512

          412aa92842d34a809507cfcedb62bde470764fe67ef66fe67f334c44b1ed5cc4e6beff86ead364da7fe7333a23d44af967008963badfd430caa91f398e29fdab

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\2p5ozv5x.pbs\gcleaner.exe
          Filesize

          365KB

          MD5

          60d0301fc7167e83b90d1a882b771105

          SHA1

          f73f940aeaab5f0df6133e05257c39e839d29779

          SHA256

          1aeec1ada070c9ae4f48bb8d3d9d783932cd767d765f12e3b5db67ad5224d2fa

          SHA512

          e04079a8e14354f0a54f266cb58aa5a1117427834cd53551a98b09439058181a8268e6e8b74d725e4b3fef8387ad8e476e4fcae3fee40d6c9bf99a9fc2bec58c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\2p5ozv5x.pbs\gcleaner.exe
          Filesize

          365KB

          MD5

          60d0301fc7167e83b90d1a882b771105

          SHA1

          f73f940aeaab5f0df6133e05257c39e839d29779

          SHA256

          1aeec1ada070c9ae4f48bb8d3d9d783932cd767d765f12e3b5db67ad5224d2fa

          SHA512

          e04079a8e14354f0a54f266cb58aa5a1117427834cd53551a98b09439058181a8268e6e8b74d725e4b3fef8387ad8e476e4fcae3fee40d6c9bf99a9fc2bec58c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\db.dat
          Filesize

          557KB

          MD5

          76c3dbb1e9fea62090cdf53dadcbe28e

          SHA1

          d44b32d04adc810c6df258be85dc6b62bd48a307

          SHA256

          556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

          SHA512

          de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\db.dll
          Filesize

          52KB

          MD5

          0b35335b70b96d31633d0caa207d71f9

          SHA1

          996c7804fe4d85025e2bd7ea8aa5e33c71518f84

          SHA256

          ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

          SHA512

          ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\e3-42a75-93c-4e4a1-163208d48928b\Paguwahaely.exe
          Filesize

          586KB

          MD5

          208e4cd441cdd40a55ee0fc96316e331

          SHA1

          cddcd13535391b96c8ec650a22f1503f93ca092c

          SHA256

          2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

          SHA512

          bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\e3-42a75-93c-4e4a1-163208d48928b\Paguwahaely.exe
          Filesize

          586KB

          MD5

          208e4cd441cdd40a55ee0fc96316e331

          SHA1

          cddcd13535391b96c8ec650a22f1503f93ca092c

          SHA256

          2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

          SHA512

          bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\e3-42a75-93c-4e4a1-163208d48928b\Paguwahaely.exe.config
          Filesize

          1KB

          MD5

          98d2687aec923f98c37f7cda8de0eb19

          SHA1

          f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

          SHA256

          8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

          SHA512

          95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\f9-af4a5-e16-fbcaa-ec0d8291df003\Kenessey.txt
          Filesize

          9B

          MD5

          97384261b8bbf966df16e5ad509922db

          SHA1

          2fc42d37fee2c81d767e09fb298b70c748940f86

          SHA256

          9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

          SHA512

          b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\f9-af4a5-e16-fbcaa-ec0d8291df003\Waelafamymae.exe
          Filesize

          377KB

          MD5

          97627b2f5f03f91345b467a2a4b34e1a

          SHA1

          863ef84ed38a90a5141b381d074f417e3ff0b5fc

          SHA256

          45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

          SHA512

          7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\f9-af4a5-e16-fbcaa-ec0d8291df003\Waelafamymae.exe
          Filesize

          377KB

          MD5

          97627b2f5f03f91345b467a2a4b34e1a

          SHA1

          863ef84ed38a90a5141b381d074f417e3ff0b5fc

          SHA256

          45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

          SHA512

          7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\f9-af4a5-e16-fbcaa-ec0d8291df003\Waelafamymae.exe.config
          Filesize

          1KB

          MD5

          98d2687aec923f98c37f7cda8de0eb19

          SHA1

          f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

          SHA256

          8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

          SHA512

          95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\is-I3EJG.tmp\poweroff.tmp
          Filesize

