Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2024 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9.exe

  • Size

    315KB

  • MD5

    5fe67781ffe47ec36f91991abf707432

  • SHA1

    137e6d50387a837bf929b0da70ab6b1512e95466

  • SHA256

    a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9

  • SHA512

    0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68

  • SSDEEP

    3072:Q/uViE3w/D/5q+eF/2HjXuq4wQa+pOhKRIEcwE3G/uWQnDPPWCA6jeCKGAY:Q/uVi35q+bGVO7xSQPPfxahhY

Score
10/10
amadeydcratgluptebalummaredlinesmokeloaderzgratlivetrafficpub1backdoordiscoverydropperevasioninfostealerloaderpersistenceratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

4.185.137.132:1632

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

lumma

C2

https://relevantvoicelesskw.shop/api

https://resergvearyinitiani.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • DcRat 4 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect ZGRat V1 4 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 33 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 11 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9.exe
    "C:\Users\Admin\AppData\Local\Temp\a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9.exe"
    1⤵
    • DcRat
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4432
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\93E3.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\93E3.dll
      2⤵
      • Loads dropped DLL
      PID:4836
  • C:\Users\Admin\AppData\Local\Temp\A307.exe
    C:\Users\Admin\AppData\Local\Temp\A307.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    PID:4080
  • C:\Users\Admin\AppData\Local\Temp\BD85.exe
    C:\Users\Admin\AppData\Local\Temp\BD85.exe
    1⤵
    • Executes dropped EXE
    PID:4236
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1116
      2⤵
      • Program crash
      PID:2104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4236 -ip 4236
    1⤵
      PID:3988
    • C:\Users\Admin\AppData\Local\Temp\DC0B.exe
      C:\Users\Admin\AppData\Local\Temp\DC0B.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
        "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
          "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
              PID:4812
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1192
                5⤵
                • Program crash
                PID:924
          • C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
            "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:456
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              4⤵
                PID:3472
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                  PID:3984
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  4⤵
                    PID:4180
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                  3⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:748
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                    4⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:3292
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show profiles
                      5⤵
                        PID:4352
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\757987694264_Desktop.zip' -CompressionLevel Optimal
                        5⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5076
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                    3⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    PID:2948
                  • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
                    3⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    PID:3920
                  • C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
                    3⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Drops file in Windows directory
                    PID:1444
                    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
                      4⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      PID:2328
                      • C:\Windows\SysWOW64\rundll32.exe
                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                        5⤵
                        • Loads dropped DLL
                        PID:5368
                        • C:\Windows\system32\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                          6⤵
                          • Blocklisted process makes network request
                          • Loads dropped DLL
                          PID:5392
                          • C:\Windows\system32\netsh.exe
                            netsh wlan show profiles
                            7⤵
                              PID:5412
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\757987694264_Desktop.zip' -CompressionLevel Optimal
                              7⤵
                                PID:5512
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                            5⤵
                            • Blocklisted process makes network request
                            • Loads dropped DLL
                            PID:5520
                      • C:\Users\Admin\AppData\Local\Temp\1000978001\fullwork.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000978001\fullwork.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:4712
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          4⤵
                            PID:4716
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1236
                              5⤵
                              • Program crash
                              PID:3160
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1140
                              5⤵
                              • Program crash
                              PID:1672
                        • C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
                          3⤵
                          • Executes dropped EXE
                          PID:1172
                        • C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:5968
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            4⤵
                            • Checks computer location settings
                            PID:6060
                            • C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
                              "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
                              5⤵
                              • Executes dropped EXE
                              • Modifies system certificate store
                              PID:4884
                            • C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
                              "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
                              5⤵
                              • Executes dropped EXE
                              PID:5352
                        • C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
                          3⤵
                          • Executes dropped EXE
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: MapViewOfSection
                          PID:5672
                        • C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe
                          "C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:5184
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 784
                            4⤵
                            • Program crash
                            PID:5616
                        • C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
                          "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:5452
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            4⤵
                              PID:4008
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              4⤵
                                PID:1152
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                4⤵
                                  PID:5652
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 1220
                                    5⤵
                                    • Program crash
                                    PID:5228
                              • C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
                                "C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"
                                3⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:5960
                                • C:\Users\Admin\AppData\Local\Temp\u4lk.0.exe
                                  "C:\Users\Admin\AppData\Local\Temp\u4lk.0.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  PID:2652
                          • C:\Users\Admin\AppData\Local\Temp\222D.exe
                            C:\Users\Admin\AppData\Local\Temp\222D.exe
                            1⤵
                            • Executes dropped EXE
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: MapViewOfSection
                            PID:2356
