ramnit | be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6

Analysis

max time kernel
125s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ЗАебала.exe
Size

144KB
MD5

302a161addf4cad7c6f078b7c5ad916a
SHA1

01450a35f72a6db951fb07fce749508f8aafe153
SHA256

be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6
SHA512

0c60134a2189554e6d47ef0e4845fe2d661b1d7a021bd530b8a323a2496fa7958dad31feb0022348b9c655a4aac4a9a67b13a1adafcac454a4346fa50796d8bd
SSDEEP

1536:HVK6scO5JV+3tOBPvfbVEaf0Qcf9sm65rvO8S6ROzFkcil31gYDbd:1KRRV+3tOB3fbKXK9vO56kUG6

Score

10^/10

ramnit xworm banker execution persistence rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

xworm

127.0.0.1:53750

involved-delete.gl.at.ply.gg:53750

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2576-1-0x0000000000A00000-0x0000000000A2A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/1072-72-0x0000000000D50000-0x0000000000D7A000-memory.dmp	family_xworm
behavioral1/memory/2732-539-0x0000000000360000-0x000000000038A000-memory.dmp	family_xworm

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2720 powershell.exe
2648 powershell.exe
2492 powershell.exe
2988 powershell.exe

Drops startup file 2 IoCs

Processes:

ЗАебала.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	ЗАебала.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	ЗАебала.exe

Executes dropped EXE 8 IoCs

Processes:

waijyx.EXEwecmhc.exewecmhcSrv.exeDesktopLayer.exesvchost.exegzklzr.exesvchost.exebmrfkt.exe

pid process

1584 waijyx.EXE
1312 wecmhc.exe
1272 wecmhcSrv.exe
1144 DesktopLayer.exe
1072 svchost.exe
3028 gzklzr.exe
2732 svchost.exe
1004 bmrfkt.exe
Loads dropped DLL 2 IoCs

Processes:

wecmhc.exewecmhcSrv.exe

pid process

1312 wecmhc.exe
1272 wecmhcSrv.exe

pid	process
1584	waijyx.EXE
1312	wecmhc.exe
1272	wecmhcSrv.exe
1144	DesktopLayer.exe
1072	svchost.exe
3028	gzklzr.exe
2732	svchost.exe
1004	bmrfkt.exe

pid	process
1312	wecmhc.exe
1272	wecmhcSrv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe	upx
behavioral1/memory/1272-59-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1144-68-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ЗАебала.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	ЗАебала.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

wecmhcSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEFDB.tmp	wecmhcSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wecmhcSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wecmhcSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2844 schtasks.exe

pid	process
2844	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{265B54E1-1BAB-11EF-B3A2-4205ACB4EED4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000030000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2688 vlc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeЗАебала.exeDesktopLayer.exe

pid	process
2720	powershell.exe
2648	powershell.exe
2492	powershell.exe
2988	powershell.exe
2576	ЗАебала.exe
1144	DesktopLayer.exe
1144	DesktopLayer.exe
1144	DesktopLayer.exe
1144	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

wecmhc.exevlc.exe

pid process

1312 wecmhc.exe
2688 vlc.exe

pid	process
1312	wecmhc.exe
2688	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ЗАебала.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2576	ЗАебала.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2576	ЗАебала.exe
Token: SeDebugPrivilege	1072	svchost.exe
Token: SeDebugPrivilege	2732	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exevlc.exe

pid	process
2816	iexplore.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

vlc.exe

pid	process
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe
2688	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ЗАебала.exeiexplore.exeIEXPLORE.EXEvlc.exebmrfkt.exe

pid	process
2576	ЗАебала.exe
2816	iexplore.exe
2816	iexplore.exe
696	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
2688	vlc.exe
1004	bmrfkt.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

ЗАебала.exewecmhc.exewecmhcSrv.exeDesktopLayer.exeiexplore.exetaskeng.exepcwrun.exe

