02a1abbf1dca88e417498d9c2bd86ef3ead5a71bcee676356e7731371ef73338

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391da1dc7cd8ccd8438d258fb58eadeb.exe
Size

439KB
MD5

391da1dc7cd8ccd8438d258fb58eadeb
SHA1

16e51750473c116bfa3f1e7f0e345a0d3aae5720
SHA256

02a1abbf1dca88e417498d9c2bd86ef3ead5a71bcee676356e7731371ef73338
SHA512

47d265bf41adca8feb173a43c49bc5bda1c72c277bce2d52f10b7dcaf61f70baf0e22fb613ed4367fa5eca033be992e17a0e1ffff57ae6e81ba85088c4fe2cad
SSDEEP

6144:HrnkP+6bB0H9rj3fMobS1bSKPbSX2heDObS08bSAheDpbSk7HV/B+ybS0ya2heDD:HQ+Qu9piLzwoJZeDuD7ZlyVl5Zk7hck

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\E:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\Q:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\M:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\N:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\L:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\H:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\E:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\E:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\Q:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\G:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\L:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\E:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\M:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\M:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\H:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\Q:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2156	391da1dc7cd8ccd8438d258fb58eadeb.exe
2156	391da1dc7cd8ccd8438d258fb58eadeb.exe
2456	391da1dc7cd8ccd8438d258fb58eadeb.exe
2156	391da1dc7cd8ccd8438d258fb58eadeb.exe
2968	391da1dc7cd8ccd8438d258fb58eadeb.exe
2500	391da1dc7cd8ccd8438d258fb58eadeb.exe
2428	391da1dc7cd8ccd8438d258fb58eadeb.exe
1528	391da1dc7cd8ccd8438d258fb58eadeb.exe
2580	391da1dc7cd8ccd8438d258fb58eadeb.exe
2092	391da1dc7cd8ccd8438d258fb58eadeb.exe
2160	391da1dc7cd8ccd8438d258fb58eadeb.exe
1276	391da1dc7cd8ccd8438d258fb58eadeb.exe
1032	391da1dc7cd8ccd8438d258fb58eadeb.exe
2840	391da1dc7cd8ccd8438d258fb58eadeb.exe
588	391da1dc7cd8ccd8438d258fb58eadeb.exe
1416	391da1dc7cd8ccd8438d258fb58eadeb.exe
1172	391da1dc7cd8ccd8438d258fb58eadeb.exe
2976	391da1dc7cd8ccd8438d258fb58eadeb.exe
1304	391da1dc7cd8ccd8438d258fb58eadeb.exe
920	391da1dc7cd8ccd8438d258fb58eadeb.exe
1968	391da1dc7cd8ccd8438d258fb58eadeb.exe
3028	391da1dc7cd8ccd8438d258fb58eadeb.exe
2448	391da1dc7cd8ccd8438d258fb58eadeb.exe
2472	391da1dc7cd8ccd8438d258fb58eadeb.exe
2508	391da1dc7cd8ccd8438d258fb58eadeb.exe
2552	391da1dc7cd8ccd8438d258fb58eadeb.exe
2420	391da1dc7cd8ccd8438d258fb58eadeb.exe
2440	391da1dc7cd8ccd8438d258fb58eadeb.exe
2232	391da1dc7cd8ccd8438d258fb58eadeb.exe
