ammyyadmin | 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a

Analysis

max time kernel
300s
max time network
300s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-08-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
Size

1.1MB
MD5

2181684f545183f80560fef4bfc7be5c
SHA1

0a09c859c9ac8a46112249b551ee1a9584762786
SHA256

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a
SHA512

234b5ce60053d1aa2424939949fbf32317333c709ab58e77c3b846568da3be238652327cac4b14fd5bec3f48eccaa80b0c64eba1df6ec20be0fa34ede2a861f0
SSDEEP

24576:TkGMg7vOg4aI0IciemH9M8+Rbsitm4R9g8I1:F7WgElveQM88sitn

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit evasion persistence ransomware rat stealer trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe	family_ammyyadmin
\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe	family_ammyyadmin
\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1200-1155-0x0000000000AA0000-0x0000000000EA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1200-1156-0x0000000000AA0000-0x0000000000EA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1200-1167-0x0000000000AA0000-0x0000000000EA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1200-1169-0x0000000000AA0000-0x0000000000EA0000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe

description pid process target process

PID 1200 created 1268 1200 07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1084 bcdedit.exe
2580 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

49 2724 rundll32.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2628 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2812 netsh.exe
1620 netsh.exe
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

904 certreq.exe
Drops startup file 1 IoCs

Processes:

2lx8.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2lx8.exe 2lx8.exe

description	pid	process	target process
PID 1200 created 1268	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	Explorer.EXE

pid	process
1084	bcdedit.exe
2580	bcdedit.exe

flow	pid	process
49	2724	rundll32.exe

pid	process
2628	wbadmin.exe

pid	process
2812	netsh.exe
1620	netsh.exe

pid	process
904	certreq.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2lx8.exe	2lx8.exe

Executes dropped EXE 13 IoCs

Processes:

jn5Gy9h`.exe2lx8.exeP7eLldF.exeYuK.exe2lx8.exeP7eLldF.exeP7eLldF.exe2lx8.exe2lx8.exe4DE2.exe57F1.exesvchost.execgbujgv

pid	process
3004	jn5Gy9h`.exe
2788	2lx8.exe
2840	P7eLldF.exe
2836	YuK.exe
696	2lx8.exe
1504	P7eLldF.exe
2236	P7eLldF.exe
1904	2lx8.exe
3044	2lx8.exe
2236	4DE2.exe
3056	57F1.exe
1928	svchost.exe
2480	cgbujgv

Loads dropped DLL 8 IoCs

Processes:

Explorer.EXEexplorer.exerundll32.exe

pid process

2412
1268 Explorer.EXE
1528 explorer.exe
1528 explorer.exe
2724 rundll32.exe
2724 rundll32.exe
2724 rundll32.exe
2724 rundll32.exe

pid	process
2412
1268	Explorer.EXE
1528	explorer.exe
1528	explorer.exe
2724	rundll32.exe
2724	rundll32.exe
2724	rundll32.exe
2724	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2lx8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2lx8 = "C:\\Users\\Admin\\AppData\\Local\\2lx8.exe"	2lx8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\2lx8 = "C:\\Users\\Admin\\AppData\\Local\\2lx8.exe"	2lx8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe2lx8.exeP7eLldF.exe2lx8.exe57F1.exe

description	pid	process	target process
PID 2504 set thread context of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2788 set thread context of 696	2788	2lx8.exe	2lx8.exe
PID 2840 set thread context of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 1904 set thread context of 3044	1904	2lx8.exe	2lx8.exe
PID 3056 set thread context of 2332	3056	57F1.exe	AddInProcess32.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1596 vssadmin.exe

pid	process
1596	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.execertreq.exeP7eLldF.exeP7eLldF.exeExplorer.EXE

pid	process
1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
904	certreq.exe
904	certreq.exe
904	certreq.exe
904	certreq.exe
2840	P7eLldF.exe
2840	P7eLldF.exe
2236	P7eLldF.exe
2236	P7eLldF.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE

pid	process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

P7eLldF.exeExplorer.EXEexplorer.exe

pid	process
2236	P7eLldF.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1528	explorer.exe
1528	explorer.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe2lx8.exeP7eLldF.exeYuK.exe2lx8.exevssvc.exeWMIC.exewbengine.exe4DE2.exe57F1.exeExplorer.EXEcgbujgvrundll32.exe

