djvu | 0f4d1e6a36a2f6fc4e29b9134a49a081b305501bb6394367f2f48a0387b02c68

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toolspub1.exe
Size

237KB
MD5

fbba6e587d5700e84b4badbd6fcb3123
SHA1

6f4c4e6b88e7cbf87dc70427513a39725ee3110d
SHA256

0f4d1e6a36a2f6fc4e29b9134a49a081b305501bb6394367f2f48a0387b02c68
SHA512

d76e5b8adb3c01c85b1dd297f53518a47f90668aa73759461d94cf957f6b73a132fa57eac0b0feda4d6a2187e7c1b11ec5ccd662505e3b91f0e57cfa047a732b
SSDEEP

3072:ctBS+BisPLWLi80S9pikUD0I54tP1frogEO1u5Nwinh0/b9r:4LMi80+p5UH54N18g4winh

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

redline

Botnet

YT&TEAM CLOUD

185.172.128.33:8924

Signatures

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1136-164-0x0000000000370000-0x00000000006DD000-memory.dmp	family_povertystealer

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/1524-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1524-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1524-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1524-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-28-0x00000000049B0000-0x0000000004ACB000-memory.dmp	family_djvu
behavioral2/memory/3596-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3596-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3596-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1524-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/1696-80-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/2044-128-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/4608-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-251-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-250-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-246-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-245-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-253-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-254-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-256-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-257-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4608-258-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
78	1136	cmd.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	fi.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/2372-76-0x0000000005120000-0x0000000005184000-memory.dmp	net_reactor
behavioral2/memory/2372-70-0x0000000004A70000-0x0000000004AD4000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	251C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	work.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	AD77.exe

Deletes itself 1 IoCs

pid	Process
3568	Process not Found

Executes dropped EXE 13 IoCs

pid	Process
3208	9599.exe
4348	AD77.exe
1524	AD77.exe
2688	AD77.exe
3596	AD77.exe
4512	sc.exe
2372	C94E.exe
5052	fi.exe
3628	1FBC.exe
2780	251C.exe
4632	work.exe
1136	cmd.exe
540	updater.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3948	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000b00000002322c-110.dat	themida
behavioral2/memory/5052-112-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp	themida
behavioral2/memory/5052-111-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp	themida
behavioral2/memory/5052-116-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp	themida
behavioral2/memory/5052-117-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp	themida
behavioral2/files/0x000b00000002322c-109.dat	themida
behavioral2/files/0x000b00000002322c-104.dat	themida
behavioral2/memory/5052-123-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp	themida
behavioral2/files/0x0002000000021e19-186.dat	themida
behavioral2/memory/540-188-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp	themida
behavioral2/memory/540-187-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp	themida
behavioral2/files/0x0002000000021e19-185.dat	themida
behavioral2/memory/5052-183-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp	themida
behavioral2/memory/540-190-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp	themida
behavioral2/memory/540-191-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp	themida
behavioral2/memory/540-241-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp	themida

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-240-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-242-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-257-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4608-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0c71a03e-0c8d-462c-bc15-d3b1a27cd89a\\AD77.exe\" --AutoStart"	AD77.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.2ip.ua
38	api.2ip.ua

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	fi.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5052	fi.exe
1136	cmd.exe
540	updater.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 1524	4348	AD77.exe	98
PID 2688 set thread context of 3596	2688	AD77.exe	104
PID 2372 set thread context of 1696	2372	C94E.exe	110
PID 3628 set thread context of 2044	3628	1FBC.exe	115
PID 540 set thread context of 1020	540	updater.exe	151
PID 540 set thread context of 4608	540	updater.exe	147