                          • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                            C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                            1⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            PID:4856
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4812 -ip 4812
                            1⤵
                              PID:3988
                            • C:\Users\Admin\AppData\Local\Temp\693A.exe
                              C:\Users\Admin\AppData\Local\Temp\693A.exe
                              1⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              PID:3560
                              • C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
                                "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
                                2⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:3984
                                • C:\Users\Admin\AppData\Local\Temp\u32o.0.exe
                                  "C:\Users\Admin\AppData\Local\Temp\u32o.0.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Checks processor information in registry
                                  PID:464
                                • C:\Users\Admin\AppData\Local\Temp\u32o.1.exe
                                  "C:\Users\Admin\AppData\Local\Temp\u32o.1.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4024
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                                    4⤵
                                      PID:3692
                                      • C:\Windows\SysWOW64\chcp.com
                                        chcp 1251
                                        5⤵
                                          PID:1632
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                          5⤵
                                          • DcRat
                                          • Creates scheduled task(s)
                                          PID:3548
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1176
                                      3⤵
                                      • Program crash
                                      PID:4048
                                  • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                                    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4860
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -nologo -noprofile
                                      3⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4092
                                    • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                                      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                                      3⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Checks for VirtualBox DLLs, possible anti-VM trick
                                      • Drops file in Windows directory
                                      • Modifies data under HKEY_USERS
                                      PID:2732
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nologo -noprofile
                                        4⤵
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3392
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                        4⤵
                                          PID:4212
                                          • C:\Windows\system32\netsh.exe
                                            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                            5⤵
                                            • Modifies Windows Firewall
                                            PID:468
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          4⤵
                                          • Drops file in System32 directory
                                          • Modifies data under HKEY_USERS
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4824
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          4⤵
                                          • Drops file in System32 directory
                                          • Modifies data under HKEY_USERS
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3256
                                        • C:\Windows\rss\csrss.exe
                                          C:\Windows\rss\csrss.exe
                                          4⤵
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Manipulates WinMonFS driver.
                                          • Drops file in Windows directory
                                          PID:2620
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -nologo -noprofile
                                            5⤵
                                            • Drops file in System32 directory
                                            • Modifies data under HKEY_USERS
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4400
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                            5⤵
                                            • DcRat
                                            • Creates scheduled task(s)
                                            PID:5008
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            schtasks /delete /tn ScheduledUpdate /f
                                            5⤵
                                              PID:2472
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -nologo -noprofile
                                              5⤵
                                              • Drops file in System32 directory
                                              • Modifies data under HKEY_USERS
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3512
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -nologo -noprofile
                                              5⤵
                                              • Drops file in System32 directory
                                              • Modifies data under HKEY_USERS
                                              PID:5000
                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                              5⤵
                                              • Executes dropped EXE
                                              PID:4468
                                            • C:\Windows\SYSTEM32\schtasks.exe
                                              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                              5⤵
                                              • DcRat
                                              • Creates scheduled task(s)
                                              PID:4056
                                            • C:\Windows\windefender.exe
                                              "C:\Windows\windefender.exe"
                                              5⤵
                                              • Executes dropped EXE
                                              PID:5732
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                6⤵
                                                  PID:5804
                                                  • C:\Windows\SysWOW64\sc.exe
                                                    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                    7⤵
                                                    • Launches sc.exe
                                                    PID:5820
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4812 -ip 4812
                                        1⤵
                                          PID:2120
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3984 -ip 3984
                                          1⤵
                                            PID:1480
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4716 -ip 4716
                                            1⤵
                                              PID:1148
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4716 -ip 4716
                                              1⤵
                                                PID:2492
                                              • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                1⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                PID:3140
                                              • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                1⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                PID:4008
                                              • C:\Windows\windefender.exe
                                                C:\Windows\windefender.exe
                                                1⤵
                                                • Executes dropped EXE
                                                PID:5832
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5184 -ip 5184
                                                1⤵
                                                  PID:5436
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5652 -ip 5652
                                                  1⤵
                                                    PID:5660

