amadey | 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

Resubmissions

24-01-2024 18:01

240124-wlzj7sehd6 10

23-01-2024 16:21

240123-ttm52acff5 10

Analysis

max time kernel
42s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06437ffb6c87f69539842cd536e78d3.exe
Size

791KB
MD5

b06437ffb6c87f69539842cd536e78d3
SHA1

6799f24d5ff74fe1a045ea9845704bbbd1c818f6
SHA256

38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
SHA512

b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10
SSDEEP

24576:v/pYwErMbvMnTwQmBaWnBCqKZoYI81IuZ:H6wErMLMnTlmBaWntKZYuZ

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.176:13781

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276�6914c4.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2480-593-0x0000000000230000-0x000000000025C000-memory.dmp	family_vidar_v6

Detected Djvu ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2308-415-0x00000000004C0000-0x00000000005DB000-memory.dmp	family_djvu
behavioral1/memory/936-455-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/692-174-0x0000000002AC0000-0x00000000033AB000-memory.dmp	family_glupteba
behavioral1/memory/692-213-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/692-379-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/692-552-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-51-0x00000000022F0000-0x0000000002332000-memory.dmp	family_redline
behavioral1/memory/1680-56-0x0000000002330000-0x000000000236E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline
behavioral1/memory/892-173-0x0000000000AB0000-0x0000000000B04000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2992-188-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-191-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-194-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-197-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-201-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-219-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-202-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-221-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-225-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-251-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-262-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-265-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-268-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1584-274-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2992-267-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1584-275-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1584-297-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1584-298-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1584-299-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

moto.exeiojmibhyhiws.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe

Executes dropped EXE 14 IoCs

Processes:

explorhe.exelatestrocki.exeleg221.exeInstallSetup7.exemoto.exetoolspub1.exekskskfsf.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exeiojmibhyhiws.exepixellslsss.exeiojmibhyhiws.exe

pid	process
2272	explorhe.exe
2480	latestrocki.exe
1680	leg221.exe
2896	InstallSetup7.exe
2656	moto.exe
2168	toolspub1.exe
2400	kskskfsf.exe
692	31839b57a4f11171d6abc8bbc4451ee4.exe
2276	BroomSetup.exe
992	rty25.exe
464
384	iojmibhyhiws.exe
892	pixellslsss.exe
2628	iojmibhyhiws.exe

Loads dropped DLL 24 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exelatestrocki.exeInstallSetup7.exeWerFault.exerundll32.exe

pid	process
1888	b06437ffb6c87f69539842cd536e78d3.exe
2272	explorhe.exe
2272	explorhe.exe
2480	latestrocki.exe
2272	explorhe.exe
2272	explorhe.exe
2480	latestrocki.exe
2480	latestrocki.exe
2272	explorhe.exe
2272	explorhe.exe
2480	latestrocki.exe
2480	latestrocki.exe
2896	InstallSetup7.exe
2896	InstallSetup7.exe
2480	latestrocki.exe
464
2272	explorhe.exe
1688	WerFault.exe
1688	WerFault.exe
2904	rundll32.exe
2904	rundll32.exe
2904	rundll32.exe
2904	rundll32.exe
1688	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2376 icacls.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.2ip.ua
40 api.2ip.ua
51 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exe

pid process

1888 b06437ffb6c87f69539842cd536e78d3.exe
2272 explorhe.exe
2272 explorhe.exe
2272 explorhe.exe

pid	process
2376	icacls.exe

flow	ioc
39	api.2ip.ua
40	api.2ip.ua
51	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

iojmibhyhiws.exeiojmibhyhiws.exe

description	pid	process	target process
PID 384 set thread context of 1064	384	iojmibhyhiws.exe	conhost.exe
PID 384 set thread context of 2992	384	iojmibhyhiws.exe	conhost.exe
PID 2628 set thread context of 1584	2628	iojmibhyhiws.exe	conhost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2172 sc.exe
268 sc.exe
1288 sc.exe
2132 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1688 2400 WerFault.exe kskskfsf.exe