2612	391da1dc7cd8ccd8438d258fb58eadeb.exe
1912	391da1dc7cd8ccd8438d258fb58eadeb.exe
2092	391da1dc7cd8ccd8438d258fb58eadeb.exe
344	391da1dc7cd8ccd8438d258fb58eadeb.exe
2748	391da1dc7cd8ccd8438d258fb58eadeb.exe
2772	391da1dc7cd8ccd8438d258fb58eadeb.exe
488	391da1dc7cd8ccd8438d258fb58eadeb.exe
708	391da1dc7cd8ccd8438d258fb58eadeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2456	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	28
PID 2156 wrote to memory of 2456	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	28
PID 2156 wrote to memory of 2456	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	28
PID 2156 wrote to memory of 2456	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	28
PID 2156 wrote to memory of 2504	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	29
PID 2156 wrote to memory of 2504	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	29
PID 2156 wrote to memory of 2504	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	29
PID 2156 wrote to memory of 2504	2156	391da1dc7cd8ccd8438d258fb58eadeb.exe	29
PID 2456 wrote to memory of 2968	2456	391da1dc7cd8ccd8438d258fb58eadeb.exe	31
PID 2456 wrote to memory of 2968	2456	391da1dc7cd8ccd8438d258fb58eadeb.exe	31
PID 2456 wrote to memory of 2968	2456	391da1dc7cd8ccd8438d258fb58eadeb.exe	31
PID 2456 wrote to memory of 2968	2456	391da1dc7cd8ccd8438d258fb58eadeb.exe	31
PID 2968 wrote to memory of 2500	2968	391da1dc7cd8ccd8438d258fb58eadeb.exe	32
PID 2968 wrote to memory of 2500	2968	391da1dc7cd8ccd8438d258fb58eadeb.exe	32
PID 2968 wrote to memory of 2500	2968	391da1dc7cd8ccd8438d258fb58eadeb.exe	32
PID 2968 wrote to memory of 2500	2968	391da1dc7cd8ccd8438d258fb58eadeb.exe	32
PID 2500 wrote to memory of 2428	2500	391da1dc7cd8ccd8438d258fb58eadeb.exe	33
PID 2500 wrote to memory of 2428	2500	391da1dc7cd8ccd8438d258fb58eadeb.exe	33
PID 2500 wrote to memory of 2428	2500	391da1dc7cd8ccd8438d258fb58eadeb.exe	33
PID 2500 wrote to memory of 2428	2500	391da1dc7cd8ccd8438d258fb58eadeb.exe	33
PID 2428 wrote to memory of 1528	2428	391da1dc7cd8ccd8438d258fb58eadeb.exe	34
PID 2428 wrote to memory of 1528	2428	391da1dc7cd8ccd8438d258fb58eadeb.exe	34
PID 2428 wrote to memory of 1528	2428	391da1dc7cd8ccd8438d258fb58eadeb.exe	34
PID 2428 wrote to memory of 1528	2428	391da1dc7cd8ccd8438d258fb58eadeb.exe	34
PID 1528 wrote to memory of 2580	1528	391da1dc7cd8ccd8438d258fb58eadeb.exe	35
PID 1528 wrote to memory of 2580	1528	391da1dc7cd8ccd8438d258fb58eadeb.exe	35
PID 1528 wrote to memory of 2580	1528	391da1dc7cd8ccd8438d258fb58eadeb.exe	35
PID 1528 wrote to memory of 2580	1528	391da1dc7cd8ccd8438d258fb58eadeb.exe	35
PID 2580 wrote to memory of 2092	2580	391da1dc7cd8ccd8438d258fb58eadeb.exe	36
