gh0strat | 0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455

Analysis

max time kernel
176s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

time.exe
Size

11KB
MD5

d2e9696ec235cec72512dec6e9ce5935
SHA1

dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea
SHA256

0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
SHA512

573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a
SSDEEP

192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM

Score

10^/10

gh0strat purplefox redline stealc zgrat 2024 discovery infostealer rat rootkit stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1936-135-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/1936-136-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/1936-137-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/4216-144-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/4216-145-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/4216-146-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/4216-154-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/556-158-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/556-163-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/556-191-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral2/memory/556-230-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\main\extracted\MschainblockRef.exe	family_zgrat_v1
behavioral2/memory/724-318-0x0000000000D80000-0x0000000000F72000-memory.dmp	family_zgrat_v1

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1936-135-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/1936-136-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/1936-137-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/4216-144-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/4216-145-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/4216-146-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/4216-154-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/556-158-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/556-163-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/556-191-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat
behavioral2/memory/556-230-0x0000000010000000-0x00000000101B9000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2024.exe.exe	family_redline
behavioral2/memory/3588-226-0x0000000000120000-0x0000000000172000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nbhvygiuhjbkhvyiuhjbhgyi.exe.exehvthvjgfr6tyghgdtrtyigkhvjggft.exe.exe288c47bbc187122b439df19ff4df68f076.exe.exetime.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	hvthvjgfr6tyghgdtrtyigkhvjggft.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	288c47bbc187122b439df19ff4df68f076.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	time.exe

Executes dropped EXE 40 IoCs

Processes:

1.exe.exe2.exe.exeluma.exe.exe4.exe.exe3.exe.exeInstallSetup6.exe.exe288c47bbc187122b439df19ff4df68f076.exe.exenbhvygiuhjbkhvyiuhjbhgyi.exe.exesrr.exe.exeGhxyq.exeGhxyq.execryptedgolden123.exe.exe2024.exe.exeBroomSetup.execrypted1234.exe.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exehvthvjgfr6tyghgdtrtyigkhvjggft.exe.exeMschainblockRef.exensk1A43.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeJTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exeInstallSetup9.exe288c47bbc1871b439df19ff4df68f076.exe

pid	process
4680	1.exe.exe
4988	2.exe.exe
1148	luma.exe.exe
2672	4.exe.exe
2488	3.exe.exe
4688	InstallSetup6.exe.exe
4640	288c47bbc187122b439df19ff4df68f076.exe.exe
3216	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
1936	srr.exe.exe
4216	Ghxyq.exe
556	Ghxyq.exe
4712	cryptedgolden123.exe.exe
3588	2024.exe.exe
1988	BroomSetup.exe
3124	crypted1234.exe.exe
4616	7z.exe
4896	7z.exe
4852	7z.exe
2312	7z.exe
5108	7z.exe
748	7z.exe
3140	7z.exe
1708	7z.exe
1408	7z.exe
1488	7z.exe
4516	hvthvjgfr6tyghgdtrtyigkhvjggft.exe.exe
724	MschainblockRef.exe
4860	nsk1A43.tmp
4628	7z.exe
2072	7z.exe
4664	7z.exe
3384	7z.exe
3808	7z.exe
4432	7z.exe
676	7z.exe
2748	7z.exe
1576	7z.exe
5068	JTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exe
4124	InstallSetup9.exe
4552	288c47bbc1871b439df19ff4df68f076.exe

Loads dropped DLL 22 IoCs

Processes:

InstallSetup6.exe.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
4688	InstallSetup6.exe.exe
4688	InstallSetup6.exe.exe
4688	InstallSetup6.exe.exe
4616	7z.exe
4896	7z.exe
4852	7z.exe
2312	7z.exe
5108	7z.exe
748	7z.exe
3140	7z.exe
1708	7z.exe
1408	7z.exe
1488	7z.exe
4628	7z.exe
2072	7z.exe
4664	7z.exe
3384	7z.exe
3808	7z.exe
4432	7z.exe
676	7z.exe
2748	7z.exe
1576	7z.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1936-133-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/1936-135-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/1936-136-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/1936-137-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/4216-142-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/4216-144-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/4216-145-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/4216-146-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/4216-154-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/556-158-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/556-163-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/556-191-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral2/memory/556-230-0x0000000010000000-0x00000000101B9000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ghxyq.exe