pid	process
2172	sc.exe
268	sc.exe
1288	sc.exe
2132	sc.exe

pid	pid_target	process	target process
1688	2400	WerFault.exe	kskskfsf.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2620 schtasks.exe
1876 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1520 timeout.exe

pid	process
2620	schtasks.exe
1876	schtasks.exe

pid	process
1520	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rty25.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty25.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

moto.exetoolspub1.exeiojmibhyhiws.execonhost.exeiojmibhyhiws.exe

pid	process
2656	moto.exe
2656	moto.exe
2656	moto.exe
2656	moto.exe
2656	moto.exe
2168	toolspub1.exe
2168	toolspub1.exe
384	iojmibhyhiws.exe
384	iojmibhyhiws.exe
1384
1384
1384
1384
1384
1064	conhost.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
2628	iojmibhyhiws.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub1.exe

pid process

2168 toolspub1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

conhost.exe

description pid process

Token: SeShutdownPrivilege 1384
Token: SeLockMemoryPrivilege 2992 conhost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exe

pid process

1888 b06437ffb6c87f69539842cd536e78d3.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exeBroomSetup.exe

pid process

1888 b06437ffb6c87f69539842cd536e78d3.exe
2272 explorhe.exe
2276 BroomSetup.exe

pid	process
2168	toolspub1.exe

description	pid	process
Token: SeShutdownPrivilege	1384
Token: SeLockMemoryPrivilege	2992	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exelatestrocki.exeInstallSetup7.execmd.exekskskfsf.exeiojmibhyhiws.exe

description	pid	process	target process
PID 1888 wrote to memory of 2272	1888	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 1888 wrote to memory of 2272	1888	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 1888 wrote to memory of 2272	1888	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 1888 wrote to memory of 2272	1888	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 2272 wrote to memory of 2620	2272	explorhe.exe	schtasks.exe
PID 2272 wrote to memory of 2620	2272	explorhe.exe	schtasks.exe
PID 2272 wrote to memory of 2620	2272	explorhe.exe	schtasks.exe
PID 2272 wrote to memory of 2620	2272	explorhe.exe	schtasks.exe
PID 2272 wrote to memory of 2480	2272	explorhe.exe	latestrocki.exe
PID 2272 wrote to memory of 2480	2272	explorhe.exe	latestrocki.exe
PID 2272 wrote to memory of 2480	2272	explorhe.exe	latestrocki.exe
PID 2272 wrote to memory of 2480	2272	explorhe.exe	latestrocki.exe
PID 2272 wrote to memory of 1680	2272	explorhe.exe	leg221.exe
PID 2272 wrote to memory of 1680	2272	explorhe.exe	leg221.exe
PID 2272 wrote to memory of 1680	2272	explorhe.exe	leg221.exe
PID 2272 wrote to memory of 1680	2272	explorhe.exe	leg221.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2480 wrote to memory of 2896	2480	latestrocki.exe	InstallSetup7.exe
PID 2272 wrote to memory of 2656	2272	explorhe.exe	moto.exe
PID 2272 wrote to memory of 2656	2272	explorhe.exe	moto.exe
PID 2272 wrote to memory of 2656	2272	explorhe.exe	moto.exe
PID 2272 wrote to memory of 2656	2272	explorhe.exe	moto.exe
PID 2480 wrote to memory of 2168	2480	latestrocki.exe	toolspub1.exe
PID 2480 wrote to memory of 2168	2480	latestrocki.exe	toolspub1.exe
PID 2480 wrote to memory of 2168	2480	latestrocki.exe	toolspub1.exe
PID 2480 wrote to memory of 2168	2480	latestrocki.exe	toolspub1.exe
PID 2272 wrote to memory of 2400	2272	explorhe.exe	kskskfsf.exe
PID 2272 wrote to memory of 2400	2272	explorhe.exe	kskskfsf.exe
PID 2272 wrote to memory of 2400	2272	explorhe.exe	kskskfsf.exe
PID 2272 wrote to memory of 2400	2272	explorhe.exe	kskskfsf.exe
PID 2480 wrote to memory of 692	2480	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2480 wrote to memory of 692	2480	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2480 wrote to memory of 692	2480	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2480 wrote to memory of 692	2480	latestrocki.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2896 wrote to memory of 2276	2896	InstallSetup7.exe	BroomSetup.exe
PID 2480 wrote to memory of 992	2480	latestrocki.exe	rty25.exe
PID 2480 wrote to memory of 992	2480	latestrocki.exe	rty25.exe
PID 2480 wrote to memory of 992	2480	latestrocki.exe	rty25.exe
PID 2480 wrote to memory of 992	2480	latestrocki.exe	rty25.exe
PID 2272 wrote to memory of 892	2272	explorhe.exe	pixellslsss.exe
PID 2272 wrote to memory of 892	2272	explorhe.exe	pixellslsss.exe
PID 2272 wrote to memory of 892	2272	explorhe.exe	pixellslsss.exe
PID 2272 wrote to memory of 892	2272	explorhe.exe	pixellslsss.exe
PID 960 wrote to memory of 2056	960	cmd.exe	choice.exe
PID 960 wrote to memory of 2056	960	cmd.exe	choice.exe
PID 960 wrote to memory of 2056	960	cmd.exe	choice.exe
PID 2400 wrote to memory of 1688	2400	kskskfsf.exe	WerFault.exe
PID 2400 wrote to memory of 1688	2400	kskskfsf.exe	WerFault.exe
PID 2400 wrote to memory of 1688	2400	kskskfsf.exe	WerFault.exe
PID 2400 wrote to memory of 1688	2400	kskskfsf.exe	WerFault.exe
PID 384 wrote to memory of 1064	384	iojmibhyhiws.exe	conhost.exe
PID 384 wrote to memory of 1064	384	iojmibhyhiws.exe	conhost.exe
PID 384 wrote to memory of 1064	384	iojmibhyhiws.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2620