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Reconnaissance

                                                  Resource Development

                                                  Initial Access

                                                  Execution

                                                  Scheduled Task/Job

                                                  1
                                                  T1053

                                                  Persistence

                                                  Boot or Logon Autostart Execution

                                                  1
                                                  T1547

                                                  Registry Run Keys / Startup Folder

                                                  1
                                                  T1547.001

                                                  Create or Modify System Process

                                                  1
                                                  T1543

                                                  Windows Service

                                                  1
                                                  T1543.003

                                                  Scheduled Task/Job

                                                  1
                                                  T1053

                                                  Privilege Escalation

                                                  Boot or Logon Autostart Execution

                                                  1
                                                  T1547

                                                  Registry Run Keys / Startup Folder

                                                  1
                                                  T1547.001

                                                  Create or Modify System Process

                                                  1
                                                  T1543

                                                  Windows Service

                                                  1
                                                  T1543.003

                                                  Scheduled Task/Job

                                                  1
                                                  T1053

                                                  Defense Evasion

                                                  Impair Defenses

                                                  1
                                                  T1562

                                                  Disable or Modify System Firewall

                                                  1
                                                  T1562.004

                                                  Modify Registry

                                                  2
                                                  T1112

                                                  Subvert Trust Controls

                                                  1
                                                  T1553

                                                  Install Root Certificate

                                                  1
                                                  T1553.004

                                                  Virtualization/Sandbox Evasion

                                                  2
                                                  T1497

                                                  Credential Access

                                                  Unsecured Credentials

                                                  5
                                                  T1552

                                                  Credentials In Files

                                                  4
                                                  T1552.001

                                                  Credentials in Registry

                                                  1
                                                  T1552.002

                                                  Discovery

                                                  Peripheral Device Discovery

                                                  1
                                                  T1120

                                                  Query Registry

                                                  8
                                                  T1012

                                                  System Information Discovery

                                                  6
                                                  T1082

                                                  Virtualization/Sandbox Evasion

                                                  2
                                                  T1497

                                                  Lateral Movement

                                                  Collection

                                                  Data from Local System

                                                  5
                                                  T1005

                                                  Command and Control

                                                  Exfiltration

                                                  Impact

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\ProgramData\mozglue.dll
                                                    Filesize

                                                    593KB

                                                    MD5

                                                    c8fd9be83bc728cc04beffafc2907fe9

                                                    SHA1

                                                    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                    SHA256

                                                    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                    SHA512

                                                    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                    Download Submit

                                                  • C:\ProgramData\nss3.dll
                                                    Filesize

                                                    2.0MB

                                                    MD5

                                                    1cc453cdf74f31e4d913ff9c10acdde2

                                                    SHA1

                                                    6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                    SHA256

                                                    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                    SHA512

                                                    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    3KB

                                                    MD5

                                                    fe3aab3ae544a134b68e881b82b70169

                                                    SHA1

                                                    926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

                                                    SHA256

                                                    bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

                                                    SHA512

                                                    3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\alex1234.exe.log
                                                    Filesize

                                                    425B

                                                    MD5

                                                    4eaca4566b22b01cd3bc115b9b0b2196

                                                    SHA1

                                                    e743e0792c19f71740416e7b3c061d9f1336bf94

                                                    SHA256

                                                    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

                                                    SHA512

                                                    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    0bcdda713f998c3a83ec9a882a5b4f99

                                                    SHA1

                                                    17481397006eee6abf312941f614d80286256a42

                                                    SHA256

                                                    b95cc317c3b0492b59c90e2ece963cc980c633d2043cfd4ac387719a20b7b5c1

                                                    SHA512

                                                    2eb9bb39a9011100a6f0ef7611d423ed353abd26de47d1d35748bf9bcbe2f8f0782ac3ffce89390652db02eea488d5ea3347704bf33dbe6b28191471eebcffb8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                    Filesize

                                                    1.6MB

                                                    MD5

                                                    9ec78be1903b277ccee5294d001449c5

                                                    SHA1

                                                    a38a6e4c64eb229daa2369ab2d879b426356ff36

                                                    SHA256

                                                    cdea4b0f5bf8f1984c8b1e2b9f31ef98a097ac83159d090baf098527becfb3fe

                                                    SHA512

                                                    8ad14fe98b8d0122f6b00ac3b21fb8b66e76960eb16eb30924f899fbebe26265f2de8cab3e09af3610ef47dfeee411af6cd04c8d1d82bc78618da44c7e8c8ac3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
                                                    Filesize

                                                    534KB

                                                    MD5

                                                    a3f8b60a08da0f600cfce3bb600d5cb3

                                                    SHA1

                                                    b00d7721767b717b3337b5c6dade4ebf2d56345e

                                                    SHA256

                                                    0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb

                                                    SHA512

                                                    14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
                                                    Filesize

                                                    464KB

                                                    MD5

                                                    c084d6f6ba40534fbfc5a64b21ef99ab

                                                    SHA1

                                                    0b4a17da83c0a8abbc8fab321931d5447b32b720

                                                    SHA256

                                                    afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

                                                    SHA512

                                                    a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
                                                    Filesize

                                                    3.0MB

                                                    MD5

                                                    2a97d69c23b0a81e38a5ed7ac631f665

                                                    SHA1

                                                    40d5da73f370ea259cf3bdb5deebd26d4d4d81c8

                                                    SHA256

                                                    2cad1ea96fe233507340f2a690b5ace0d2eb06bb3943defa751f3bc194bf59e1

                                                    SHA512

                                                    181f24fdf779c6c4ccf857de3837ac487903e9830ede93696f5a3121ae21703a830be0c870f6074b7ce120d2cb28e9e66680b8b075745728e0d423c88e09cb09

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
                                                    Filesize

                                                    1.8MB

                                                    MD5

                                                    4f365869462de9d773aa837e8ce894ee

                                                    SHA1

                                                    5eba7252e51d50e2966795aeeb5d4a7b90a6c586

                                                    SHA256

                                                    8f445bcfeaf41e0ce20103011ea416152ccc81669a3563aa5a7c7d55a50bd99d

                                                    SHA512

                                                    1e0aacd11d9708a87eefc9c1c2ed2a7931c13605be514571371e34f9c7fde5a28f33fa90c02ef7eb8de7f710a148037811c9d0283c01fc78a769e5e861608b25

