Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14-02-2024 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    7.1MB

  • MD5

    9a82e4f9ba1881fa411b6473d792f1a3

  • SHA1

    24c48768340c61376d3d5ef99091b456ad1f89fb

  • SHA256

    d823740cca44676c9fa128c25ca53cc16fbf8a1ad23c10d08f997e9e3fcd6655

  • SHA512

    a0819af9c420b188c9f326459ffd23f10d3d038dae0b48a98df34f1ad87d0d08323e184c3cda41ab794b8857f4a3f2c2f1b8c2f42dbc88f375ad87feccba17ec

  • SSDEEP

    98304:biPxK2EIDpN+bKXY/TMTRQOEThYBCvSx/Q1t1rakS9f4X/3mTiVRn:Sx3rQDTj9SCvl4F4uTiVRn

Score
10/10
amadeydcratdjvufabookiegluptebasmokeloaderstealcvidarzgrat13bd7290c1961db27b4ede41bfbf4c5epub1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .lkhy

  • offline_id

    OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.8

Botnet

13bd7290c1961db27b4ede41bfbf4c5e

C2

https://t.me/karl3on

https://steamcommunity.com/profiles/76561199637071579
Attributes
  • profile_id_v2

    13bd7290c1961db27b4ede41bfbf4c5e

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • DcRat 6 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Fabookie payload 2 IoCs
  • Detect Vidar Stealer 3 IoCs
    stealer
  • Detect ZGRat V1 1 IoCs
  • Detected Djvu ransomware 13 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 12 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 26 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 41 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 19 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            5⤵
              PID:2276
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              5⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1092
        • C:\Users\Admin\AppData\Local\Temp\nsy210A.tmp
          C:\Users\Admin\AppData\Local\Temp\nsy210A.tmp
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1580
      • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
        "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1812
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
          3⤵
          • DcRat
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              5⤵
              • Modifies Windows Firewall
              • Modifies data under HKEY_USERS
              PID:1960
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            4⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Manipulates WinMon driver.
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Windows\system32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              5⤵
                PID:1644
              • C:\Windows\system32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1980
              • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system certificate store
                PID:1732
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2292
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2152
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2312
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1724
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2080
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2984
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1112
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:2912
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:676
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1640
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -timeout 0
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:900
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1140
                • C:\Windows\system32\bcdedit.exe
                  C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1860
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:540
              • C:\Windows\system32\bcdedit.exe
                C:\Windows\Sysnative\bcdedit.exe /v
                5⤵
                • Modifies boot configuration data using bcdedit
                PID:2032
              • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                5⤵
                • Executes dropped EXE
                PID:2756
              • C:\Windows\system32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2568
              • C:\Windows\windefender.exe
                "C:\Windows\windefender.exe"
                5⤵
                • Executes dropped EXE
                PID:2668
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  6⤵
                    PID:2336
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      7⤵
                      • Launches sc.exe
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2036
          • C:\Users\Admin\AppData\Local\Temp\rty25.exe
            "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
            2⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:2784
        • C:\Windows\system32\makecab.exe
          "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240214185408.log C:\Windows\Logs\CBS\CbsPersist_20240214185408.cab
          1⤵
          • Drops file in Windows directory
          PID:1300
        • C:\Users\Admin\AppData\Local\Temp\9F2C.exe
          C:\Users\Admin\AppData\Local\Temp\9F2C.exe
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:1028
        • C:\Users\Admin\AppData\Local\Temp\BE32.exe
          C:\Users\Admin\AppData\Local\Temp\BE32.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          PID:1612
          • C:\Users\Admin\AppData\Local\Temp\BE32.exe
            C:\Users\Admin\AppData\Local\Temp\BE32.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Modifies system certificate store
            PID:2884
            • C:\Windows\SysWOW64\icacls.exe
              icacls "C:\Users\Admin\AppData\Local\617a797a-9d96-4a71-b7b5-0434128e192d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              3⤵
              • Modifies file permissions
              PID:2292
            • C:\Users\Admin\AppData\Local\Temp\BE32.exe
              "C:\Users\Admin\AppData\Local\Temp\BE32.exe" --Admin IsNotAutoStart IsNotTask
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              PID:2880
              • C:\Users\Admin\AppData\Local\Temp\BE32.exe
                "C:\Users\Admin\AppData\Local\Temp\BE32.exe" --Admin IsNotAutoStart IsNotTask
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2088
                • C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build2.exe
                  "C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build2.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:1804
                  • C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build2.exe
                    "C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build2.exe"
                    6⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    PID:1096
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1456
                      7⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:3044
                • C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build3.exe
                  "C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build3.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:1748
                  • C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build3.exe
                    "C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build3.exe"
                    6⤵
                    • Executes dropped EXE
                    PID:880
                    • C:\Windows\SysWOW64\schtasks.exe
                      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                      7⤵
                      • DcRat
                      • Creates scheduled task(s)
                      PID:2412
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:1500
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\456B.bat" "
          1⤵
            PID:1300
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
              2⤵
                PID:1808
            • C:\Users\Admin\AppData\Local\Temp\5C89.exe
              C:\Users\Admin\AppData\Local\Temp\5C89.exe
              1⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              PID:1704
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
                2⤵
                  PID:2264
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
                  2⤵
                    PID:2244
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 92
                      3⤵
                      • Program crash
                      PID:2552
                • C:\Users\Admin\AppData\Local\Temp\6476.exe
                  C:\Users\Admin\AppData\Local\Temp\6476.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Drops file in Windows directory
                  • Suspicious use of FindShellTrayWindow
                  PID:1036
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {4744688A-421D-46AB-9B90-28941AEC8973} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
                  1⤵
                    PID:2608
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:2084
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                        3⤵
                        • Executes dropped EXE
                        PID:2056
                        • C:\Windows\SysWOW64\schtasks.exe
                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                          4⤵
                          • DcRat
                          • Creates scheduled task(s)
                          PID:2576