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:2192

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:1876

C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp
C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp
5⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:2560

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
7⤵
- Delays execution with timeout.exe
PID:1520

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2168

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
PID:692

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:992

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"
3⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:2172

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2056

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:1288

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2132

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 144
4⤵
- Loads dropped DLL
- Program crash
PID:1688

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
3⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:2904

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\system32\conhost.exe
conhost.exe
4⤵
PID:1584

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Users\Admin\AppData\Local\Temp\40E7.exe
C:\Users\Admin\AppData\Local\Temp\40E7.exe
1⤵
PID:1656

C:\Windows\system32\taskeng.exe
taskeng.exe {E3F137C3-06F9-47A3-8CA9-0A3868410082} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\88E0.exe
C:\Users\Admin\AppData\Local\Temp\88E0.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\88E0.exe
C:\Users\Admin\AppData\Local\Temp\88E0.exe
2⤵
PID:936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d88f5157-c769-474b-90c8-6318755fcfeb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2376

C:\Users\Admin\AppData\Local\Temp\88E0.exe
"C:\Users\Admin\AppData\Local\Temp\88E0.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\88E0.exe
"C:\Users\Admin\AppData\Local\Temp\88E0.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:2460

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe
"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe"
5⤵
PID:2480

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe
"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe"
6⤵
PID:2832

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe
"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe"
5⤵
PID:1552

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240123162238.log C:\Windows\Logs\CBS\CbsPersist_20240123162238.cab
1⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\B2A.exe
C:\Users\Admin\AppData\Local\Temp\B2A.exe
1⤵
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
1.8MB

MD5
af868c83b88a7437ab8d50f4a6de7877

SHA1
25affd2a2f5c2928f557e1000eac02ec369f42d4

SHA256
a82c49e1ec60b682ed9cd31e7218a1c3d2e73b98f00d470c1f82ce9302a85daf

SHA512
e04aa5dccce2e3edcdd47082c1769f144fd028989582f904c8e27984067871663843b3a68bc1a21cd570a1b824d961147ff248b4c014bfbba1288e093ca559ce