description	ioc	process
File opened (read-only)	\??\S:	Ghxyq.exe
File opened (read-only)	\??\U:	Ghxyq.exe
File opened (read-only)	\??\W:	Ghxyq.exe
File opened (read-only)	\??\Z:	Ghxyq.exe
File opened (read-only)	\??\K:	Ghxyq.exe
File opened (read-only)	\??\M:	Ghxyq.exe
File opened (read-only)	\??\Q:	Ghxyq.exe
File opened (read-only)	\??\V:	Ghxyq.exe
File opened (read-only)	\??\Y:	Ghxyq.exe
File opened (read-only)	\??\E:	Ghxyq.exe
File opened (read-only)	\??\O:	Ghxyq.exe
File opened (read-only)	\??\L:	Ghxyq.exe
File opened (read-only)	\??\N:	Ghxyq.exe
File opened (read-only)	\??\P:	Ghxyq.exe
File opened (read-only)	\??\T:	Ghxyq.exe
File opened (read-only)	\??\G:	Ghxyq.exe
File opened (read-only)	\??\H:	Ghxyq.exe
File opened (read-only)	\??\J:	Ghxyq.exe
File opened (read-only)	\??\R:	Ghxyq.exe
File opened (read-only)	\??\X:	Ghxyq.exe
File opened (read-only)	\??\B:	Ghxyq.exe
File opened (read-only)	\??\I:	Ghxyq.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

143 api.ipify.org
Drops file in System32 directory 2 IoCs

Processes:

srr.exe.exe

description ioc process

File created C:\Windows\SysWOW64\Ghxyq.exe srr.exe.exe
File opened for modification C:\Windows\SysWOW64\Ghxyq.exe srr.exe.exe

flow	ioc
143	api.ipify.org

description	ioc	process
File created	C:\Windows\SysWOW64\Ghxyq.exe	srr.exe.exe
File opened for modification	C:\Windows\SysWOW64\Ghxyq.exe	srr.exe.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

crypted1234.exe.execryptedgolden123.exe.exe

description	pid	process	target process
PID 3124 set thread context of 748	3124	crypted1234.exe.exe	RegAsm.exe
PID 4712 set thread context of 3888	4712	cryptedgolden123.exe.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
492	1148	WerFault.exe	luma.exe.exe
4560	1148	WerFault.exe	luma.exe.exe
1044	748	WerFault.exe	RegAsm.exe
3644	4552	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
4852	4552	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
1368	3888	WerFault.exe	RegAsm.exe
4628	4552	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
5108	4552	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ghxyq.exensk1A43.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ghxyq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsk1A43.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsk1A43.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ghxyq.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

Ghxyq.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Ghxyq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Ghxyq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Ghxyq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Ghxyq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Ghxyq.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3496 PING.EXE

pid	process
3496	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ghxyq.exe

pid	process
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe
556	Ghxyq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

time.exesrr.exe.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.execryptedgolden123.exe.exeMschainblockRef.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	2000	time.exe
Token: SeIncBasePriorityPrivilege	1936	srr.exe.exe
Token: SeRestorePrivilege	4616	7z.exe
Token: 35	4616	7z.exe
Token: SeSecurityPrivilege	4616	7z.exe
Token: SeSecurityPrivilege	4616	7z.exe
Token: SeRestorePrivilege	4896	7z.exe
Token: 35	4896	7z.exe
Token: SeSecurityPrivilege	4896	7z.exe
Token: SeSecurityPrivilege	4896	7z.exe
Token: SeRestorePrivilege	4852	7z.exe
Token: 35	4852	7z.exe
Token: SeSecurityPrivilege	4852	7z.exe
Token: SeSecurityPrivilege	4852	7z.exe
Token: SeRestorePrivilege	2312	7z.exe
Token: 35	2312	7z.exe
Token: SeSecurityPrivilege	2312	7z.exe
Token: SeSecurityPrivilege	2312	7z.exe
Token: SeRestorePrivilege	5108	7z.exe
Token: 35	5108	7z.exe
Token: SeSecurityPrivilege	5108	7z.exe
Token: SeSecurityPrivilege	5108	7z.exe
Token: SeRestorePrivilege	748	7z.exe
Token: 35	748	7z.exe
Token: SeSecurityPrivilege	748	7z.exe
Token: SeSecurityPrivilege	748	7z.exe
Token: SeRestorePrivilege	3140	7z.exe
Token: 35	3140	7z.exe
Token: SeSecurityPrivilege	3140	7z.exe
Token: SeSecurityPrivilege	3140	7z.exe
Token: SeRestorePrivilege	1708	7z.exe
Token: 35	1708	7z.exe
Token: SeSecurityPrivilege	1708	7z.exe
Token: SeSecurityPrivilege	1708	7z.exe
Token: SeRestorePrivilege	1408	7z.exe
Token: 35	1408	7z.exe
Token: SeSecurityPrivilege	1408	7z.exe
Token: SeSecurityPrivilege	1408	7z.exe
Token: SeRestorePrivilege	1488	7z.exe
Token: 35	1488	7z.exe
Token: SeSecurityPrivilege	1488	7z.exe
Token: SeSecurityPrivilege	1488	7z.exe
Token: SeDebugPrivilege	4712	cryptedgolden123.exe.exe
Token: SeDebugPrivilege	724	MschainblockRef.exe
Token: SeRestorePrivilege	4628	7z.exe
Token: 35	4628	7z.exe
Token: SeSecurityPrivilege	4628	7z.exe
Token: SeSecurityPrivilege	4628	7z.exe
Token: SeRestorePrivilege	2072	7z.exe
Token: 35	2072	7z.exe
Token: SeSecurityPrivilege	2072	7z.exe
Token: SeSecurityPrivilege	2072	7z.exe
Token: SeRestorePrivilege	4664	7z.exe
Token: 35	4664	7z.exe
Token: SeSecurityPrivilege	4664	7z.exe
Token: SeSecurityPrivilege	4664	7z.exe
Token: SeRestorePrivilege	3384	7z.exe
Token: 35	3384	7z.exe
Token: SeSecurityPrivilege	3384	7z.exe
Token: SeSecurityPrivilege	3384	7z.exe
Token: SeRestorePrivilege	3808	7z.exe
Token: 35	3808	7z.exe
Token: SeSecurityPrivilege	3808	7z.exe
Token: SeSecurityPrivilege	3808	7z.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