          981KB

          MD5

          01515376348a54ecef04f45b436cb104

          SHA1

          111e709b21bf56181c83057dafba7b71ed41f1b2

          SHA256

          8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

          SHA512

          8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\is-I3EJG.tmp\poweroff.tmp
          Filesize

          981KB

          MD5

          01515376348a54ecef04f45b436cb104

          SHA1

          111e709b21bf56181c83057dafba7b71ed41f1b2

          SHA256

          8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

          SHA512

          8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\is-IIF19.tmp\786fiyon.exe
          Filesize

          575KB

          MD5

          6e622962e3b594986c6fb741209dae50

          SHA1

          d3494b77672360358ca5b7cf8b71aab9efaac3c6

          SHA256

          20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

          SHA512

          4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\is-IIF19.tmp\786fiyon.exe
          Filesize

          575KB

          MD5

          6e622962e3b594986c6fb741209dae50

          SHA1

          d3494b77672360358ca5b7cf8b71aab9efaac3c6

          SHA256

          20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

          SHA512

          4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\is-KCHHM.tmp\file.tmp
          Filesize

          694KB

          MD5

          ffcf263a020aa7794015af0edee5df0b

          SHA1

          bce1eb5f0efb2c83f416b1782ea07c776666fdab

          SHA256

          1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

          SHA512

          49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
          Filesize

          160KB

          MD5

          861253a1ff4bdacab4ddd1a1df3efc50

          SHA1

          5512ad9b91d5c5972ac0a4c5f0f28d966054807c

          SHA256

          9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

          SHA512

          39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
          Filesize

          160KB

          MD5

          861253a1ff4bdacab4ddd1a1df3efc50

          SHA1

          5512ad9b91d5c5972ac0a4c5f0f28d966054807c

          SHA256

          9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

          SHA512

          39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
          Filesize

          160KB

          MD5

          861253a1ff4bdacab4ddd1a1df3efc50

          SHA1

          5512ad9b91d5c5972ac0a4c5f0f28d966054807c

          SHA256

          9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

          SHA512

          39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F7A5MBCO.txt
          Filesize

          2KB

          MD5

          0b50d2afb8f0fc0430cd87b7fcc7a1c8

          SHA1

          6f6c8c195fbe915b6660f39fef5c14bc701a1639

          SHA256

          5fa274696a93218720de3842bb99b6a3d19de1c689ead6dd18d63fb127879b7e

          SHA512

          be5b227de66285d5a042d6b6a1bbfde1c0256ba3f105df6469ed36eca900bc1239cb5e5d8fa0041b90f12dd48072d42ef62b419f730448f1a01bacf618c13efa

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G4S7CE4R.txt
          Filesize

          116B

          MD5

          55abc4ef2cbd3be4ba41a65a77ea75c9

          SHA1

          853c9af0e2577f21927a283549c4e37136e8946f

          SHA256

          2414bef17b4e0e2f1eb09837619964f157652218eb142c68edd9e409afe2c408

          SHA512

          ed20e38976ce491ffcadf9fad91c65da5f3dbd8ff272aea803de4169d13a6921a4ee816c65cbadfcd1267498e8a4f49289c3bc166e0c97df35e7a0d2c57bc305

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q8FJE881.txt
          Filesize

          608B

          MD5

          2299ca2a2506c95e237ae1d382956cbb

          SHA1

          fa890356b31f39834d93724f0862dd442ce707b3

          SHA256

          c9858dba057b875ef1cf4a9b00c16ac013fedf63ea73083836a8013e4f50dee4

          SHA512

          3cf084f596c9c2a7d1e9bb0bf40b52c6daf99b6e588ab7cc05af33c1a5244687259a48a1b5ab6fa4358e65d3cce85879aafd4d000334fc4a2f45a14e7e996b52

          Download Submit
        • \Program Files (x86)\powerOff\Power Off.exe
          Filesize

          621KB

          MD5

          8d0b18eb87590fa654da3704092b122b

          SHA1

          aaf4417695904bd718def564b2c1dae40623cc1d

          SHA256

          f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

          SHA512

          fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

          Download Submit
        • \Program Files (x86)\powerOff\Power Off.exe
          Filesize