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
768KB

MD5
924e62af7c379f8b668a67152942954d

SHA1
13b875f3b08118445a652ee86a59f89583524d4b

SHA256
a42b84387b361e0bfece96748d9b36c91b76504a5848459f3951da6f67f454bd

SHA512
6e179822005b08336e0734e51e47f1da936f14a535a3dee15db181ebfa53fd7a48ed8c71d1e9a1476a8d0f39b3de90909ddbc86cdde2bc88d9abf7f5a0f9c416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2547824e95b4c9733672dc77772594e7

SHA1
8a863c0f64149372b1962ab000a6c37ecdc84c13

SHA256
32a0f9a67aacae7de41f94ff3d66095963f407f4b571ee7e5c544d53e99e6210

SHA512
e0641d16ec80a5112aa26c727533a3c33cfe3cabd71980b4ee30fe432ee3061419ea87c1b5692856d4a8da06faf2936ffdcd4898f4db41a48e07521e859d54b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
6.4MB

MD5
4bf40a595b37b88d2f0967eb52a30d7d

SHA1
4ae12b7d109b46943121a6ee5feeff34b454e5f6

SHA256
1cf4a4b0f9432f78cd76b30cf8e6070d2d49b70d42ec4e2192da86d09a0a02fa

SHA512
01f49988f45eabe58fb2b33cd5e367d83373a87a7afe1bbc032e60d2cc5938b23b43fd39203179bdccd10f54217d20dad1339a372108a07cdf2b4611044ea2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
1022KB

MD5
a74b4aa5091c1e38b60b8e98471b5330

SHA1
18342862ba9b0d9a71e311bccaa56624fb6ae465

SHA256
a0b67e7e8b23a89d3039561ba19b3ac17b31149dc5edc3c6fb7543aebff3c588

SHA512
b165c15d92bcbd0a7b11d604cee02b5404213fed9575590f9fbbd10aad569a75872df2f7807fba3e8a747b79efed33a3db33b102976d69c16aa6ebdad84f2f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
832KB

MD5
774510bcff294f80e47a210a19483749

SHA1
0de009eca6fe604d132b052a424479b76ca72448

SHA256
207e61d940900c1a17cc112b66072482aa0f11d4933f0387bf9d9b8f6487f955

SHA512
076c64b82bf55e174f2283829292f5a21c072f57fa107900f9f013f82e94c833264e4cfe5a83d81830162d054b35c21f67778dcf25f7fadd6168d70b0b511741

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
512KB

MD5
f693118d35022f48a92b629d26b0d7ab

SHA1
342bcbacbdf8f7b89411bf142f7fcc845927c8a6

SHA256
9d532d05ae4bd069328e2f41174de31e75d09e4139eab0832543c69f0853381b

SHA512
2ed2a6fdec52853b7a07f3cc99b34222a65ab355a71eef377ae173680b2a60287f2f6891c91bf12632c967ff099823ded7799bb4e633396f6c6083f94e26060e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
64KB

MD5
0918dfeeaa139ad6c8a0575b385f8563

SHA1
602f762714d11aa2988008fba2252cdec16e4838

SHA256
0e362ad7c7340a464abc8d029d4c349cf91aa1a908b1c725a4b8d128e3418608

SHA512
95c16daeed0368edcf9dc7cb8bd09a017c18fc350636cc8e639eb0772a95458d51131b0e0f59524f02e9fd21acc75210194c481b9845152d7a3eedd67fbf847f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
313KB

MD5
8244f65c3a732ddf4f1efd3e5fd6b518

SHA1
1d144dd4af5bc24596da2cdf4e83d69b6cbf1b64

SHA256
769dca9ebcfe2a0ae9060d97a9b91d159dcab16debb2dffe9b06d28ae6425f01

SHA512
5549a81d1a85b475ef0e59b33b59b4377f07c56547c99ab35f671b76d948c70259d98dd75df4f9456814cced8f47205031579b9e6c764b5d3df15735e7b21a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.2MB