1988 BroomSetup.exe

pid	process
1988	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

time.exesrr.exe.exeGhxyq.execmd.exeInstallSetup6.exe.exenbhvygiuhjbkhvyiuhjbhgyi.exe.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 4680	2000	time.exe	1.exe.exe
PID 2000 wrote to memory of 4680	2000	time.exe	1.exe.exe
PID 2000 wrote to memory of 4680	2000	time.exe	1.exe.exe
PID 2000 wrote to memory of 4988	2000	time.exe	2.exe.exe
PID 2000 wrote to memory of 4988	2000	time.exe	2.exe.exe
PID 2000 wrote to memory of 4988	2000	time.exe	2.exe.exe
PID 2000 wrote to memory of 1148	2000	time.exe	luma.exe.exe
PID 2000 wrote to memory of 1148	2000	time.exe	luma.exe.exe
PID 2000 wrote to memory of 1148	2000	time.exe	luma.exe.exe
PID 2000 wrote to memory of 2672	2000	time.exe	4.exe.exe
PID 2000 wrote to memory of 2672	2000	time.exe	4.exe.exe
PID 2000 wrote to memory of 2672	2000	time.exe	4.exe.exe
PID 2000 wrote to memory of 2488	2000	time.exe	3.exe.exe
PID 2000 wrote to memory of 2488	2000	time.exe	3.exe.exe
PID 2000 wrote to memory of 2488	2000	time.exe	3.exe.exe
PID 2000 wrote to memory of 4688	2000	time.exe	InstallSetup6.exe.exe
PID 2000 wrote to memory of 4688	2000	time.exe	InstallSetup6.exe.exe
PID 2000 wrote to memory of 4688	2000	time.exe	InstallSetup6.exe.exe
PID 2000 wrote to memory of 4640	2000	time.exe	288c47bbc187122b439df19ff4df68f076.exe.exe
PID 2000 wrote to memory of 4640	2000	time.exe	288c47bbc187122b439df19ff4df68f076.exe.exe
PID 2000 wrote to memory of 4640	2000	time.exe	288c47bbc187122b439df19ff4df68f076.exe.exe
PID 2000 wrote to memory of 3216	2000	time.exe	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
PID 2000 wrote to memory of 3216	2000	time.exe	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
PID 2000 wrote to memory of 3216	2000	time.exe	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
PID 2000 wrote to memory of 1936	2000	time.exe	srr.exe.exe
PID 2000 wrote to memory of 1936	2000	time.exe	srr.exe.exe
PID 2000 wrote to memory of 1936	2000	time.exe	srr.exe.exe
PID 1936 wrote to memory of 772	1936	srr.exe.exe	cmd.exe
PID 1936 wrote to memory of 772	1936	srr.exe.exe	cmd.exe
PID 1936 wrote to memory of 772	1936	srr.exe.exe	cmd.exe
PID 4216 wrote to memory of 556	4216	Ghxyq.exe	Ghxyq.exe
PID 4216 wrote to memory of 556	4216	Ghxyq.exe	Ghxyq.exe
PID 4216 wrote to memory of 556	4216	Ghxyq.exe	Ghxyq.exe
PID 2000 wrote to memory of 4712	2000	time.exe	cryptedgolden123.exe.exe
PID 2000 wrote to memory of 4712	2000	time.exe	cryptedgolden123.exe.exe
PID 2000 wrote to memory of 4712	2000	time.exe	cryptedgolden123.exe.exe
PID 772 wrote to memory of 3496	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 3496	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 3496	772	cmd.exe	PING.EXE
PID 2000 wrote to memory of 3588	2000	time.exe	2024.exe.exe
PID 2000 wrote to memory of 3588	2000	time.exe	2024.exe.exe
PID 2000 wrote to memory of 3588	2000	time.exe	2024.exe.exe
PID 4688 wrote to memory of 1988	4688	InstallSetup6.exe.exe	BroomSetup.exe
PID 4688 wrote to memory of 1988	4688	InstallSetup6.exe.exe	BroomSetup.exe
PID 4688 wrote to memory of 1988	4688	InstallSetup6.exe.exe	BroomSetup.exe
PID 2000 wrote to memory of 3124	2000	time.exe	crypted1234.exe.exe
PID 2000 wrote to memory of 3124	2000	time.exe	crypted1234.exe.exe
PID 2000 wrote to memory of 3124	2000	time.exe	crypted1234.exe.exe
PID 3216 wrote to memory of 2252	3216	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe	cmd.exe
PID 3216 wrote to memory of 2252	3216	nbhvygiuhjbkhvyiuhjbhgyi.exe.exe	cmd.exe
PID 2252 wrote to memory of 3928	2252	cmd.exe	mode.com
PID 2252 wrote to memory of 3928	2252	cmd.exe	mode.com
PID 2252 wrote to memory of 4616	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 4616	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 4896	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 4896	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 4852	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 4852	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 2312	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 2312	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 5108	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 5108	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 748	2252	cmd.exe	7z.exe
PID 2252 wrote to memory of 748	2252	cmd.exe	7z.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3756 attrib.exe
2956 attrib.exe