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
4864	sc.exe
4512	sc.exe
1412	sc.exe
4492	sc.exe
4140	sc.exe
4412	sc.exe
2996	sc.exe
5056	sc.exe
4644	sc.exe
3376	sc.exe
3388	sc.exe
1540	sc.exe
2992	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4960	3596	WerFault.exe
1440	4512	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9599.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9599.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9599.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	toolspub1.exe
1200	toolspub1.exe
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1200	toolspub1.exe
3208	9599.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeDebugPrivilege	1696	RegAsm.exe
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeShutdownPrivilege	1592	powercfg.exe
Token: SeCreatePagefilePrivilege	1592	powercfg.exe
Token: SeShutdownPrivilege	3552	powercfg.exe
Token: SeCreatePagefilePrivilege	3552	powercfg.exe
Token: SeShutdownPrivilege	4024	powercfg.exe
Token: SeCreatePagefilePrivilege	4024	powercfg.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeCreatePagefilePrivilege	1688	powercfg.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeShutdownPrivilege	736	powercfg.exe
Token: SeCreatePagefilePrivilege	736	powercfg.exe
Token: SeShutdownPrivilege	4672	powercfg.exe
Token: SeCreatePagefilePrivilege	4672	powercfg.exe
Token: SeShutdownPrivilege	4336	powercfg.exe
Token: SeCreatePagefilePrivilege	4336	powercfg.exe
Token: SeShutdownPrivilege	3368	Process not Found
Token: SeCreatePagefilePrivilege	3368	Process not Found
Token: SeLockMemoryPrivilege	4608	explorer.exe
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeDebugPrivilege	2044	RegAsm.exe
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1136	cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3568	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3208	3568	Process not Found	97
PID 3568 wrote to memory of 3208	3568	Process not Found	97
PID 3568 wrote to memory of 3208	3568	Process not Found	97
PID 3568 wrote to memory of 4348	3568	Process not Found	99
PID 3568 wrote to memory of 4348	3568	Process not Found	99
PID 3568 wrote to memory of 4348	3568	Process not Found	99
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 4348 wrote to memory of 1524	4348	AD77.exe	98
PID 1524 wrote to memory of 3948	1524	AD77.exe	100
PID 1524 wrote to memory of 3948	1524	AD77.exe	100
PID 1524 wrote to memory of 3948	1524	AD77.exe	100
PID 1524 wrote to memory of 2688	1524	AD77.exe	106
PID 1524 wrote to memory of 2688	1524	AD77.exe	106
PID 1524 wrote to memory of 2688	1524	AD77.exe	106
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 2688 wrote to memory of 3596	2688	AD77.exe	104
PID 3568 wrote to memory of 4512	3568	Process not Found	172
PID 3568 wrote to memory of 4512	3568	Process not Found	172
PID 3568 wrote to memory of 4512	3568	Process not Found	172
PID 3568 wrote to memory of 2372	3568	Process not Found	109
PID 3568 wrote to memory of 2372	3568	Process not Found	109
PID 3568 wrote to memory of 2372	3568	Process not Found	109
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 2372 wrote to memory of 1696	2372	C94E.exe	110
PID 1696 wrote to memory of 5052	1696	RegAsm.exe	113
PID 1696 wrote to memory of 5052	1696	RegAsm.exe	113
PID 3568 wrote to memory of 3628	3568	Process not Found	114
PID 3568 wrote to memory of 3628	3568	Process not Found	114
PID 3568 wrote to memory of 3628	3568	Process not Found	114
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3628 wrote to memory of 2044	3628	1FBC.exe	115
PID 3568 wrote to memory of 2780	3568	Process not Found	116
PID 3568 wrote to memory of 2780	3568	Process not Found	116
PID 3568 wrote to memory of 2780	3568	Process not Found	116
PID 2780 wrote to memory of 968	2780	251C.exe	118
PID 2780 wrote to memory of 968	2780	251C.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Users\Admin\AppData\Local\Temp\9599.exe
C:\Users\Admin\AppData\Local\Temp\9599.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3208

C:\Users\Admin\AppData\Local\Temp\AD77.exe
C:\Users\Admin\AppData\Local\Temp\AD77.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\0c71a03e-0c8d-462c-bc15-d3b1a27cd89a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\AD77.exe
  "C:\Users\Admin\AppData\Local\Temp\AD77.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2688

C:\Users\Admin\AppData\Local\Temp\AD77.exe
C:\Users\Admin\AppData\Local\Temp\AD77.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3596 -ip 3596
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 568
1⤵
- Program crash
PID:4960

C:\Users\Admin\AppData\Local\Temp\AD77.exe
"C:\Users\Admin\AppData\Local\Temp\AD77.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Local\Temp\B41F.exe
C:\Users\Admin\AppData\Local\Temp\B41F.exe
1⤵
PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1080
  2⤵
  - Program crash
  PID:1440

