66e6e687e685d9425668b3f86d4578b09b4b99e96bab8686bccb01a6c060edd0

Analysis

max time kernel
1980s
max time network
1819s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nova pasta.zip
Size

37.0MB
MD5

7a27bf281f883135a77689b471ea6712
SHA1

6dfbcfa74302e7dc1140790aef8e3d9481fa0e08
SHA256

66e6e687e685d9425668b3f86d4578b09b4b99e96bab8686bccb01a6c060edd0
SHA512

7cf014c1094fd160f314d7650282db75bd6060ef3417023f2f1f9b735743409eed4df7473c7b61ea12daf0f32b4099be0639d5c0db04e8da1adefa600a6daa65
SSDEEP

786432:eY3wtSaRK9aTfeiuim8+uqzauvIKOyTpryqHehePvm09gIPmnoUda:e0URK9SeiuimhDzXv11VicmnI+Xda

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 6 IoCs

pid	Process
1564	ph.dat
568	evb4809.tmp
2408	ph.dat
1852	evb3E97.tmp
2020	ph.dat
1316	evb2C9D.tmp

Loads dropped DLL 12 IoCs

pid	Process
2356	Process_Hacker_-_Undetected.exe
1564	ph.dat
568	evb4809.tmp
568	evb4809.tmp
1268	Process not Found
2408	ph.dat
1852	evb3E97.tmp
1852	evb3E97.tmp
2020	ph.dat
1316	evb2C9D.tmp
1316	evb2C9D.tmp
1268	Process not Found

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1564-25-0x000000013FED0000-0x0000000140C7D000-memory.dmp	autoit_exe
behavioral1/memory/1564-27-0x000000013FED0000-0x0000000140C7D000-memory.dmp	autoit_exe
behavioral1/memory/1564-28-0x000000013FED0000-0x0000000140C7D000-memory.dmp	autoit_exe
behavioral1/memory/1564-29-0x000000013FED0000-0x0000000140C7D000-memory.dmp	autoit_exe
behavioral1/memory/1564-41-0x000000013FED0000-0x0000000140C7D000-memory.dmp	autoit_exe
behavioral1/memory/1564-54-0x000000013FED0000-0x0000000140C7D000-memory.dmp	autoit_exe
behavioral1/memory/568-114-0x0000000005660000-0x0000000005C48000-memory.dmp	autoit_exe
behavioral1/memory/2408-1133-0x000000013F470000-0x000000014021D000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2356	Process_Hacker_-_Undetected.exe
2356	Process_Hacker_-_Undetected.exe
1564	ph.dat
1564	ph.dat
568	evb4809.tmp
2356	Process_Hacker_-_Undetected.exe
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
1624	Google.exe
1624	Google.exe
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 568	1564	ph.dat	37
PID 2408 set thread context of 1852	2408	ph.dat	127
PID 2020 set thread context of 1316	2020	ph.dat	130

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
812	sc.exe
2892	sc.exe
1036	sc.exe
2872	sc.exe
824	sc.exe
1216	sc.exe
2524	sc.exe
2508	sc.exe
2856	sc.exe
1676	sc.exe
2476	sc.exe
2880	sc.exe
2848	sc.exe
3028	sc.exe
3040	sc.exe
592	sc.exe
576	sc.exe
772	sc.exe
2688	sc.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2936	taskkill.exe
2016	taskkill.exe
580	taskkill.exe
2292	taskkill.exe
2428	taskkill.exe
2312	taskkill.exe
2772	taskkill.exe
856	taskkill.exe
2504	taskkill.exe
844	taskkill.exe
868	taskkill.exe
1000	taskkill.exe
2264	taskkill.exe
1328	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	Process_Hacker_-_Undetected.exe
2356	Process_Hacker_-_Undetected.exe
2356	Process_Hacker_-_Undetected.exe
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
568	evb4809.tmp
1852	evb3E97.tmp
1316	evb2C9D.tmp