description	pid	process	target process
PID 2576 wrote to memory of 2720	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2720	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2720	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2648	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2648	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2648	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2492	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2492	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2492	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2988	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2988	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2988	2576	ЗАебала.exe	powershell.exe
PID 2576 wrote to memory of 2844	2576	ЗАебала.exe	schtasks.exe
PID 2576 wrote to memory of 2844	2576	ЗАебала.exe	schtasks.exe
PID 2576 wrote to memory of 2844	2576	ЗАебала.exe	schtasks.exe
PID 2576 wrote to memory of 1584	2576	ЗАебала.exe	waijyx.EXE
PID 2576 wrote to memory of 1584	2576	ЗАебала.exe	waijyx.EXE
PID 2576 wrote to memory of 1584	2576	ЗАебала.exe	waijyx.EXE
PID 2576 wrote to memory of 1584	2576	ЗАебала.exe	waijyx.EXE
PID 2576 wrote to memory of 1312	2576	ЗАебала.exe	wecmhc.exe
PID 2576 wrote to memory of 1312	2576	ЗАебала.exe	wecmhc.exe
PID 2576 wrote to memory of 1312	2576	ЗАебала.exe	wecmhc.exe
PID 2576 wrote to memory of 1312	2576	ЗАебала.exe	wecmhc.exe
PID 1312 wrote to memory of 1272	1312	wecmhc.exe	wecmhcSrv.exe
PID 1312 wrote to memory of 1272	1312	wecmhc.exe	wecmhcSrv.exe
PID 1312 wrote to memory of 1272	1312	wecmhc.exe	wecmhcSrv.exe
PID 1312 wrote to memory of 1272	1312	wecmhc.exe	wecmhcSrv.exe
PID 1272 wrote to memory of 1144	1272	wecmhcSrv.exe	DesktopLayer.exe
PID 1272 wrote to memory of 1144	1272	wecmhcSrv.exe	DesktopLayer.exe
PID 1272 wrote to memory of 1144	1272	wecmhcSrv.exe	DesktopLayer.exe
PID 1272 wrote to memory of 1144	1272	wecmhcSrv.exe	DesktopLayer.exe
PID 1144 wrote to memory of 2816	1144	DesktopLayer.exe	iexplore.exe
PID 1144 wrote to memory of 2816	1144	DesktopLayer.exe	iexplore.exe
PID 1144 wrote to memory of 2816	1144	DesktopLayer.exe	iexplore.exe
PID 1144 wrote to memory of 2816	1144	DesktopLayer.exe	iexplore.exe
PID 2816 wrote to memory of 696	2816	iexplore.exe	IEXPLORE.EXE
PID 2816 wrote to memory of 696	2816	iexplore.exe	IEXPLORE.EXE
PID 2816 wrote to memory of 696	2816	iexplore.exe	IEXPLORE.EXE
PID 2816 wrote to memory of 696	2816	iexplore.exe	IEXPLORE.EXE
PID 1128 wrote to memory of 1072	1128	taskeng.exe	svchost.exe
PID 1128 wrote to memory of 1072	1128	taskeng.exe	svchost.exe
PID 1128 wrote to memory of 1072	1128	taskeng.exe	svchost.exe
PID 2576 wrote to memory of 3028	2576	ЗАебала.exe	gzklzr.exe
PID 2576 wrote to memory of 3028	2576	ЗАебала.exe	gzklzr.exe
PID 2576 wrote to memory of 3028	2576	ЗАебала.exe	gzklzr.exe
PID 2576 wrote to memory of 3028	2576	ЗАебала.exe	gzklzr.exe
PID 1128 wrote to memory of 2732	1128	taskeng.exe	svchost.exe
PID 1128 wrote to memory of 2732	1128	taskeng.exe	svchost.exe
PID 1128 wrote to memory of 2732	1128	taskeng.exe	svchost.exe
PID 2576 wrote to memory of 1004	2576	ЗАебала.exe	bmrfkt.exe
PID 2576 wrote to memory of 1004	2576	ЗАебала.exe	bmrfkt.exe
PID 2576 wrote to memory of 1004	2576	ЗАебала.exe	bmrfkt.exe
PID 2576 wrote to memory of 1004	2576	ЗАебала.exe	bmrfkt.exe
PID 2144 wrote to memory of 2896	2144	pcwrun.exe	msdt.exe
PID 2144 wrote to memory of 2896	2144	pcwrun.exe	msdt.exe
PID 2144 wrote to memory of 2896	2144	pcwrun.exe	msdt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe
"C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ЗАебала.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Creates scheduled task(s)
PID:2844

C:\Users\Admin\AppData\Local\Temp\waijyx.EXE
"C:\Users\Admin\AppData\Local\Temp\waijyx.EXE"
2⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\wecmhc.exe
"C:\Users\Admin\AppData\Local\Temp\wecmhc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe
C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:696

C:\Users\Admin\AppData\Local\Temp\gzklzr.exe
"C:\Users\Admin\AppData\Local\Temp\gzklzr.exe"
2⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe
"C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Users\Admin\AppData\Local\Temp\thpfoa.exe
"C:\Users\Admin\AppData\Local\Temp\thpfoa.exe"
2⤵
PID:2220

C:\Windows\system32\taskeng.exe
taskeng.exe {FA2EF7E5-9269-4717-A341-0E67BD588E91} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1760

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Desktop\GetAdd.rm"
1⤵
PID:2884

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Desktop\GetLimit.scf"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW3F7.xml /skip TRUE
2⤵
PID:2896

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\how1fh96.cmdline"
2⤵
PID:2532

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES742.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC741.tmp"
3⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tt7owjfx.cmdline"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES790.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC780.tmp"
3⤵
PID:2220

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54s7wm_q.cmdline"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp"
3⤵
PID:888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RepairNew.html
1⤵
PID:2928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
2⤵
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fdb4bfd11aa6b5c57bf8cc92ceb35e15

SHA1
d2acabaceb797eeb3ff144440300aea31073deb9

SHA256
8d832a9f0492967d6e630f6fa94edf683ab994ecce02b4dcaf7e014e1701e4f5

SHA512
5fe9fbc79278fbac996f6e4ebc5c5b2376f15158a2fee04b4185be099f1c98262a71248438ce0ffb729a62e2a82a7caea9e5bdf020c5eba1be67dc160f4dbfda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0d25fb6bc4fa2d000b5b3c18a0e7e5ee

SHA1
2a5a2d9d8f9910461d093abe7fbecd6741a34b3b

SHA256
60bc44af09ffa101d511ca5f053d49ad7c9298e7201f8696cbb412e3a0ff8ba6

SHA512
12490365dc7559eedfd9128fba3194a3690375b736c3ef62e0fb36a2f00b529c018ce14008436ed6a5957f8e9963fab977938d2be2dc23a36ffeb14db594a794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
105b09476ab86df3d0a76b38595a2e47