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000978001\fullwork.exe
                                                    Filesize

                                                    451KB

                                                    MD5

                                                    b2b60c50903a73efffcb4e33ce49238f

                                                    SHA1

                                                    9b6f27fc410748ae1570978d7a6aba95a1041eea

                                                    SHA256

                                                    29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1

                                                    SHA512

                                                    2c66a1615de77157f57c662de2e3ec97deb8cb6aadc0a03ff0acc3b269affd5ae0d50dfef85939ca9c1a8c6d47ff915061157e7da92dc286cb6ddd9b06a88126

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
                                                    Filesize

                                                    541KB

                                                    MD5

                                                    3b069f3dd741e4360f26cb27cb10320a

                                                    SHA1

                                                    6a9503aaf1e297f2696482ddf1bd4605a8710101

                                                    SHA256

                                                    f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e

                                                    SHA512

                                                    bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
                                                    Filesize

                                                    1.7MB

                                                    MD5

                                                    85a15f080b09acace350ab30460c8996

                                                    SHA1

                                                    3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

                                                    SHA256

                                                    3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

                                                    SHA512

                                                    ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
                                                    Filesize

                                                    315KB

                                                    MD5

                                                    5fe67781ffe47ec36f91991abf707432

                                                    SHA1

                                                    137e6d50387a837bf929b0da70ab6b1512e95466

                                                    SHA256

                                                    a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9

                                                    SHA512

                                                    0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe
                                                    Filesize

                                                    832KB

                                                    MD5

                                                    e3c0b0533534c6517afc94790d7b760c

                                                    SHA1

                                                    4de96db92debb740d007422089bed0bcddf0e974

                                                    SHA256

                                                    198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

                                                    SHA512

                                                    d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
                                                    Filesize

                                                    350KB

                                                    MD5

                                                    04df085b57814d1a1accead4e153909e

                                                    SHA1

                                                    6d277da314ef185ba9072a9b677b599b1f46c35b

                                                    SHA256

                                                    91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

                                                    SHA512

                                                    f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe
                                                    Filesize

                                                    460KB

                                                    MD5

                                                    47fbab674ef5ca115974543c038ae930

                                                    SHA1

                                                    d8262313d6723fa95247489b47ac2235d5e6f531

                                                    SHA256

                                                    bd187a70c29cb32b5b88d9898e2dc841cdd49b415a53a27dae75cfc449f63f79

                                                    SHA512

                                                    b4e22fb921580c86e77737a5a1163c954a51469f53dc8db01da40bf0331559c4abc639fc3f354e3938671f5452595b8629059568232250f570a975acfa8c7120

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\222D.exe
                                                    Filesize

                                                    316KB

                                                    MD5

                                                    b681d4df6f62eeef91cb17e65c97e292

                                                    SHA1

                                                    59b370577a69cb8643af5e9cd51ec48dc28067d9

                                                    SHA256

                                                    da6cffb343fdc6f7a7d629f92422be4f882ffbdfa8efbb9a5f6626930a164f03

                                                    SHA512

                                                    cfafd3824ae920536d42dff94cfd8397bbe78cf1d3543f0d12b5b166593eeb11f1c1a31254bc99b43bbd5d74ede1b1da15a139cccf655cf11a852bfd28c38395

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                                                    Filesize

                                                    4.2MB

                                                    MD5

                                                    43b4b9050e5b237de2d1412de8781f36

                                                    SHA1

                                                    125cd51af3ca81d4c3e517b8405b9afae92b86f2

                                                    SHA256

                                                    97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

                                                    SHA512

                                                    24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                                                    Filesize

                                                    1.9MB

                                                    MD5

                                                    c6eeb7b692e2048777812e99e6273cb3

                                                    SHA1

                                                    9112dc66f655e86a123ac78b8136d50d2f1c4cc1

                                                    SHA256

                                                    acc93cd0f01a8ae5c4a08e17da89d96e31952b9b99ce0d1fe7a2db0526a219b0

                                                    SHA512

                                                    3f332431e809c98e29ab825e58c4683c9311cdcf1b8fc3e0670f5d1df1f667841a81c7e454bcb141d25e2a6631c7a1b03bed85eca33b89c6369bf5b99d3deef5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\693A.exe
                                                    Filesize

                                                    4.7MB

                                                    MD5

                                                    4645adc87acf83b55edff3c5ce2fc28e

                                                    SHA1

                                                    4953795cc90315cf7004b8f71718f117887b8c91

                                                    SHA256

                                                    5a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8

                                                    SHA512

                                                    3d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\93E3.dll
                                                    Filesize

                                                    2.2MB

                                                    MD5

                                                    e69125300a060d1eb870d352de33e4c3

                                                    SHA1

                                                    60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

                                                    SHA256

                                                    009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

                                                    SHA512

                                                    257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\A307.exe
                                                    Filesize