C:\Users\Admin\AppData\Local\Temp\C94E.exe
C:\Users\Admin\AppData\Local\Temp\C94E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\fi.exe
    "C:\Users\Admin\AppData\Local\Temp\fi.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5052
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4780
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5056
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4644
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:3376
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1516
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3388
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:1412
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4024
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4864
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Executes dropped EXE
      Launches sc.exe
      PID:4512
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4512 -ip 4512
1⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\1FBC.exe
C:\Users\Admin\AppData\Local\Temp\1FBC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

C:\Users\Admin\AppData\Local\Temp\251C.exe
C:\Users\Admin\AppData\Local\Temp\251C.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4632

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"
1⤵
PID:1136
- C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1288

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:540
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1540
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4492
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4140
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4412
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:1136

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\Chrome\updater.exe

Filesize
28KB

MD5
5f989de7d9bd8087034e084833b0b2cf

SHA1
97d9264c964d4a5a49597b6bd3c6e5bb746ef8ce

SHA256
97e06e687dcc308e35cc8111466aa665d8d68c08562e0e19230de7467d9fa745

SHA512
9af12157a3fee36ff1625a6b70b43a955c234b0c05e38a3d78f44f40a539cbabdf2176e2436a072c9600e8cd23306e06ca30c25d488b069da7e06b4c3a383dfe

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
11KB

MD5
5dc11a515ba9e7f4ed69843c420aa589

SHA1
f1003783f898f7c6eb0d709b21b83dda977c8c83

SHA256
d8c91d464ef509b4656d7154ca98e2bc0eb665a4f3b6cb84ec6ecf8fe66a74ed

SHA512
e7f1bba54b90704cdd930d992a602d31309ab718fae9c0d7f94bdb512e7ec910d72b69de59b205af6f0444402dd8872ffed021c172eabe7e55b4241c482f8145

Download Submit
C:\Users\Admin\AppData\Local\0c71a03e-0c8d-462c-bc15-d3b1a27cd89a\AD77.exe

Filesize
115KB

MD5
6ca77fd724d81998c8ca3b7356367ca3

SHA1
78ffd4b23078edf1c22ad7dee34a630305d84d49

SHA256
4432de50f56dd2f54c2cb5e2e5b38e2c29617b9e84aeece2b363002d63708839

SHA512
f3840606a5d0910bf1b9df36f98ec9066874b364eda18763af43b9b45a7a2b01957cee7bb4297dcbde3d0d35fc4d534e9ccb97fbe710de8d986a4393085144eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FBC.exe

Filesize
139KB

MD5
87d2ae6d7818334329bb2651b7de69fc

SHA1
784346a4c538e00bf253ecd1f60ebcbf0b977a03

SHA256
e096af77f651162b5350c5fedff678c433d11d5ed026e4b617c81afddaf9a7bb

SHA512
ac9adc60e1e1851b4cb7fbe6a601311783cd81fb12c523a84ad90d9067e9d3b34b7abc1334f4b9505847857b5dcd81c26aab7e73f5da91b2208797319acb5a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FBC.exe

Filesize
161KB

MD5
9adfdaacbb39f7030d4e817d1de8af83

SHA1
d18e2d7c4ef90b0ff18ad55a53187d6a7936f4c0

SHA256
26da6ee81cac73a472f844ddb604731ff523dd5e05e47c94ac57d3a2980e3f2d

SHA512
debd9bc64f8662ca629bd5d9e4ff697de6662b4342f6b3e648f65a5e757651b2099737aef6bb9828ce7d69b595d2ed82e4bbac34033f826bb948c103978c5c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\251C.exe

Filesize
307KB

MD5
df4ce9f674f8fba3e93c0982520748bc

SHA1
842693598611d98311cf27526851b7e0efaa2ed3

SHA256
ab49f89becfba7153c53daacc98be373b05985dafe4258f6c1a21085db73fa68

SHA512
23cb281173a0c941b8204d8eb7048c1c45332f26ae91a610d4718edcbb7a36d9cad96f95cf5c7d011fd984f887498724912f88ae33af3ecac6c0d94bd9d0dcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\251C.exe