PID 2580 wrote to memory of 2092	2580	391da1dc7cd8ccd8438d258fb58eadeb.exe	36
PID 2580 wrote to memory of 2092	2580	391da1dc7cd8ccd8438d258fb58eadeb.exe	36
PID 2580 wrote to memory of 2092	2580	391da1dc7cd8ccd8438d258fb58eadeb.exe	36
PID 2092 wrote to memory of 2160	2092	391da1dc7cd8ccd8438d258fb58eadeb.exe	37
PID 2092 wrote to memory of 2160	2092	391da1dc7cd8ccd8438d258fb58eadeb.exe	37
PID 2092 wrote to memory of 2160	2092	391da1dc7cd8ccd8438d258fb58eadeb.exe	37
PID 2092 wrote to memory of 2160	2092	391da1dc7cd8ccd8438d258fb58eadeb.exe	37
PID 2160 wrote to memory of 1276	2160	391da1dc7cd8ccd8438d258fb58eadeb.exe	38
PID 2160 wrote to memory of 1276	2160	391da1dc7cd8ccd8438d258fb58eadeb.exe	38
PID 2160 wrote to memory of 1276	2160	391da1dc7cd8ccd8438d258fb58eadeb.exe	38
PID 2160 wrote to memory of 1276	2160	391da1dc7cd8ccd8438d258fb58eadeb.exe	38
PID 1276 wrote to memory of 1032	1276	391da1dc7cd8ccd8438d258fb58eadeb.exe	39
PID 1276 wrote to memory of 1032	1276	391da1dc7cd8ccd8438d258fb58eadeb.exe	39
PID 1276 wrote to memory of 1032	1276	391da1dc7cd8ccd8438d258fb58eadeb.exe	39
PID 1276 wrote to memory of 1032	1276	391da1dc7cd8ccd8438d258fb58eadeb.exe	39
PID 1032 wrote to memory of 2840	1032	391da1dc7cd8ccd8438d258fb58eadeb.exe	40
PID 1032 wrote to memory of 2840	1032	391da1dc7cd8ccd8438d258fb58eadeb.exe	40
PID 1032 wrote to memory of 2840	1032	391da1dc7cd8ccd8438d258fb58eadeb.exe	40
PID 1032 wrote to memory of 2840	1032	391da1dc7cd8ccd8438d258fb58eadeb.exe	40
PID 2840 wrote to memory of 588	2840	391da1dc7cd8ccd8438d258fb58eadeb.exe	43
PID 2840 wrote to memory of 588	2840	391da1dc7cd8ccd8438d258fb58eadeb.exe	43
PID 2840 wrote to memory of 588	2840	391da1dc7cd8ccd8438d258fb58eadeb.exe	43
PID 2840 wrote to memory of 588	2840	391da1dc7cd8ccd8438d258fb58eadeb.exe	43
PID 588 wrote to memory of 1416	588	391da1dc7cd8ccd8438d258fb58eadeb.exe	44
PID 588 wrote to memory of 1416	588	391da1dc7cd8ccd8438d258fb58eadeb.exe	44
PID 588 wrote to memory of 1416	588	391da1dc7cd8ccd8438d258fb58eadeb.exe	44
PID 588 wrote to memory of 1416	588	391da1dc7cd8ccd8438d258fb58eadeb.exe	44
PID 1416 wrote to memory of 1172	1416	391da1dc7cd8ccd8438d258fb58eadeb.exe	45
PID 1416 wrote to memory of 1172	1416	391da1dc7cd8ccd8438d258fb58eadeb.exe	45
PID 1416 wrote to memory of 1172	1416	391da1dc7cd8ccd8438d258fb58eadeb.exe	45
PID 1416 wrote to memory of 1172	1416	391da1dc7cd8ccd8438d258fb58eadeb.exe	45
PID 1172 wrote to memory of 2976	1172	391da1dc7cd8ccd8438d258fb58eadeb.exe	46
PID 1172 wrote to memory of 2976	1172	391da1dc7cd8ccd8438d258fb58eadeb.exe	46
PID 1172 wrote to memory of 2976	1172	391da1dc7cd8ccd8438d258fb58eadeb.exe	46
PID 1172 wrote to memory of 2976	1172	391da1dc7cd8ccd8438d258fb58eadeb.exe	46