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Command and Scripting Interpreter

                  1
                  T1059

                  Scheduled Task/Job

                  1
                  T1053

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Scheduled Task/Job

                  1
                  T1053

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Scheduled Task/Job

                  1
                  T1053

                  Defense Evasion

                  File and Directory Permissions Modification

                  1
                  T1222

                  Impair Defenses

                  4
                  T1562

                  Disable or Modify System Firewall

                  1
                  T1562.004

                  Disable or Modify Tools

                  2
                  T1562.001

                  Modify Registry

                  4
                  T1112

                  Subvert Trust Controls

                  1
                  T1553

                  Install Root Certificate

                  1
                  T1553.004

                  Virtualization/Sandbox Evasion

                  2
                  T1497

                  Credential Access

                  Unsecured Credentials

                  3
                  T1552

                  Credentials In Files

                  3
                  T1552.001

                  Discovery

                  Peripheral Device Discovery

                  1
                  T1120

                  Query Registry

                  7
                  T1012

                  System Information Discovery

                  5
                  T1082

                  Virtualization/Sandbox Evasion

                  2
                  T1497

                  Lateral Movement

                  Collection

                  Data from Local System

                  3
                  T1005

                  Command and Control

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                    Filesize

                    1KB

                    MD5

                    1bac88119d73b08d53ba32ac0ece3388

                    SHA1

                    2c4c95afe28554c557e4635f1e16cc363b8ba618

                    SHA256

                    98c2db5f24c693e7aec5acf5dd3f6642ed602726fb9df94b22342a5fddd11880

                    SHA512

                    5b54d45246920f77c3a333729f3c804afcc902385c0334949e2eb8995d551dad9aafbe4efa08e53889f16cca32cc909ce194d2ea11b7d9b48ee50c9eb54ceb99

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
                    Filesize

                    724B

                    MD5

                    8202a1cd02e7d69597995cabbe881a12

                    SHA1

                    8858d9d934b7aa9330ee73de6c476acf19929ff6

                    SHA256

                    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

                    SHA512

                    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                    Filesize

                    1KB

                    MD5

                    a266bb7dcc38a562631361bbf61dd11b

                    SHA1

                    3b1efd3a66ea28b16697394703a72ca340a05bd5

                    SHA256

                    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                    SHA512

                    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                    Filesize

                    410B

                    MD5

                    877aad55672daa6610c119fdaa334de1

                    SHA1

                    b7221953ab8cf29d0096d31b8e9a555791b88d1b

                    SHA256

                    672f59d86917a61c30f0febe21689889a6301265d08a90ba1037083e136d9b6a

                    SHA512

                    4e06f5cd099e794f667821bf1cd45cf42141665ac9c7ac16a18d6d50396e3086296494af0d766f4f49be86fe338be9ff08e67a68d922a29a259d72935c8c83d0

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize

                    344B

                    MD5

                    da3f5a262692ceaffcca9112f377fd91

                    SHA1

                    9e4e2dc69fe67fe09e7e64a2ffa01c2b7be6c4ff

                    SHA256

                    eb5b8614a8c598b4d6a6475794b811646316678703d366612f5a6de08cbf3312

                    SHA512

                    77e067d4e8d35cb57ba06e8426760a1e9924e809a1c59b4aa404f8b40dcb0ab86d63a6733264195350073f503c5016267e0388e1a6746be5c06c63d64de510f0