                                                    1.8MB

                                                    MD5

                                                    b8b5138dc6f97136cfebece16f80203d

                                                    SHA1

                                                    e020d3ac6d101791801e8ce8c921a5f54f78abf5

                                                    SHA256

                                                    7d1e736b876ad9f4effc5736323bbb1db9d53b49abda5a13d238cbe5f56e136c

                                                    SHA512

                                                    f26e295c0845b57520ee8392761c532527ca41974f68f189bb37637b45455edceb098ca23d2952e495635719a8da8a39d86d880467bc6ad79071afd870dd9877

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\BD85.exe
                                                    Filesize

                                                    2.3MB

                                                    MD5

                                                    038f01c7ab34d20394b657ce5d5f3152

                                                    SHA1

                                                    7f82fb84c6c0aff1012675d48ba95b0558d3230f

                                                    SHA256

                                                    28119987147a63910d12662c2008089f85571817695dcd443d02303d52479c55

                                                    SHA512

                                                    4e0e25bfabb8882b58341205ee60f3f5dd83a9b93518aa3badd433b784531244fcc9bb07981461a6a382dbd2d1c4de211731156f8768f7cc8e61e0a7c0689a86

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
                                                    Filesize

                                                    464KB

                                                    MD5

                                                    44f814be76122897ef325f8938f8e4cf

                                                    SHA1

                                                    5f338e940d1ee1fa89523d13a0b289912e396d23

                                                    SHA256

                                                    2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

                                                    SHA512

                                                    daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\Tmp2DCD.tmp
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    1420d30f964eac2c85b2ccfe968eebce

                                                    SHA1

                                                    bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                    SHA256

                                                    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                    SHA512

                                                    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iucvsu4g.nj3.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                    Filesize

                                                    281KB

                                                    MD5

                                                    d98e33b66343e7c96158444127a117f6

                                                    SHA1

                                                    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                                    SHA256

                                                    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                                    SHA512

                                                    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\u32o.0.exe
                                                    Filesize

                                                    315KB

                                                    MD5

                                                    e542798822b185ea0de255c6a1df0010

                                                    SHA1

                                                    0a56f6a271f4621ad71df3342827a0c7efb5b44c

                                                    SHA256

                                                    ff0f7e87bd743483944bbec0af0afb14052db893a924152f15ebc979a4ebf2bb

                                                    SHA512

                                                    ccd069717c86f52093a81cb8b5235667825496c727ec6bdc1b7f501213419f920346a078c3c74d0685291c4fbfae2ce78bed02f3418fbaef886928a3f108aa33

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\u32o.1.exe
                                                    Filesize

                                                    1.7MB

                                                    MD5

                                                    eee5ddcffbed16222cac0a1b4e2e466e

                                                    SHA1

                                                    28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

                                                    SHA256

                                                    2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

                                                    SHA512

                                                    8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                                                    Filesize

                                                    109KB

                                                    MD5

                                                    2afdbe3b99a4736083066a13e4b5d11a

                                                    SHA1

                                                    4d4856cf02b3123ac16e63d4a448cdbcb1633546

                                                    SHA256

                                                    8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                                                    SHA512

                                                    d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                                                    Filesize

                                                    1.2MB

                                                    MD5

                                                    92fbdfccf6a63acef2743631d16652a7

                                                    SHA1

                                                    971968b1378dd89d59d7f84bf92f16fc68664506

                                                    SHA256

                                                    b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                                                    SHA512

                                                    b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                                                    Filesize

                                                    704KB

                                                    MD5

                                                    5912b08021e3ec663c4293f1165dae12

                                                    SHA1

                                                    40b9f2fbf8877abf9787bed3a3c0e12aa667bd73

                                                    SHA256

                                                    d8754e789362c58117c9df39c61caa78a27c4228dacf016fb2e55924ca330d5a

                                                    SHA512

                                                    d104fd4ab94d664c3c2192d4d6d5aed8739f449897c50e66459fc0fee3da27e9e98c1d36ce81d6f20add527547c89e51173719d8bb6db3ab330435276408fdc8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
                                                    Filesize

                                                    128B

                                                    MD5

                                                    11bb3db51f701d4e42d3287f71a6a43e

                                                    SHA1

                                                    63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                                                    SHA256

                                                    6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                                                    SHA512

                                                    907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
                                                    Filesize

                                                    109KB

                                                    MD5

                                                    726cd06231883a159ec1ce28dd538699

                                                    SHA1

                                                    404897e6a133d255ad5a9c26ac6414d7134285a2

                                                    SHA256

                                                    12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

                                                    SHA512

                                                    9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                                                    Filesize

                                                    1.2MB

                                                    MD5

                                                    15a42d3e4579da615a384c717ab2109b

                                                    SHA1

                                                    22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

                                                    SHA256

                                                    3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

                                                    SHA512

                                                    1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                                                    Filesize