C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
"C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
  C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
    C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
      C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
      4⤵
      Drops file in Drivers directory
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        5⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        6⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        7⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        8⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        9⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        10⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        11⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        12⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        13⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        14⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        15⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        16⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        17⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        18⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        19⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        20⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        21⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        22⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        23⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        24⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        25⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        26⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        27⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        28⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        29⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        30⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        31⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        32⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        33⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        34⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        35⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        36⤵
        
        PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
450KB

MD5
cfe131ab87ea025f67746f0a63ae3a9d

SHA1
204f07ad0c913e387e65615ceab32dfe40d533e2

SHA256
0a3e55a4c5986039f8e05d074d7a4858b7e4bdc68aec0b29347fdc6f7b457d2b

SHA512
d9d222a434b4ce46e8f725a8466c837825161acb6cc25db8f6ea984c0c38f38cbff9adb48825a391751b858bc0e35fbf627c0a8436578c80bc188c0eadc49a8a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
446KB

MD5
9239eb03a85c95060d738a3ced0ea3cc

SHA1
efa795ed3028fe5d6e95c831261c0af380b31d50

SHA256
67d0c839be2cc9b2935612b2fbcb93cedc1bfceeca7c6083cf5a464ca18f5914

SHA512
604d23e6ff8f6b1a4bd6369a1acf743089c588628c1c53e690b393af71c6ed6b872775bb6fc1f468f6b8a47a2906fbb9c35c0e9f4b7cf2773de4162146d01b18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
471KB

MD5
675901ccb288c119392e1baf45b66362

SHA1
e5afb149520f2e0295cc1f4b2ac6229a72355805

SHA256
e93b018236dd6444f2697a421f58515b2c429d69431849fbf525fa7a5333bfa3

SHA512
b1026574c35f5f23637104f9567cd1d451fe07a89495f3bcb1d44d72b5033253f279be34ec0584370a857ff63a4eb2c2fd8fb435b963e2fdfb3c6ade400b3851

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
446KB

MD5
8f2c33baf2c5cdf9bb858ae2541cadc3

SHA1
0c9dddff24bbf1f44cb21ce8ebb0995e703dcd85

SHA256
ae15701fea7f542c5dad70ce6c6dd2f8b9d3eb7e8b9f0c0eb2f6dd50339ed2a7

SHA512
ecbb9d7d9ca6ea47b2e400b14f3c990b4f456d4b35715c688f8e05a648f4a014aee218113b5e5b08a55f3475ab1dc2243c3b954f78cc5696f9655e99998e16ac

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
468KB

MD5
1fa9de4136b0cda3bc21de685d1a29e2

SHA1
91910d5e304fee491e2d25091aa122b61b6f8ae8

SHA256
378b74e7a3757ed95050c399bdd8c53db6b2fdfb8f058f4aa9c918f59af879a4

SHA512
29331355aa6708ec416e9a16ad0d7a1224f4d9688c77b4105fbe2d294584515fbad5b7b716bbaffda2d9a0ea41ac851c61d45e72935f60faf7f22fdf164ff8f8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
453KB

MD5
006edc86c44dc1d5821d72993c7cccfc

SHA1
3bf68ef6296428a1e8de1ca6ab211f394343f1a2

SHA256
f8aba48215db64a2a718a55d6010d6cf065394ad1dd5a349e84ca36573e630d5

SHA512
0706525eeb4eab5e7db4955a87f9bc9070b3ab36426623d823fa29db7f352eb555c329c75c82d255fe0d36608d313a2ed09d6f9e13ac44dcf288689988d0afab

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
460KB

MD5
78fe22f4140483ac19b193a4488a31ce

SHA1
1044b29f7bfecdbf89f26afd36f711cdc991b99a

SHA256
f968829ed2d1614b89ad710a88ce51fefa88b09e4ff66364af91d4f5df0bf273

SHA512
9b24663dcd85ca930ffc105809b42506c7e29debd4b27c0ff4595e0eeb8af1f8ef653b8ea711a10b0a34d89d15b14c941152ad5be222efd7709980d3a78d3a99

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
462KB

MD5
55e101c56042ce95f1d5c3e2771aea68

SHA1
69fcfb1d191bec6696c0b7bbf6641e8ccbeee4d0

SHA256
f0f2b93fbc0df9a936815ed89200eb66bd9f719d8089d80430586fcaabeb3faf

SHA512
2a74ebd482bbbf58b6cce8023acb0836ab30ebc45266c5971a3709a853527203704e55463ceb7aa61fa732e77e7ec29eb0f3578e9582da3e47d52e7ae3d944e4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
464KB

MD5
a91845abe1fd8868ee7dd76ff81488c3

SHA1
bc3494ce8f42a566d047216b5b16d213f7ea51e2

SHA256
4d768976bff7647a362fcdf4bdf9790c8e00f1cfbb80c7027b45af875ced4ebb

SHA512
60e3c5f982ccb03457856097a6d5c2c879b4b8e5874338ea7522bbfeedae12e03b7f11cf08f344137b6f00954f718b2efc1d1f326430141e1b286933906c098b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
452KB

