amadey | 24eff2bc4ab82c6337f4815505cc1d05e5e88c17f411213c5a926e971d895b67

Analysis

max time kernel
50s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

797.3MB
MD5

67b884b87a049ea9053b89232116fb73
SHA1

2c3bb5d5cdc496a17824d12c76d02c6c95be59ce
SHA256

adae648d3e5026aa206869543d51b6532c9c964e7f047b97b1df1385c1866afc
SHA512

87cd6da48660c6f4805b275413150e7252ce7a55c45bd739a19c51d9b98a3428bd7bc3ddf3f463ff5d7137804432d7b7eb91f419a05ca5244f946bb3af286495
SSDEEP

98304:XZMBNQE6FC/d3s73QWE15+lOG3WX1ILAor+GHzOsqnZkNcMtj:GAC/d3s7gT1zG3WX1mrHXqnZmtj

Score

10^/10

amadey privateloader redline stealc tofsee 4dd39d funny logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

funny

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

setup.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/5480-387-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

dk4BYkYDKQwEv5_z8NgKkv2F.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dk4BYkYDKQwEv5_z8NgKkv2F.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
5260	powershell.exe
5284	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
5432	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exedk4BYkYDKQwEv5_z8NgKkv2F.exeInstall.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dk4BYkYDKQwEv5_z8NgKkv2F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dk4BYkYDKQwEv5_z8NgKkv2F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeInstall.exeInstall.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Install.exe

Drops startup file 1 IoCs

Processes:

dk4BYkYDKQwEv5_z8NgKkv2F.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	dk4BYkYDKQwEv5_z8NgKkv2F.exe

Executes dropped EXE 18 IoCs

Processes:

L6HsyAp8wTQ3SJvWzH_5VfnM.exeI7T9XFclfbM0M02o3DyxaFJf.exetYFyS8YqxXMRw6_befi1lsGH.exeeEqqnxQrLX6PmnNLXk3fhYpA.exeWvtkL2WoQidw2qgo1BJrMdcu.exetEgZiA6fElJ_IxIrirjsuWh6.exe5H9Kk7eps2823VbqJwXRHU1d.exe07z5_PWPzXKE9FLSLigfJ8XG.exexHafK2AJZfsDe4I3BBBZvXE0.exeu0nAOm1j598noyva0EWC443M.exedk4BYkYDKQwEv5_z8NgKkv2F.exe07z5_PWPzXKE9FLSLigfJ8XG.tmpInstall.exeInstall.execoncertplayerfree32_64.exeInstall.exeInstall.execoncertplayerfree32_64.exe

pid	Process
3324	L6HsyAp8wTQ3SJvWzH_5VfnM.exe
840	I7T9XFclfbM0M02o3DyxaFJf.exe
996	tYFyS8YqxXMRw6_befi1lsGH.exe
3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe
2572	WvtkL2WoQidw2qgo1BJrMdcu.exe
3460	tEgZiA6fElJ_IxIrirjsuWh6.exe
3552	5H9Kk7eps2823VbqJwXRHU1d.exe
3180	07z5_PWPzXKE9FLSLigfJ8XG.exe
5092	xHafK2AJZfsDe4I3BBBZvXE0.exe
2804	u0nAOm1j598noyva0EWC443M.exe
1220	dk4BYkYDKQwEv5_z8NgKkv2F.exe
1868	07z5_PWPzXKE9FLSLigfJ8XG.tmp
1572	Install.exe
5216	Install.exe
5556	concertplayerfree32_64.exe
5604	Install.exe
5688	Install.exe
5720	concertplayerfree32_64.exe

Loads dropped DLL 1 IoCs

Processes:

