amadey | 1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2

Analysis

max time kernel
42s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2023, 08:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
Size

289KB
MD5

0d28a13684fc8d9c7c37e313f0ccddc9
SHA1

f67a34d844311f14f916fb79188aab74998dd60b
SHA256

1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2
SHA512

1e63a652e0b71967d0a887b7a7167bae5f88f79dfbccccddb9f2757d5ce03edb70d55f71aa9547d6910332534e8a388855d3a5b42382708e2a10f85a572a041d
SSDEEP

3072:P62HHzuLIp5I3aiAwbmjeNdMLzYyFb8QV5Fl1nHbzF1:PSLIp5BOmjqmLz/DtldH11

Score

10^/10

amadey djvu fabookie smokeloader pub1 backdoor discovery ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://greenbi.net/tmp/

http://speakdyn.com/tmp/

http://pik96.ru/tmp/

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

3.83

5.42.65.80/8bmeVwqx/index.php

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.kitu
offline_id
NGHsYuVPwlgoEkG3ENtueNmXtFHSWod7fYayU9t1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-lOjoPPuBzw Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0748JOsie

rsa_pubkey.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/3948-260-0x0000000002CD0000-0x0000000002E01000-memory.dmp	family_fabookie
behavioral1/memory/3948-335-0x0000000002CD0000-0x0000000002E01000-memory.dmp	family_fabookie

Detected Djvu ransomware 29 IoCs

resource	yara_rule
behavioral1/memory/860-251-0x0000000004250000-0x000000000436B000-memory.dmp	family_djvu
behavioral1/memory/1848-253-0x00000000041B0000-0x0000000004248000-memory.dmp	family_djvu
behavioral1/memory/2356-258-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2356-261-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2356-254-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2356-264-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4420-267-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4420-270-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3160-274-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4420-272-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3160-275-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3160-276-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4420-309-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3160-311-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2356-323-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3204-346-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3204-344-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1456-361-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1456-359-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4044-362-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1456-365-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3204-360-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1456-366-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4044-357-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3204-354-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4044-353-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3204-376-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3204-377-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4044-378-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	FACF.exe

Executes dropped EXE 5 IoCs

pid	Process
3372	EBE6.exe
412	F485.exe
2480	FACF.exe
3948	aafg31.exe
1924	oldplayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1292	regsvr32.exe
4572	regsvr32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4196	icacls.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	api.2ip.ua
84	api.2ip.ua
56	api.2ip.ua
58	api.2ip.ua
59	api.2ip.ua
61	api.2ip.ua
82	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1660	1664	WerFault.exe	137

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F485.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F485.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F485.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
4440	1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found
2604	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4440	1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3372	2604	Process not Found	96
PID 2604 wrote to memory of 3372	2604	Process not Found	96
PID 2604 wrote to memory of 3372	2604	Process not Found	96
PID 2604 wrote to memory of 3964	2604	Process not Found	97
PID 2604 wrote to memory of 3964	2604	Process not Found	97
PID 3964 wrote to memory of 1292	3964	regsvr32.exe	98
PID 3964 wrote to memory of 1292	3964	regsvr32.exe	98
PID 3964 wrote to memory of 1292	3964	regsvr32.exe	98
PID 2604 wrote to memory of 432	2604	Process not Found	99
PID 2604 wrote to memory of 432	2604	Process not Found	99
PID 432 wrote to memory of 4572	432	regsvr32.exe	100
PID 432 wrote to memory of 4572	432	regsvr32.exe	100
PID 432 wrote to memory of 4572	432	regsvr32.exe	100
PID 2604 wrote to memory of 412	2604	Process not Found	101
PID 2604 wrote to memory of 412	2604	Process not Found	101
PID 2604 wrote to memory of 412	2604	Process not Found	101
PID 2604 wrote to memory of 2480	2604	Process not Found	102
PID 2604 wrote to memory of 2480	2604	Process not Found	102
PID 2604 wrote to memory of 2480	2604	Process not Found	102
PID 2480 wrote to memory of 3948	2480	FACF.exe	103
PID 2480 wrote to memory of 3948	2480	FACF.exe	103
PID 2480 wrote to memory of 1924	2480	FACF.exe	104
PID 2480 wrote to memory of 1924	2480	FACF.exe	104
PID 2480 wrote to memory of 1924	2480	FACF.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe
"C:\Users\Admin\AppData\Local\Temp\1996167026f1b47b3abe1e10b266a65101d97e735e7f512431a4670462ffb3b2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4440