Filesize
64KB

MD5
66a946dc1452646b00f0c8d5c90d6ac7

SHA1
ed7ccaa347bcb4d4359aa297b46667e226ec3bdd

SHA256
2f902f34c5f547eedf32d2bd1ef27bd0e9829f995bebcee8fbabd925b4b045ba

SHA512
dbda3ebf1c9c152b5e4849a56db0186d0f8ed8dc21bf970590b227e09e1648d2a324259d081057dceeab3d4554f92ab52e899a5b99fd2c99efcc7ccf0edc7855

Download Submit
C:\Users\Admin\AppData\Local\Temp\9599.exe

Filesize
170KB

MD5
db81364e76f604bd04564d4887c49af6

SHA1
e97482b053db6d86fc4391b8b94096b772e4c17e

SHA256
640c867a8f664471fd3eaa1f68791627eebbb56f4563ced14ccc06f03208c426

SHA512
f866c4b8186fdfd7edc350c261073e08ffad95295ce3207a96ba84c7cbf0204c2f9391b3e72be85e9daae78f3af80d26d4544ab0fb3b3541a844d58ef9dce179

Download Submit
C:\Users\Admin\AppData\Local\Temp\9599.exe

Filesize
210KB

MD5
9dd82ee63cf9340f356108ba1321f315

SHA1
063db88bf3bb53ca88df4c310bc189beb1dc1235

SHA256
f366508cfc17bc852aa1afa8605f8db3db0e982276daffeb3ea3e1dd371f29e3

SHA512
2d52d5b35b1dbc3096e689c0911fcdc2d489a829e29f8eb69236403bf09951dc002b54eae21954a798d9cbaab5e2d78a0b79ada99baafe6b4a9a3146a954e071

Download Submit
C:\Users\Admin\AppData\Local\Temp\9599.exe

Filesize
210KB

MD5
99ec9b850db674bf404dd0cb22f63b5f

SHA1
f51bfc2e74dc9784e7f5739268c9602af2cc80a0

SHA256
37242d800a4ce167b0ef6e263e2adee66f37c6406b2b63128e19f298fb8099f6

SHA512
4e8315a2cb3a2bce24f0c9bc45295513df2c8410168438d5e0e67486d0fa371842da40c34fee3631dab7a5bd0ea9786df32f72f5b93adeae6ba21a45f646218c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD77.exe

Filesize
61KB

MD5
3e81e91757795848ab8c8e7222b2e610

SHA1
fc67d06c65cb7e7b22b8accf46c64dfaddf855f6

SHA256
51fa740b39892fe0d81f70f27618f9e0e24263c987ccc8f8f8e564cba2d06c23

SHA512
749d7a0cecb630b17106850b88792dcb3b9bed70329409a55d6d0dae04dc41e36bf262015116fa409cfa0e12a6854f8d5890850d75dd8cdf8d0d385ea6730318

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD77.exe

Filesize
56KB

MD5
11b2f0e067e652407b86654a4ace7985

SHA1
b60f1af2fb43f5b92b5627df0d1d5b2aee7f124e

SHA256
d8d8afc3c72931d7719ea188c795e13ac57e73db20614a244c77d6f5d328d595

SHA512
075da337950d88cd7934897640dfc9418ab059803b82c4ba37ec721c9b474f2ef15e2b1ca107e6e70973770540439eeb72dcf6b4e1673b9a5e4cd09c167e0f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD77.exe

Filesize
33KB

MD5
c32b49a10032f5ffab3804177df945f3

SHA1
5f72c09636b94ca2b1d2d2235085fb3edc66b7f4

SHA256
e93a97d8e7ffa068cbf8bac2b63e333a375a766e2b803ed8c1c87b754a12bf3e

SHA512
fa88a46be313e27644752f76c09523731a5de65e2cda20aa773631df337db7a42756e50b352df4e534f49ee63abd127de3733b24eadf76d67ada8682698e5819

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD77.exe

Filesize
103KB

MD5
361686b78367ca3cbb1b3115e8e076f3

SHA1
0ee56c5eb5a9c535d209d836ee1d3b6fbb51ae76

SHA256
11f372a139b78e21c730a8bc3d3cd3268bd949abbe1f9602d696728db3050ea5

SHA512
caf456a6ff7413bff4fbda9c2549b3118844711b38299129b6e4c038cbeef8456fab7181412a38056aa334cc93cbd9ced88e7b9660df45bde60cbb7aac8f4a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD77.exe