pid	process
3756	attrib.exe
2956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\time.exe
"C:\Users\Admin\AppData\Local\Temp\time.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\1.exe.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe.exe"
2⤵
- Executes dropped EXE
PID:4680

C:\Users\Admin\AppData\Local\Temp\2.exe.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe.exe"
2⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\AppData\Local\Temp\luma.exe.exe
"C:\Users\Admin\AppData\Local\Temp\luma.exe.exe"
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1096
3⤵
- Program crash
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1080
3⤵
- Program crash
PID:4560

C:\Users\Admin\AppData\Local\Temp\4.exe.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe.exe"
2⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\3.exe.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe.exe"
2⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\AppData\Local\Temp\InstallSetup6.exe.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup6.exe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Users\Admin\AppData\Local\Temp\nsk1A43.tmp
C:\Users\Admin\AppData\Local\Temp\nsk1A43.tmp
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4860

C:\Users\Admin\AppData\Local\Temp\288c47bbc187122b439df19ff4df68f076.exe.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc187122b439df19ff4df68f076.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4640

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
3⤵
- Executes dropped EXE
PID:4124

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 372
4⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 388
4⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 396
4⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 664
4⤵
- Program crash
PID:5108

C:\Users\Admin\AppData\Local\Temp\nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
"C:\Users\Admin\AppData\Local\Temp\nbhvygiuhjbkhvyiuhjbhgyi.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p379128881903629383159398698 -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\attrib.exe
attrib +H "MschainblockRef.exe"
4⤵
- Views/modifies file attributes
PID:3756

C:\Users\Admin\AppData\Local\Temp\main\MschainblockRef.exe
"MschainblockRef.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Users\Admin\AppData\Local\Temp\srr.exe.exe
"C:\Users\Admin\AppData\Local\Temp\srr.exe.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SRREXE~1.EXE > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:3496

C:\Users\Admin\AppData\Local\Temp\cryptedgolden123.exe.exe
"C:\Users\Admin\AppData\Local\Temp\cryptedgolden123.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 552
4⤵
- Program crash
PID:1368

C:\Users\Admin\AppData\Local\Temp\2024.exe.exe
"C:\Users\Admin\AppData\Local\Temp\2024.exe.exe"
2⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\AppData\Local\Temp\crypted1234.exe.exe
"C:\Users\Admin\AppData\Local\Temp\crypted1234.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 560
4⤵
- Program crash
PID:1044

C:\Users\Admin\AppData\Local\Temp\hvthvjgfr6tyghgdtrtyigkhvjggft.exe.exe
"C:\Users\Admin\AppData\Local\Temp\hvthvjgfr6tyghgdtrtyigkhvjggft.exe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:1708

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p258012452411327053163919523 -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4432

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576

C:\Windows\system32\attrib.exe
attrib +H "JTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exe"
4⤵
- Views/modifies file attributes
PID:2956

