djvu | ea641f05f32a47d5d71bc779780448676cf471793214aafba66bcc9da0a141a2

Analysis

max time kernel
29s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f49aa3f4cc246fdf8d11363caecc1591.exe
Size

245KB
MD5

f49aa3f4cc246fdf8d11363caecc1591
SHA1

685e1e0cc4ad59ea582844d2f8746900dc5c0dbd
SHA256

ea641f05f32a47d5d71bc779780448676cf471793214aafba66bcc9da0a141a2
SHA512

c62fa20bbfd70236653fa3d570b2a447cdca4cca9b3b6ca83a3171fb237210cad8ff1a998ecdd47eb579e903b2f8528969d5fac8695d768c44b8a22c31813260
SSDEEP

3072:94rr40JAoRl8vgvNJeEVji7lyRsSBKBD52D3a4p1:Is0JHeQNJe4i7IRsSMuD3

Score

10^/10

djvu fabookie smokeloader vidar a81bcf59d85e6e13257840e65b9d1da8 pub1 backdoor discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://toobussy.com/tmp/

http://wuc11.com/tmp/

http://ladogatur.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/raud/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.neon
offline_id
0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0725JOsie

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

4.2

Botnet

a81bcf59d85e6e13257840e65b9d1da8

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
a81bcf59d85e6e13257840e65b9d1da8
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2052-358-0x00000000028E0000-0x0000000002A11000-memory.dmp	family_fabookie

Detected Djvu ransomware 38 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2060-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2060-149-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3652-151-0x0000000002450000-0x000000000256B000-memory.dmp	family_djvu
behavioral2/memory/2060-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2060-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2060-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-175-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1672-223-0x00000000043A0000-0x00000000044BB000-memory.dmp	family_djvu
behavioral2/memory/2164-226-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-225-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1004-238-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-250-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1004-251-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2456-252-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1004-231-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-220-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-289-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-291-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-293-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4568-305-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1004-309-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2164-310-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2456-336-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2456-326-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4556-364-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1392-368-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4752-370-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1392-372-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4752-406-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1392-407-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4556-403-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4556-369-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4752-367-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4724-421-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1136.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation 1136.exe
Executes dropped EXE 3 IoCs

Processes:

1136.exe1136.exe19C3.exe

pid process

3652 1136.exe
2060 1136.exe
2312 19C3.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4988 icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	1136.exe

pid	process
3652	1136.exe
2060	1136.exe
2312	19C3.exe

pid	process
4988	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1136.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae1b909f-7641-4f0a-a35a-1f1089f647fa\\1136.exe\" --AutoStart"	1136.exe

Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 api.2ip.ua
57 api.2ip.ua
93 api.2ip.ua
36 api.2ip.ua
47 api.2ip.ua
59 api.2ip.ua
87 api.2ip.ua
88 api.2ip.ua
94 api.2ip.ua
35 api.2ip.ua
Suspicious use of SetThreadContext 1 IoCs

Processes:

1136.exe

description pid process target process

PID 3652 set thread context of 2060 3652 1136.exe 1136.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

332 4120 WerFault.exe 2C27.exe
2268 1508 WerFault.exe 385E.exe
4344 3436 WerFault.exe B9B4.exe
4552 4920 WerFault.exe D211.exe

flow	ioc
56	api.2ip.ua
57	api.2ip.ua
93	api.2ip.ua
36	api.2ip.ua
47	api.2ip.ua
59	api.2ip.ua
87	api.2ip.ua
88	api.2ip.ua
94	api.2ip.ua
35	api.2ip.ua

description	pid	process	target process
PID 3652 set thread context of 2060	3652	1136.exe	1136.exe

pid	pid_target	process	target process
332	4120	WerFault.exe	2C27.exe
2268	1508	WerFault.exe	385E.exe
4344	3436	WerFault.exe	B9B4.exe
4552	4920	WerFault.exe	D211.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f49aa3f4cc246fdf8d11363caecc1591.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f49aa3f4cc246fdf8d11363caecc1591.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f49aa3f4cc246fdf8d11363caecc1591.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f49aa3f4cc246fdf8d11363caecc1591.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1280 schtasks.exe
2768 schtasks.exe

pid	process
1280	schtasks.exe
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f49aa3f4cc246fdf8d11363caecc1591.exe

pid	process
4548	f49aa3f4cc246fdf8d11363caecc1591.exe
4548	f49aa3f4cc246fdf8d11363caecc1591.exe
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508
2508