07z5_PWPzXKE9FLSLigfJ8XG.tmp

pid	Process
1868	07z5_PWPzXKE9FLSLigfJ8XG.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/files/0x00070000000234ff-83.dat	themida
behavioral4/memory/1220-173-0x00000000003A0000-0x0000000000D2F000-memory.dmp	themida
behavioral4/memory/1220-192-0x00000000003A0000-0x0000000000D2F000-memory.dmp	themida
behavioral4/memory/1220-179-0x00000000003A0000-0x0000000000D2F000-memory.dmp	themida
behavioral4/memory/1220-193-0x00000000003A0000-0x0000000000D2F000-memory.dmp	themida
behavioral4/memory/1220-195-0x00000000003A0000-0x0000000000D2F000-memory.dmp	themida
behavioral4/memory/1220-180-0x00000000003A0000-0x0000000000D2F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dk4BYkYDKQwEv5_z8NgKkv2F.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	dk4BYkYDKQwEv5_z8NgKkv2F.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dk4BYkYDKQwEv5_z8NgKkv2F.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dk4BYkYDKQwEv5_z8NgKkv2F.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
99	iplogger.org
100	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	ipinfo.io
29	ipinfo.io
22	api.myip.com
23	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
3988	powercfg.exe
5156	powercfg.exe
116	powercfg.exe
3080	powercfg.exe
5144	powercfg.exe
3000	powercfg.exe
212	powercfg.exe
1080	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

dk4BYkYDKQwEv5_z8NgKkv2F.exexHafK2AJZfsDe4I3BBBZvXE0.exe

pid	Process
1220	dk4BYkYDKQwEv5_z8NgKkv2F.exe
5092	xHafK2AJZfsDe4I3BBBZvXE0.exe
5092	xHafK2AJZfsDe4I3BBBZvXE0.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

eEqqnxQrLX6PmnNLXk3fhYpA.exeI7T9XFclfbM0M02o3DyxaFJf.exeL6HsyAp8wTQ3SJvWzH_5VfnM.exetEgZiA6fElJ_IxIrirjsuWh6.exe

description	pid	Process	procid_target
PID 3628 set thread context of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 840 set thread context of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 3324 set thread context of 5480	3324	L6HsyAp8wTQ3SJvWzH_5VfnM.exe	121
PID 3460 set thread context of 5628	3460	tEgZiA6fElJ_IxIrirjsuWh6.exe	124

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
5280	sc.exe
216	sc.exe
3564	sc.exe
996	sc.exe
4608	sc.exe
5300	sc.exe
5248	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5664	996	WerFault.exe	103
2816	2556	WerFault.exe	156

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xHafK2AJZfsDe4I3BBBZvXE0.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xHafK2AJZfsDe4I3BBBZvXE0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xHafK2AJZfsDe4I3BBBZvXE0.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1648	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeInstall.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
5932	schtasks.exe
6004	schtasks.exe
6012	schtasks.exe
5444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

setup.exedk4BYkYDKQwEv5_z8NgKkv2F.exeI7T9XFclfbM0M02o3DyxaFJf.exeMSBuild.exe5H9Kk7eps2823VbqJwXRHU1d.exexHafK2AJZfsDe4I3BBBZvXE0.exetaskmgr.exe

pid	Process
3204	setup.exe
3204	setup.exe
1220	dk4BYkYDKQwEv5_z8NgKkv2F.exe
1220	dk4BYkYDKQwEv5_z8NgKkv2F.exe
840	I7T9XFclfbM0M02o3DyxaFJf.exe
840	I7T9XFclfbM0M02o3DyxaFJf.exe
4928	MSBuild.exe
4928	MSBuild.exe
3552	5H9Kk7eps2823VbqJwXRHU1d.exe
3552	5H9Kk7eps2823VbqJwXRHU1d.exe
5092	xHafK2AJZfsDe4I3BBBZvXE0.exe
5092	xHafK2AJZfsDe4I3BBBZvXE0.exe
5888	taskmgr.exe
5888	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