Filesize
134KB

MD5
f2244c041d7e92e6c7d122a0fc59a52b

SHA1
c5de5ab05d3bce5ac676af6015772431ad6400df

SHA256
ca8da999ce18667f882244f02372a3b7a6f6d459174ef1477a2c7f29138fbafd

SHA512
4c473f7bb76010edd9e2c2284b65b3a0ebb08d528a3a43b384fcd0166540c49ff643615b08e5aa507da9e5382e10e630f8d9b6af776d5eba38a1c77d6c466c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\B41F.exe

Filesize
41KB

MD5
467c81849e87c72384d31d4bf57a42e0

SHA1
d79f5b598313aff81a5ed0903b64906169998811

SHA256
104e4dd2be88208d1e4563360b70bd2ce9acbfee8ecf67719a135e3c4af42fe1

SHA512
3531e85dc758623b1c4a1621383b356e5227d3546220c82660727252c14bc25cfecd217a2c56cbede3f16c49ec0c54365c839283058786431cff55b950245c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\B41F.exe

Filesize
93KB

MD5
18ed5351c57f74e39100ec943aa4fa34

SHA1
def4a621bbcadf4b1bac4950f9fdaa2ce9927816

SHA256
778dc49ee58c5dae350fa7d4e6ec5da14ed9e7f087786e175daaa5af7fca749e

SHA512
5b9c983f0c793f6c9dd64ba07658721f95a0139bf3e4b0478bf3fb808669fedf46f5d68f9a01d2552ddc93e36b0c78f555bff5cfb5f04f06513fa167b8977971

Download Submit
C:\Users\Admin\AppData\Local\Temp\C94E.exe

Filesize
6KB

MD5
555f65ebb33de9376e3dd9b73ab3edb3

SHA1
6f9a5d30277920754780d8bb3e08b3154b30fa7f

SHA256
22d48839d93b6144c69cbc1a6e28012520740e2fd724ae9573dd1dffe6841d3b

SHA512
aa88fafa77fd6c7fde4c0d3c08d1a236052fc1563ed911819376ef1b63874ed5c3b17e6b450aa94c71d5ecb75b9fc727a7d6f01c53e9d76218c046fc3fc9f17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C94E.exe

Filesize
56KB

MD5
f451c56ace29245538079ea1070d5e1a

SHA1
305ebde35516d1c6871628e389177e1f4aeb82e8

SHA256
1001fc9e07f5452c176416138171718fae3caa35bfaf1bac45cb53f732cf619e

SHA512
2abccafaf730924608f537ba59bd7b5aee90192ab5533d290c868435c33f14114889b3a73a6d11ec2a28755fdf6f4d1131a4262bae8ec04603b8055b4052b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
29KB

MD5
771647f809d145dee0ab0c00db13fee1

SHA1
cd03f90e91ee5d131e6296ea8bc283b55f55d32b

SHA256
a7662c2e5ae150e5c2aa6e1cfb073335b10c362b5d138361911a90a24c689f53

SHA512
61e1d2fd679121775b069337f827118d8101e9e8d1666a7d0e994ed400c02f4cf095ce1bc0490ae66c674458ab5a45432906aaa2c80a0d53c6653cce772ea3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
190KB

MD5
1780ee17e838f1d65805b4705505011b

SHA1
44b762bd2a84912465152fc5bf4225cd3174abdc

SHA256
025356708f826e8e55f50b799b730915731bde93af530b6937f283be2c8e3d9c

SHA512
b5c013a0276a35a746bb0ca9a9e9190d6b0b985cd4310433ecc520a3b48a7a2460e71919b95ab43ff57ebd902b7349cdc238b81e58b84c0764814d759e4e8bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

Filesize
83KB

MD5
12e7e47dbd51bffe868de6afed2c706e

SHA1
a4d2d9450cfa9ec1894d431c1a83a468a7ee9274

SHA256
accb69764bd3077b7d415db0fcbb68bd7c7ae60f5a18c66c498c93716f49bd63

SHA512
f0809a4b383792ee16c240d0af1bdca390bf79f8c36225a4c71d04f73704319210bb28b076870a70fb99c2f90386dd1cc2bdee4015f97dd9e2ea89121cff40c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