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f49aa3f4cc246fdf8d11363caecc1591.exe

pid process

4548 f49aa3f4cc246fdf8d11363caecc1591.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2508
Token: SeCreatePagefilePrivilege 2508

description	pid	process
Token: SeShutdownPrivilege	2508
Token: SeCreatePagefilePrivilege	2508

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

1136.exe1136.exe

description	pid	process	target process
PID 2508 wrote to memory of 3652	2508		1136.exe
PID 2508 wrote to memory of 3652	2508		1136.exe
PID 2508 wrote to memory of 3652	2508		1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 3652 wrote to memory of 2060	3652	1136.exe	1136.exe
PID 2060 wrote to memory of 4988	2060	1136.exe	icacls.exe
PID 2060 wrote to memory of 4988	2060	1136.exe	icacls.exe
PID 2060 wrote to memory of 4988	2060	1136.exe	icacls.exe
PID 2508 wrote to memory of 2312	2508		19C3.exe
PID 2508 wrote to memory of 2312	2508		19C3.exe
PID 2508 wrote to memory of 2312	2508		19C3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f49aa3f4cc246fdf8d11363caecc1591.exe
"C:\Users\Admin\AppData\Local\Temp\f49aa3f4cc246fdf8d11363caecc1591.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4548

C:\Users\Admin\AppData\Local\Temp\1136.exe
C:\Users\Admin\AppData\Local\Temp\1136.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\1136.exe
C:\Users\Admin\AppData\Local\Temp\1136.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ae1b909f-7641-4f0a-a35a-1f1089f647fa" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4988

C:\Users\Admin\AppData\Local\Temp\1136.exe
"C:\Users\Admin\AppData\Local\Temp\1136.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\1136.exe
"C:\Users\Admin\AppData\Local\Temp\1136.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4568

C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe
"C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe"
5⤵
PID:4564

C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe
"C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe"
6⤵
PID:4548

C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build3.exe
"C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build3.exe"
5⤵
PID:4832

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:2768

C:\Users\Admin\AppData\Local\Temp\19C3.exe
C:\Users\Admin\AppData\Local\Temp\19C3.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Local\Temp\2230.exe
C:\Users\Admin\AppData\Local\Temp\2230.exe
1⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
2⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
2⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
2⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
3⤵
PID:4324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
4⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
4⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe"
4⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\2425.exe
C:\Users\Admin\AppData\Local\Temp\2425.exe
1⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\2425.exe
C:\Users\Admin\AppData\Local\Temp\2425.exe
2⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2425.exe
"C:\Users\Admin\AppData\Local\Temp\2425.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2425.exe
"C:\Users\Admin\AppData\Local\Temp\2425.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\259D.exe
C:\Users\Admin\AppData\Local\Temp\259D.exe
1⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\259D.exe
C:\Users\Admin\AppData\Local\Temp\259D.exe
2⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\259D.exe
"C:\Users\Admin\AppData\Local\Temp\259D.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\259D.exe
"C:\Users\Admin\AppData\Local\Temp\259D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\2734.exe
C:\Users\Admin\AppData\Local\Temp\2734.exe
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\2734.exe
C:\Users\Admin\AppData\Local\Temp\2734.exe
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\2734.exe
"C:\Users\Admin\AppData\Local\Temp\2734.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2C27.exe
C:\Users\Admin\AppData\Local\Temp\2C27.exe
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 344
2⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4120 -ip 4120
1⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\31C5.exe
C:\Users\Admin\AppData\Local\Temp\31C5.exe
1⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\385E.exe
C:\Users\Admin\AppData\Local\Temp\385E.exe
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 816
2⤵
- Program crash
PID:2268

C:\Users\Admin\AppData\Local\Temp\B9B4.exe
C:\Users\Admin\AppData\Local\Temp\B9B4.exe
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 812
2⤵
- Program crash
PID:4344

C:\Users\Admin\AppData\Local\Temp\BF53.exe
C:\Users\Admin\AppData\Local\Temp\BF53.exe
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\BF53.exe
C:\Users\Admin\AppData\Local\Temp\BF53.exe
2⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3436 -ip 3436
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1508 -ip 1508
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\C81E.exe
C:\Users\Admin\AppData\Local\Temp\C81E.exe
1⤵
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\D211.exe
C:\Users\Admin\AppData\Local\Temp\D211.exe
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 812
2⤵
- Program crash
PID:4552