MD5
edb1a2ac1db70af6e289c164379fb9aa

SHA1
617f104ecec828d0856d570e512e1d6139a98f1d

SHA256
7a9bdf15b71c44702e4d63397a7bd294515513be0b13b8145273647257cc16f1

SHA512
4a6d1bdd5ef87cc901bdf41bb17c3acbeb6ef7ab091dd9b099a9755557cab3de1b76a80f44f41ab3b40f0064b429c7cd2b881de53e232f1bfd452497ef9b4758

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
896KB

MD5
83458e80259fe3eb7207a48a114dd2be

SHA1
10b5baa484579758b01a488feeb4848e0fe6481e

SHA256
225cae9da2f2b33aa2dc9442d45e3e0abd577a9dfe3943adf85fadb9c80ef708

SHA512
cdde07939ef32c01f24abf9ebe344d20dfee3410b86708716e3c851855b2bc86d1d9b9b9fa758c56b6044675ec3efb4c8a8fb113fa6757a8c4fa9f1ea2aa00c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.9MB

MD5
9c14d143bf307db75f0be6cb02566d37

SHA1
f93a5aab1f090dc04cf914a8f8e1aeed4dc5db27

SHA256
7f1e729a90fbf1d0148f48698e7c556dd465dfa28d4e01a052503d7b589b8131

SHA512
1b201f4fa6b1c508b48f4df3fab50fe2a4430f115add188db1b3eda3b29b6279d934bbdd9f242d39608429ad1439712036991e948aad6c9053c9e6bd60a1eb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\40E7.exe
Filesize
222KB

MD5
11ac7990dacb8fed9a583f69660a8310

SHA1
a891612189e2db49a16704a9ac08850c5a76be3d

SHA256
b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a

SHA512
7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\40E7.exe
Filesize
192KB

MD5
6458e97f4cb7ca9cdefcb340181013da

SHA1
ebe4b363ed437ce641fdebd62d088fe43a5062e2

SHA256
271a2f38e28d72be33ded761655fe69065ccb13b1ec268511b4e40057d4ee23b

SHA512
2d4ac8766e882b77ab7de6efa9a4e45ff446b22df5ed6b42068be5e22a52553d7e4da74c0632755417cba756a38f8e17b7973e16ed69a70c10535a7279068505

Download Submit
C:\Users\Admin\AppData\Local\Temp\88E0.exe
Filesize
750KB

MD5
fb41f20c1783dee1ff3ff24e9320ef44

SHA1
873e409ee8fd52a51031269bee1b5e56207b8cf8

SHA256
3f8c53cc5aff0effc748241349db40bff4d9c3004b557c091c00ed192d8f4226

SHA512
b83682f64c79dab3ac134a2f42fa111882a6e7555d59b112599953a532091e67b76a1fd0da3426e516912c3e650ebed79d0bdc0ba9b4317f0bfb341e0b4cd481

Download Submit
C:\Users\Admin\AppData\Local\Temp\88E0.exe
Filesize
576KB

MD5
3392ef91665cb1e912d5e132417e7755

SHA1
a454a1e8f6ab9b777393d7150a9ede196c205b46

SHA256
ad6471ac5ecd739c889762207c151623cd59272c82fa5c971ab586516a995f98

SHA512
99b76c81dca910f47a78fd0c65d1cf80a4714150f3fbe096d5f061caa3bfdd0acd7c09db9879a1d51fd7557eb5533dc4235a34cdbd21f3454928fd5bd6ec657f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
1.4MB

MD5
3303bc5c1120a0e3c2c564a7a66078ae

SHA1
b7f57efcdd0e4abb312d199c77057b7baf339235

SHA256
b49a568e976108e10721372a2beb5b5e29e3693021b46dc2edb81659d10f7224

SHA512
e7faa1578c7952a6035e01b3d6c1f6b3c5b52b54eaee19a2f8e32c7aa0ce520580e7f15f6bbfd8d732256f93cbdc764c2f5a7505b664df557bc666a4da676e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2187.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
704KB