C:\Users\Admin\AppData\Local\Temp\main\JTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exe
"JTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exe"
4⤵
- Executes dropped EXE
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1148 -ip 1148
1⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4988 -ip 4988
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4680 -ip 4680
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1148 -ip 1148
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2672 -ip 2672
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4680 -ip 4680
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4680 -ip 4680
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2488 -ip 2488
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2488 -ip 2488
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2672 -ip 2672
1⤵
PID:4408

C:\Windows\SysWOW64\Ghxyq.exe
C:\Windows\SysWOW64\Ghxyq.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\Ghxyq.exe
C:\Windows\SysWOW64\Ghxyq.exe -acsi
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 748 -ip 748
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4552 -ip 4552
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4552 -ip 4552
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3888 -ip 3888
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4552 -ip 4552
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4552 -ip 4552
1⤵
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe.exe
Filesize
393KB

MD5
0f58955700a934efece7eacadcefc950

SHA1
047b4243a2f1d2894ea4653f166581e871b63639

SHA256
ca0e2e53c24c4339d25101161f12eade64bb8d0624689aff35928ca6cbd3fc2f

SHA512
2ac316f764e88187b4481db08ea1f4fea5caa996d6c2dc6227e21a3db6a2682ed275b8882fe9647eb81630d4a48b09a238603cf0d60036f27f1f2083436f074b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe.exe
Filesize
385KB

MD5
f488790f6608a2e2b7d53e539484a8eb

SHA1
ed26a4faa5e8c285c8ea3af6b62fd86ac1341a66

SHA256
baf1ef6054b6f5218ae5c53b563d80f8a6bfc96a486e25550f613c9a4024634b

SHA512
ee372937647cdc6a9f0d01f2996cc4ab7539c820f1ea96acce2fe5fd3218a1a537d5a197d5b34d396c7d2d6eb8567fd34de1cebe5fa183bd645182914937a664

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024.exe.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc187122b439df19ff4df68f076.exe.exe
Filesize
6.6MB

MD5
d872ad98ce3e3db8497ccd15e0baad33

SHA1
bad90a2ac6545496ced8ecb38e0a589a641c2df3

SHA256
d77a59decea0b458372ccc3ace96fcf3726346ef030fb6dd35e0ba64ba734f0b

SHA512
6ebdfce4d44949a307bbe791306b12a58ab0975a42220297cb750643cf6291acf5a9c3edf15b21e1ad100ee0bdb49442f46abda9433d549907c1f7543963d38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
47312991c9f5424763a973014e9cccc7

SHA1
86d3b11e4fd25159d66b9c1b9d2aff35c2d04b1d

SHA256
54d3d2ab4783fc2efa04573800bd422e34cb1fb8a90c56b3e27b94ff007d7a5a

SHA512
50b341ef390fbd89f4436b0f2754a6128ca017483c258551807d317cb9fe0dde8db0f8e355f9e8e569c89bfa85ea4f4c5b442bbb627fa225597aeacbdb2cd87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe.exe
Filesize
572KB

MD5
a8dace7c846f4ef07bb755707a0dd1b0

SHA1
e5660ab0f3cbe65474d8859ed28a4e89547ff3cc

SHA256
f2ac390b52f206b054befdf6b04f717b98df64eeb74c83629a75a93f09b1a6c7

SHA512
be5dc0f71498d3c8ea7bf6091dc5f61e28e0895301406481182d7ca3cf3540cdd1ed1ae7accb5bc1a8ea0099644583950be367f0a9a75b52a69af55daca846e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe.exe
Filesize
579KB

MD5
913edccd8dd523f0c257a7f55598a19f

SHA1
97037d7d5e66266458e6a25659731c0df75aeb35

SHA256
d0088d5fbd159e1d0c51bd9a069382acb3d246a5f94bcd19bcd32897b85d91c1

SHA512
ec773de1b317337e8a5498df2de4cefd80a626c2edb3877be0a310bd5e6387511f5576be3a1c28502ec7fbe2dd3743dbbba9aaf6279293fdf813924291b273aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup6.exe.exe
Filesize
2.4MB

MD5
aabd69ba023d8a43654a3d93013f4006

SHA1
4e7d22e88ba6dc2ffc65c1d6d06f9e750d81960c

SHA256
a5c3953bc98a6e0d255ef2349c578fe7d9c3acb9484c5d2c9c34673d1392c431

SHA512
174544ad65560475d5ff024717a0ff856bd391d96d38739ea21469a723edc28668805d685dda5b8371ca7496c1e3d766b50ce115adefb07807658a99f201d524

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted1234.exe.exe
Filesize
1.1MB