SHA1
910645fbb8bd61957435521d12314a0b09c2df38

SHA256
c5d579cfe1c82bc2af79a7fabe5cd9d749c3baf3e5288b72356af35a6462f141

SHA512
d5c3d877a4eef401f92e9d4d076dcd446a2baf4c7062db293dec834f4c6e5b4db8ccc225af6ac9658aa7883df2f78770616de13d552c0a8de71a470e76d381cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5b0e9a11600e86830bb148adfc9c6fe9

SHA1
bfbe98f8eaf91dcd49e9341d91b94e98998d42ba

SHA256
dd024d95533d00e7ed804e9fe60e3aae92ccedaf23a03290034a1ccf003db5e6

SHA512
0fda71b757669a15a4e9da2907afac2f23ff5b9fdbf5572f52e7a52bbe83300e073416569d106a1d2fe901ec8f6888ce96dfd49567518c37aa8e1e81aca0fcda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8f4d2320f3e4cdd26c27387a9febd1fd

SHA1
a02125b2ba3dd005aba7ca1222b5de29a0777a86

SHA256
6952a12310ae47c4ebfbc3f1902eeb07f341a31040cf7726f7f5c3669b176f35

SHA512
048a18c2eccc07c401bc01069c2a9f421bbf2d63b3384a852949c3f87cf2514b188e4126e77bd422af6cc8c14d40c2fd8b680216df1ce8845445b2114916a18b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c65158032e71097b72c612be9d97ae3c

SHA1
bdf404fa7e2ee31b397e08f171ccfc788e45aee3

SHA256
f70a9bf1647acc24110e3c6e8cf0dd0414d3cf72657f35f98e0c218bb08f69ee

SHA512
632e629ddacf2ba6cd0a93a99fd40a461e40533fb499232f13c66d060a94861a59ce73be655ab7165f7ecb57ae5387fc3d7ef229ffb3457e6be2d084d29bb472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ea84c9b3e5214276a80548d68eb4339d

SHA1
47b8f2718f89b15741a1e6fd9e9465ba5e1caba5

SHA256
8fc64071e73c8b7f858968b31ba54925edac9ebe138e835f9f081ab53ad4fa9f

SHA512
66ab70a79391d8993b8d0eb09836d2ec755ee112af37e2c2da07a4b66a2830a871d086f71fd7d1b0a98eab9944f1f43af14bf0457bb0a5b36b399e6addf6d9ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
be70bd4205e3f906931f841a509f3d06

SHA1
0ba100b11b50db4aa118289090e9c764c94858de

SHA256
139825ba23f8de61a37505ae4f43c85da84a72ef842ed923669ba8958293294e

SHA512
dfb9a3263263930a74f728448ae758e6d7bde75ee7ed5fb2c661572b93e791ddb2903f9aac7c6d4ef026f544ad2fea568aa1d0d09ca2d05e6cb5eb92c1ad43a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
73b145553c80d94b415d7d8664381c57

SHA1
b598875276cf4e12cf82a7ab4dcfcad238b3b514

SHA256
4d07b9b394615a5a6f1b5c874882482291bead3aff6b82056440ca260b0c1b0e

SHA512
bc7f0b818e35ffa36691ed829a2acf3729c355710d31e4a4c10090179557bdb86d2eeeb3d6820b4f20701ed7fe73857686c20194d7c97e7344113dd77bcbc316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
06b666534662d91e0e18ece334392144

SHA1
692bdc63d8153f2b6f15cd88be77eb0a245d1f8c

SHA256
9e764e1585c10a4bfd76b787327c3a0d1f6077bd47b98b0f14ca31ddd22e648a

SHA512
c7ec253731aa0bf2439afd0f8af04f7d0cb6c76930788ce30ffeb54cdeaae906820382175aa28e768471d1fbc5cff6d296274dba7309c30afc8f61ce625aa027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b5ef2182b6e04718ebea76fe145cbae8

SHA1
5d6acccdb2fee757679e1b1f1db2a5eca6b07bbe

SHA256
23a68971be09ea08485de13bb88e92588ff2923c4a1fedc800a29ae87effbab0

SHA512
cb82e0f0746ef8a8ea64f2cee0a9d74ff7275a69cb91566c582c5e7ce673cc06d066e3d48594cb2a16dbe76bde15bb5a69fec14796c486907194e3ef3d0ff619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7979e8cbdba0a48853efcfe4ff94c191

SHA1
2da1fbaa425642fe9a3321a80529e8e5e8d9fe33

SHA256
cb30479034a5fc20883bed533cbf0286dc8413326002d23109577f7728c5aac1

SHA512
af52d17c4cfce3551a19e44e226fd4965b36484c77e657a29b994c260b089450a573af5917b60d93443543c1f953f523c54d334bee470f3d39ea51eba6801151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
64ee5dcb8d9ade0c36bb78074853efe4

SHA1
c66b439c6ddf88518e02e480f7d247c7d3a2407a

SHA256
c3a89ea60f8eafcb67e10f9cd9f7cbb13685efaa15d7d6420521158cac8b1eb2

SHA512
e025b164312a17e8037c8f9e2ccc6ce82cb80eb90086c53f93a43d79863c7571852e283201d230000584d6cdb00d9a5750bb311a2bc352911801608e77a83670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3028a2a607e4329d888760e254ff12dd