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	evb4809.tmp
Token: SeIncBasePriorityPrivilege	568	evb4809.tmp
Token: 33	568	evb4809.tmp
Token: SeLoadDriverPrivilege	568	evb4809.tmp
Token: SeProfSingleProcessPrivilege	568	evb4809.tmp
Token: SeRestorePrivilege	568	evb4809.tmp
Token: SeShutdownPrivilege	568	evb4809.tmp
Token: SeTakeOwnershipPrivilege	568	evb4809.tmp
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1852	evb3E97.tmp
Token: SeIncBasePriorityPrivilege	1852	evb3E97.tmp
Token: 33	1852	evb3E97.tmp
Token: SeLoadDriverPrivilege	1852	evb3E97.tmp
Token: SeProfSingleProcessPrivilege	1852	evb3E97.tmp
Token: SeRestorePrivilege	1852	evb3E97.tmp
Token: SeShutdownPrivilege	1852	evb3E97.tmp
Token: SeTakeOwnershipPrivilege	1852	evb3E97.tmp
Token: SeDebugPrivilege	1316	evb2C9D.tmp
Token: SeIncBasePriorityPrivilege	1316	evb2C9D.tmp
Token: 33	1316	evb2C9D.tmp
Token: SeLoadDriverPrivilege	1316	evb2C9D.tmp
Token: SeProfSingleProcessPrivilege	1316	evb2C9D.tmp
Token: SeRestorePrivilege	1316	evb2C9D.tmp
Token: SeShutdownPrivilege	1316	evb2C9D.tmp
Token: SeTakeOwnershipPrivilege	1316	evb2C9D.tmp
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1564	ph.dat
1564	ph.dat
1564	ph.dat
1564	ph.dat
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1564	ph.dat
1564	ph.dat
1564	ph.dat
1564	ph.dat
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp
568	evb4809.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2356	Process_Hacker_-_Undetected.exe
568	evb4809.tmp
2548	Process_Hacker_-_Undetected.exe
1852	evb3E97.tmp
1988	Process_Hacker_-_Undetected.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1564	2356	Process_Hacker_-_Undetected.exe	36
PID 2356 wrote to memory of 1564	2356	Process_Hacker_-_Undetected.exe	36
PID 2356 wrote to memory of 1564	2356	Process_Hacker_-_Undetected.exe	36
PID 2356 wrote to memory of 1564	2356	Process_Hacker_-_Undetected.exe	36
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1564 wrote to memory of 568	1564	ph.dat	37
PID 1624 wrote to memory of 688	1624	Google.exe	40
PID 1624 wrote to memory of 688	1624	Google.exe	40
PID 1624 wrote to memory of 688	1624	Google.exe	40
PID 688 wrote to memory of 2980	688	cmd.exe	41
PID 688 wrote to memory of 2980	688	cmd.exe	41
PID 688 wrote to memory of 2980	688	cmd.exe	41
PID 2980 wrote to memory of 1432	2980	net.exe	42
PID 2980 wrote to memory of 1432	2980	net.exe	42
PID 2980 wrote to memory of 1432	2980	net.exe	42
PID 1624 wrote to memory of 1052	1624	Google.exe	43
PID 1624 wrote to memory of 1052	1624	Google.exe	43
PID 1624 wrote to memory of 1052	1624	Google.exe	43
PID 1052 wrote to memory of 368	1052	cmd.exe	44
PID 1052 wrote to memory of 368	1052	cmd.exe	44
PID 1052 wrote to memory of 368	1052	cmd.exe	44
PID 368 wrote to memory of 1216	368	net.exe	45
PID 368 wrote to memory of 1216	368	net.exe	45
PID 368 wrote to memory of 1216	368	net.exe	45
PID 1624 wrote to memory of 2516	1624	Google.exe	46
PID 1624 wrote to memory of 2516	1624	Google.exe	46
PID 1624 wrote to memory of 2516	1624	Google.exe	46
PID 2516 wrote to memory of 2508	2516	cmd.exe	47
PID 2516 wrote to memory of 2508	2516	cmd.exe	47
PID 2516 wrote to memory of 2508	2516	cmd.exe	47
PID 1624 wrote to memory of 2440	1624	Google.exe	48
PID 1624 wrote to memory of 2440	1624	Google.exe	48
PID 1624 wrote to memory of 2440	1624	Google.exe	48
PID 2440 wrote to memory of 2476	2440	cmd.exe	49
PID 2440 wrote to memory of 2476	2440	cmd.exe	49
PID 2440 wrote to memory of 2476	2440	cmd.exe	49
PID 1624 wrote to memory of 2732	1624	Google.exe	50
PID 1624 wrote to memory of 2732	1624	Google.exe	50
PID 1624 wrote to memory of 2732	1624	Google.exe	50
PID 2732 wrote to memory of 3040	2732	cmd.exe	51
PID 2732 wrote to memory of 3040	2732	cmd.exe	51
PID 2732 wrote to memory of 3040	2732	cmd.exe	51
PID 1624 wrote to memory of 2820	1624	Google.exe	52
PID 1624 wrote to memory of 2820	1624	Google.exe	52
PID 1624 wrote to memory of 2820	1624	Google.exe	52
PID 2820 wrote to memory of 2880	2820	cmd.exe	53
PID 2820 wrote to memory of 2880	2820	cmd.exe	53
PID 2820 wrote to memory of 2880	2820	cmd.exe	53
PID 1624 wrote to memory of 2756	1624	Google.exe	54
PID 1624 wrote to memory of 2756	1624	Google.exe	54