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize

                    344B

                    MD5

                    0f4684384d598853dede94e564923e32

                    SHA1

                    056127b5bc4fa60676959e63a52ceb2902298cdb

                    SHA256

                    9e5355a1597f72cfdcd65d8e91cdb05aa03ad9936ff50c50ae397c9e63f4bd7c

                    SHA512

                    2d48d97f2f33c496e700c3c0b86c494fcd5774fe3c588f3cdc673561e6029d164496cce11f04660112f9c65be722108d04544d5f0243d164ec9cd06a0f7a9d68

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize

                    344B

                    MD5

                    96c3ce5cd048c759541fdbdc4aa00b92

                    SHA1

                    2892ac70bd4983e53c88acaee9e2db9fcd690ab7

                    SHA256

                    9275334e2f0e5792e1275cc991a55142ff39f1f73e3fabf5203450197a3d053d

                    SHA512

                    fcd6e3470e92cd180b2a5881630f9a86ce313ac577030e8e18fa483b7cef515ea88b13e84ad253ee0c2a53b8c883fb419ab5f657d38e0e49790561507d2c2584

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize

                    344B

                    MD5

                    94679b373bfa106a5adb53d62f74ccb2

                    SHA1

                    943af54e7996b1ed819ffb7fee27fc4c50baa898

                    SHA256

                    9ec061527952ae50b77a64a6993e20310a595447bdccdd94c18ec04bf5c93b66

                    SHA512

                    87aa42053c804d3bd4308fffa6180b0ac0d46462b68f7406c64e446c3a3f0b14e03204c689c61430e87125c3fb1a74127dd8348ae7da0224908c64828f67dc3a

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
                    Filesize

                    392B

                    MD5

                    c5cf1d9d6b1e82c6b22d721bec7e5bee

                    SHA1

                    15b13d4ff4523cf970579a265e3d077cd11a8f59

                    SHA256

                    4987d57c7b3b4f1f40ebaba874fca5a9a971a17cf24e63fcb04250cd671de5c6

                    SHA512

                    c9df09a477fa9208be10eca1b53621ca29a255748a9ec6bd59881526b33d4b4980494b20086aef238dcbda8a90f3277546b93f0cf1e05da2429fb9bf8f570698

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                    Filesize

                    242B

                    MD5

                    fb78dce89508e72bf68145dd247066c1

                    SHA1

                    8026989a3a1ac355f0dc698a83b79bc7f480a7f9

                    SHA256

                    8873129ad65ab547528f035dfc81907b55ef0b154080ebdf7c8c30b3b360227d

                    SHA512

                    33ffc00f4d191644313db6613e08e0e96f2b51ce6551ec8e08340bae250502d87a5eb2a8be6b82cf143a1b37339e7450665118bde88ab4e0a07f78521f8d4234

                    Download Submit

                  • C:\Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build3.exe
                    Filesize

                    299KB

                    MD5

                    41b883a061c95e9b9cb17d4ca50de770

                    SHA1

                    1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

                    SHA256

                    fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

                    SHA512

                    cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                    Filesize

                    4.2MB

                    MD5

                    a81139f25bcb6daca5d21f7c112342bb

                    SHA1

                    c749bbad487af9e54dca3c232bae628b1ee4e01a

                    SHA256

                    5fac6b8c422f2b2d6c3e7ae10a2271ad911eb7c45a6ec838a1050a744ff786be

                    SHA512

                    b963409735ece02eee1f721f34627cd0776ecc7966740bcc3cf9909bfb397154010829223f8918ebfe4a13e3cb1404d38a79e08b895c2665d95d669de7a6fdbb

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                    Filesize

                    1.3MB

                    MD5

                    c94a3e362f137547d881e40d59ba5af4

                    SHA1

                    8c7bedaef6f73e7b8e6e69536395157a3c6e701a

                    SHA256

                    567ffb62bf3d10161c3b45b26428fbb06f74ae4db75291bf76541b01e64096e1

                    SHA512

                    6927a2f3bcb70c7415912ccb42e1cd5151a6f735289a7bc6929745f6f01b445976423256671339a8da102f2c121dcc20cb8a8da125505129b097e356270b0876

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                    Filesize

                    3.1MB

                    MD5

                    27c2761ce811a38d30dbad9d3dea5cc3

                    SHA1

                    c816ee4ed111a1617ec6def3f7ba470d4a27de5e

                    SHA256

                    2e39f9ccd45e41eb34748adc785812e41555103a59e169db12f77481ecdeb3c2

                    SHA512

                    15386a7e018cc1e04f597eb9ec2610d35a0c0507d022126154af63deb2472e2c71a2583b32ababc0a439b5ddf0909c004e26c522d1457e806f386d2a0c81ae92

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                    Filesize