SHA1
9e8b5c5e2e11bfe18e32154b054c045a0a666a5b

SHA256
f51db88cc8fcdf2b2123679b4928683401da799968904e8ba0317456e6895f7c

SHA512
1e2ed9ac6458ed8797e04c75b464995bf4e8cc8c4208674e09befc4e3a52d5653eac98b2736d67e39f62bbecde1ea803f8f0ecbfb46ae1f6a5ad9efd07be2294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec1a34dddb9dd9c6585e2bd351c13c83

SHA1
aea8efd40a6929dcacfea2be1b1409f1d9974a0a

SHA256
18bad3e0aa98eb13a0bbb8dc9e2a5cf2747b413561f00383df475c216b452f0e

SHA512
6b0b441a53f922539671b96a283b176428934dd10898b5b8340fa4f8ee0133f4e61737833ba0bef0ad1135347095b7b1ede72af80e3f4cf9852ee0df69164b85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bd26489bcaf2e22988027140f18e63b0

SHA1
33b029526bee4d433c13953cfc03eed3a735299b

SHA256
2a8901813b5d760a7cb0aa7f3354588eded59fa7d71914426e475cbf84afa398

SHA512
2f0dc1dedb98c936a743dc77fc6edb71302ca80d7536549197b69ecce4bd2079130fb8de7195a1ff5c15fb7dc0a6fe087458df85e1785ed3ec373e1a7a52bb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
24ac2afc0ba9c37f7a04c96e05bb7159

SHA1
13f383a8f97f0fd4a9be649c3d3305cf6fdae546

SHA256
94fb2a42df1f72b64ed3c5cef36e5c651fae1b5d6f989702c2175dac716d02a6

SHA512
7f00014159e5c432fdb744a1bbf9cd6ee20acba545ccde8c09526eaf9375fab8d7264e9a6dc956307435d88d21f5af3da8a5fc75547598430ee426c77d0ff410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5aaadd86a0b7c51ad2a40a8b82ba061b

SHA1
a6a9875a4c1f118b17a12fad1cc290d430e90f1c

SHA256
f416fe4aa3bb8eaa10659ec94f0b74f9787d55384460756f5673d1acb4dda1eb

SHA512
2ca6d79dccc8c8c06d82b08a9c2b7ace95a0e54fd671c72a46122b24799313c6ad233f0f266389fed6575746adb41fd3048360102577ce779a2c98c49a90eaaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b4e593a07e37bb42d4cca08800f384f9

SHA1
36880dcbf1a7a491688c2d0d1979dc75123b2f91

SHA256
640c2c2df4d4b555214792919082bc20ce375e7a4303d1e7d984fbf8883cd958

SHA512
153a8aa2f718250a8dd2e323836870ddd32ff188b29b9992bffc2b1d94a8e6bbcba94be2ab5febbc8b7d1bc2b0c503a0a6ba40c1f082a696902d5f1f1f67bc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\54s7wm_q.dll
Filesize
6KB

MD5
d196c51bc80b2b6a1b001af9fade340e

SHA1
4123ad5b99248afde39365f73b53203226b5b513

SHA256
262203ba6008cb8ddb879760e9d0f74f950f0b8f3deecffad5e1c7bde1c7973f

SHA512
7f76b4ae8c1feaaf1c59121d259ea870b14c38f4f9ea16bb190a5c88dd53c6bff4b54d683593c97ff3993989fead289c56f5db1df384a433ac2745cbf420d19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\54s7wm_q.pdb
Filesize
15KB

MD5
e608b117ca442382dda1c379546f19f6

SHA1
85ae3a36e7074db0e9175227722d5fad08239446

SHA256
53fddb85408dbc7f931eafead07823fec604e9611b27af0ab0e97a8ad0518cb6

SHA512
62b4128a21eb7d9e55c50722e87d2e7733f423e56a72c0427185028e23c1ec8840cc8105d8b727b538b87bed23e1acadf2a76461929b731100c4835a751e803e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab649.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW3F7.xml
Filesize
728B

MD5
6168825440dcc34b6c6e904579b13bc1

SHA1
c69fb94feba5e6c0d9cb2b7421c1f1caa5a46112

SHA256
0ffbd8da85b2d7fdee6f1a9487582ca1b5e66c37b702ac070f49443e0a83c888

SHA512
a8e7bef4452ababb4bdda886c01fcbeda67ab4ae2a451d9bc19c7510305e424d734f45ffb3385bb2ac5abb8a5ffa645f4327b05a45e987b0b81c6745ac172a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES742.tmp
Filesize
1KB

MD5
fdb27e1e32093f063454b5eac4b50148

SHA1
9c1a03f30ac2cadb9e88ebd25e468b497a5f4112

SHA256
24a80eb47cc6027e685a37123c26924776c2788c6205496e3c2e6b00e885084d

SHA512
e8090cee776873096256397f7f5ed517d5e072d8f98708ff799496cd2a12701cb9cbe772d049a34e4992e5c0a6aae60accb18a1222d380ee8d8e8ca3154fc4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES790.tmp
Filesize
1KB