MD5
52c7ba11fed46184b9ebc5965cbf07f4

SHA1
efd5067708565359dc41b17482f31d3fd6664fe9

SHA256
751aff02edf6889ba481090e52b7f141a5ca2c0c8e6bdecca7a11aa1bc50354b

SHA512
a221a027d98a2cb8fee825005568015aebad1bda0ea69b81a8a6f58d541fc8588c2b5a831411f57bf0be8bbbf8fe6a6b2a930b8ac4940232232548929e6f780c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
454KB

MD5
99c0d682bc0d49542a4f279682f6abea

SHA1
bed1b7ae98170bb802dfd17e850a5ac0fd1236d9

SHA256
b04b784e641d94f0df9ae87dc4ef6de29d1ed12721e7f36806351cb67ecc82b4

SHA512
fe93edab41ccc92246adefbf38195851a00695e42118fbb45564b01ed34a3b4af6007bc866ef197a7ed2b0eadd2967bd7837e195d201b109d750d67605efc706

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
450KB

MD5
83ac7f8cbaa6eec47cc32a422456fcde

SHA1
e85a53bd3e9c4a236273ba823fe0da0cc134e5c5

SHA256
c105b94707bb3157e5fc063924c766bee1ccbf63c81687202d60536a77bf4809

SHA512
e1229f6a94c08e7c5bca8084841b954dd35520cee1c9e5f7c48952e1fa775a7157173dd61160cff0915fe2a0d354288c8c39cba062eb55e328a97c10c0dd3da4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
451KB

MD5
218f9c8fc1d89db4b0ab4e33fd7555c7

SHA1
9f2e3ec03ad14d8ee9fd674020bf85853ae875c1

SHA256
d8b784a409d0cc6c741e9afbd49ee383befe68505eec4e701dfa60e6a8b12b33

SHA512
5c38274ba247fac9273a592ae896480f99e69e990fd9281893ed671e74109f73c9f081561bbd8e0a5a369313de6bf9e093fab4b8b062c69dccd905f32d52697f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
471KB

MD5
d0347f75a8ae5db853bb9bfae136a67c

SHA1
fa5bd28c84da538ddcc33ad5d1409cf8a6a66329

SHA256
1c897342727c2e57912508fb58a246ccd1c90246ebb4391930b5f0a62ac6f7e9

SHA512
61c5aa3945d963a4b33652b5b946cfba412c3f7b7bc69e1457a79cade6eec8e30adc44366488c635b0ca1ff7789d9c1913341ca64587872530a37e283d0f1803

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
452KB

MD5
12f186af6a2fb0ce62cf91968fa5a740

SHA1
65b1e44fd10d019cada86fd10dba1853070c8d1f

SHA256
2a868dc72815fc18822651d5e065842bffe7a7a0520f9d723d4a43daf25bd441

SHA512
ec91d4c64324e5200bda0e031ef1f30b4c14bc383d0bb4f10df66fa2fb86d32c8eea10af6bc7f4652cdd1c2127701b3a7ac5ecd9b70676724cb8ef21158bf115

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
986e942b575466ef3f6f1bba5aa0a57f

SHA1
2bad541861ec7317a341bd32fc4b1083aae416b0

SHA256
3526fdf2708c33307701f1b639bdbe1456bfc3bdb0ca1a16e61317108b486d7c

SHA512
63ad040890fb5c91cf3518adbd6d083c12f1f316c7ebea222d610a28fe98d4da445e6e38ee872c82a71f4065510c2ed80e96069d8ff28721fcb0f4afa1c7df47

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
e82a24934e5ef937d6e6a203d0c3537e

SHA1
aed5b2dd391c66fc35c5b464c7767d1f468ebb7c

SHA256
3978aa08bdfa7bf0465bd0f44359fab88dbe44e2a596269c03b25e7064091083

SHA512
43c6d5a012a837b93930aed7afc6a66f6694d1ce1785b86d9d81fdd4f8f0d5d0886fca552e3195a0d261ae60b8a3d0a935cbd736528b4993effc77feec1f4b8a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
459KB