                    3.2MB

                    MD5

                    7e4af5dc2408b9f48ec00c4529573816

                    SHA1

                    85bbc4b913796fe0d934a59c094a332b3d0e73b1

                    SHA256

                    ff97ded94988de1b72fb1957401b4f44df5457109b5e8ef3513e6bc34a7aac8d

                    SHA512

                    1172ce18f70190501856e5f25502a81c16232e06934d6bbd4e47f4d9fa82fa9267bdc3f3b0db85dbd19a8bc406bbd474d2a763947491f6572c475872aff6ca67

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\456B.bat
                    Filesize

                    77B

                    MD5

                    55cc761bf3429324e5a0095cab002113

                    SHA1

                    2cc1ef4542a4e92d4158ab3978425d517fafd16d

                    SHA256

                    d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                    SHA512

                    33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\6476.exe
                    Filesize

                    1.9MB

                    MD5

                    5b1411077afd968b1dfd6b465f8117c0

                    SHA1

                    adbd15191ee0505f09a110c085164e0c85731405

                    SHA256

                    5f4fea43a900ee1cff4c67fc4b08d3fa856e8f9024986ff49cf1a355296e529a

                    SHA512

                    6655a778035fb60201702b80f64e81092c0fd39692e53d1703fb191aff87691d4245cafc6bfa61d47aa68531eab14c554a1d0d6f8081da1e85d5afc6bb92e358

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\9F2C.exe
                    Filesize

                    286KB

                    MD5

                    b70a1bd49d4133d98946486d4ec6bb36

                    SHA1

                    9feed9636e3a411bd1d2a3e80e713fe53376d9c4

                    SHA256

                    3db942a351d54b698e9836bb4a6fd9ddd0ae96e90033549f9f12517a25bf3ede

                    SHA512

                    880b427c04cd532f7f49f496c5fb1f3a4244757deff6495c2b20d7b19631dd296a9a04ae968d9f3d51f3b022ea4c4d16a57e7c2a215c9a0b053b96dcfb290441

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\BE32.exe
                    Filesize

                    815KB

                    MD5

                    7e46a1ead53b47ff775549cb9a2fd835

                    SHA1

                    4d8b025b05958ddfc6a7b5629494e07712ba2c21

                    SHA256

                    be30285fdd967e89fbcf936978d64b298a3d6530704913c60049a84da934d7b7

                    SHA512

                    48f6d4f05eae49d8a2567236e7d41c5b542de568a31fee82e7122f98f8e68c21aec2bdf1f0b183b3e0cf8939312978c56d196e06bf1e1d502ae2f3c52e51ea72

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                    Filesize

                    2.5MB

                    MD5

                    112a36b50cd748f7bcad42f4357fd73e

                    SHA1

                    f5327753b177b41f28f300894df8e20afb10e5dd

                    SHA256

                    36f3eb4e9fddba136b624586c9492fe638d40f12b4df41a23aa4974f4c40d96f

                    SHA512

                    51dfa73ab99ed3277d7e7ce2c388fa2fdf708a20d39d03d656ae60678e7dc8319d3bb1ea8c377aaa0aab39e751acd5897336d2c12d4d1d2080bf84a8a93ae79c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Cab2648.tmp
                    Filesize

                    65KB

                    MD5

                    ac05d27423a85adc1622c714f2cb6184

                    SHA1

                    b0fe2b1abddb97837ea0195be70ab2ff14d43198

                    SHA256

                    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                    SHA512

                    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
                    Filesize

                    1.2MB

                    MD5

                    2b61140c4e131b691d726acdc209eafb

                    SHA1

                    000043a7b74bd6cec46ab97c671694637a54b026

                    SHA256

                    e584ec5401cc6ab5e0d1de2bcf8350657b80f9fd17ad9fcf8d73ecff1325d420

                    SHA512

                    477f74d3c99587f4e74c9db9590de918d8cb467e0a07267d3473f228bc146bf66ddccecf00d055bf17f38d7b4b63170a733b00321fd65f06a2b3f6790a0d3db5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
                    Filesize

                    2.8MB

                    MD5

                    36f8b98ee5471f3658d5b9092c4e100d

                    SHA1

                    918157455b8e7dc7108a3d3911b909320d3f8daa

                    SHA256

                    bd7656fb4c76276d3de5ad28a397bf0c051b4ba31895cebf76854b584f4ccccb

                    SHA512

                    299ceea584ebf5c620cfe3639b0d4ccc96879cdeb09c6d6724cf815933cfbd66bd78a5e8812643d67a3408d1ae62edc91406b4a03e114f5940315da86922fa37

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
                    Filesize

                    492KB

                    MD5

                    fafbf2197151d5ce947872a4b0bcbe16

                    SHA1

                    a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

                    SHA256

                    feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

                    SHA512

                    acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Tar2715.tmp
                    Filesize