C:\Users\Admin\AppData\Local\Temp\EBE6.exe
C:\Users\Admin\AppData\Local\Temp\EBE6.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EE2A.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\EE2A.dll
  2⤵
  - Loads dropped DLL
  PID:1292

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EF73.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\EF73.dll
  2⤵
  - Loads dropped DLL
  PID:4572

C:\Users\Admin\AppData\Local\Temp\F485.exe
C:\Users\Admin\AppData\Local\Temp\F485.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:412

C:\Users\Admin\AppData\Local\Temp\FACF.exe
C:\Users\Admin\AppData\Local\Temp\FACF.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\aafg31.exe
  "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
  2⤵
  - Executes dropped EXE
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
      4⤵
      PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4144
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:3672
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        5⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        5⤵
        
        PID:2656
- C:\Users\Admin\AppData\Local\Temp\XandETC.exe
  "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
  2⤵
  PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    PID:3728

C:\Users\Admin\AppData\Local\Temp\152E.exe
C:\Users\Admin\AppData\Local\Temp\152E.exe
1⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\1723.exe
C:\Users\Admin\AppData\Local\Temp\1723.exe
1⤵
PID:860
- C:\Users\Admin\AppData\Local\Temp\1723.exe
  C:\Users\Admin\AppData\Local\Temp\1723.exe
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\1723.exe
    "C:\Users\Admin\AppData\Local\Temp\1723.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\1723.exe
      "C:\Users\Admin\AppData\Local\Temp\1723.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\5431d480-41cc-496a-893c-56b306ba2ffc\build3.exe
        
        "C:\Users\Admin\AppData\Local\5431d480-41cc-496a-893c-56b306ba2ffc\build3.exe"
        5⤵
        
        PID:4368
    - - C:\Users\Admin\AppData\Local\5431d480-41cc-496a-893c-56b306ba2ffc\build2.exe
        
        "C:\Users\Admin\AppData\Local\5431d480-41cc-496a-893c-56b306ba2ffc\build2.exe"
        5⤵
        
        PID:4168

C:\Users\Admin\AppData\Local\Temp\188B.exe
C:\Users\Admin\AppData\Local\Temp\188B.exe
1⤵
PID:1848
- C:\Users\Admin\AppData\Local\Temp\188B.exe
  C:\Users\Admin\AppData\Local\Temp\188B.exe
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\6cb140d2-c56a-48f3-be9e-af3ee615dc70" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4196

C:\Users\Admin\AppData\Local\Temp\1A32.exe
C:\Users\Admin\AppData\Local\Temp\1A32.exe
1⤵
PID:896
- C:\Users\Admin\AppData\Local\Temp\1A32.exe
  C:\Users\Admin\AppData\Local\Temp\1A32.exe
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\1A32.exe
    "C:\Users\Admin\AppData\Local\Temp\1A32.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\1A32.exe
      "C:\Users\Admin\AppData\Local\Temp\1A32.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:1456
    - - C:\Users\Admin\AppData\Local\3eedcce6-2047-4255-aa64-fa1c4a873035\build2.exe
        
        "C:\Users\Admin\AppData\Local\3eedcce6-2047-4255-aa64-fa1c4a873035\build2.exe"
        5⤵
        
        PID:2016

C:\Users\Admin\AppData\Local\Temp\2B5A.exe
C:\Users\Admin\AppData\Local\Temp\2B5A.exe
1⤵
PID:4476

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2D9D.dll
1⤵
PID:336
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2D9D.dll
  2⤵
  PID:2568

C:\Users\Admin\AppData\Local\Temp\2ED6.exe
C:\Users\Admin\AppData\Local\Temp\2ED6.exe
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\2ED6.exe
  C:\Users\Admin\AppData\Local\Temp\2ED6.exe
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\2ED6.exe
    "C:\Users\Admin\AppData\Local\Temp\2ED6.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:3932