MD5
b98d7f995439b9436dd1c14a85778c9c

SHA1
87a4b44e8f2755ced8fe45e7407a3d8317e58816

SHA256
c13b3ffccca5f64d0c0e79ba7cdc442d111176f5c9290912f0ba097e96a21b0e

SHA512
a9e50d429546dbf13d07153ef39a306e137d65ebd11e31eca3bb687c635ce9e3ab51403c221f46f745bfbc3ae34d81209e63b32066ce8638e8539b51ee5262f5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
471KB

MD5
44143bdf9790478332a424b3db04addd

SHA1
4e33dc979b17f6052949b86dca9e4caebe3d49be

SHA256
5a86708e888721f127902920b9e354c20d131c5d3a1838086a0448fe39d9c0cb

SHA512
d833dbf136a640c5acf42ff67a8970ed5e33bcbb6e218f8d005d4b778b3980d152fae978f9595f7521622dd42c1fbb05abffb23fb9e3c7e6dbb357853719b464

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
450KB

MD5
6c52a3a26b528c6f41959b2772bfaa8a

SHA1
6ec5ec9fbb11caa05e1c18dc45204890ec11d4c0

SHA256
3cf14854f43ef44726f768b961241aa6bf8fc9e4cafc1654eeba46ebedc9d515

SHA512
d291e9d5496d7e812c835131d1ebf1a9346e044e0dd49e20628ba4698d2692de0e92fa7ecafffcedb9596c497229b6c7d6fe025a4a7fb2c64df0069af121f0cb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
470KB

MD5
2208867025bd8822ebd1d1473bbdd0b3

SHA1
c29be9d6ae33c89bad0563ca790add49f19ddace

SHA256
ca3e1ef1b8d1ed427529b3e89e1c1b4eb5216ac77349ecb4246b1d0d71e69d74

SHA512
e0d4484b92012c660c1376b22a00600f9a5c5bbaa3ea4930216171ceea33f9a5a01598eda3ff4023c5b0c750dce475070bcfc239945dbe826d0a7419efd573d6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
457KB

MD5
390e832992899089a49d27a300de010e

SHA1
2f8253d6eaea4408f4ba46a8bf13facafa1c224a

SHA256
3155ce7ba23cf0153221b53fa631dead2a0f6cf3897cb2981ac31669a3ad8a73

SHA512
3458014d61915eb51a7fe47a21ffedcc18a4a2b3a2de1b09c5fd3cdd2969f86b841b9f4e1f0e145ac704c3646a6bc63b5b92d4d998822d1647082ad53e750420

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
468KB

MD5
fe57f1cc3b5d0032964d91ddd60dd4c7

SHA1
f00203590cc4f7ffe2604694dfc0030d3c59f98b

SHA256
4e33b79b366f01211a3be6a164cdf3f089dc3990029ee01032745a09664f92d1

SHA512
f5808eb92fe464a00f97a5549d9dc70361a49bb7a21c029356eccae086d9d61182a05aa9df302203130414711ba378f4f8e9ec9c35b4f812e3957184233143ad

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
445KB

MD5
fea6a91d7aec31b9d2a157b5f86b7243

SHA1
312967d2e48a8db1ad8608c5f84505113fe2990b

SHA256
530cacf02a8936dedc34f58b9e6b29a3e8cb37ff2b7b725124cd2ac11b8b9bef

SHA512
de6ea250057896e3a3642892996716a62ea5cd4ea346dda6a2457b3594f9369e9d069c202c87d66b1d388c4890fbffbf15288ea2cd7323266776e5eff9a44f6f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
462KB

MD5
00c69af346fef3953ff8db62eebdfba6

SHA1
6a1d7bcbd1f3c23eaa317f9a4a846333cf8e36ea

SHA256
2cccbd9a4844843429301864414db1aba7f16e31b9bb834ccaa2aa09f7f205da

SHA512
15cb63661c264c764b30011f89ea37bdeb275ffb8593a2d39c8c0237ea18714b31f439c9561798493e1972a34947af2a8caf4919ac539ef6edce26130325ea77