C:\Users\Admin\AppData\Local\Temp\2734.exe
"C:\Users\Admin\AppData\Local\Temp\2734.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4920 -ip 4920
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\DADC.exe
C:\Users\Admin\AppData\Local\Temp\DADC.exe
1⤵
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:3764

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2976

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
5563e2e864598039e55b26e807237d0d

SHA1
203a6b56231d9be8a0af47bd1f98d25cc2a1f429

SHA256
21b8e73c4e89932cf644d426fa9590da164b18cf4153e66a6edcd964eedeeccb

SHA512
b9b67d586f905ffb28974a5d33a6b7dc81a6aed325a57918f642c6447a3b92a05fdd72b49f73db27b636975f281e08c912b08852e2468c92daa8693cfa310b51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
e5ef4e3f5fd7934cb9c76b42b58ea45c

SHA1
c76f9fad9a12335d281771454f657036efc5881a

SHA256
3b247db7937565d22f6455fb744771e14de3380d133192e00a8f5fadf6492bdb

SHA512
1f18d5a9aead87cf00682a6fccdfc2896d29a92f808491fb0c1a97a86941734d9c6f1dee6786a9151eba488916d84c220c6ae78a93c1246301de73c2d034373f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
3f222b860645b29da17398583aa4a4be

SHA1
ca260ef3ab063c1b7116a9a8833bd5daf26ea78a

SHA256
1a381a6483c96a6afad8953f3a74d3198fd35f2c65d435186243990eafafcbb2

SHA512
8090a290cbc6a207ef1d5d6bb71132f6409a8786a2f8a113ac3bea85f98cefebf218567f5ddd36e1564dd0d8cb9acf1864636161ac4bd1458148ea69a0babb12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
7c280a479b2f49d83bb4a2ba671afa5e

SHA1
2c1ab3fbc2f475959f0bf0076a8b3769f95b13ae

SHA256
69199d290f368ff6c76c28961db3eb64e84ca61764946fe2fd7d1b29fef681eb

SHA512
99eaa03ce5f3de897ab410009a49404ea49dfd3c1918eba16442c23a30d2b1702761bb891a63a5c6e5287483a3880890df0b72ece9c0354db0543b4e4ced4a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\geo[1].json
Filesize
651B

MD5
bb0b9f3551beed05c0ec34888817116f

SHA1
50cf2363621131813cc8e0553cb71873e50ad562

SHA256
f2e9fd3ce2e4afaeb2f2d7555fcc0864ebbe05a56e1ca802b06d32020b556de8

SHA512
0b0bf92deef58a1ccfadd19c612be5a8a8b6fda0835612fb61ccaeaf41ca22464a44fb4338441b236dd0d6f5ff097ee5475e4670305af43b35ed4ee2d5a44492

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1136.exe
Filesize
722KB

MD5
1b77297c1fb9ab3f9442138ba2d2eead

SHA1
441d299667867cf15a3ad16d2fb7e5c45f7499b5

SHA256
d0a32b9264b3466ffbba4c803c3866778dfe96494a93049a0a6f984ff675cf37

SHA512
67f95246ad2dff6ab8b6c0f9fc93d88bfe695f311dd03dc8b01bb568752f530b2aa1e20d4fe126cfbbb1ad0750c6fc4e23511b908b24ae8202ba0c15a4a835d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1136.exe
Filesize
722KB

MD5
1b77297c1fb9ab3f9442138ba2d2eead

SHA1
441d299667867cf15a3ad16d2fb7e5c45f7499b5

SHA256
d0a32b9264b3466ffbba4c803c3866778dfe96494a93049a0a6f984ff675cf37

SHA512
67f95246ad2dff6ab8b6c0f9fc93d88bfe695f311dd03dc8b01bb568752f530b2aa1e20d4fe126cfbbb1ad0750c6fc4e23511b908b24ae8202ba0c15a4a835d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1136.exe
Filesize
722KB