C:\Users\Admin\AppData\Local\Temp\8285.exe
C:\Users\Admin\AppData\Local\Temp\8285.exe
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\8824.exe
C:\Users\Admin\AppData\Local\Temp\8824.exe
1⤵
PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 820
  2⤵
  - Program crash
  PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1664 -ip 1664
1⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\CA6E.exe
C:\Users\Admin\AppData\Local\Temp\CA6E.exe
1⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:4116

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:1336

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\83FB.exe
C:\Users\Admin\AppData\Local\Temp\83FB.exe
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\PersonalID.txt

Filesize
42B

MD5
dbe3661a216d9e3b599178758fadacb4

SHA1
29fc37cce7bc29551694d17d9eb82d4d470db176

SHA256
134967887ca1c9c78f4760e5761c11c2a8195671abccba36fcf3e76df6fff03b

SHA512
da90c77c47790b3791ee6cee8aa7d431813f2ee0c314001015158a48a117342b990aaac023b36e610cef71755e609cbf1f6932047c3b4ad4df8779544214687f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
debbf14f3483068c85dbb41089275387

SHA1
53c67f0496489a8bf83e645035b9e030fe22f052

SHA256
d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd

SHA512
ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
debbf14f3483068c85dbb41089275387

SHA1
53c67f0496489a8bf83e645035b9e030fe22f052

SHA256
d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd

SHA512
ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
debbf14f3483068c85dbb41089275387

SHA1
53c67f0496489a8bf83e645035b9e030fe22f052

SHA256
d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd

SHA512
ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9f4dbb9c92a85c4ef5093a2df64ac230

SHA1
83acdef3b775ddcea8a50a04e8f1e8afaa6e0d22

SHA256
f29be229662b3201af3c58d4fcccb93da75f9cc44a2b7c2e3086302bb2bc1425

SHA512
25a85055583e7d008a25add9d4976e8255b01e2dce1a90b75c63c8eff8ee56a94ef35852210cbec1298fc905325d295c73a78f9a8e85ffdfc98d8a2b0896150b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9f4dbb9c92a85c4ef5093a2df64ac230

SHA1
83acdef3b775ddcea8a50a04e8f1e8afaa6e0d22

SHA256
f29be229662b3201af3c58d4fcccb93da75f9cc44a2b7c2e3086302bb2bc1425

SHA512
25a85055583e7d008a25add9d4976e8255b01e2dce1a90b75c63c8eff8ee56a94ef35852210cbec1298fc905325d295c73a78f9a8e85ffdfc98d8a2b0896150b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9f4dbb9c92a85c4ef5093a2df64ac230

SHA1
83acdef3b775ddcea8a50a04e8f1e8afaa6e0d22

SHA256
f29be229662b3201af3c58d4fcccb93da75f9cc44a2b7c2e3086302bb2bc1425

SHA512
25a85055583e7d008a25add9d4976e8255b01e2dce1a90b75c63c8eff8ee56a94ef35852210cbec1298fc905325d295c73a78f9a8e85ffdfc98d8a2b0896150b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
e46cc47a1e4c5c3943d5ec09552b4c15

SHA1
717601c057712809d51f22e5d21eb714feac8fbc

SHA256
6f8546a5cd3f6c260d9998978d23b86444e5893b4b13634ed07f01767dfab3f1

SHA512
86a4fd6b86046606c5fbdd1b96439aac7b8321d33ec7834093881bd30fadef427c5453db71f7cd2f6445f8da7bb8461deec3bfb0b30e873261f2bd452fd13a32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
e46cc47a1e4c5c3943d5ec09552b4c15

SHA1
717601c057712809d51f22e5d21eb714feac8fbc

SHA256
6f8546a5cd3f6c260d9998978d23b86444e5893b4b13634ed07f01767dfab3f1

SHA512
86a4fd6b86046606c5fbdd1b96439aac7b8321d33ec7834093881bd30fadef427c5453db71f7cd2f6445f8da7bb8461deec3bfb0b30e873261f2bd452fd13a32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
98ebc0a7b8aae75967e7d9fb40291e4c