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Nova pasta.zip"
1⤵
PID:1444

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1716

C:\Users\Admin\Documents\Nova pasta\Nova pasta\Process_Hacker_-_Undetected.exe
"C:\Users\Admin\Documents\Nova pasta\Nova pasta\Process_Hacker_-_Undetected.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat
  "C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\evb4809.tmp
    "C:\Users\Admin\Documents\Nova pasta\Nova pasta\87675643324.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:568

C:\Users\Admin\Documents\Nova pasta\Nova pasta\Google.exe
"C:\Users\Admin\Documents\Nova pasta\Nova pasta\Google.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop FACEIT >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop ESEADriver2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2756
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2652
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop FACEIT >nul 2>&1
  2⤵
  PID:2824
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:2832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:2172
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:2560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1936
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2096
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:524
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2748
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2644
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2512
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1768
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2884
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:980
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:364
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:756
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:240
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1684
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2680
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1324
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1440
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1748
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:1164
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:612
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Documents\Nova pasta\Nova pasta\Google.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:1756
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Documents\Nova pasta\Nova pasta\Google.exe" MD5
    3⤵
    PID:2248
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2344
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM Taskmgr.exe
  2⤵
  PID:188
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
  2⤵
  PID:1544
- - C:\Windows\system32\mode.com
    MODE CON COLS=55 LINES=12
    3⤵
    PID:2368

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Users\Admin\Documents\Nova pasta\Nova pasta\Process_Hacker_-_Undetected.exe
"C:\Users\Admin\Documents\Nova pasta\Nova pasta\Process_Hacker_-_Undetected.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2548
- C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat
  "C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\evb3E97.tmp
    "C:\Users\Admin\Documents\Nova pasta\Nova pasta\87675643324.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1852

C:\Users\Admin\Documents\Nova pasta\Nova pasta\Process_Hacker_-_Undetected.exe
"C:\Users\Admin\Documents\Nova pasta\Nova pasta\Process_Hacker_-_Undetected.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1988
- C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat
  "C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\evb2C9D.tmp
    "C:\Users\Admin\Documents\Nova pasta\Nova pasta\87675643324.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
526f3fc877b92fc910ac752c75254d5c

SHA1
a52d955531718c222ff15ecb1180e0d82a955169

SHA256
93f50dd66dbf80028f2961074e94a452243c646e304114a401180f2ed6066c10

SHA512
637bc2758d173b577ac06e622121f48bcf28e3f151c712cab19597cd7f9c13c40d457c7519edf944884b598f0d3c9358d970c5b551d42d2936827712a5ef4fdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
17f628d7507589290cbdc77db82c9aaf

SHA1
e415147f86d55641b43ecbcbd2e792e59f81fb3a

SHA256
3a8f2bba8e0a5bf34245cd9cbc335bec33cd91215c4330984037d0f1136bf8e6

SHA512
a6110a8a9c2e8077548313341d05570d3f2560e3fb685f6c45b041606c2ae97dad364dca5c2dd49b31483590b2e3da2af2424c99184f7559e021b9009e0b9633

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
526f3fc877b92fc910ac752c75254d5c

SHA1
a52d955531718c222ff15ecb1180e0d82a955169

SHA256
93f50dd66dbf80028f2961074e94a452243c646e304114a401180f2ed6066c10

SHA512
637bc2758d173b577ac06e622121f48bcf28e3f151c712cab19597cd7f9c13c40d457c7519edf944884b598f0d3c9358d970c5b551d42d2936827712a5ef4fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EB2F5C