I7T9XFclfbM0M02o3DyxaFJf.exeeEqqnxQrLX6PmnNLXk3fhYpA.exetaskmgr.exeRegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	840	I7T9XFclfbM0M02o3DyxaFJf.exe
Token: SeDebugPrivilege	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe
Token: SeDebugPrivilege	5888	taskmgr.exe
Token: SeSystemProfilePrivilege	5888	taskmgr.exe
Token: SeCreateGlobalPrivilege	5888	taskmgr.exe
Token: SeDebugPrivilege	5628	RegAsm.exe
Token: SeBackupPrivilege	5628	RegAsm.exe
Token: SeSecurityPrivilege	5628	RegAsm.exe
Token: SeSecurityPrivilege	5628	RegAsm.exe
Token: SeSecurityPrivilege	5628	RegAsm.exe
Token: SeSecurityPrivilege	5628	RegAsm.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

07z5_PWPzXKE9FLSLigfJ8XG.tmptaskmgr.exe

pid	Process
1868	07z5_PWPzXKE9FLSLigfJ8XG.tmp
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

taskmgr.exe

pid	Process
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe
5888	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

xHafK2AJZfsDe4I3BBBZvXE0.exe

pid	Process
5092	xHafK2AJZfsDe4I3BBBZvXE0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exe07z5_PWPzXKE9FLSLigfJ8XG.exeI7T9XFclfbM0M02o3DyxaFJf.exeeEqqnxQrLX6PmnNLXk3fhYpA.exeu0nAOm1j598noyva0EWC443M.exeWvtkL2WoQidw2qgo1BJrMdcu.exedk4BYkYDKQwEv5_z8NgKkv2F.exe

description	pid	Process	procid_target
PID 3204 wrote to memory of 3324	3204	setup.exe	100
PID 3204 wrote to memory of 3324	3204	setup.exe	100
PID 3204 wrote to memory of 3324	3204	setup.exe	100
PID 3204 wrote to memory of 840	3204	setup.exe	101
PID 3204 wrote to memory of 840	3204	setup.exe	101
PID 3204 wrote to memory of 840	3204	setup.exe	101
PID 3204 wrote to memory of 996	3204	setup.exe	103
PID 3204 wrote to memory of 996	3204	setup.exe	103
PID 3204 wrote to memory of 996	3204	setup.exe	103
PID 3204 wrote to memory of 3628	3204	setup.exe	102
PID 3204 wrote to memory of 3628	3204	setup.exe	102
PID 3204 wrote to memory of 3628	3204	setup.exe	102
PID 3204 wrote to memory of 3460	3204	setup.exe	105
PID 3204 wrote to memory of 3460	3204	setup.exe	105
PID 3204 wrote to memory of 3460	3204	setup.exe	105
PID 3204 wrote to memory of 2572	3204	setup.exe	104
PID 3204 wrote to memory of 2572	3204	setup.exe	104
PID 3204 wrote to memory of 2572	3204	setup.exe	104
PID 3204 wrote to memory of 3552	3204	setup.exe	106
PID 3204 wrote to memory of 3552	3204	setup.exe	106
PID 3204 wrote to memory of 1220	3204	setup.exe	107
PID 3204 wrote to memory of 1220	3204	setup.exe	107
PID 3204 wrote to memory of 1220	3204	setup.exe	107
PID 3204 wrote to memory of 3180	3204	setup.exe	108
PID 3204 wrote to memory of 3180	3204	setup.exe	108
PID 3204 wrote to memory of 3180	3204	setup.exe	108
PID 3204 wrote to memory of 5092	3204	setup.exe	110
PID 3204 wrote to memory of 5092	3204	setup.exe	110
PID 3204 wrote to memory of 5092	3204	setup.exe	110
PID 3204 wrote to memory of 2804	3204	setup.exe	109
PID 3204 wrote to memory of 2804	3204	setup.exe	109
PID 3204 wrote to memory of 2804	3204	setup.exe	109
PID 3180 wrote to memory of 1868	3180	07z5_PWPzXKE9FLSLigfJ8XG.exe	113
PID 3180 wrote to memory of 1868	3180	07z5_PWPzXKE9FLSLigfJ8XG.exe	113
PID 3180 wrote to memory of 1868	3180	07z5_PWPzXKE9FLSLigfJ8XG.exe	113
PID 840 wrote to memory of 692	840	I7T9XFclfbM0M02o3DyxaFJf.exe	114
PID 840 wrote to memory of 692	840	I7T9XFclfbM0M02o3DyxaFJf.exe	114
PID 840 wrote to memory of 692	840	I7T9XFclfbM0M02o3DyxaFJf.exe	114
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 3628 wrote to memory of 4928	3628	eEqqnxQrLX6PmnNLXk3fhYpA.exe	115
PID 2804 wrote to memory of 1572	2804	u0nAOm1j598noyva0EWC443M.exe	116
PID 2804 wrote to memory of 1572	2804	u0nAOm1j598noyva0EWC443M.exe	116
PID 2804 wrote to memory of 1572	2804	u0nAOm1j598noyva0EWC443M.exe	116
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 840 wrote to memory of 4020	840	I7T9XFclfbM0M02o3DyxaFJf.exe	117
PID 2572 wrote to memory of 5216	2572	WvtkL2WoQidw2qgo1BJrMdcu.exe	118
PID 2572 wrote to memory of 5216	2572	WvtkL2WoQidw2qgo1BJrMdcu.exe	118
PID 2572 wrote to memory of 5216	2572	WvtkL2WoQidw2qgo1BJrMdcu.exe	118
PID 1220 wrote to memory of 5444	1220	dk4BYkYDKQwEv5_z8NgKkv2F.exe	119