MD5
1913b231befaea2db8094a4d70bd89c5

SHA1
60ef639f20ef29c76e1bf68430305db3e381bd19

SHA256
ec2e3c808a2048e56b6285da45d1a1d8a4312167cd01a8d458e06432b7efa496

SHA512
16f58c74dc7cc8a7e6dc2bf7920b512ebffe064ac992f3ab32cb397d1de7f52903c6bcb69faa1589002589b02d0a92fec87541a81f02d0f3a8216622df2dd47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82C.tmp
Filesize
1KB

MD5
396c68d152adf245a367ec03c295b979

SHA1
132fcca384815bd6421b71524f174716ee56e837

SHA256
0794b80e2ee1e89bf43fe70f017c2fcf68c0ca5ef97af9042baa77eb016d852c

SHA512
0356e48d4f39a4b4669189ef4098903909b229c477a9cc2c665da1906071a1209e1c247b1afd17bf7d5fca672b0acfa5a750e227e5ee38b1cb151f58a6b9fcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6BB.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe
Filesize
32KB

MD5
464d1821f7a15ad61364180aa38bf33b

SHA1
941ef8750a84b4cdfe1b5f9aefb862aa95276515

SHA256
cfb20098a65630d4488e23032169ea4564f92deeac6638a7607c19333e44dd65

SHA512
96cc0daa0dab9aed1c6f51c9033ae21e8c26f83002a8d77428e13b6cdee05968447c2fb2b76bcbaa984c8f87be03561c08d915fd7335ddcfeedb769e8a20acc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzklzr.exe
Filesize
360KB

MD5
2f0c1f93f38047e74921bfd00599c37a

SHA1
a052301f981f4ab4c8667b543e16bd407e23348b

SHA256
70d56bc08d401f0903a9421fa2434a82df7e72d30774fa21a51b822148c51cce

SHA512
fc962d66fd5d0ae865ad53bd5d914789e83304b1fb2cef3bbe32630ad0680a34faf580a8e10e646329a169e31cf98e1d42e02ab5a88cc333fa57f65779e1fc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\how1fh96.dll
Filesize
4KB

MD5
5e27546c9aaeae42fbad909ccbcbf45a

SHA1
a98c5188fd9774b3aee2991bae460bf63cf9cca2

SHA256
57dcbe01ac150028243a64a7c36ec492ae3f39d3652bf6a74333dad85a455ec5

SHA512
61abd7306537e853479094db04f6821553314ec7714851d73d3e984ed9ad4f6106b7026ef1607a919a2a452b78a5fb44bc88fa32760e250810b4f4dcad84656f

Download Submit
C:\Users\Admin\AppData\Local\Temp\how1fh96.pdb
Filesize
11KB

MD5
d3fa2486f2e74d214883dff0a0be3c53

SHA1
0630776393ac9874581fb54355b965de6a3a0676

SHA256
a70e728e65060febfaf21c8c974228adc98e8ff24b7c1239f79614b2a5cf8787

SHA512
7ddf200b3adc31b844a1134619d0ef7938014ff7caf3e3d853878fe5c5137e15b80326d922e86e4a0da7f6173c835fc18567c3de6c6c61ff0b2cb4fe942fde8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\thpfoa.exe
Filesize
398KB

MD5
cdc5de14efb4fb2c0bae2db79b88c054

SHA1
e5d7c97d11a2d5803c670bb06596eaa93551bd99

SHA256
9ef6728c8a51744786ab767b921f50484820c4a4a92792e57884024b1a04a4e8

SHA512
e528d0d8eae7b22daea61a1074992101b2cac172d036904fb6766c8d48d53983d59aae4dc364f40b6fbddff727209e336c8547313502f0ed180c7943b171c94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tt7owjfx.dll
Filesize
4KB

MD5
73c211f4c6a420979322bab3a914444c

SHA1
8ebfa6b260e855f6b985aeffb7cb85c39db0ad4f

SHA256
59d8f22556d99d235a063e3fd95360a7ad17cd137643c0d98864caecab1ba0e4

SHA512
666977720f267b86112f33855ea331a9cb4487ed46f5ed36d062412148745ad2c0d95f0d13abbf4626e4a72555d9a79141d4926602443b990063d8bf77c4f73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tt7owjfx.pdb
Filesize
11KB

MD5
69bd2c11dc42a6b4f139d4440fed8eb5

SHA1
62711306e20755bc89074674f514c5a454152a07

SHA256
0302303f12db9e0841430b04b6f1028ea19aa48cf9874e069952013703b491fe

SHA512
83e6e10d5e0c5da60d9e1943eb9b5e1ca122513f7754d98a911050ad75ec648f0ecd036667af1af9e481480ea784875b18d4b979552ef968b160428487cf8538

Download Submit
C:\Users\Admin\AppData\Local\Temp\waijyx.EXE
Filesize
287KB

MD5
2d07f1732527ea206a20d48372994458

SHA1
9886fc5cc285f2250ae500daa98ad72d4afd8e72

SHA256
a4ea663aa319447d49c40a6f825fe9d557977a633c263449f60d5d6768e39abd

SHA512
c30869e0b3ad77979feaa00f97f3a7440e8b66b238c1e1403e61745a06f215c18f6e6895ebbccdf862fed8f5f4e746a17e1e1d97edbac09fbfd59efe232d3e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\wecmhc.exe
Filesize
201KB