                    171KB

                    MD5

                    9c0c641c06238516f27941aa1166d427

                    SHA1

                    64cd549fb8cf014fcd9312aa7a5b023847b6c977

                    SHA256

                    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                    SHA512

                    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\nsy210A.tmp
                    Filesize

                    328KB

                    MD5

                    27f37fa93c3f218d90a4b9d1c769b225

                    SHA1

                    208d502169a49edfc23cedb7bf26b3f7a0030add

                    SHA256

                    bb9397786f7314931ced6370ceacf505923dfa835988c306342efc061341dabd

                    SHA512

                    4f303ea2a90d71b7d064c097ba52611c287c68c958e4272d83c303c4450b418dfe3a3d5c4e0a3526cf20caa2985866bcd68ad5f877216effae96110ea76d4123

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                    Filesize

                    3.3MB

                    MD5

                    3f0d5901b08a6cf8689a94b8bca21a04

                    SHA1

                    59180d5ae0d5beeb8aafe36fd93c7f1c01569b7c

                    SHA256

                    00e6195e1fb7d108531f56ecf2f862fbee5679da1f8b76220c2126e4259e2649

                    SHA512

                    a8ae5c94ce38af2d6c025efa6ffd1edeace0bff74aecebb2fa5d91d7467830cc8dc98f6773c5bdd88e525e8c93f6076f7420a1bb3262d0795376dc0e9a461da4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\osloader.exe
                    Filesize

                    64KB

                    MD5

                    367011d594a7f38c1e1d0e88f5028fbb

                    SHA1

                    d7ee26a3ed4ce1de0943a843b3e72a722da90698

                    SHA256

                    cce834eea99a6757290c5a9e560f88aa1e4b58c529fff4909c9b1a62753f9849

                    SHA512

                    a5a33f0640b80075878c604410eac19bd8add41e0bd5baf4bb9a052b26ab2e3af424203aec358809368fd4d53caf670cab25a272e1af7591cc0e20f548b3faa7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\rty25.exe
                    Filesize

                    715KB

                    MD5

                    0b374be36fee0eae8b1e305f1e4073f5

                    SHA1

                    3e5f24441b9f00c3e5beb7ef2438d1868259d852

                    SHA256

                    bbd48c58bc41696a56c317d9650057c725642e5c1dee71a8b4f0b9cbd9095ad4

                    SHA512

                    f8abf77020dfe9cba6c8afb6535a86338a8923dac7d3a81ce78110302708611109c3b80104178ec6dcd95ce7d9e60829fa8b88c7411aa726699aec04eaaccb9c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
                    Filesize

                    175KB

                    MD5

                    01fb175d82c6078ebfe27f5de4d8d2aa

                    SHA1

                    ff655d5908a109af47a62670ff45008cc9e430c4

                    SHA256

                    a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3

                    SHA512

                    c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
                    Filesize

                    128B

                    MD5

                    11bb3db51f701d4e42d3287f71a6a43e

                    SHA1

                    63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                    SHA256

                    6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                    SHA512

                    907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

                    Download Submit

                  • C:\Windows\rss\csrss.exe
                    Filesize

                    3.6MB

                    MD5

                    0cf9ba56c0f44c9f18f42d205694372f

                    SHA1

                    273bf2e51b20f392bc6ef889a69554d2384a4ce8

                    SHA256

                    17e6a5a8a53e3a337a51bd8dea410cf5aaca166c8c9539e70457ddd9e5a7e88c

                    SHA512

                    afd6291c3c9d531328fe4de90107645d7cb4b7c443c1d23e214b612b40ffe946c4b694e1aaf4ba0fb2b84c14f0a7878736c9ea5e33dadf8af548d4b01fe82f4e

                    Download Submit

                  • \ProgramData\mozglue.dll
                    Filesize

                    593KB

                    MD5

                    c8fd9be83bc728cc04beffafc2907fe9

                    SHA1

                    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                    SHA256

                    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                    SHA512

                    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                    Download Submit

                  • \ProgramData\nss3.dll
                    Filesize

                    2.0MB

                    MD5

                    1cc453cdf74f31e4d913ff9c10acdde2

                    SHA1

                    6e85eae544d6e965f15fa5c39700fa7202f3aafe

                    SHA256

                    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                    SHA512

                    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                    Download Submit

                  • \Users\Admin\AppData\Local\23a2e250-b85d-4090-83ee-3eb4792c654f\build2.exe
                    Filesize

                    255KB

                    MD5

                    c57c76d6dc6ed6b6e534d8180294fc2d

                    SHA1

                    6c164812674571f84eeba36d07e47241ca22c40e

                    SHA256

                    4e8d80a17217b51fde5079a5c195b4dc24890797cf6346c366a59c9c35847a2b

                    SHA512

                    6f92fe7f51aeecc12c216b4b801cc6320e70f89ac1bf5f9905df6bf2f753b7045da78d238cceddb0d93bac0feabaf8f4ffbb65acded8ba679515444f166a56a3