Filesize
65KB

MD5
24d4305a14382cd05b0a9dd9dbaa6518

SHA1
41462cb11948ef7fe2c53cc0c3ff719aa57d03f9

SHA256
38f8e46e6b0172d06960510656b06392a076c1f24f974903564bc9a939030fad

SHA512
b292a9b0a8e30ee7c3f6cecae865130582ec1e01b469240e59db428963b9e9a319ac97fb242e45d6e7e377b8a0196d408c71270792c019a8f2705dc67e5262a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

Filesize
216KB

MD5
d35f32e94cd809a4df546e204de3eeae

SHA1
56f69ff71160cce2fd7ea9fa59e69e2fa24bf1de

SHA256
0c7b5177e58a7573e13bbf2f01848cc0cdc3b93a45244df5740a967007fcd574

SHA512
40047b07c5d05af8980ffd157d7b55ae44bcd2d4c5cef8eaf7aba59320bde88c813efb62a79e4c215a4337000c68b9e752763e2650dcadbe8255c1d06666a17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvd0l5so.yls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi.exe

Filesize
226KB

MD5
e82bd935e2c9745363357bc88753c0e3

SHA1
2f800ed45083a6fbe96384c86b75c8cc806b6d5b

SHA256
c64955b43e778f128c105986267abe93714f688851917cc8a1e799b99274784c

SHA512
b4e12c6efcb14241ed092e107a0bcdbefbbc702d02a644dd4d9b6e08972bbb64392cc520d2e2905e4e79300d6a5b6c9aae9c19304d25911d72759f64bdd4a462

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi.exe

Filesize
105KB

MD5
d47934ce663df0ba6d5b9daeefb63438

SHA1
ff0508b391f20f5bb54614b16a3086eb91096b01

SHA256
e7986506fc3c05c16236677c592dfb806e66c56979a9992790d4fd5b89d9cf87

SHA512
ee5062235c3f28d93168bf1177e047e745c00192106bda3d07e8c7e9a8a7eb21ed822d811dcc73cc2b9c304aeb0839c1aec7835b03506f56e15c67156b5f96c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi.exe

Filesize
57KB

MD5
9fa00d8d99aa765638b2e0f7329144c0

SHA1
05875b560a14f8525e29d18f06aaea99d1c5539f

SHA256
8878773a4dc210406608b130f9d2147b22f1a10f58499e6bb6dc0d727c39ad9f

SHA512
1d8141e4ea0f7fb4f8aade81bb070550862eabdf1f325786806616d9a1f6d411d6eaa436f510e0f515e56a85f9c4f8c4faa10b10ce52d0729a110679d01a71f0

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/540-191-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp

Filesize
13.7MB

Download
memory/540-188-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp

Filesize
13.7MB

Download
memory/540-190-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp

Filesize
13.7MB

Download
memory/540-187-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp

Filesize
13.7MB

Download
memory/540-189-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/540-241-0x00007FF7C1030000-0x00007FF7C1DDB000-memory.dmp

Filesize
13.7MB

Download
memory/1020-232-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1020-233-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1020-234-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1020-231-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1020-230-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1020-237-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1136-163-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1136-161-0x0000000000370000-0x00000000006DD000-memory.dmp

Filesize
3.4MB

Download
memory/1136-164-0x0000000000370000-0x00000000006DD000-memory.dmp

Filesize
3.4MB

Download
memory/1200-3-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/1200-5-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/1200-1-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/1200-2-0x0000000002F80000-0x0000000002F8B000-memory.dmp

Filesize
44KB

Download
memory/1524-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1524-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1524-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1524-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1524-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1696-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1696-89-0x00000000067E0000-0x0000000006DF8000-memory.dmp

Filesize
6.1MB

Download
memory/1696-91-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/1696-95-0x00000000064F0000-0x0000000006556000-memory.dmp

Filesize
408KB

Download
memory/1696-96-0x0000000007430000-0x0000000007480000-memory.dmp

Filesize
320KB

Download
memory/1696-98-0x0000000008410000-0x00000000085D2000-memory.dmp

Filesize
1.8MB

Download
memory/1696-99-0x0000000008B10000-0x000000000903C000-memory.dmp

Filesize
5.2MB

Download
memory/1696-93-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/1696-92-0x0000000005B40000-0x0000000005B7C000-memory.dmp