          621KB

          MD5

          8d0b18eb87590fa654da3704092b122b

          SHA1

          aaf4417695904bd718def564b2c1dae40623cc1d

          SHA256

          f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

          SHA512

          fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

          Download Submit
        • \Program Files (x86)\powerOff\Power Off.exe
          Filesize

          621KB

          MD5

          8d0b18eb87590fa654da3704092b122b

          SHA1

          aaf4417695904bd718def564b2c1dae40623cc1d

          SHA256

          f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

          SHA512

          fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

          Download Submit
        • \Users\Admin\AppData\Local\Temp\db.dll
          Filesize

          52KB

          MD5

          0b35335b70b96d31633d0caa207d71f9

          SHA1

          996c7804fe4d85025e2bd7ea8aa5e33c71518f84

          SHA256

          ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

          SHA512

          ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

          Download Submit
        • \Users\Admin\AppData\Local\Temp\db.dll
          Filesize

          52KB

          MD5

          0b35335b70b96d31633d0caa207d71f9

          SHA1

          996c7804fe4d85025e2bd7ea8aa5e33c71518f84

          SHA256

          ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

          SHA512

          ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

          Download Submit
        • \Users\Admin\AppData\Local\Temp\db.dll
          Filesize

          52KB

          MD5

          0b35335b70b96d31633d0caa207d71f9

          SHA1

          996c7804fe4d85025e2bd7ea8aa5e33c71518f84

          SHA256

          ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

          SHA512

          ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

          Download Submit
        • \Users\Admin\AppData\Local\Temp\db.dll
          Filesize

          52KB

          MD5

          0b35335b70b96d31633d0caa207d71f9

          SHA1

          996c7804fe4d85025e2bd7ea8aa5e33c71518f84

          SHA256

          ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

          SHA512

          ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-BCV1S.tmp\_isetup\_shfoldr.dll
          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-BCV1S.tmp\_isetup\_shfoldr.dll
          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-I3EJG.tmp\poweroff.tmp
          Filesize

          981KB

          MD5

          01515376348a54ecef04f45b436cb104

          SHA1

          111e709b21bf56181c83057dafba7b71ed41f1b2

          SHA256

          8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

          SHA512

          8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-IIF19.tmp\786fiyon.exe
          Filesize

          575KB

          MD5

          6e622962e3b594986c6fb741209dae50

          SHA1

          d3494b77672360358ca5b7cf8b71aab9efaac3c6

          SHA256

          20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

          SHA512

          4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-IIF19.tmp\_isetup\_shfoldr.dll
          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-IIF19.tmp\_isetup\_shfoldr.dll
          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-IIF19.tmp\idp.dll
          Filesize

          216KB

          MD5

          8f995688085bced38ba7795f60a5e1d3

          SHA1

          5b1ad67a149c05c50d6e388527af5c8a0af4343a

          SHA256

          203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

          SHA512

          043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

          Download Submit
        • \Users\Admin\AppData\Local\Temp\is-KCHHM.tmp\file.tmp
          Filesize

          694KB

          MD5

          ffcf263a020aa7794015af0edee5df0b

          SHA1

          bce1eb5f0efb2c83f416b1782ea07c776666fdab

          SHA256

          1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

          SHA512

          49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

          Download Submit
        • \Users\Admin\AppData\Local\Temp\zti5pda2.2mv\chenp.exe
          Filesize

          160KB

          MD5

          861253a1ff4bdacab4ddd1a1df3efc50

          SHA1

          5512ad9b91d5c5972ac0a4c5f0f28d966054807c

          SHA256

          9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

          SHA512

          39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

          Download Submit
        • memory/792-131-0x000007FEEACF0000-0x000007FEEBD86000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/792-130-0x000007FEEC680000-0x000007FEED0A3000-memory.dmp
          Filesize

          10.1MB

          Download
        • memory/792-127-0x0000000000000000-mapping.dmp
          Download
        • memory/792-135-0x0000000000BE6000-0x0000000000C05000-memory.dmp
          Filesize

          124KB

          Download
        • memory/792-193-0x0000000000BE6000-0x0000000000C05000-memory.dmp
          Filesize