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                    Filesize

                    2.9MB

                    MD5

                    e7bab92f19dcfcb97035c4f6deea24d7

                    SHA1

                    a4f1cd05f45f78267b5b1546d16b5595ec9abe24

                    SHA256

                    40e71dd85f9496b70a04da990117b555fddfff38f7887c25e57875364095700e

                    SHA512

                    f5b008c05f934bfc53596b0f38922e64047304aa4d5789946a8647718376784efab69c00dec3f8da13ad09cd8c3fc519163046b8bc8876f70ee58188c763bdd2

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                    Filesize

                    3.3MB

                    MD5

                    21b6987ba3226441618254bb3ae7157d

                    SHA1

                    36ff55efd678d97ce58caaba822a1c983f1d6ad4

                    SHA256

                    2fa51f092f80337273c7d546819c371f65fd766c4e28c6cb39368c63909c83c6

                    SHA512

                    f2db28eb4152abad4dfe7ba8927b64be821bf0ed457e259a9532f3fbd708ba4338e84c3b3071b134d4aa87004776baeaef18943fa1c41fee58c68fea5024847c

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\BE32.exe
                    Filesize

                    192KB

                    MD5

                    4ee58d141601d032bd6153b2b4a5662b

                    SHA1

                    f7d3567b0e2e2f684e6ae8e1c4e4d83f3c261caa

                    SHA256

                    73de43354e382328b0bca6ba18deebd4e4a50941b9e5cb917b7ce3c809cc2528

                    SHA512

                    a1d47e8e1cd37ff61bfa76240831cd0215fade59ebb2f88850ac71638fcfdc149d35f528d6e831f0f7adfef2d5d401c8de381b92deb5d23800a256097bcd1b99

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\BroomSetup.exe
                    Filesize

                    2.9MB

                    MD5

                    d4b9944f32a176a9a88488c22e1e9d98

                    SHA1

                    34e77872376ca245a3210980ce2a32e8bd8c918d

                    SHA256

                    9cf574b5179ae2c5a0688500dab90f698121341bb23ec808e9b9f1655d2b532e

                    SHA512

                    388c0bb634d03f5ab39f82db48226f9bdc9bdc41fe5854149119a89a2a79b513142334a5555628300859b85acae5f2d4852869da54e1bbd8ace80fe23403d1f2

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\InstallSetup8.exe
                    Filesize

                    2.0MB

                    MD5

                    1bf708425e397e8cd7784d14322f0435

                    SHA1

                    77e4209e868eb1115dda3ebb64e37ddddd2a825c

                    SHA256

                    8a94354407a01f31848af8bea6aa9fc300a852e66c096e78015585fa3eea546a

                    SHA512

                    93b58cea1c32f9b76b91b8e1f3422a4e8a9e95f30ddca2fee0a309640f6137b8f52a82d6d05ba33dd3aa3bb91208762edf12f0d26c4c38771e23297ab0d3a29a

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    Filesize

                    281KB

                    MD5

                    d98e33b66343e7c96158444127a117f6

                    SHA1

                    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                    SHA256

                    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                    SHA512

                    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
                    Filesize

                    1.7MB

                    MD5

                    13aaafe14eb60d6a718230e82c671d57

                    SHA1

                    e039dd924d12f264521b8e689426fb7ca95a0a7b

                    SHA256

                    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

                    SHA512

                    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\dbghelp.dll
                    Filesize

                    1.5MB

                    MD5

                    f0616fa8bc54ece07e3107057f74e4db

                    SHA1

                    b33995c4f9a004b7d806c4bb36040ee844781fca

                    SHA256

                    6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

                    SHA512

                    15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\nsd18EE.tmp\INetC.dll
                    Filesize

                    25KB

                    MD5

                    40d7eca32b2f4d29db98715dd45bfac5

                    SHA1

                    124df3f617f562e46095776454e1c0c7bb791cc7

                    SHA256

                    85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

                    SHA512

                    5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                    Filesize

                    3.8MB

                    MD5

                    7a78d0a736ff106286c9ce71a0a6fce9

                    SHA1

                    040b7e40534346d33914de6b2a6b60e22c5fb9e0

                    SHA256

                    1047442611e65070fe69d17c4b6e2116a3027e7e871a8899c15ec64da750eb93

                    SHA512

                    622695c6a55a457ea18e463a1b531f996627502299577aca01ad7e203ae0e98571501bc9e68828c2ad30a0b17fdf580091bf79a24ab2c9110698041d91d8bca0

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                    Filesize