MD5
1b77297c1fb9ab3f9442138ba2d2eead

SHA1
441d299667867cf15a3ad16d2fb7e5c45f7499b5

SHA256
d0a32b9264b3466ffbba4c803c3866778dfe96494a93049a0a6f984ff675cf37

SHA512
67f95246ad2dff6ab8b6c0f9fc93d88bfe695f311dd03dc8b01bb568752f530b2aa1e20d4fe126cfbbb1ad0750c6fc4e23511b908b24ae8202ba0c15a4a835d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1136.exe
Filesize
722KB

MD5
1b77297c1fb9ab3f9442138ba2d2eead

SHA1
441d299667867cf15a3ad16d2fb7e5c45f7499b5

SHA256
d0a32b9264b3466ffbba4c803c3866778dfe96494a93049a0a6f984ff675cf37

SHA512
67f95246ad2dff6ab8b6c0f9fc93d88bfe695f311dd03dc8b01bb568752f530b2aa1e20d4fe126cfbbb1ad0750c6fc4e23511b908b24ae8202ba0c15a4a835d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1136.exe
Filesize
722KB

MD5
1b77297c1fb9ab3f9442138ba2d2eead

SHA1
441d299667867cf15a3ad16d2fb7e5c45f7499b5

SHA256
d0a32b9264b3466ffbba4c803c3866778dfe96494a93049a0a6f984ff675cf37

SHA512
67f95246ad2dff6ab8b6c0f9fc93d88bfe695f311dd03dc8b01bb568752f530b2aa1e20d4fe126cfbbb1ad0750c6fc4e23511b908b24ae8202ba0c15a4a835d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19C3.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19C3.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\2230.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2230.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2425.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2425.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2425.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2425.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2425.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\259D.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\259D.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\259D.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\259D.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\259D.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2734.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2734.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2734.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2734.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2734.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2734.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C27.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C27.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31C5.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31C5.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31C5.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\385E.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\385E.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9B4.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9B4.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9B4.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF53.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF53.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF53.exe
Filesize
798KB

MD5
9a1787a698fc6e4e4879fa5536f2e725

SHA1
4ebf44eb76a386cac8b8049683b42b6b28b864b7

SHA256
a1c86b10a1cffdb98448da47caa53a2c43603c70782b3ab72273fd368abab59f

SHA512
66efad49acdfae2364d24d25e281df1ec7a25c6878ec76103bd84e0d21c6733cadaaaa7692efd2739f246d14f692387618c76ce208d766968219c06aedcf1901

Download Submit
C:\Users\Admin\AppData\Local\Temp\C81E.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C81E.exe
Filesize
223KB

MD5
25a38bb100ce11661f2afd3ccaf68e47

SHA1
e336aa72ea330852b5a2e709250437b64e7e815d

SHA256
07097419c0b16b85c0d5b2c7f70deb72a150f2a91982c0b6f09fb1b38a4e7993

SHA512
2a312afd33970da6d8f197c41c2d6e9308809202593c7db97e49a0993655bdcb35d154607f28c2b7c43ab07e2ce79cffb6326e17ce98ee206563bb3ed8e3526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D211.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D211.exe
Filesize
4.2MB

MD5
4179238c49a009468a87403bc51a3d48

SHA1
4ba7cab7aafd77a37a2352abe7216e8f30c588a5

SHA256
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

SHA512
73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DADC.exe
Filesize
1.9MB

MD5
46178eb024d5a5070d0b28f46c7faa7d

SHA1
8e20a475be5a463268941efe8e94db9bc28444ed

SHA256
f0b68fa153b50554e35c2a40e81f7b06059a1cb1945881031e5030588033a3fe

SHA512
c0f309ba0611aedfebba791315268f2dfbf9dee26762ba089eef0630567c68ff770e139f37c90000c388f72b9f3ea7c6ffd91bc9887bfc333c564e4a0391f972

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe
Filesize
352KB

MD5
f76b7a03bc4db7e669adc6a0eb80322a

SHA1
ad3ef2ea2dcf95e805c7be56a7d63f654328121e

SHA256
c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d

SHA512
626465ba82f07cdfc0f86496e5f2e0f95aea64fd7b1c90708f99eaae78cc3f04ecf3fb22de85b647837009edb62d1125673073ec083cd82e1dd61f8ddc235e5c