Filesize
14B

MD5
1514505c31c7679e6bfa38be26282518

SHA1
8796d0614c8e6a48ba5ca7e7dac647c5b8287568

SHA256
bb9d058c87a3c722d10632e6a73b5980b6a98a65a9f67eea06d505f3dc7d2754

SHA512
1e27e1075d5afc3c3cd4fbf2c0d384d29b8f4561d2ac430f1736658a917c9afa85ee4dd8507560ff7e53f3d7fe67233b3cf3947d57e94d02081b3810442c0466

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1D4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb3E97.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb3E97.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb3FFF.tmp

Filesize
1KB

MD5
9f9d460676b59c3ff26ce3f2f807a380

SHA1
d24591beff96f3575f1eda590fade0d083a88e61

SHA256
45827ac81bc80e07a13d9e821d4c73f17437986802ca3b30345d7049e4ceef60

SHA512
14814498100273d60097c8432cb5eb0d0f377ce870a2d675f07230e757f518084f7bee4a986d527dbdbd65d9ec5afe78f2f0522386a1ee550d333189112af2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb4809.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb4809.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb4CFA.tmp

Filesize
1KB

MD5
9f9d460676b59c3ff26ce3f2f807a380

SHA1
d24591beff96f3575f1eda590fade0d083a88e61

SHA256
45827ac81bc80e07a13d9e821d4c73f17437986802ca3b30345d7049e4ceef60

SHA512
14814498100273d60097c8432cb5eb0d0f377ce870a2d675f07230e757f518084f7bee4a986d527dbdbd65d9ec5afe78f2f0522386a1ee550d333189112af2f6

Download Submit
C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
C:\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
C:\Users\Admin\Pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
1514505c31c7679e6bfa38be26282518

SHA1
8796d0614c8e6a48ba5ca7e7dac647c5b8287568

SHA256
bb9d058c87a3c722d10632e6a73b5980b6a98a65a9f67eea06d505f3dc7d2754

SHA512
1e27e1075d5afc3c3cd4fbf2c0d384d29b8f4561d2ac430f1736658a917c9afa85ee4dd8507560ff7e53f3d7fe67233b3cf3947d57e94d02081b3810442c0466

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
1514505c31c7679e6bfa38be26282518

SHA1
8796d0614c8e6a48ba5ca7e7dac647c5b8287568

SHA256
bb9d058c87a3c722d10632e6a73b5980b6a98a65a9f67eea06d505f3dc7d2754

SHA512
1e27e1075d5afc3c3cd4fbf2c0d384d29b8f4561d2ac430f1736658a917c9afa85ee4dd8507560ff7e53f3d7fe67233b3cf3947d57e94d02081b3810442c0466

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
871af756b648d3639041cf53bef28356

SHA1
7cee8b27855d2d8bec485a499afed0c880f05d23

SHA256
c0f7a8b8ce7afcf80a28238c096bb2c9a850969522cd0d641a669704953a9494

SHA512
bf0f93f9126303a283f5d46cc62d2272af543cc22b49c95ab3aceb791d4d15557c399a316feaee88284609a6f07f1282ddbb750ac2e0b396b6c204e28a6920da

Download Submit
\??\c:\users\admin\documents\nova pasta\nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
\??\c:\users\admin\documents\nova pasta\nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
\??\c:\users\admin\documents\nova pasta\nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
d42e596defd9109c445cebbaff8d8f9e

SHA1
cdc4f75b4ddea88c6ad0be0372d971fc7fae086d

SHA256
2b10e0941a2423f6776abd0c2375f891bf10b2dd4003d7d37861b57217b45460

SHA512
8b05ec61682e3a191f8af6fa80d90f6b575dc35cad40262a503b33c4722da4f9fc98727da21f89246e67193519f7c858d90d67c3b29ef1f0333ff3e716ffcad1

Download Submit
\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb2C9D.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb3E97.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb3E97.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb3E97.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb4809.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb4809.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb4809.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\AppData\Local\Temp\evb4809.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
\Users\Admin\Documents\Nova pasta\Nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
memory/568-121-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-1073-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-89-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-90-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-32-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/568-34-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/568-86-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-94-0x0000000077830000-0x0000000077840000-memory.dmp

Filesize
64KB

Download
memory/568-95-0x0000000005660000-0x0000000005C48000-memory.dmp

Filesize
5.9MB

Download
memory/568-96-0x0000000005660000-0x0000000005C48000-memory.dmp

Filesize
5.9MB

Download
memory/568-97-0x0000000005D50000-0x0000000006DB3000-memory.dmp

Filesize
16.4MB

Download
memory/568-98-0x0000000005D50000-0x0000000006DB3000-memory.dmp

Filesize
16.4MB

Download
memory/568-99-0x0000000005660000-0x0000000005C48000-memory.dmp

Filesize
5.9MB

Download
memory/568-53-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/568-108-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-109-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-110-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/568-111-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/568-112-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/568-113-0x0000000005660000-0x0000000005C48000-memory.dmp