                                                    576KB

                                                    MD5

                                                    0dbf7be9756a1527348b822603b77d03

                                                    SHA1

                                                    15c815137220fd4fadaf2752b91c991149a7910f

                                                    SHA256

                                                    8bc98d48ba8672dd85aa33a7dfe0178553a3705d42f84359f047cf57fab21284

                                                    SHA512

                                                    a0f4b373e13ef062806b63bce74acfc237d5c696386b8af741354ff0a2eda80ef4a8bfa6859ffb7f26cc2a7e16ce2802baeeb3aa6c2f9afe482186b81690ce3a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
                                                    Filesize

                                                    541KB

                                                    MD5

                                                    1fc4b9014855e9238a361046cfbf6d66

                                                    SHA1

                                                    c17f18c8246026c9979ab595392a14fe65cc5e9f

                                                    SHA256

                                                    f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

                                                    SHA512

                                                    2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
                                                    Filesize

                                                    304KB

                                                    MD5

                                                    cc90e3326d7b20a33f8037b9aab238e4

                                                    SHA1

                                                    236d173a6ac462d85de4e866439634db3b9eeba3

                                                    SHA256

                                                    bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

                                                    SHA512

                                                    b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

                                                    Download Submit

                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    3d086a433708053f9bf9523e1d87a4e8

                                                    SHA1

                                                    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                                                    SHA256

                                                    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                                                    SHA512

                                                    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                                                    Download Submit

                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                    Filesize

                                                    19KB

                                                    MD5

                                                    8d49627aadbc88e530f2630deec06bae

                                                    SHA1

                                                    20634adacb8aa1260915a2b90348cb89b9e82162

                                                    SHA256

                                                    520fecf440bcc5fc4df9fe20c45f304f5bee5884da422be68e810404c11da147

                                                    SHA512

                                                    3f81d376c30ef8c0cb8e7af78f169620f2ffbbb450f8aa66e4b17033d96f65b1708bb3cb56cf5bf72a0c06d5dbca39a99b1eff1af0ca35b81d7aabc17c15044c

                                                    Download Submit

                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                    Filesize

                                                    19KB

                                                    MD5

                                                    74c9cd1465f169c426478affe6256c5f

                                                    SHA1

                                                    ebe15e7cd727c3fb8e178fbcade29327335d8f9e

                                                    SHA256

                                                    3fa7f30daf9339998fb69e9110902d3f92942459715f02d200c7f32730014a10

                                                    SHA512

                                                    1fe060d09812c7c8405c34f98c21180b84e77d8405b2ffcbe0a72d2e3f521c422080cdda7759dcadad2f01fbbdd91111afa136cb521fe0aac4770dc1229851de

                                                    Download Submit

                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                    Filesize

                                                    19KB

                                                    MD5

                                                    55e355c500436c6c7cb5608c021a5648

                                                    SHA1

                                                    8b55eba190ecf9d2a356e069862038ff38c14fd2

                                                    SHA256

                                                    68c97bfec54a1cda81d885c7d60fcee9be54b7f9d3d09527ea7c66252193c85f

                                                    SHA512

                                                    0d3507dcab5dcfa4994ffe4b97fa7258418c9b2aa04e24ef8842670b2447e8f4766666396a92b48ca5fdf02244a59227ae83e9d28bcf020f25198267a7ea2585

                                                    Download Submit

                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                    Filesize

                                                    19KB

                                                    MD5

                                                    1946da69ed4d654b8f63d81e2d6afb5d

                                                    SHA1

                                                    ac95cfb01fa954e9794c7abda49fde98f51f9427

                                                    SHA256

                                                    e340e87e157bee13d6a2d066841d654d6c44a88b4ea24d8f2cb385ed73e6a7f4

                                                    SHA512

                                                    b2aecac9993b3368091aece79ea3a2d9702000da850561c76987f1ae5bf6c7b476984cd9f67ac93ec3bb737dea23fcd80a59fac36b1b2c4cff74e42f9766c654

                                                    Download Submit

                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                    Filesize

                                                    19KB

                                                    MD5

                                                    d86769e97b13b8fd22dd980de7d7fe0a

                                                    SHA1

                                                    e0ae4506df8f8e518079dcfb1698b823b9b547e3

                                                    SHA256

                                                    3ace6731efedce7ceee46a880b3453b246cb9eb20a5fb37846c6143f757a8817

                                                    SHA512

                                                    65f6a9919cefa5fec93f2fc681b6cdceda1b982db78418b9639117617d3cfa056aa4e41120d818ba06de84fed767b273e27033d0ba0f3b599e1fd3331a7583bc

                                                    Download Submit

                                                  • C:\Windows\Tasks\explorgu.job
                                                    Filesize

                                                    288B

                                                    MD5

                                                    c18470df979dfbd8c22e1dcd0733428f

                                                    SHA1

                                                    209bc0e5a492fca7a625f967d641829d92a6ca6d

                                                    SHA256

                                                    0ff67b7456d5e70fe49fd07b164880a507938359182d5689c320c1235e03796c

                                                    SHA512

                                                    fe4ac63b619394683ad703ab32bca37294f441aca6557ad5340f7cb9a21e901341855a8dba84df0f9b5e411373b159b8d274a87939a616c67f132c6986d0f2f6