Filesize
240KB

Download
memory/1696-90-0x00000000061C0000-0x00000000062CA000-memory.dmp

Filesize
1.0MB

Download
memory/1696-88-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/1696-115-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/1696-86-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/1696-85-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/1696-87-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/2044-214-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2044-128-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2044-135-0x0000000005160000-0x00000000051AC000-memory.dmp

Filesize
304KB

Download
memory/2044-136-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2044-133-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2372-70-0x0000000004A70000-0x0000000004AD4000-memory.dmp

Filesize
400KB

Download
memory/2372-118-0x00000000025F0000-0x00000000045F0000-memory.dmp

Filesize
32.0MB

Download
memory/2372-83-0x00000000025F0000-0x00000000045F0000-memory.dmp

Filesize
32.0MB

Download
memory/2372-84-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/2372-71-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/2372-79-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2372-72-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2372-75-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/2372-76-0x0000000005120000-0x0000000005184000-memory.dmp

Filesize
400KB

Download
memory/2372-73-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2372-74-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2688-48-0x0000000002CD0000-0x0000000002D65000-memory.dmp

Filesize
596KB

Download
memory/2728-213-0x0000024075BC0000-0x0000024075BDC000-memory.dmp

Filesize
112KB

Download
memory/2728-201-0x00007FFE588C0000-0x00007FFE59381000-memory.dmp

Filesize
10.8MB

Download
memory/2728-202-0x0000024073640000-0x0000024073650000-memory.dmp

Filesize
64KB

Download
memory/2728-215-0x0000024075BE0000-0x0000024075C95000-memory.dmp

Filesize
724KB

Download
memory/2728-203-0x0000024073640000-0x0000024073650000-memory.dmp

Filesize
64KB

Download
memory/3208-19-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/3208-17-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/3208-16-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3568-4-0x0000000002730000-0x0000000002746000-memory.dmp

Filesize
88KB

Download
memory/3568-18-0x0000000007870000-0x0000000007886000-memory.dmp

Filesize
88KB

Download
memory/3596-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3596-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3596-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3628-134-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-126-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-124-0x0000000000A30000-0x0000000000A96000-memory.dmp

Filesize
408KB

Download
memory/3628-132-0x0000000002E10000-0x0000000004E10000-memory.dmp

Filesize
32.0MB

Download
memory/4348-27-0x0000000003090000-0x0000000003130000-memory.dmp

Filesize
640KB

Download
memory/4348-28-0x00000000049B0000-0x0000000004ACB000-memory.dmp

Filesize
1.1MB

Download
memory/4512-94-0x0000000000400000-0x0000000002B4C000-memory.dmp

Filesize
39.3MB

Download
memory/4512-62-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/4512-63-0x00000000047F0000-0x0000000004878000-memory.dmp

Filesize
544KB

Download
memory/4512-65-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/4512-64-0x0000000000400000-0x0000000002B4C000-memory.dmp

Filesize
39.3MB

Download
memory/4608-240-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-257-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-242-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-247-0x0000000001A10000-0x0000000001A30000-memory.dmp

Filesize
128KB

Download
memory/4608-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4780-180-0x00007FFE588C0000-0x00007FFE59381000-memory.dmp

Filesize
10.8MB

Download
memory/4780-177-0x000001771B420000-0x000001771B430000-memory.dmp

Filesize
64KB

Download
memory/4780-170-0x00000177359A0000-0x00000177359C2000-memory.dmp

Filesize
136KB

Download
memory/4780-176-0x000001771B420000-0x000001771B430000-memory.dmp

Filesize
64KB

Download
memory/4780-175-0x00007FFE588C0000-0x00007FFE59381000-memory.dmp

Filesize
10.8MB

Download
memory/5052-113-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5052-111-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp

Filesize
13.7MB

Download
memory/5052-112-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp

Filesize
13.7MB

Download
memory/5052-123-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp

Filesize
13.7MB

Download
memory/5052-183-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp

Filesize
13.7MB

Download
memory/5052-116-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp

Filesize
13.7MB

Download
memory/5052-117-0x00007FF61A3A0000-0x00007FF61B14B000-memory.dmp

Filesize
13.7MB

Download
memory/5052-184-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5052-162-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download