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
455KB

MD5
25546459bce7618757cd2b4ec3f04d87

SHA1
960875ccaacdc97fcf96980ae02a2c3656d15311

SHA256
77d4dceb6383c8dcfb7d72faf8f4da3b2eb8c7c4450163d430cc3f260b7797fa

SHA512
2ed453f2265e43b5d95384e89824de011ce9adfbd8895b8b93cb9fd5559f81379974e2b2d1508658037083c93f5b67bf8483da2c0e1731c0dbadd76c7bd03fa3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
450KB

MD5
68a02b725d106b7b94e1979094793efe

SHA1
17c946e188972a006a076e47de11075c0c56c39a

SHA256
97277cf3b7e5ddd3285272f413982198762c60920ff4ab8ac266db525978f427

SHA512
1c7208b3cdb964cd5ce248fac1fb2c2796ab817f07bcb7e6c5939da1284c1644add5cf00bce72df2935cfa399baf575d0ed7ef93f0dbc9694927ddb2d2cdb6e7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
459KB

MD5
54a4e4170d06e573bd57d3fa1115c76c

SHA1
904ec62b9b9639e3fda1379c9cf3200a556aa023

SHA256
1ef6e1934dd6cf18b55413e7d1870416159d9e1d686e1a7e51b1051a11c85595

SHA512
2b1cd707520c5a92649992b641fc97af57317a99c985c9ab7a1fa46511da81271632e3b762a19ace029b8847ff9157013f8984aa423245bb8730935ff56e7a98

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
444KB

MD5
72896b95bdd77f6334c3aac74668a991

SHA1
31e6f91faef0da921ccc3b0a3c76a04384f1782e

SHA256
a3c999b43bcca217841bfa18683e16753b2633c644d4a613fa6473b688e4a8c9

SHA512
82df9cb64f4fa38f15651a9139f96df7503e3f2c1b37532a0fd07cc5c45fe9fe32238121b1cb298791af87c2d6c59a5c3c839a8e19fa21437fb9ce0930df3f63

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
717bffd0a76371ff5acd390503cef303

SHA1
3319b2395e1831db386a6b0d9fb1026c977c1bec

SHA256
0663eab9f4f329d7bd3018341ebc389cc791b9f8550805e1709a848467065799

SHA512
f99070bc282deacf46cb7ebdae008a58867a7b08eb659fa6a7d513426619e3728ddefd3ea5795e7a19e40e9d495bb6b281856cc2ae7426e937c0074e90966012

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
456KB

MD5
a9d520edbe9aba4850c1cd1c551d9f47

SHA1
cd353493304056dae53a0f2210c8360a258dfd1a

SHA256
da6cd8f61f34d4d60b94353ee37c9d3cbf1313226625d0baca7e14a78b7be455

SHA512
9a724ed1f6ee0daf3daa541de7bb937070684d2fd3da69d08e3110db5a00330c40b9905f9967e42078f0ec41067a92fe5f8e180d33698b791ddf0298bd26900d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
440KB

MD5
45526f4e4198282f24389759765ad77e

SHA1
afc8fc1e2fb0a750c255d2cba7a3b53c5d60c4fc

SHA256
f29a4b4a7943067a9b60a962be622dab673871b7cb01f4cb57746d2944b56da0

SHA512
a05dd0d18da910acfa641460a5b3a4926e022b2d76e1c050863f5fd48e9f91f54ab83f2daa4328d2d30dc8a3c46c974cd7d61636a8178693705256aeef841020

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
460KB

MD5
95ab6ab6564b4f002acf920416d5b132

SHA1
ea66ef37b1fcfd68ee7ce61014207d283c472e12

SHA256
1ea45ae214c18f3138c02e0f80fe42a676802cebd6902489f4dbc066e9b5b97d

SHA512
d767b5293d53465bfb367e78ed8a132dee42a21f1e85ec02cf0b6837ec7ed339a3f2490fb40334b2ef2acdff9ab70924b70e1c912be10e4b6eb41638c8773a16