description	pid	process
Token: SeDebugPrivilege	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
Token: SeDebugPrivilege	2788	2lx8.exe
Token: SeDebugPrivilege	2840	P7eLldF.exe
Token: SeDebugPrivilege	2836	YuK.exe
Token: SeDebugPrivilege	1904	2lx8.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1892	WMIC.exe
Token: SeSecurityPrivilege	1892	WMIC.exe
Token: SeTakeOwnershipPrivilege	1892	WMIC.exe
Token: SeLoadDriverPrivilege	1892	WMIC.exe
Token: SeSystemProfilePrivilege	1892	WMIC.exe
Token: SeSystemtimePrivilege	1892	WMIC.exe
Token: SeProfSingleProcessPrivilege	1892	WMIC.exe
Token: SeIncBasePriorityPrivilege	1892	WMIC.exe
Token: SeCreatePagefilePrivilege	1892	WMIC.exe
Token: SeBackupPrivilege	1892	WMIC.exe
Token: SeRestorePrivilege	1892	WMIC.exe
Token: SeShutdownPrivilege	1892	WMIC.exe
Token: SeDebugPrivilege	1892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1892	WMIC.exe
Token: SeRemoteShutdownPrivilege	1892	WMIC.exe
Token: SeUndockPrivilege	1892	WMIC.exe
Token: SeManageVolumePrivilege	1892	WMIC.exe
Token: 33	1892	WMIC.exe
Token: 34	1892	WMIC.exe
Token: 35	1892	WMIC.exe
Token: SeBackupPrivilege	532	wbengine.exe
Token: SeRestorePrivilege	532	wbengine.exe
Token: SeSecurityPrivilege	532	wbengine.exe
Token: SeDebugPrivilege	2236	4DE2.exe
Token: SeDebugPrivilege	3056	57F1.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	2480	cgbujgv
Token: SeLockMemoryPrivilege	2724	rundll32.exe
Token: SeLockMemoryPrivilege	2724	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

1928 svchost.exe

pid	process
1928	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe2lx8.exeP7eLldF.exe2lx8.execmd.execmd.exe2lx8.exe

description	pid	process	target process
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 2504 wrote to memory of 1200	2504	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
PID 1200 wrote to memory of 904	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	certreq.exe
PID 1200 wrote to memory of 904	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	certreq.exe
PID 1200 wrote to memory of 904	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	certreq.exe
PID 1200 wrote to memory of 904	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	certreq.exe
PID 1200 wrote to memory of 904	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	certreq.exe
PID 1200 wrote to memory of 904	1200	07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe	certreq.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2788 wrote to memory of 696	2788	2lx8.exe	2lx8.exe
PID 2840 wrote to memory of 1504	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 1504	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 1504	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 1504	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 2840 wrote to memory of 2236	2840	P7eLldF.exe	P7eLldF.exe
PID 696 wrote to memory of 1584	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1584	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1584	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1584	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1116	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1116	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1116	696	2lx8.exe	cmd.exe
PID 696 wrote to memory of 1116	696	2lx8.exe	cmd.exe
PID 1116 wrote to memory of 1620	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 1620	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 1620	1116	cmd.exe	netsh.exe
PID 1584 wrote to memory of 1596	1584	cmd.exe	vssadmin.exe
PID 1584 wrote to memory of 1596	1584	cmd.exe	vssadmin.exe
PID 1584 wrote to memory of 1596	1584	cmd.exe	vssadmin.exe
PID 1116 wrote to memory of 2812	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 2812	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 2812	1116	cmd.exe	netsh.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe
PID 1904 wrote to memory of 3044	1904	2lx8.exe	2lx8.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
"C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
C:\Users\Admin\AppData\Local\Temp\07aed097a95ee18255106ff1fc36c80356c4db25f53cc2f9693795125498ef8a.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Users\Admin\AppData\Local\Temp\4DE2.exe
C:\Users\Admin\AppData\Local\Temp\4DE2.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Users\Admin\AppData\Local\Temp\57F1.exe
C:\Users\Admin\AppData\Local\Temp\57F1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:2332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2460

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1700

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2864

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1884

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2576

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2788

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1516

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1528

C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe -debug
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1928

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:2132

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.dll",run
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Microsoft\jn5Gy9h`.exe
"C:\Users\Admin\AppData\Local\Microsoft\jn5Gy9h`.exe"
1⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe
"C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe
C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe
"C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe
C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe
4⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1084

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2580

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:2628

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:1620

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:2812

C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe
"C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe
C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2236

C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe
C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Microsoft\YuK.exe
"C:\Users\Admin\AppData\Local\Microsoft\YuK.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1816

C:\Windows\system32\taskeng.exe
taskeng.exe {358E65B5-D0D9-47EA-A6CB-1C82C4BA4DD3} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]
1⤵
PID:2544

C:\Users\Admin\AppData\Roaming\cgbujgv
C:\Users\Admin\AppData\Roaming\cgbujgv
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\2lx8.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\P7eLldF.exe

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\YuK.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\YuK.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\jn5Gy9h`.exe

Filesize
863KB

MD5
f6e85642fc09e19439f74e1ee1898a26

SHA1
ad145352ea54048915731d5a67e811859d1fb7d5

SHA256
7cf2bc581c27ed9df235303a4306d875f54a62715f842cd98a6aa8d8afb873f5

SHA512
6cc95d9b43ad0db94caee19fabb61fb4f3e062cfeb84b318750a28f3a31f9f3f01b156a413d16d9a09cf1f48085337cd5643827a896c50f7e94b10c103cc7166

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DE2.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DE2.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DE2.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\57F1.exe