SHA1
b8cfaaca33ea11e23229f303f2523afbe8fed2df

SHA256
cae9aa653c3521f0be49ba631f4d7d0f022849d369b89bd9693f1d0d3c131be6

SHA512
1eee326a07a3343d1cf2797140c766ff6c521b8aef57ec08c4b64ead8eb050724a39f58e0a33dccf7ebce5769f858ee6035007fcbec76d1a609222df05a00e30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
51d2413a41cbfaf022516fcf8f224e1e

SHA1
31c3263be054cb0f905ca2530e2f7fcdae75712f

SHA256
c6e450166da885951d43824c95890dcfab879f510915e4e4931199e61142b004

SHA512
29b4c42f0b3c4e1e7aa5e5709066c130f293a6cb9f1536b47dbe01773829ca8d26b8a892daa7e73ca5aee8e181f747ee6bd4f1e93b06c149a2db9983c353ce8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
d090d60ce98617250b2be082d2a87bd8

SHA1
937c5a44b8f3729d9c0ec2d9dc837861a04a6177

SHA256
15861bce3523ffa26ef2747f1e86c3fcc250ac0b0bc0be9664d5996f3b88dac5

SHA512
780c7422f3552e69bbdd649c8a7afa3c53715ba4ae973a70dbaf2924f06a0d6ccc9a8dce77d1be95b1453253aed3ba11a2a14ba04e24268bc919e7be274a8462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
d21947f07b0710a5386489be98652e37

SHA1
ef1c59b6d0017b66579c412b6dd71b8d8b4a331b

SHA256
37b28af5dbfd66ebdc8081ba24b94d9a0deb2a2c9eab1d04b99e5e723b7ebe54

SHA512
9ec52788d0c548395a14800ed0572cbc20a4a86ae008f97bd5f94741d8aca74de8c196fc88faaa1aa5b2b9b9d5c7bee4c1a240b81595be7c000378a23e83ae4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
2486c3c3d70f9cf5d94f53418fb8e37c

SHA1
f07474c7a849e349983a6b93d1ed88af9835a32e

SHA256
66cd064b635bc05b76ea2ed701b274e1da21ac54414fea24c951fe90b40f2885

SHA512
e8b8639e0149f6483564806a4be87aaf77b15351561a73092cfcc1bc68d85667d67fa239b8fe42bc615c3d09323726da34315001c815ae0c72630e348604128e

Download Submit
C:\Users\Admin\AppData\Local\5431d480-41cc-496a-893c-56b306ba2ffc\build2.exe

Filesize
524KB

MD5
5c08a40f82908735b187705b49de1fc3

SHA1
6e108f3f6611f46941869d7fcbe02c47219c0523

SHA256
7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b

SHA512
76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

Download Submit
C:\Users\Admin\AppData\Local\6cb140d2-c56a-48f3-be9e-af3ee615dc70\188B.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\152E.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\152E.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1723.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1723.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1723.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1723.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1723.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\188B.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\188B.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\188B.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A32.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A32.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A32.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A32.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A32.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A32.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B5A.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B5A.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B5A.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D9D.dll

Filesize
1.2MB

MD5
7292b17c8fa8000b5d7c36279669f96e

SHA1
ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b

SHA256
b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2

SHA512
37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D9D.dll

Filesize
1.2MB

MD5
7292b17c8fa8000b5d7c36279669f96e

SHA1
ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b

SHA256
b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2

SHA512
37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ED6.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ED6.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ED6.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ED6.exe