                    3.3MB

                    MD5

                    88576a6c3468790e14427e7ef3a6963e

                    SHA1

                    d27267b0b98ed70ac13bb0bf7ddf0a8a2eac3a50

                    SHA256

                    9a835c0e29fabc2af1fe70de94b67a714d7a5988b096266079fa93ad775480f8

                    SHA512

                    d7f19ce7bb08f37604950bc77d00daa09b47ed3e0bd9f63ef4a0d2c935d1e6857ce7e1a1a056d0bae1e174fcf9da238c6210354adde23e90348b407ad43962fb

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                    Filesize

                    3.0MB

                    MD5

                    e3a74eaafc2474cf492ca0e1f62a19d4

                    SHA1

                    3595beb47162b7b45018ee4f967d1f69596dda77

                    SHA256

                    3fb12b43d068a59878fd5f76712c91e3933af34b02ff78bd5cfd67ec53be33b5

                    SHA512

                    74eb418cd61ccba3cedb1314c0edc1e7af6a64c55c996c53a473fe0e1eae3ddf45d8aea0a7d2a506ad9a9345c6fdfd505ed0cdf08ffdc1827213fa750de79029

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\symsrv.dll
                    Filesize

                    163KB

                    MD5

                    5c399d34d8dc01741269ff1f1aca7554

                    SHA1

                    e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

                    SHA256

                    e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

                    SHA512

                    8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\toolspub1.exe
                    Filesize

                    5KB

                    MD5

                    362054e1bb3e402c4b3fc0813f14e97c

                    SHA1

                    cbe4350ab7d1c8219b879cddb951d6805e6f6c15

                    SHA256

                    e572b929b876297bf0980620b95578a5a273dd63d9a2631f4a74c818d127f7c8

                    SHA512

                    13e7ec6f7bef4019368c6f53f8ad80aa5d149945b8dbfd358eb9bbfc44027c0686a6c3fc4599f1206205b7c21392458ce2647195a83b43d2f8949f27feed3e1f

                    Download Submit

                  • \Windows\rss\csrss.exe
                    Filesize

                    2.1MB

                    MD5

                    971db295e8d116b40020b6f2b60e3a6c

                    SHA1

                    d4814fde1620869e2dcb970782eeb9625210e73b

                    SHA256

                    030f077bc697bb83397c1ba14d08121d9a6150cb11f14533f057a000f3983c4d

                    SHA512

                    00f8997d8dc492ff3784f4563a9d0cbdcb17b677f8d6ff89c0a06002acf098be02c025c32217e40e9dd6108ffd238de483801c4904a97898b6f681c64fe9d672

                    Download Submit

                  • \Windows\rss\csrss.exe
                    Filesize

                    2.3MB

                    MD5

                    a3133c79a9e0b274a064b6cd8db7e481

                    SHA1

                    b7f31af95255268906854228cf2029a7f5e95b4b

                    SHA256

                    5f37d92e1f7ef6006dcf2e0a4d2a8827be0c0f4f4887f35705ffb9694f7faa5e

                    SHA512

                    6e3e9959ebba7e201c561fa708f5910627927cabe6224f24cd125203f58961da44b3a31eb09a8347ae596f8b80e4c0b7c17109cf09c1d2b204621bb42cac2c47

                    Download Submit

                  • memory/112-0-0x0000000074C30000-0x000000007531E000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/112-1-0x0000000001350000-0x0000000001A7C000-memory.dmp

                    Filesize

                    7.2MB

                    Download

                  • memory/112-34-0x0000000074C30000-0x000000007531E000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/880-626-0x0000000000400000-0x0000000000406000-memory.dmp

                    Filesize

                    24KB

                    Download

                  • memory/1028-389-0x0000000000400000-0x0000000002BF4000-memory.dmp

                    Filesize

                    40.0MB

                    Download

                  • memory/1028-384-0x0000000000400000-0x0000000002BF4000-memory.dmp

                    Filesize

                    40.0MB

                    Download

                  • memory/1028-383-0x0000000003060000-0x0000000003160000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1036-718-0x00000000028F0000-0x00000000028F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-714-0x0000000000030000-0x00000000004FE000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1036-715-0x0000000002590000-0x0000000002591000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-717-0x0000000002420000-0x0000000002421000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-726-0x0000000000B40000-0x0000000000B41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-716-0x00000000026F0000-0x00000000026F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-725-0x0000000002860000-0x0000000002861000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-719-0x0000000000A90000-0x0000000000A91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-712-0x0000000000030000-0x00000000004FE000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/1036-724-0x0000000002700000-0x0000000002701000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-713-0x0000000077C20000-0x0000000077C22000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1036-723-0x0000000002570000-0x0000000002571000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-722-0x0000000002580000-0x0000000002581000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-721-0x0000000002310000-0x0000000002311000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1036-720-0x0000000000B90000-0x0000000000B91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1044-181-0x0000000000F40000-0x0000000001338000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/1044-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/1044-179-0x0000000000F40000-0x0000000001338000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/1044-184-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/1044-245-0x0000000000F40000-0x0000000001338000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/1096-485-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1096-493-0x0000000000400000-0x0000000000644000-memory.dmp