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe
Filesize
352KB

MD5
f76b7a03bc4db7e669adc6a0eb80322a

SHA1
ad3ef2ea2dcf95e805c7be56a7d63f654328121e

SHA256
c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d

SHA512
626465ba82f07cdfc0f86496e5f2e0f95aea64fd7b1c90708f99eaae78cc3f04ecf3fb22de85b647837009edb62d1125673073ec083cd82e1dd61f8ddc235e5c

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe
Filesize
352KB

MD5
f76b7a03bc4db7e669adc6a0eb80322a

SHA1
ad3ef2ea2dcf95e805c7be56a7d63f654328121e

SHA256
c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d

SHA512
626465ba82f07cdfc0f86496e5f2e0f95aea64fd7b1c90708f99eaae78cc3f04ecf3fb22de85b647837009edb62d1125673073ec083cd82e1dd61f8ddc235e5c

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build2.exe
Filesize
352KB

MD5
f76b7a03bc4db7e669adc6a0eb80322a

SHA1
ad3ef2ea2dcf95e805c7be56a7d63f654328121e

SHA256
c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d

SHA512
626465ba82f07cdfc0f86496e5f2e0f95aea64fd7b1c90708f99eaae78cc3f04ecf3fb22de85b647837009edb62d1125673073ec083cd82e1dd61f8ddc235e5c

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\a2b0722c-1776-43f8-ae2a-69524a397424\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\ae1b909f-7641-4f0a-a35a-1f1089f647fa\1136.exe
Filesize
722KB

MD5
1b77297c1fb9ab3f9442138ba2d2eead

SHA1
441d299667867cf15a3ad16d2fb7e5c45f7499b5

SHA256
d0a32b9264b3466ffbba4c803c3866778dfe96494a93049a0a6f984ff675cf37

SHA512
67f95246ad2dff6ab8b6c0f9fc93d88bfe695f311dd03dc8b01bb568752f530b2aa1e20d4fe126cfbbb1ad0750c6fc4e23511b908b24ae8202ba0c15a4a835d1

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
Filesize
557B

MD5
505bae640b279494aab7d20ac474288a

SHA1
39a90376ca6f1e543358d35b6eb03ca81da03597

SHA256
1f60e10a7223f4d6e6944f12bbf34fadedc22a208338199d2847ece4dd82797d

SHA512
f4a7a0a6eca386752168cf68f2c0a40c4492d56718a17ec5cf3d2c3ba038110b04df09c9a2f9130964489e84550862dcea7cf4a4c1bdeba1bec540f4fa41bd1a

Download Submit
memory/8-190-0x00000000000F0000-0x000000000052E000-memory.dmp

Filesize
4.2MB

Download
memory/1004-251-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1004-231-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1004-309-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1004-238-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1392-368-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1392-407-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1392-372-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1672-223-0x00000000043A0000-0x00000000044BB000-memory.dmp

Filesize
1.1MB

Download
memory/1992-323-0x00007FF6EDD50000-0x00007FF6EE10D000-memory.dmp

Filesize
3.7MB

Download
memory/2052-361-0x0000000002760000-0x00000000028D1000-memory.dmp

Filesize
1.4MB

Download
memory/2052-358-0x00000000028E0000-0x0000000002A11000-memory.dmp

Filesize
1.2MB

Download
memory/2060-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-149-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2084-328-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/2164-310-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-225-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-226-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-220-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2164-250-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2312-182-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/2312-273-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/2456-326-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2456-336-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2456-252-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2508-320-0x0000000008990000-0x00000000089A6000-memory.dmp

Filesize
88KB

Download
memory/2508-135-0x0000000000FA0000-0x0000000000FB6000-memory.dmp

Filesize
88KB

Download
memory/2508-267-0x0000000008950000-0x0000000008966000-memory.dmp

Filesize
88KB

Download
memory/3652-151-0x0000000002450000-0x000000000256B000-memory.dmp

Filesize
1.1MB

Download
memory/4120-335-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/4548-352-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4548-134-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/4548-401-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4548-354-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4548-136-0x0000000000400000-0x0000000002569000-memory.dmp

Filesize
33.4MB

Download
memory/4548-356-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4556-403-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4556-364-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4556-369-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4564-357-0x0000000004970000-0x00000000049C6000-memory.dmp

Filesize
344KB

Download
memory/4568-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-305-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-293-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-289-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-291-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4568-175-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4724-421-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-370-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-367-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-406-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download