MD5
91181ab80e0f828910908cb623f59430

SHA1
059fcc2220889d0942a54f0062eaa90ef25519e3

SHA256
5805ba05b4054885a03cfcfaa9a114a9779f588ed93f2ca4ba7a0398645434de

SHA512
489da9fa9b7ddd4a3098d83a9c63df5d499fd5c61feace6c9300c73b1889d496d0671ebcd755e0b30d0627265f96185f06853f67159be8a2ff311d0263f32392

Download Submit
C:\Users\Admin\AppData\Local\Temp\cryptedgolden123.exe.exe
Filesize
1.0MB

MD5
c4c53c2ab7df21cbe96c00e9fc0831bb

SHA1
783ce7295012d5d92b55b64cb83560378492dae8

SHA256
1f61c34deddf39f3fecab0644ad6c9cf59e8cf9b1795d05def642914c1c6bbe2

SHA512
5d66b9cd60da5469ddd592cc6446a4fb24b3ce620343a63010104d81a3238a77333d21ca25d1d9f97e5e7f16ddf9680400d146bf6cb2e745a889c16113f755cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\elonraisedtheworldccc176.jpg.exe
Filesize
92KB

MD5
b99820617e519f36acc1a55a1761adbe

SHA1
e521543f9961ecb48975cde1c8d64bfe416c4433

SHA256
ad92e208a67e755765c022bdb68d15441c607e1da2f66ab24c9606c875d3bc7d

SHA512
07a79691edf6b479382451c2bc2b56b8ee3221938662d44cdde77edeaef702cef9295b11fac76105fd4ea9571f7f170dc3fd97f08dae0615390c1c3eb75bc09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvthvjgfr6tyghgdtrtyigkhvjggft.exe.exe
Filesize
3.0MB

MD5
c566575477a2c9f70f2ad5481bc81fe1

SHA1
c2454c32d02e5151c0ff34ac70697fc0dbf500e8

SHA256
97f65a11f372b7cfdace34c1aac4b114f3d04bbc73b4c1dc3be743d506532b5d

SHA512
f911a6f6ea1f93a05c7268984237ace06fada72c394370acce0158a573a9f6e6d992a4a5612a554575f5a7c640d767870cd0746b5fd5e82bb98da0ed37440095

Download Submit
C:\Users\Admin\AppData\Local\Temp\luma.exe.exe
Filesize
689KB

MD5
d9ce29995b57c7d3a1e4e7901db22bc7

SHA1
40b2690da143bf386537c53c4b7dad034caf8dcc

SHA256
539471f0ad07c5b7ad10b55ed4f9ded8f481384f3fdb1a7395e657010e00986a

SHA512
eb1c09418ed9e8aca8cb1698b9cb6e90567cd49fd2f6c7d12e8c78922199b0b1721f30edfdf15040b724eb956d41a2e68b9e1bdd38eae4bb0054952033bc435f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\MschainblockRef.exe
Filesize
1.9MB

MD5
1fa79ca7b31c7948dc71b3e4e6b9e623

SHA1
4373ba465f3c4c8c5ccb9fbc233233480f7ff096

SHA256
45fb9b86719b53d85128fd3a64b19acadbe10d78bab4f22bc16b69a12d518264

SHA512
6f170e77f0115513d334b81910d22af6f0aceeff361b25cccaaddb379642950ab3083b0c1b8984365743791e57edf360b84cc36aad23db12b89ad061358d559f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize
1.5MB

MD5
3f1222e285434994a4db770a093efffe

SHA1
e239cc408e0e7626b566ae5c30e9ad21c7311007

SHA256
ab5a91ce0d4071d1d3e17895996686754d00d5657ea1d1e51f0f85d14929db5c

SHA512
1b3dddca39fdaba1f32c5a0d232481edc74a6bf8378a1f1bb48830fef5f2517628b94f78513664bf8a2964fe8148db672750728e759b7cb31b7dc168108aab49

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize
1.5MB

MD5
24dc000600cd1ec46f5cafff2db29657

SHA1
f79dd21aaabebe476d77ca8776d97987262d30ad

SHA256
6cbc34d0eeac4dc5ba47e87c60759e59099c54fa238aa11be1239e40cdd40ff6

SHA512
83e0bc35662bd4abbb28cbaa2893f83526226c1657bd384a66bb95694776249fb134ec424c3fdc4b6ad753150edd15cc8f9bbcb6268ee094079ff52548019ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
Filesize
1.5MB

MD5
43182df23c8b9d9d07fc7cc287b593c5

SHA1
a9fc978ca8486e742741fea1b8242250561e1946

SHA256
9ff03453cd6a575695c203ad35c3145291e96e06be23970836fdb0470d2ff571

SHA512
1b7e53048866e833749596c4cc3f20c95ad8c7be6acb2bd1eb9a260bd15045af5aade5bfd5ac2b2de9e7078a424accba8ac2652270f4c0288057446f9c8140e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
Filesize
1.5MB