MD5
f1a97729b6e7401062abb8a05266aa8f

SHA1
522eb9ba7abfaccb84c1c5318da5eb879d05ca7c

SHA256
5a0aeea01f95dd75eadfb2dcd684c615d828aaa6881703bac633921f1fa00074

SHA512
9ec6fe3a90b254708ccb155279ef8fc989882691c69ecc2d2701a86880a2776fe5d96aba9da39e30e319438d24c9fcfd76353d1e22a148400729df225dafc5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFBC8E15547DB57B0D.TMP
Filesize
16KB

MD5
85b44a9773ba4e0df6892c6c6ce7da51

SHA1
897be9a2e21b24f697cb9f3d0b34e62294ea5873

SHA256
456b2e6f43c97dc71a4be326283c7d1b77652322dbff1d68290b42f4d7bfd9d2

SHA512
1f2f83f3e87a7c34ab8f683564dfd47d13b6f988a5165ce0e2b22d5cbc9d86c49891356cfeb9782282015a92f3236af7b2d343c7a598f44b4998a2be86318825

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2325bbf08a96516b1520e8be4c468e68

SHA1
7d070f1fc06b481af36ee6667f63060643aee520

SHA256
7656ca2e48c5f2408d3b33399482fc8142f74acfbea587ecaa110597db248e53

SHA512
334bf34256fa8a371ab99683370457e1a0f1ab35eaa1a1be2ecc609feb21ff0db61ce39dfd4de0bb22831bbc6b263c32caef629b2181b72dd64be4008a4f6793

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
144KB

MD5
302a161addf4cad7c6f078b7c5ad916a

SHA1
01450a35f72a6db951fb07fce749508f8aafe153

SHA256
be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6

SHA512
0c60134a2189554e6d47ef0e4845fe2d661b1d7a021bd530b8a323a2496fa7958dad31feb0022348b9c655a4aac4a9a67b13a1adafcac454a4346fa50796d8bd

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
5KB

MD5
ef75ec94cb6bea1251a45ddcefb427ca

SHA1
7a1480688e0e210b7072047e06b617c941cf9ffb

SHA256
15cbcb9b02e41380a9174ae8e8ac94a98f6562d44bb3930541756b41537bd927

SHA512
599e833d5abcb2de193d20bfe7c44cd4a81ec367e0169fbd4005ce40ba05daeea527308c150a71fe5b7d32323b547fd28141f6dd7c8a46bf89dead581ce0efe4

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
5KB

MD5
9853c62a5f33b33d6edf3d512ce69037

SHA1
c14ae4b1c3923c4f6f788318dfb636e5e8d80210

SHA256
ef15967bf09fd04560562d05f5c89318296844feda8351e612690e6b5755e595

SHA512
ce8fde8229f05b6826eb439f1e9186f904ac97837f2f97b20654d11b14dd12cfab067741bed9c2fb2555c668993dfefddc864094c4430c2f300ba46aeddcea24

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
Filesize
18B

MD5
b34f8e4c385af6107873364f3079572c

SHA1
91bb7bfd0ee61b8a362baedff7af442ebf014f24

SHA256
e891d6ffb1b43524d5288a757f1562aec2a3d9cb2e06ed73d6aee82fa9f67de0

SHA512
460a3cd11cb2bb48391e3005f7e3a6003912639826aa7d68268ac42618eba10b930b9c1f8d5a35175f5325127529c757b1d6c310072da1f52432ce0186154855

Download Submit
C:\Windows\TEMP\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\RS_ProgramCompatibilityWizard.ps1
Filesize
37KB

MD5
367fe5f4c6db87e1600f46687e5aac54

SHA1
9807dc03ea1ecf6ab12f36feec43e2a635ebe145

SHA256
177625ac9b07bbffcbbb47101c2d1121f47b03b42226861bfd7974b9cebc0c98

SHA512
694e1a2c2c508aa6105872d867981431ef895834703ab498c2483630a97a46cbc1ecff9a62857fbebeb85cf2ef9c4dc51e4b6f20cf74c65c1b67f68acabfa303

Download Submit
C:\Windows\TEMP\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\TS_ProgramCompatibilityWizard.ps1
Filesize
9KB

MD5
46e22c2582b54be56d80d7a79fec9bb5

SHA1
604fac637a35f60f5c89d1367c695feb68255ccd

SHA256
459af2960b08e848573d45a7350223657adb2115f24a3c37e69ffe61dea647f9

SHA512
a9a24df3fb391738405d2ea32cd3ef8657d8d00d7366858a39c624dc9ebbf0b64d2817355d41eed6ad3cc7703d264d2921c8a2590ff95601d89f3cca72ba786f

Download Submit
C:\Windows\TEMP\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\en-US\CL_LocalizationData.psd1
Filesize
6KB

MD5
5e03d8afb0fae97904a14d6b2d1cac9a

SHA1
78f401b1944ed92965d7a48dba036413688f949a

SHA256
538a5f22a12b0be59a7a83e0381c6ff661932f07643a87c2d3a542eade741671

SHA512
884c0494728dd9f1a4fc8092152b2253350304b745d6fc1e4b02c9cd2366bc8c92a169c549cd77bcd67e5e2e515d89d46c1d11de5eeb500d531d87839365cd19

Download Submit
C:\Windows\Temp\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\DiagPackage.dll
Filesize
64KB

MD5
e382ec1c184e7d7d6da1e0b3eacfa84b

SHA1
9a0d95eb339774874f4f0da35d10fd326438b56c

SHA256
786d95dc0d59089e14055385cce8765888f55236b5220fdfd28cf2d9b07e63ee

SHA512
019bcb4f41b5bc5853db2fa528ef126e839c5b0d0dc096dd441ba02d8c71e7913efd16b74aed93952ad2cc5422b151c12d3017fc22a65ae5ce2e7e1fc72a396c