Filesize
5.9MB

Download
memory/568-114-0x0000000005660000-0x0000000005C48000-memory.dmp

Filesize
5.9MB

Download
memory/568-115-0x0000000005D50000-0x0000000006DB3000-memory.dmp

Filesize
16.4MB

Download
memory/568-116-0x0000000005D50000-0x0000000006DB3000-memory.dmp

Filesize
16.4MB

Download
memory/568-117-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-118-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-119-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-120-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-56-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/568-122-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-123-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-124-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-57-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-50-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/568-60-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/568-62-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/568-64-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/568-66-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/568-67-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/568-69-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/568-70-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/568-139-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-143-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-1075-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/568-1074-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/568-146-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-147-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-76-0x0000000000610000-0x0000000000810000-memory.dmp

Filesize
2.0MB

Download
memory/568-149-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-150-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-151-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-152-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-153-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/568-74-0x0000000000610000-0x0000000000810000-memory.dmp

Filesize
2.0MB

Download
memory/568-73-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/568-72-0x0000000000610000-0x0000000000810000-memory.dmp

Filesize
2.0MB

Download
memory/568-87-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/1564-33-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1564-58-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1564-37-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1564-38-0x0000000004170000-0x00000000051D3000-memory.dmp

Filesize
16.4MB

Download
memory/1564-41-0x000000013FED0000-0x0000000140C7D000-memory.dmp

Filesize
13.7MB

Download
memory/1564-42-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1564-44-0x0000000077830000-0x0000000077840000-memory.dmp

Filesize
64KB

Download
memory/1564-54-0x000000013FED0000-0x0000000140C7D000-memory.dmp

Filesize
13.7MB

Download
memory/1564-26-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1564-31-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1564-29-0x000000013FED0000-0x0000000140C7D000-memory.dmp

Filesize
13.7MB

Download
memory/1564-65-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1564-28-0x000000013FED0000-0x0000000140C7D000-memory.dmp

Filesize
13.7MB

Download
memory/1564-15-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1564-24-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1564-25-0x000000013FED0000-0x0000000140C7D000-memory.dmp

Filesize
13.7MB

Download
memory/1564-27-0x000000013FED0000-0x0000000140C7D000-memory.dmp

Filesize
13.7MB

Download
memory/1624-134-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1624-145-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1624-132-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1624-127-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1624-144-0x000000013FC30000-0x0000000142831000-memory.dmp

Filesize
44.0MB

Download
memory/1624-136-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1624-125-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1624-137-0x000000013FC30000-0x0000000142831000-memory.dmp

Filesize
44.0MB

Download
memory/1624-130-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1624-131-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1624-129-0x000000013FC30000-0x0000000142831000-memory.dmp

Filesize
44.0MB

Download
memory/1852-1130-0x0000000000430000-0x0000000000527000-memory.dmp

Filesize
988KB

Download
memory/1852-1140-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/2356-13-0x00000000039C0000-0x000000000476D000-memory.dmp

Filesize
13.7MB

Download
memory/2356-0-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/2356-68-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/2356-101-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/2356-88-0x00000000FFBD0000-0x00000000FFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2356-91-0x00000000039C0000-0x000000000476D000-memory.dmp

Filesize
13.7MB

Download
memory/2356-3-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x00000000FFBD0000-0x00000000FFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2356-71-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/2408-1092-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2408-1093-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/2408-1136-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/2408-1134-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2408-1133-0x000000013F470000-0x000000014021D000-memory.dmp

Filesize
13.7MB

Download
memory/2408-1115-0x00000000041C0000-0x0000000005223000-memory.dmp

Filesize
16.4MB

Download
memory/2408-1110-0x0000000077830000-0x0000000077840000-memory.dmp

Filesize
64KB

Download
memory/2408-1090-0x000000013F470000-0x000000014021D000-memory.dmp

Filesize
13.7MB

Download
memory/2408-1106-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/2408-1103-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/2548-1116-0x00000000FFBD0000-0x00000000FFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2548-1109-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/2548-1078-0x00000000FFBD0000-0x00000000FFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2548-1076-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download