MD5
aa239c3a085d7621ab986f0589e35bb9

SHA1
45d9d1d0bee949fc23dfe3f1b93a677d85e5f553

SHA256
dc295efe5b9d73ff4865973025ec30eaefebb7d6f4d0e879fce498179ecdbec8

SHA512
0a69f8de10d609f07a2f6345f1ffcab75fbeed47e26bf50d0648eaeb27dfae88604eba36dc275ed3565ddbb2ce4c5e12a54970c0382278bfd325d6ffd9a2965a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
Filesize
1.5MB

MD5
4fe15e1668c7e82a13285313c14a9b91

SHA1
b71db0606c8e05af75bf7f9589d386378a5accb1

SHA256
bc4c68efd93cf8b589e606ae16ba4dfc0b56195bcedf45c534415d29a6355074

SHA512
282a27cbdc0f655733aef65d0fa6bc6a47becafb9bc227d287df9b1ddbd6f7b9b45a885c2d2eac94d535c799942e6226dca57443c8b738e043d6af30bdc168d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
Filesize
1.5MB

MD5
f52b32cb2d23b5dde77dc555c52fcfd5

SHA1
2f6de787951b2369b02d14391c4a9fde787000cf

SHA256
73fedb6eb1b2412af1029b1124782ee946c8393cf8ec382a8d5f21208600789f

SHA512
18c3a37e5b51d88a4773e02e6ef6ebe2992a7326e2910dfe40cccc0e5073267e21b174b22837cd14f51b6332916027752fd654a4733b09072a07351cbb6a792e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
Filesize
1.5MB

MD5
54b367a164a8916da65795105d3992a4

SHA1
feec664d2e36819f9ecc8911d6849c3851ce794b

SHA256
325004023f8c8991bc1c3098533278b95036e61221adad828db4aed9e03271b4

SHA512
421e24aa935f5408774a298539af3e7f60eb51b414fb2098c5409cad304aaa03ecf9f4fe2243e905f98f3b68ca50deaddac68cf0831293362628927e0d056f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
Filesize
1.5MB

MD5
377414d6dc3600960f1be5f56f77fe29

SHA1
41471943b56cd6b8e54cdd22d76a2d315b46221b

SHA256
144bf11d61a6bfc88d2f308ed582a69ea27d2f2a66ab237816322dfc88dd2098

SHA512
0fd169a2d114399a3ec6de0f71700356d135f9a067380e17397893c1b46596026c7a7e6ffd792375adb56ba7b94ac883919e16d9ec1593eb2c9a4ea3670e616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
Filesize
3.1MB

MD5
66eececfdbe3ac9faa02904780e9f1c5

SHA1
6211dc2ec8da4dda2ca54f08c317ed539d3ea9fe

SHA256
ad3baa8a49b360935b9f2ce2629ecca1898b9cafc0fb24137a4276790b9bfae9

SHA512
70faa04bd6cd05ed8c57ce9d6c8e1acd41923f7d1e15b16b73ab243ecf63fd714c638ab0b089ca2dc9e316f3982df5ca4f46fb3e21458759570e1bfe461b2dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
3.1MB

MD5
b82cf0feafb9dc0e8aeb70d00ded1b00

SHA1
5c854dc8b050847361773801c7f0932beeb2217f

SHA256
c96bc73446aa9e5da3a95ba38040d371b3b64975f700b9de738d18764d6e4a30

SHA512
5e690516d7a81d1164d7f4a71f4b2ccbc58a8aed73d07ddb08b16f4556c4bdf2fc847758c2ad503d97c50400f1ddf3a84f516e5f13a5de03437679bd2a3eb904

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
503B

MD5
85aecc97cf639ec7d7bb3c96d927e24e

SHA1
d2b0185e4e7a1ba83b09a950b5272d43707ddf04

SHA256
5f27fa4e4f7c8b27350a677e615cea3d23e02370a2e2472ade1a17d0655b0604

SHA512
71e548f7d7de020cfdda4b92c3dd40bbada8366070a636e5828ccfe826972d9d2b305ccc93a6c78694dd75c12dbfa24ebdf9279a0737abdea16d232ec9fb7d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdm.jpg.exe
Filesize
421KB

MD5
99c23706a4bd973ebda4bdb88b87c834

SHA1
672a6a80bd7484229111364c73ca1973e76803f3

SHA256
83babee77db36512c0eab8ea6b35e981aa4288a4095985d69b3841f8b684fe11

SHA512
e2ebfe843379bb7608a542f42828c187dcb78769c165af9add3c3426c464f6613c1a9b19c5b38064ce4e1228a67970bdd1d1f23b7d3024e3006bb22b06c85a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbhvygiuhjbkhvyiuhjbhgyi.exe.exe
Filesize
4.0MB