          124KB

          Download
        • memory/844-58-0x0000000000000000-mapping.dmp
          Download
        • memory/884-166-0x0000000000FF0000-0x0000000001062000-memory.dmp
          Filesize

          456KB

          Download
        • memory/884-200-0x0000000000A30000-0x0000000000A7D000-memory.dmp
          Filesize

          308KB

          Download
        • memory/916-100-0x00000000742F1000-0x00000000742F3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/916-92-0x0000000000000000-mapping.dmp
          Download
        • memory/1124-101-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/1124-85-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize

          368KB

          Download
        • memory/1124-82-0x0000000000000000-mapping.dmp
          Download
        • memory/1224-71-0x0000000001F70000-0x0000000001FCE000-memory.dmp
          Filesize

          376KB

          Download
        • memory/1224-66-0x0000000000000000-mapping.dmp
          Download
        • memory/1224-69-0x00000000003A0000-0x0000000000434000-memory.dmp
          Filesize

          592KB

          Download
        • memory/1224-70-0x0000000001F00000-0x0000000001F66000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1252-98-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1252-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1252-55-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1252-64-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1736-99-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1736-97-0x0000000000000000-mapping.dmp
          Download
        • memory/1788-144-0x0000000002096000-0x00000000020B5000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1788-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1788-81-0x000007FEEC680000-0x000007FEED0A3000-memory.dmp
          Filesize

          10.1MB

          Download
        • memory/1788-88-0x000007FEEACF0000-0x000007FEEBD86000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/1788-196-0x0000000002096000-0x00000000020B5000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1788-136-0x000000001C930000-0x000000001CC2F000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1972-76-0x000007FEEC680000-0x000007FEED0A3000-memory.dmp
          Filesize

          10.1MB

          Download
        • memory/1972-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1972-113-0x000000001CA50000-0x000000001CD4F000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/2092-151-0x0000000000000000-mapping.dmp
          Download
        • memory/2192-164-0x0000000000060000-0x00000000000AD000-memory.dmp
          Filesize

          308KB

          Download
        • memory/2192-203-0x0000000002010000-0x0000000002030000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2192-167-0x00000000FF15246C-mapping.dmp
          Download
        • memory/2192-169-0x0000000000060000-0x00000000000AD000-memory.dmp
          Filesize

          308KB

          Download
        • memory/2192-170-0x0000000000470000-0x00000000004E2000-memory.dmp
          Filesize

          456KB

          Download
        • memory/2192-202-0x0000000002D30000-0x0000000002E3A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2192-204-0x0000000002030000-0x000000000204B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2192-201-0x0000000001FF0000-0x000000000200B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2192-206-0x0000000000470000-0x00000000004E2000-memory.dmp
          Filesize

          456KB

          Download
        • memory/2192-216-0x0000000002D30000-0x0000000002E3A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2348-178-0x0000000000000000-mapping.dmp
          Download
        • memory/2392-181-0x0000000000000000-mapping.dmp
          Download
        • memory/2608-140-0x0000000000000000-mapping.dmp
          Download
        • memory/2964-174-0x0000000000220000-0x0000000000260000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2964-180-0x0000000000400000-0x0000000000477000-memory.dmp
          Filesize

          476KB

          Download
        • memory/2964-179-0x000000000061B000-0x0000000000642000-memory.dmp
          Filesize

          156KB

          Download
        • memory/2964-175-0x0000000000400000-0x0000000000477000-memory.dmp
          Filesize

          476KB

          Download
        • memory/2964-173-0x000000000061B000-0x0000000000642000-memory.dmp
          Filesize

          156KB

          Download
        • memory/2964-142-0x0000000000000000-mapping.dmp
          Download
        • memory/3012-145-0x0000000000000000-mapping.dmp
          Download
        • memory/3040-147-0x0000000000000000-mapping.dmp
          Download
        • memory/3044-162-0x00000000009A0000-0x0000000000AA1000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3044-163-0x0000000000260000-0x00000000002BE000-memory.dmp
          Filesize

          376KB

          Download
        • memory/3044-155-0x0000000000000000-mapping.dmp
          Download