                                                    Download Submit

                                                  • C:\Windows\rss\csrss.exe
                                                    Filesize

                                                    3.8MB

                                                    MD5

                                                    79cd92c0e5137c4435a4db87adf43777

                                                    SHA1

                                                    c8c561400fe51314123282f5f85650bcd776253d

                                                    SHA256

                                                    c8610b4e5fab98ef5ef81aa5a49e7a6888a89805faaaff5883c0b75ecf9d9621

                                                    SHA512

                                                    eac943dfebb10758cbd47095454253355f555ffe490aa4d567ecced6db7c20f2121466d5c7810627f00492436cac093293dc7a17e10099929a47f76cbe6cd19b

                                                    Download Submit

                                                  • C:\Windows\rss\csrss.exe
                                                    Filesize

                                                    2.6MB

                                                    MD5

                                                    695cbc97399b7e0d5c8a0ea43a85c4d8

                                                    SHA1

                                                    74ed26ce6bb461ea62e27fcf45ae98e63ecb360f

                                                    SHA256

                                                    92293688080ce3dc1abfd147a2c60ecc38353b1fc12d00d62f96487a8051d3d7

                                                    SHA512

                                                    8c2bad82f1403ba37bc1af5e612b94d63353164bdc9454be93fdb27a5dbc1f649e7a075b60cb2d55c41c53a927044606c29ed088b4df54ee9d2cd4063670124c

                                                    Download Submit

                                                  • memory/456-138-0x0000000072E10000-0x00000000735C0000-memory.dmp

                                                    Filesize

                                                    7.7MB

                                                    Download

                                                  • memory/456-134-0x00000000023C0000-0x00000000043C0000-memory.dmp

                                                    Filesize

                                                    32.0MB

                                                    Download

                                                  • memory/456-131-0x0000000004960000-0x0000000004970000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download

                                                  • memory/456-129-0x0000000072E10000-0x00000000735C0000-memory.dmp

                                                    Filesize

                                                    7.7MB

                                                    Download

                                                  • memory/456-127-0x0000000000100000-0x000000000017A000-memory.dmp

                                                    Filesize

                                                    488KB

                                                    Download

                                                  • memory/464-389-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                    Filesize

                                                    972KB

                                                    Download

                                                  • memory/1796-104-0x0000000072E10000-0x00000000735C0000-memory.dmp

                                                    Filesize

                                                    7.7MB

                                                    Download

                                                  • memory/1796-107-0x0000000005540000-0x0000000005550000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download

                                                  • memory/1796-172-0x0000000072E10000-0x00000000735C0000-memory.dmp

                                                    Filesize

                                                    7.7MB

                                                    Download

                                                  • memory/1796-105-0x0000000000B20000-0x0000000000BAC000-memory.dmp

                                                    Filesize

                                                    560KB

                                                    Download

                                                  • memory/2356-168-0x0000000002DA0000-0x0000000002DAB000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/2356-170-0x0000000000400000-0x0000000002D4D000-memory.dmp

                                                    Filesize

                                                    41.3MB

                                                    Download

                                                  • memory/2356-167-0x0000000002E90000-0x0000000002F90000-memory.dmp

                                                    Filesize

                                                    1024KB

                                                    Download

                                                  • memory/2356-201-0x0000000000400000-0x0000000002D4D000-memory.dmp

                                                    Filesize

                                                    41.3MB

                                                    Download

                                                  • memory/3436-4-0x0000000002950000-0x0000000002966000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/3436-197-0x0000000002D10000-0x0000000002D26000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/3956-81-0x0000000005550000-0x0000000005551000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-80-0x0000000005540000-0x0000000005541000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-76-0x0000000005570000-0x0000000005571000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-75-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3956-78-0x0000000005560000-0x0000000005561000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-250-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3956-152-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3956-73-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3956-79-0x00000000055B0000-0x00000000055B1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-77-0x0000000005580000-0x0000000005581000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-84-0x00000000055C0000-0x00000000055C1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-82-0x00000000055A0000-0x00000000055A1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-184-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3956-128-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3956-83-0x00000000055D0000-0x00000000055D1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3956-166-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/3984-362-0x0000000000400000-0x0000000002D72000-memory.dmp

                                                    Filesize

                                                    41.4MB

                                                    Download

                                                  • memory/4080-29-0x0000000005240000-0x0000000005241000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-24-0x0000000005260000-0x0000000005261000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-26-0x0000000005250000-0x0000000005251000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-23-0x0000000000890000-0x0000000000D43000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4080-27-0x0000000005290000-0x0000000005291000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-22-0x0000000077784000-0x0000000077786000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/4080-25-0x0000000005270000-0x0000000005271000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-21-0x0000000000890000-0x0000000000D43000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4080-28-0x0000000005230000-0x0000000005231000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-31-0x00000000052B0000-0x00000000052B1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4080-41-0x0000000000890000-0x0000000000D43000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4180-154-0x00000000051D0000-0x00000000051DA000-memory.dmp