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
445KB

MD5
bdb339765cb7fc6788e0652d93c2dfe7

SHA1
e8e7e546d7e7bcde5ac78a60d4b05b5c39c0e566

SHA256
f0de533c1badec903a61ba66d0904f8b31354c97b2d83308942e57becb133d31

SHA512
c0c5dfe2ec17852089d84f16e22a7bfcd3947bab67874ce8af12c310f0e61406db4ac9289ea2be0494647a23629c2c09efd4f7fa8376c0b9f13c7820068bdd28

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
464KB

MD5
0870ce946eea0a1578fb7ff2b7b7d5cc

SHA1
cfb75e9f4ada48690aae8edd43a8d0e6051b29f1

SHA256
ae90fc3b454fa8077e094a7818eef6fd7b8c09525aac53e319cd499e013e29c8

SHA512
e60f51991b81bdd27b239d8a688efd5c402522fccb62a3a661f150be9deb136114743bd0379457b67c07bbd2a49d926e8f7814a96511e24f77f4d6c547c5c7a6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
449KB

MD5
ad2c2c16489dd292335e25ea60a1ae3e

SHA1
ea778c198c333236e499c7044819e03467c02334

SHA256
cc5e383dafd4845d191acffa961b2beb0515ab1d8ef14f46cbca65762d73c984

SHA512
76782163f35a6a57b827a438f367149dfbd52e38c3ce3c5fa63045492a32be6d672bc5a9b0fa11b969911915bdde4fb1ee3a867e886a178b8e0fa825e44f810c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
457KB

MD5
28365a78713b897fe4fe87af1ba7eb50

SHA1
9dd753fa5412576de8683d14f6a7c1ce94ad5027

SHA256
aeb06ced7884122ad8cea4ba164ba5b87d2c8a2be77e881822a48b81905cdc98

SHA512
289c19fc48c6ecb68fa366bbe01ebb10452b8d28d4da572fff5be8b3292ede6ba6243ffa3284681b4ee4756556e28ec1c0f784f89dfdf54ff8dd34e8e6dfaa44

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
453KB

MD5
9d3b6c9f70786e04674cd86bd8863768

SHA1
b1aa39b453f021dedfad0fd1f08bced5f7c35c33

SHA256
a879302edb88ed41beacfa0230b207b2cc91cf7585d28c1dfe0d5db50beb8633

SHA512
35e2daf41f1417936be224a53637b5766d8f118461d68cab8b31182bf383ea51702eda0b6f080819ba88ad98a4cbe9695182a224b7060ee650758532b74bebb0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
462KB

MD5
c9aca3cdce43ca0e3c34b4291f3ec5a6

SHA1
27e55a543a91ace23d59aa2356f189550ee896e4

SHA256
84492da7b88ac7fe7a663fe0b6308554b171231c6cb642ecd284b36ee6f92133

SHA512
3c86fb6e7f78ffa50f83ecba4a39fc4caacd913e44ab12c01dc3149aaf2b389512b3b1a2f0ea4400f6c15de2b54a13e7d7706df883deee9dd2b1ebfdc24068bd

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/344-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/344-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/488-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/488-290-0x0000000001F50000-0x0000000001F84000-memory.dmp

Filesize
208KB

Download
memory/488-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/588-105-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/588-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/588-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-153-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/920-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-83-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1276-126-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1276-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-145-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1304-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-115-0x0000000001FB0000-0x0000000001FE4000-memory.dmp

Filesize
208KB

Download
memory/1416-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-251-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1912-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-162-0x0000000001F50000-0x0000000001F84000-memory.dmp

Filesize
208KB

Download
memory/1968-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-261-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2092-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-65-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2156-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-1-0x0000000000510000-0x0000000000544000-memory.dmp

Filesize
208KB

Download
memory/2156-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-215-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2420-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-227-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2440-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-27-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2500-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-53-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2580-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-245-0x0000000001D40000-0x0000000001D74000-memory.dmp

Filesize
208KB

Download
memory/2612-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-282-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download
memory/2840-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-136-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2976-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-174-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3028-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download