Filesize
769KB

MD5
329d7c6568113a9cc2904037638bb518

SHA1
1044bb723ad24a89bab8875879db06ac4435362d

SHA256
27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55

SHA512
9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

Download Submit
C:\Users\Admin\AppData\Local\Temp\8285.exe

Filesize
258KB

MD5
c9de9148f899b175350adb5cd3d077e5

SHA1
9de7bf5a1f2bed9a48e505e88efdd164453afc44

SHA256
c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e

SHA512
ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\8285.exe

Filesize
258KB

MD5
c9de9148f899b175350adb5cd3d077e5

SHA1
9de7bf5a1f2bed9a48e505e88efdd164453afc44

SHA256
c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e

SHA512
ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\8824.exe

Filesize
4.5MB

MD5
c43cbad7257cba5352f8b9eaa19c7709

SHA1
04179590b7da86e2bc79425d544d347c7de7b0fc

SHA256
f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4

SHA512
a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8824.exe

Filesize
4.5MB

MD5
c43cbad7257cba5352f8b9eaa19c7709

SHA1
04179590b7da86e2bc79425d544d347c7de7b0fc

SHA256
f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4

SHA512
a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA6E.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBE6.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBE6.exe

Filesize
787KB

MD5
9bb7aaf9c934e145cf3a6f826a55c56b

SHA1
2300a50a642e79ed2e43f18585f7f813d9d5f2f0

SHA256
189941099c193b7580d1f07ad1520800706fe5dedeb5ff074db34cfb54295519

SHA512
5df41c469ddbabfbe2045fba92a39a365599bfc196e970e1b1f4759fbf14c1d3c3357ac6b8ba9196941e257152d174e715565833a2069f0aceb6133ebd01f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE2A.dll

Filesize
1.2MB

MD5
f81fc87a82e628512761653d103abfba

SHA1
7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822

SHA256
aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d

SHA512
2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE2A.dll

Filesize
1.2MB

MD5
f81fc87a82e628512761653d103abfba

SHA1
7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822

SHA256
aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d

SHA512
2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF73.dll

Filesize
1.2MB

MD5
f81fc87a82e628512761653d103abfba

SHA1
7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822

SHA256
aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d

SHA512
2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF73.dll

Filesize
1.2MB

MD5
f81fc87a82e628512761653d103abfba

SHA1
7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822

SHA256
aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d

SHA512
2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F485.exe

Filesize
258KB

MD5
c9de9148f899b175350adb5cd3d077e5

SHA1
9de7bf5a1f2bed9a48e505e88efdd164453afc44

SHA256
c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e

SHA512
ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\F485.exe

Filesize
258KB

MD5
c9de9148f899b175350adb5cd3d077e5

SHA1
9de7bf5a1f2bed9a48e505e88efdd164453afc44

SHA256
c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e

SHA512
ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FACF.exe

Filesize
4.5MB

MD5
c43cbad7257cba5352f8b9eaa19c7709

SHA1
04179590b7da86e2bc79425d544d347c7de7b0fc

SHA256
f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4

SHA512
a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FACF.exe

Filesize
4.5MB

MD5
c43cbad7257cba5352f8b9eaa19c7709

SHA1
04179590b7da86e2bc79425d544d347c7de7b0fc

SHA256
f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4

SHA512
a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
591KB

MD5
1aa31a69c809b61505813ebcb6486efa

SHA1
77e08b93154d5d49ad845ced0ab9ab8a397ae106

SHA256
ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4

SHA512
6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
591KB

MD5
1aa31a69c809b61505813ebcb6486efa

SHA1
77e08b93154d5d49ad845ced0ab9ab8a397ae106

SHA256
ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4

SHA512
6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
591KB

MD5
1aa31a69c809b61505813ebcb6486efa

SHA1
77e08b93154d5d49ad845ced0ab9ab8a397ae106

SHA256
ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4

SHA512
6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt

Filesize
560B

MD5
6ab37c6fd8c563197ef79d09241843f1

SHA1
cb9bd05e2fc8cc06999a66b7b2d396ff4b5157e5

SHA256
d4849ec7852d9467f06fde6f25823331dad6bc76e7838d530e990b62286a754f

SHA512
dd1fae67d0f45ba1ec7e56347fdfc2a53f619650892c8a55e7fba80811b6c66d56544b1946a409eaaca06fa9503de20e160360445d959122e5ba3aa85b751cde