MD5
15f1d514f044c09b23254d2c6a7afc30

SHA1
157b9cec25720fcab4e98f1a517d3f31b7907988

SHA256
13e063bc39be5c694f3bb67deead2b8a4781d98a0c26cc2d8ec68e0a72726dc7

SHA512
253e0ca0594baba04267f92c2130b7d714589cf95eaa5f672e94317688fa25c02f0e86e49a3ab5cf71c87dbdb54181d45ee4648818feae1e39eee735e889f9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj97F3.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\srr.exe.exe
Filesize
396KB

MD5
33bede7ea0b8b8c42e877d069a40c357

SHA1
5cca20082b4fda84f6fad7446d0d3e7c969edc56

SHA256
c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d

SHA512
72a85b79c650997f463c3de979618883c18a9b62054cf33b232cf31454d24cabd608d150e0df21815c1da728253053f7c73935181810a9c55d4564ab49267d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wt.jpg.exe
Filesize
421KB

MD5
99fb1e2d57c957ada0f593837aad137a

SHA1
93e537b48d68597ff71a78f0d15303d08853cea8

SHA256
e324ff0e54acb33d1210d92b9fd2b5d5a017916cad01aef7656f538fa7c21bf5

SHA512
8e430765ad7a1b2cb9f8fddf5ed39ecd97ae4d5193a06bfc83d4e47a6068aa6e9593a7109199885bfff484c37da7dc86b19d5ffb1e0a3eab423d3e7390aa5364

Download Submit
memory/556-158-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/556-191-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/556-163-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/556-230-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/724-321-0x00007FFA21F40000-0x00007FFA22A01000-memory.dmp

Filesize
10.8MB

Download
memory/724-410-0x00007FFA21F40000-0x00007FFA22A01000-memory.dmp

Filesize
10.8MB

Download
memory/724-318-0x0000000000D80000-0x0000000000F72000-memory.dmp

Filesize
1.9MB

Download
memory/724-349-0x0000000001710000-0x0000000001711000-memory.dmp

Filesize
4KB

Download
memory/724-337-0x000000001BD40000-0x000000001BD50000-memory.dmp

Filesize
64KB

Download
memory/748-345-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/748-348-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/748-346-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/748-335-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1148-39-0x0000000000850000-0x00000000008E3000-memory.dmp

Filesize
588KB

Download
memory/1148-45-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1148-44-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1148-212-0x0000000000850000-0x00000000008E3000-memory.dmp

Filesize
588KB

Download
memory/1148-70-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1936-133-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/1936-137-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/1936-136-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/1936-135-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/1988-229-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1988-363-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1988-235-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1988-319-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1988-198-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1988-211-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2000-2-0x000000001AC10000-0x000000001AC20000-memory.dmp

Filesize
64KB

Download
memory/2000-0-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2000-3-0x00007FFA21F40000-0x00007FFA22A01000-memory.dmp

Filesize
10.8MB

Download
memory/2000-1-0x00007FFA21F40000-0x00007FFA22A01000-memory.dmp

Filesize
10.8MB

Download
memory/2000-13-0x000000001AC10000-0x000000001AC20000-memory.dmp

Filesize
64KB

Download
memory/2488-102-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2672-54-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3124-225-0x00000000007D0000-0x00000000008FC000-memory.dmp

Filesize
1.2MB

Download
memory/3124-336-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/3124-334-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/3124-392-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3124-333-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3124-332-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/3124-322-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3124-224-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3588-242-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3588-315-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/3588-226-0x0000000000120000-0x0000000000172000-memory.dmp

Filesize
328KB

Download
memory/3588-231-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/3588-201-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3888-405-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3888-400-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3888-407-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3888-404-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4216-145-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/4216-146-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/4216-154-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/4216-142-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/4216-144-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/4552-411-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4552-409-0x0000000002E00000-0x00000000036EB000-memory.dmp

Filesize
8.9MB

Download
memory/4552-408-0x0000000001160000-0x000000000155F000-memory.dmp

Filesize
4.0MB

Download
memory/4640-200-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4640-241-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4640-397-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4640-228-0x0000000000E20000-0x00000000014C0000-memory.dmp

Filesize
6.6MB

Download
memory/4680-65-0x0000000002070000-0x00000000020A2000-memory.dmp

Filesize
200KB

Download
memory/4680-66-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/4712-364-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4712-401-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4712-403-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4712-199-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4712-240-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4712-227-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4860-387-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4860-344-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4860-325-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download
memory/4860-324-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/4988-37-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4988-55-0x0000000000710000-0x0000000000742000-memory.dmp

Filesize
200KB

Download
memory/4988-64-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download