                                                    Filesize

                                                    40KB

                                                    Download

                                                  • memory/4180-160-0x00000000060D0000-0x000000000611C000-memory.dmp

                                                    Filesize

                                                    304KB

                                                    Download

                                                  • memory/4180-133-0x0000000000400000-0x0000000000450000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/4180-137-0x0000000072E10000-0x00000000735C0000-memory.dmp

                                                    Filesize

                                                    7.7MB

                                                    Download

                                                  • memory/4180-139-0x0000000005610000-0x0000000005BB4000-memory.dmp

                                                    Filesize

                                                    5.6MB

                                                    Download

                                                  • memory/4180-155-0x0000000005270000-0x0000000005280000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download

                                                  • memory/4180-140-0x0000000005110000-0x00000000051A2000-memory.dmp

                                                    Filesize

                                                    584KB

                                                    Download

                                                  • memory/4180-157-0x0000000007F60000-0x000000000806A000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                    Download

                                                  • memory/4180-156-0x00000000064F0000-0x0000000006B08000-memory.dmp

                                                    Filesize

                                                    6.1MB

                                                    Download

                                                  • memory/4180-158-0x0000000007E90000-0x0000000007EA2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/4180-159-0x0000000006050000-0x000000000608C000-memory.dmp

                                                    Filesize

                                                    240KB

                                                    Download

                                                  • memory/4236-53-0x0000000000D70000-0x0000000000D71000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4236-52-0x0000000000D70000-0x0000000000D71000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4236-46-0x0000000000F50000-0x00000000012E7000-memory.dmp

                                                    Filesize

                                                    3.6MB

                                                    Download

                                                  • memory/4236-50-0x0000000000D70000-0x0000000000D71000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4236-51-0x0000000000D70000-0x0000000000D71000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4432-2-0x0000000004A90000-0x0000000004A9B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/4432-3-0x0000000000400000-0x0000000002D4D000-memory.dmp

                                                    Filesize

                                                    41.3MB

                                                    Download

                                                  • memory/4432-5-0x0000000000400000-0x0000000002D4D000-memory.dmp

                                                    Filesize

                                                    41.3MB

                                                    Download

                                                  • memory/4432-1-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

                                                    Filesize

                                                    1024KB

                                                    Download

                                                  • memory/4652-61-0x00000000050E0000-0x00000000050E1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-57-0x0000000000740000-0x0000000000BF3000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4652-59-0x0000000000740000-0x0000000000BF3000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4652-74-0x0000000000740000-0x0000000000BF3000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4652-71-0x0000000005120000-0x0000000005121000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-69-0x0000000005130000-0x0000000005131000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-65-0x00000000050B0000-0x00000000050B1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-62-0x00000000050C0000-0x00000000050C1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-64-0x00000000050A0000-0x00000000050A1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-63-0x0000000005100000-0x0000000005101000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4652-60-0x00000000050D0000-0x00000000050D1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4812-219-0x0000000000400000-0x0000000000448000-memory.dmp

                                                    Filesize

                                                    288KB

                                                    Download

                                                  • memory/4812-224-0x0000000000400000-0x0000000000448000-memory.dmp

                                                    Filesize

                                                    288KB

                                                    Download

                                                  • memory/4836-243-0x0000000000660000-0x0000000000672000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/4836-36-0x0000000002A80000-0x0000000002B88000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                    Download

                                                  • memory/4836-218-0x0000000003850000-0x000000000394A000-memory.dmp

                                                    Filesize

                                                    1000KB

                                                    Download

                                                  • memory/4836-228-0x0000000003950000-0x0000000003A47000-memory.dmp

                                                    Filesize

                                                    988KB

                                                    Download

                                                  • memory/4836-234-0x0000000003950000-0x0000000003A47000-memory.dmp

                                                    Filesize

                                                    988KB

                                                    Download

                                                  • memory/4836-49-0x0000000010000000-0x0000000010239000-memory.dmp

                                                    Filesize

                                                    2.2MB

                                                    Download

                                                  • memory/4836-214-0x0000000002A80000-0x0000000002B88000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                    Download

                                                  • memory/4836-215-0x0000000002B90000-0x0000000003842000-memory.dmp

                                                    Filesize

                                                    12.7MB

                                                    Download

                                                  • memory/4836-33-0x0000000002A80000-0x0000000002B88000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                    Download

                                                  • memory/4836-30-0x0000000002950000-0x0000000002A73000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                    Download

                                                  • memory/4836-14-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

                                                    Filesize

                                                    24KB

                                                    Download

                                                  • memory/4836-15-0x0000000010000000-0x0000000010239000-memory.dmp

                                                    Filesize

                                                    2.2MB

                                                    Download

                                                  • memory/4836-244-0x0000000058630000-0x0000000058680000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/4856-171-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download

                                                  • memory/4856-180-0x0000000000BC0000-0x0000000001073000-memory.dmp

                                                    Filesize

                                                    4.7MB

                                                    Download