Filesize
245KB

MD5
d743b737c248670e3c103bceeff882af

SHA1
a24061e5c9bcd147106b8ecc3cfb4aa847c65c6f

SHA256
1137c048a4a828cd3641bd84d27ea60357ff161c7389913513c7193e5b9fbc40

SHA512
8fe48b1943d3e8f540af17864de892d9d2de96fa86134164e346b0a53310ab9b0b065158824b91abec7a575686cf14b292d5d91e0dcf8dc13959f4b1ccdf5e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\57F1.exe

Filesize
245KB

MD5
d743b737c248670e3c103bceeff882af

SHA1
a24061e5c9bcd147106b8ecc3cfb4aa847c65c6f

SHA256
1137c048a4a828cd3641bd84d27ea60357ff161c7389913513c7193e5b9fbc40

SHA512
8fe48b1943d3e8f540af17864de892d9d2de96fa86134164e346b0a53310ab9b0b065158824b91abec7a575686cf14b292d5d91e0dcf8dc13959f4b1ccdf5e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.log

Filesize
4KB

MD5
1bf13b56349686f9ca0ead19e950e8a3

SHA1
e741417739f197b24d3789262083994310c3e11c

SHA256
66cd9728cce08a2ca77d87d52bbdaf9d606ba0e5ed5d9c63bfa9741cd92cd383

SHA512
6f982dc316459819106d89b68ec473c41cdcf295ca04075d8fa84c66e8dc1f247b728a2a148ad9f18ba4cd2e49319dad3a3f727e5d36af5566f11d5efee0430d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED7C.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF32A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\cgbujgv

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Roaming\cgbujgv

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
\Users\Admin\AppData\Local\Microsoft\YuK.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
\Users\Admin\AppData\Local\Microsoft\YuK.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\B635.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\B635.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/696-3398-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/904-1469-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/904-1158-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/904-1199-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/904-1472-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/904-1180-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/904-1189-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/904-1184-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/904-1177-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/904-1172-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/904-1195-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/1200-1156-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1200-1166-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1200-1167-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1200-1168-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1200-1169-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1200-1155-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1200-1150-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1904-3408-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-4518-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-4498-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1904-4443-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1904-4398-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-3405-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2236-4533-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/2236-4532-0x0000000000190000-0x000000000028C000-memory.dmp

Filesize
1008KB

Download
memory/2236-4531-0x0000000072FF0000-0x00000000736DE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-4319-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2504-89-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-83-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-119-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-117-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-55-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-56-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2504-57-0x0000000005DE0000-0x0000000005ECE000-memory.dmp

Filesize
952KB

Download
memory/2504-59-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-113-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-115-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-111-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-58-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-109-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-107-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-61-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-65-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-63-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-69-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-67-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-71-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-105-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-73-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-75-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-77-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-79-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-81-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-121-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-85-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-1138-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2504-103-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-87-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-101-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-99-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-1151-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-97-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-1137-0x0000000000D40000-0x0000000000D8C000-memory.dmp

Filesize
304KB

Download
memory/2504-95-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-54-0x0000000001200000-0x000000000132C000-memory.dmp

Filesize
1.2MB

Download
memory/2504-1136-0x0000000004DA0000-0x0000000004E0A000-memory.dmp

Filesize
424KB

Download
memory/2504-91-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2504-1135-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2504-1134-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-93-0x0000000005DE0000-0x0000000005EC9000-memory.dmp

Filesize
932KB

Download
memory/2788-2036-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download
memory/2788-3369-0x0000000000B40000-0x0000000000B76000-memory.dmp

Filesize
216KB

Download
memory/2788-1196-0x0000000000DA0000-0x0000000000E9C000-memory.dmp

Filesize
1008KB

Download
memory/2788-2080-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-1198-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-1201-0x0000000005AF0000-0x0000000005BAC000-memory.dmp

Filesize
752KB

Download
memory/2788-3396-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-1197-0x00000000003E0000-0x0000000000420000-memory.dmp

Filesize
256KB

Download
memory/2788-3365-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2836-1854-0x000000001BFA0000-0x000000001C020000-memory.dmp

Filesize
512KB

Download
memory/2836-2230-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-2676-0x000000001BFA0000-0x000000001C020000-memory.dmp

Filesize
512KB

Download
memory/2836-2278-0x000000001BFA0000-0x000000001C020000-memory.dmp

Filesize
512KB

Download
memory/2836-1282-0x0000000000D00000-0x0000000000D44000-memory.dmp

Filesize
272KB

Download
memory/2836-1849-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-2232-0x000000001BFA0000-0x000000001C020000-memory.dmp

Filesize
512KB

Download
memory/2840-1217-0x0000000002100000-0x00000000021BA000-memory.dmp

Filesize
744KB

Download
memory/2840-2084-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-2172-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2840-3406-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-3388-0x0000000002240000-0x0000000002274000-memory.dmp

Filesize
208KB

Download
memory/2840-3385-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2840-1210-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2840-1208-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-1206-0x0000000000C00000-0x0000000000CFA000-memory.dmp

Filesize
1000KB

Download
memory/3044-4517-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download