MD5
d6e77d67486a5e3247322f43493fcff0

SHA1
8a92dc307033dfc92d366a2161383b0d7c68ca2b

SHA256
1c771a4f61baffe42b6988a2c8573ca291babd9ed8c273d0efe8e8a595171bc5

SHA512
49b7af597ed9a60a2390f388f29a3dd0e1fb007642c40fa5c84fa423f955adec4a4c7060affd3c2d17d7f54cc6abca17fff3e8d0128c5e3c41a41b1c99c750f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DBA.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
b06437ffb6c87f69539842cd536e78d3

SHA1
6799f24d5ff74fe1a045ea9845704bbbd1c818f6

SHA256
38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

SHA512
b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
313KB

MD5
be5dd8b7ee665c298c372c4883c3c15e

SHA1
f996f23d5a9d9702e564b94a658dddba4e185660

SHA256
ecc729d531520e7efb7fc1f228032466412c913df6bba13bdab252813dd01098

SHA512
6cf239a6c29ce95def999c786d5b3836e7355f56fe7fc3210f6e1123e83d97a3badc5a5e1afe7b1718195bfd4d0a7223f2fa9af6214e2af5a0922532d5078930

Download Submit
C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe
Filesize
262KB

MD5
9b00df1cca53e81d90dfc2548f8d9114

SHA1
a783bde9346c8ece56aa6fec12348fea40fdf6ec

SHA256
1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe

SHA512
406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc

Download Submit
C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\TEMP\zamrbllfjgdb.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
85adfc825e1e654524565fa313b7ddbd

SHA1
f92418c2f842c6441dc00eea517edae7a3989aef

SHA256
980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089

SHA512
e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
2.6MB

MD5
cd02c76f399bdbf3ac0f25b22ce219a6

SHA1
657a7b63251605be541a889f4f0cc02e99715230

SHA256
61cdd12897c8b6913ddef4bf9b0c0166abe6f7e74a71935d12c563d7e43a3a44

SHA512
b5007d43744c25d938b6b7b9ba70ab81c64d3fc7f73894946fafb73130bfecb3e3cb41362e42474f1636174dfd0d51f32a05976f3a7392e4963129f0781f96ec

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
2.5MB

MD5
8daa51b3d4d9801f29dff71e9bc4dd67

SHA1
2722c1b4f5165e21d9b2a3670f6ace5bc36d9ecf

SHA256
e049e4fbda75c0cf404d2a755cca8cdb1831803fd4fdcf34b07b2eeaec39704d

SHA512
6efb6c10e25ed723a863c75d153e3c52e5aac0df4527bd1699e4785b5974af241b008693702b89372ea6ac9a049291150a464ff3ad963482e3fe73ae594b370b

Download Submit
\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
514KB

MD5
c4b5cccdf66906511e422b3277a1b0bf

SHA1
da2b11737abe0cfd2974c1c3c73453dae386ceac

SHA256
fe0b82eddbbe38bcc126c975a14ef0606d1f3e716ba77edee6e3bbd64d719ca3

SHA512
060c383ffe13b5d28b90dcebe7549a1b4c27c29e0895669e10939d9747a4f11409baed4d0b23007d2f4bcb4fd48033f41ac9e715d14ec676b5f1868a79904da0

Download Submit
\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
Filesize
704KB

MD5
34927273ba25cc3bf5f055bcff675c8d

SHA1
a56bf2edccde62cc69f9ebcf460473e11217f03d

SHA256
07cfd9bbbdee052d89283b60f3a282617f7d2659df8d43743b409d337fef7e14

SHA512
7a8626ba16f03508ce262c6b48b0d0f726485fdeb44270267eda97fc6cbc8c66a6b516b97808756caa0145654ad109b4eac3e6e0fe7ec9d9652ea40731a33504