Download Submit
C:\Windows\Temp\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\en-US\DiagPackage.dll.mui
Filesize
8KB

MD5
526bcf713fe4662e9f8a245a3a57048f

SHA1
cf0593c3a973495c395bbce779aef8764719abf7

SHA256
c8190f45d62c5c03013ffc66b3f9bf60f52a32464fa271d2fad5fd10432da606

SHA512
df7e93617461c2fd25b5b684311126e66b7cf9f1ecfbf4c8a944f65fb2c904194ec635a9c7b962d4583ea77b0312435c7dc1b5ecbcb1fb3a5a74fc1eb2c21d04

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\54s7wm_q.0.cs
Filesize
5KB

MD5
252f38959fe104203e386334ad7affc2

SHA1
2c8d8a8f2952d79afbb9f1c39407aed139a6ca60

SHA256
32d6b5a428a39416d88b77bcb7569c68ece04d78805ee8200275ba37b4648216

SHA512
7a7cb397908f0b68255f44d13b56f24b98566445f48f609c04093e9f319b3b1e06df22a5a0783faa59c12e221d3597a8a950d1c10f5a3502ddb091ebdd362421

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\54s7wm_q.cmdline
Filesize
309B

MD5
ef1d03c21213f300b30b4465795e6870

SHA1
f4dfa1f39c4d687dab226c3d21a22280a230f381

SHA256
e117c7dc48ceab9962459e61618b5812a5c6ce45497f01829cc7701c4338b82c

SHA512
b806e53f232c2c310c5ef781cac7f1a9ae13cd7799c3390bb430d02848fbf01a9af437ab27fdbb7fcc330b65eafba06f8c81787742bba9418b1a30f8f4d5bb59

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC741.tmp
Filesize
652B

MD5
311a4a4f5b38c9094ae35c9192a03f86

SHA1
983a51f9199bc48e9ce3b859f465ddf6408b26ef

SHA256
4acabd74823b16ed607cf7364fcc2c7847a3986d3fcc380fe018d4f1f65602fe

SHA512
c4d0c53f78012dc2f7c3d40f1198b30d688d9240f17996a08541a33be7d85b29e7146d1edc4e6dec83551ec928937213d1a081ae599ef13255a0a655ab92d08c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC780.tmp
Filesize
652B

MD5
68aa6e3c982102d04faccde4237fa00c

SHA1
abad59cfb75a05bf4d3123e19d7b0efb0e9a2d5c

SHA256
aebf83eb816beb17ce85497d937ab8d4e5eb64346e7359a706bfbc80d4de830d

SHA512
9675dace4d89a88e6989474eb4a4eb78a6ebfd28e60ba55297ab567fdb4217b4b8b009e5ee9f0083380f7d957ca91345dfad378e07f2d270611a8246d99bdc8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp
Filesize
652B

MD5
558088e3d31dee7f0c1bb28b4cc1ad6f

SHA1
4d213362f2665ce3ac66a7d6f9bace6f5049eb49

SHA256
aca0f2e1f90fd67cdde48be7f573d20ae0cd00541f931b894d9cbd1086eed385

SHA512
b8517646e9fd8982e65d9a96b81b9adf6cba91fa7040e7e71be07eea83a00c782ae52200fea3200b4742c0371aadee07502dc9476cd8e6f69cb7fef1958f4fd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\how1fh96.0.cs
Filesize
965B

MD5
b0dc59b099ca7c12fb8ad72d3c50c82c

SHA1
f19e28849921cf51e322824c5a8ae8bc00014cd1

SHA256
e75eaaa3d7908fb05000c0a957048d20091a0d2575e87d091d11cdb3a5b562e5

SHA512
852c937d36afe3b6df5826b9f1877d511259e2a0ffcdf229c8c655ced7346b36e526928537386121e3ecbc8b1285144dabe3b760db1873cb3baaf70a0f21c364

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\how1fh96.cmdline
Filesize
309B

MD5
3099d4f0b88bfbda04824384cac95c92

SHA1
f6318b8168ac2d2fed9fc1d03653e299935bda6a

SHA256
e41cca6781453970de1beabac8f33e8a6ce28573d02b2d44a0aa485ed45408f4

SHA512
8e709762289232a810973b7d91e93d760e4b62be1444c7cd003690691dbd5627dfa5bb5c5ebd0a93b64139e2bdbd4741f8cfa6111e822758e797d6b07db4af3c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tt7owjfx.0.cs
Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tt7owjfx.cmdline
Filesize
309B

MD5
cdf96e383da9bb3225834c3922f503c3

SHA1
39256686059ca00b004e9e422f11ebba8bf0b272

SHA256
babe2f250b831f3f182b9817f30978a0cf4a43f10e084055d7b82972a2f7b88c

SHA512
bf7d068ee79178d5d54610d84b57e04cf0df12dff0b206ea109568f74a913b468ac412b71f67467889d644ec138df86ff16178130f6d99cd0e2cb61bf465162a

Download Submit
\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/828-871-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/828-854-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/828-838-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1072-72-0x0000000000D50000-0x0000000000D7A000-memory.dmp