Download Submit
C:\Users\Admin\AppData\Roaming\satitau

Filesize
258KB

MD5
c9de9148f899b175350adb5cd3d077e5

SHA1
9de7bf5a1f2bed9a48e505e88efdd164453afc44

SHA256
c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e

SHA512
ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

Download Submit
memory/412-173-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/412-174-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/412-175-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/412-230-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/860-251-0x0000000004250000-0x000000000436B000-memory.dmp

Filesize
1.1MB

Download
memory/860-250-0x00000000041B0000-0x0000000004248000-memory.dmp

Filesize
608KB

Download
memory/896-263-0x0000000004150000-0x00000000041E7000-memory.dmp

Filesize
604KB

Download
memory/1292-203-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1292-177-0x0000000003060000-0x000000000315B000-memory.dmp

Filesize
1004KB

Download
memory/1292-207-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1292-210-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1292-212-0x0000000003160000-0x0000000003241000-memory.dmp

Filesize
900KB

Download
memory/1292-155-0x00000000014B0000-0x00000000014B6000-memory.dmp

Filesize
24KB

Download
memory/1292-156-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1456-366-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1456-361-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1456-365-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1456-359-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1664-364-0x0000000072850000-0x0000000073000000-memory.dmp

Filesize
7.7MB

Download
memory/1848-253-0x00000000041B0000-0x0000000004248000-memory.dmp

Filesize
608KB

Download
memory/2356-264-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-254-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-258-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-261-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2356-323-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2480-172-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2480-171-0x0000000000F10000-0x0000000001394000-memory.dmp

Filesize
4.5MB

Download
memory/2480-211-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2568-327-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2568-331-0x0000000001020000-0x0000000001026000-memory.dmp

Filesize
24KB

Download
memory/2604-224-0x00000000032C0000-0x00000000032D6000-memory.dmp

Filesize
88KB

Download
memory/2604-138-0x0000000001280000-0x0000000001296000-memory.dmp

Filesize
88KB

Download
memory/2684-320-0x00007FF665AC0000-0x00007FF665E7D000-memory.dmp

Filesize
3.7MB

Download
memory/3160-276-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3160-311-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3160-274-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3160-275-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-346-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-376-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-377-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-344-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-354-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3204-360-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3440-341-0x0000000004050000-0x00000000040E5000-memory.dmp

Filesize
596KB

Download
memory/3948-259-0x0000000002B60000-0x0000000002CD0000-memory.dmp

Filesize
1.4MB

Download
memory/3948-188-0x00007FF689CE0000-0x00007FF689D77000-memory.dmp

Filesize
604KB

Download
memory/3948-335-0x0000000002CD0000-0x0000000002E01000-memory.dmp

Filesize
1.2MB

Download
memory/3948-260-0x0000000002CD0000-0x0000000002E01000-memory.dmp

Filesize
1.2MB

Download
memory/4044-362-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4044-378-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4044-357-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4044-353-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4340-371-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4340-369-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/4420-272-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4420-309-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4420-270-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4420-267-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4440-134-0x0000000002650000-0x0000000002750000-memory.dmp

Filesize
1024KB

Download
memory/4440-139-0x0000000000400000-0x0000000002419000-memory.dmp

Filesize
32.1MB

Download
memory/4440-137-0x0000000000400000-0x0000000002419000-memory.dmp

Filesize
32.1MB

Download
memory/4440-136-0x0000000004160000-0x0000000004169000-memory.dmp

Filesize
36KB

Download
memory/4440-135-0x0000000000400000-0x0000000002419000-memory.dmp

Filesize
32.1MB

Download
memory/4492-337-0x0000000004110000-0x00000000041A2000-memory.dmp

Filesize
584KB

Download
memory/4572-160-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/4572-222-0x0000000002C30000-0x0000000002D11000-memory.dmp

Filesize
900KB

Download
memory/4572-228-0x0000000002C30000-0x0000000002D11000-memory.dmp

Filesize
900KB

Download
memory/4572-192-0x0000000002B30000-0x0000000002C2B000-memory.dmp

Filesize
1004KB

Download
memory/4572-231-0x0000000002C30000-0x0000000002D11000-memory.dmp

Filesize
900KB

Download
memory/4588-345-0x0000000004150000-0x00000000041EC000-memory.dmp

Filesize
624KB

Download