Download Submit
\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
633KB

MD5
d75a38987ba68363fb67861537749274

SHA1
f0b3f8c862c01dc1d419ae9dd24b6c03e88b9969

SHA256
cfc25ec5eeba4d8b6ab70bc0ce66492119f07739ac34fbe97048d5d253547c05

SHA512
1153bbb754163200198e7355cd9e6a5362830246492b9872bd4034267910ca63f41a873839597d2c4549042baf142fcd766ba6617d0bc7e2b28582171994d324

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.8MB

MD5
fa3122d5bc0476463ab4563dee952b49

SHA1
0b64eff88f600ea54657ebab4e198edd764ef778

SHA256
2d6ca111af09f2801bb9f8160c062c2cd29381b1fbb3ec1d11a32dca1d5d9cef

SHA512
4ffaaa21eaa9d7f7ef107ec47e0f97463e7b9c0201bb709334e169020771e7b34720e22b8b0fdd002b1a0ff625366d7fc73944cac95ebc78b963a58b2755aba2

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.5MB

MD5
cdd020ea8a89c902685596b5c4b1fc05

SHA1
703ae5dec7b9a7b9aeb4f704be342502857c7ba2

SHA256
ad7ff70620043f4c063dfe2b2ab4716ef1bcd537a7a5cb3b8a831223364cc875

SHA512
851d485624ee80ed47af820cd594d19b5a1c017c90a0c42cb63c931cfb3eb8050d01a846988c215a17135a78c32803c68f21ac607187ddda6fb4cafe9014cfe4

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
1.7MB

MD5
4451bf12dc7be6aa2448561086570c8a

SHA1
5296cd7413ca23953e13759ede1cc787aa53794c

SHA256
f59a5b0febbfb403478dc41ba4089ef7d9a383d9d191e3e9aedd43d52c70230f

SHA512
4b2d3950b6685a7451db250ff5ec67ba13d6749e56c410e0051d0f0b0e2df826d7f58d8f80cf06e48424788c19f804cfea09f05d0f91de95c62d7ea8c3eaa85b

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
1.7MB

MD5
a1617c549a3b92d7d32bd0c41cd41d19

SHA1
af85c83f5a4b40beaff01f63a66a1d0870ed8b50

SHA256
595e2af731c20a0f3b7c427103a382cb4edd79451713619917df82e1dcb519cb

SHA512
f119f7d2bb090ec2ec0446ec41b5cbb285c49ca69fba9029407bf793f678f38805f3d6d0f758d0bc9ea07cddba0d99a530c8e9a5257263a975a6bca123466999

Download Submit
\Users\Admin\AppData\Local\Temp\nsdCC65.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp
Filesize
225KB

MD5
379fbc100c50379dae4dd1a7ea5782af

SHA1
a2079a19b40e117dbc115936fb37eeb0759a0074

SHA256
c8e870c9649b4dcd70e73cd9ecadce2f5f247b37f240a3eca9564048c56d2b36

SHA512
ded939694aee266fe260d185fb113ef581cda6d7a8e28bd8575a80c48028a5a226ce0f71b99bc20bef8da284dfae47acc5d43c8f2d50b826fdc1d1b91c196a7b

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
230KB

MD5
219e7425b61f8b9f627e1a4659901f2d

SHA1
651ef7d25f58ddcc3d71d2d43078a9112929cde9

SHA256
137aaf991507d90ad86343ea960b798f349504fcbdc3b004ffd9a50366b6c1b9

SHA512
70c20cad836330c262939882b31456c17e19c7fb120f64642910f69cdb68a4bf9a97b9fc46e337f3715b73ba7e7415ac7454b38d97124d98c626a6b6a4243694

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
memory/384-224-0x000000013FF60000-0x000000014099D000-memory.dmp

Filesize
10.2MB

Download
memory/692-379-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/692-174-0x0000000002AC0000-0x00000000033AB000-memory.dmp