Filesize
168KB

Download
memory/1144-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1144-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1272-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1312-503-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-519-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-518-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-520-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/1312-721-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-522-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-531-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-913-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-534-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-50-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-537-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1312-58-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/1584-41-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1584-517-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1584-502-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2576-33-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-32-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

Filesize
4KB

Download
memory/2576-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-1-0x0000000000A00000-0x0000000000A2A000-memory.dmp

Filesize
168KB

Download
memory/2576-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

Filesize
4KB

Download
memory/2648-15-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2648-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2688-881-0x000007FEED3A0000-0x000007FEED656000-memory.dmp

Filesize
2.7MB

Download
memory/2688-903-0x000007FEEFB20000-0x000007FEEFB37000-memory.dmp

Filesize
92KB

Download
memory/2688-887-0x000007FEF2640000-0x000007FEF265D000-memory.dmp

Filesize
116KB

Download
memory/2688-886-0x000007FEF2660000-0x000007FEF2671000-memory.dmp

Filesize
68KB

Download
memory/2688-891-0x000007FEF2560000-0x000007FEF25A1000-memory.dmp

Filesize
260KB

Download
memory/2688-889-0x000007FEED190000-0x000007FEED39B000-memory.dmp

Filesize
2.0MB

Download
memory/2688-890-0x000007FEF25B0000-0x000007FEF2617000-memory.dmp

Filesize
412KB

Download
memory/2688-885-0x000007FEF6680000-0x000007FEF6697000-memory.dmp

Filesize
92KB

Download
memory/2688-884-0x000007FEF6760000-0x000007FEF6771000-memory.dmp

Filesize
68KB

Download
memory/2688-883-0x000007FEF6780000-0x000007FEF6797000-memory.dmp

Filesize
92KB

Download
memory/2688-882-0x000007FEF67A0000-0x000007FEF67B8000-memory.dmp

Filesize
96KB

Download
memory/2688-879-0x000000013F610000-0x000000013F708000-memory.dmp

Filesize
992KB

Download
memory/2688-880-0x000007FEF6930000-0x000007FEF6964000-memory.dmp

Filesize
208KB

Download
memory/2688-893-0x000007FEF2530000-0x000007FEF2551000-memory.dmp

Filesize
132KB

Download
memory/2688-892-0x000007FEEC0E0000-0x000007FEED190000-memory.dmp

Filesize
16.7MB

Download
memory/2688-894-0x000007FEF2510000-0x000007FEF2528000-memory.dmp

Filesize
96KB

Download
memory/2688-898-0x000007FEF2490000-0x000007FEF24AB000-memory.dmp

Filesize
108KB

Download
memory/2688-902-0x000007FEEFBE0000-0x000007FEEFC5C000-memory.dmp

Filesize
496KB

Download
memory/2688-901-0x000007FEEFC60000-0x000007FEEFC90000-memory.dmp

Filesize
192KB

Download
memory/2688-900-0x000007FEEFC90000-0x000007FEEFCA8000-memory.dmp

Filesize
96KB

Download
memory/2688-899-0x000007FEEFCB0000-0x000007FEEFCC1000-memory.dmp

Filesize
68KB

Download
memory/2688-904-0x000007FEEFB00000-0x000007FEEFB11000-memory.dmp

Filesize
68KB

Download
memory/2688-905-0x000007FEEC080000-0x000007FEEC0D7000-memory.dmp

Filesize
348KB

Download
memory/2688-888-0x000007FEF2620000-0x000007FEF2631000-memory.dmp

Filesize
68KB

Download
memory/2688-897-0x000007FEF24B0000-0x000007FEF24C1000-memory.dmp

Filesize
68KB

Download
memory/2688-908-0x000007FEEF9A0000-0x000007FEEF9B8000-memory.dmp

Filesize
96KB

Download
memory/2688-907-0x000007FEEC050000-0x000007FEEC074000-memory.dmp

Filesize
144KB

Download
memory/2688-906-0x000007FEEE530000-0x000007FEEE558000-memory.dmp

Filesize
160KB

Download
memory/2688-896-0x000007FEF24D0000-0x000007FEF24E1000-memory.dmp

Filesize
68KB

Download
memory/2688-895-0x000007FEF24F0000-0x000007FEF2501000-memory.dmp

Filesize
68KB

Download
memory/2688-910-0x000007FEEC000000-0x000007FEEC011000-memory.dmp

Filesize
68KB

Download
memory/2688-909-0x000007FEEC020000-0x000007FEEC043000-memory.dmp

Filesize
140KB

Download
memory/2720-8-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2720-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2732-539-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/2884-540-0x000000013F610000-0x000000013F708000-memory.dmp

Filesize
992KB

Download
memory/2884-541-0x000007FEF6930000-0x000007FEF6964000-memory.dmp

Filesize
208KB

Download
memory/2884-544-0x000007FEF6780000-0x000007FEF6797000-memory.dmp

Filesize
92KB

Download
memory/2884-543-0x000007FEF67A0000-0x000007FEF67B8000-memory.dmp

Filesize
96KB

Download
memory/2884-542-0x000007FEED3A0000-0x000007FEED656000-memory.dmp

Filesize
2.7MB

Download
memory/2884-545-0x000007FEF6760000-0x000007FEF6771000-memory.dmp

Filesize
68KB

Download
memory/3028-911-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3028-535-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3028-532-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3028-694-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download