                    Filesize

                    2.3MB

                    Download

                  • memory/1096-665-0x0000000000400000-0x0000000000644000-memory.dmp

                    Filesize

                    2.3MB

                    Download

                  • memory/1208-263-0x0000000002E80000-0x0000000002E96000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1208-388-0x0000000002E50000-0x0000000002E66000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1500-667-0x0000000000400000-0x00000000008DF000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/1580-185-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                    Filesize

                    972KB

                    Download

                  • memory/1580-106-0x0000000000220000-0x0000000000254000-memory.dmp

                    Filesize

                    208KB

                    Download

                  • memory/1580-105-0x0000000002D40000-0x0000000002E40000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1580-116-0x0000000000400000-0x0000000002BFF000-memory.dmp

                    Filesize

                    40.0MB

                    Download

                  • memory/1580-347-0x0000000002D40000-0x0000000002E40000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1580-346-0x0000000000400000-0x0000000002BFF000-memory.dmp

                    Filesize

                    40.0MB

                    Download

                  • memory/1580-244-0x0000000000400000-0x0000000002BFF000-memory.dmp

                    Filesize

                    40.0MB

                    Download

                  • memory/1612-399-0x0000000000310000-0x00000000003A2000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/1612-403-0x0000000000310000-0x00000000003A2000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/1612-405-0x0000000002E60000-0x0000000002F7B000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/1704-704-0x0000000004F10000-0x0000000004F50000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/1704-703-0x00000000723C0000-0x0000000072AAE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/1704-702-0x0000000000800000-0x0000000000CBA000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/1732-278-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                    Download

                  • memory/1732-292-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                    Download

                  • memory/1748-606-0x00000000001B0000-0x00000000001B4000-memory.dmp

                    Filesize

                    16KB

                    Download

                  • memory/1748-604-0x00000000002B0000-0x00000000003B0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1804-487-0x0000000000550000-0x0000000000650000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1804-488-0x0000000000230000-0x0000000000261000-memory.dmp

                    Filesize

                    196KB

                    Download

                  • memory/1812-230-0x0000000000220000-0x000000000022B000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/1812-229-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1812-220-0x0000000000400000-0x0000000002B04000-memory.dmp

                    Filesize

                    39.0MB

                    Download

                  • memory/1812-266-0x0000000000400000-0x0000000002B04000-memory.dmp

                    Filesize

                    39.0MB

                    Download

                  • memory/2088-467-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-469-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-470-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-463-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-462-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-660-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-447-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2088-446-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2300-357-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2300-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2300-483-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2300-243-0x0000000001010000-0x0000000001408000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2300-380-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2300-252-0x0000000001010000-0x0000000001408000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2300-381-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2300-436-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2600-228-0x0000000000400000-0x00000000008E2000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/2600-356-0x00000000001D0000-0x00000000001D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2600-49-0x00000000001D0000-0x00000000001D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2668-666-0x0000000000400000-0x00000000008DF000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/2668-669-0x0000000000400000-0x00000000008DF000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/2784-194-0x00000000039C0000-0x0000000003AEC000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2784-36-0x00000000FF630000-0x00000000FF6E7000-memory.dmp

                    Filesize

                    732KB

                    Download

                  • memory/2784-192-0x0000000003780000-0x000000000388A000-memory.dmp

                    Filesize

                    1.0MB

                    Download

                  • memory/2784-224-0x00000000039C0000-0x0000000003AEC000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2872-182-0x0000000002AB0000-0x000000000339B000-memory.dmp

                    Filesize

                    8.9MB

                    Download

                  • memory/2872-38-0x0000000002AB0000-0x000000000339B000-memory.dmp

                    Filesize

                    8.9MB

                    Download

                  • memory/2872-180-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2872-35-0x0000000001120000-0x0000000001518000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2872-183-0x0000000001120000-0x0000000001518000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2872-37-0x0000000001120000-0x0000000001518000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2872-48-0x0000000000400000-0x0000000000D1C000-memory.dmp

                    Filesize

                    9.1MB

                    Download

                  • memory/2880-435-0x0000000004470000-0x0000000004502000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/2880-438-0x0000000004470000-0x0000000004502000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/2884-410-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2884-409-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2884-406-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/2884-402-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2884-434-0x0000000000400000-0x0000000000537000-memory.dmp

                    Filesize

                    1.2MB

                    Download