Filesize
8.9MB

Download
memory/692-552-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/692-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/692-171-0x0000000000E10000-0x0000000001208000-memory.dmp

Filesize
4.0MB

Download
memory/692-140-0x0000000000E10000-0x0000000001208000-memory.dmp

Filesize
4.0MB

Download
memory/892-173-0x0000000000AB0000-0x0000000000B04000-memory.dmp

Filesize
336KB

Download
memory/892-196-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/936-455-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/992-189-0x00000000FF860000-0x00000000FF8B2000-memory.dmp

Filesize
328KB

Download
memory/1064-181-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1064-178-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1064-176-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1064-175-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1064-179-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1064-177-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1108-480-0x00000000004C0000-0x0000000000551000-memory.dmp

Filesize
580KB

Download
memory/1384-195-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/1580-422-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1584-275-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1584-274-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1584-299-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1584-298-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1584-297-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1656-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-394-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1680-51-0x00000000022F0000-0x0000000002332000-memory.dmp

Filesize
264KB

Download
memory/1680-70-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1680-52-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-54-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1680-55-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1680-423-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-56-0x0000000002330000-0x000000000236E000-memory.dmp

Filesize
248KB

Download
memory/1888-4-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1888-12-0x0000000000F40000-0x0000000001348000-memory.dmp

Filesize
4.0MB

Download
memory/1888-1-0x0000000000F40000-0x0000000001348000-memory.dmp

Filesize
4.0MB

Download
memory/1888-13-0x00000000045F0000-0x00000000049F8000-memory.dmp

Filesize
4.0MB

Download
memory/1888-2-0x0000000000F40000-0x0000000001348000-memory.dmp

Filesize
4.0MB

Download
memory/1888-0-0x0000000000F40000-0x0000000001348000-memory.dmp

Filesize
4.0MB

Download
memory/2168-198-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2168-192-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/2168-193-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2272-17-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2272-69-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2272-234-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2272-383-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2272-187-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2272-377-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2272-82-0x0000000004930000-0x000000000536D000-memory.dmp

Filesize
10.2MB

Download
memory/2272-81-0x0000000004930000-0x000000000536D000-memory.dmp

Filesize
10.2MB

Download
memory/2272-16-0x00000000003C0000-0x00000000007C8000-memory.dmp

Filesize
4.0MB

Download
memory/2276-165-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2276-222-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2308-413-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2308-415-0x00000000004C0000-0x00000000005DB000-memory.dmp

Filesize
1.1MB

Download
memory/2400-190-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2400-126-0x0000000000300000-0x0000000000388000-memory.dmp

Filesize
544KB

Download
memory/2480-50-0x0000000000D60000-0x00000000013CE000-memory.dmp

Filesize
6.4MB

Download
memory/2480-593-0x0000000000230000-0x000000000025C000-memory.dmp

Filesize
176KB

Download
memory/2480-592-0x0000000000551000-0x0000000000569000-memory.dmp

Filesize
96KB

Download
memory/2480-53-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/2608-548-0x00000000007C0000-0x00000000007CF000-memory.dmp

Filesize
60KB

Download
memory/2608-551-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2608-550-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2628-264-0x000000013FF60000-0x000000014099D000-memory.dmp

Filesize
10.2MB

Download
memory/2628-232-0x000000013FF60000-0x000000014099D000-memory.dmp

Filesize
10.2MB

Download
memory/2656-162-0x000000013F1C0000-0x000000013FBFD000-memory.dmp

Filesize
10.2MB

Download
memory/2656-99-0x000000013F1C0000-0x000000013FBFD000-memory.dmp

Filesize
10.2MB

Download
memory/2968-549-0x0000000001250000-0x0000000001B04000-memory.dmp

Filesize
8.7MB

Download
memory/2992-221-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-251-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-194-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-225-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-202-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-191-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-228-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/2992-268-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-219-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-262-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-265-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-184-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-201-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-197-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-267-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2992-188-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download