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\Documents\SimpleAdobe\L6HsyAp8wTQ3SJvWzH_5VfnM.exe
  C:\Users\Admin\Documents\SimpleAdobe\L6HsyAp8wTQ3SJvWzH_5VfnM.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5480
- C:\Users\Admin\Documents\SimpleAdobe\I7T9XFclfbM0M02o3DyxaFJf.exe
  C:\Users\Admin\Documents\SimpleAdobe\I7T9XFclfbM0M02o3DyxaFJf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4020
- C:\Users\Admin\Documents\SimpleAdobe\eEqqnxQrLX6PmnNLXk3fhYpA.exe
  C:\Users\Admin\Documents\SimpleAdobe\eEqqnxQrLX6PmnNLXk3fhYpA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JECGIIIDAKJD" & exit
      4⤵
      PID:1012
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:1648
- C:\Users\Admin\Documents\SimpleAdobe\tYFyS8YqxXMRw6_befi1lsGH.exe
  C:\Users\Admin\Documents\SimpleAdobe\tYFyS8YqxXMRw6_befi1lsGH.exe
  2⤵
  - Executes dropped EXE
  PID:996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dnixnfxa\
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bvvnqaeq.exe" C:\Windows\SysWOW64\dnixnfxa\
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create dnixnfxa binPath= "C:\Windows\SysWOW64\dnixnfxa\bvvnqaeq.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\tYFyS8YqxXMRw6_befi1lsGH.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:4608
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description dnixnfxa "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:5300
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start dnixnfxa
    3⤵
    - Launches sc.exe
    PID:5248
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:5432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1036
    3⤵
    - Program crash
    PID:5664
- C:\Users\Admin\Documents\SimpleAdobe\WvtkL2WoQidw2qgo1BJrMdcu.exe
  C:\Users\Admin\Documents\SimpleAdobe\WvtkL2WoQidw2qgo1BJrMdcu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\7zS5B0C.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\7zS6915.tmp\Install.exe
      .\Install.exe /THdidEyZM "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:5688
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:920
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5260
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bhUbGthiAMRPkmWnMY" /SC once /ST 20:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6915.tmp\Install.exe\" yE /PdidPaOc 525403 /S" /V1 /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6004
- C:\Users\Admin\Documents\SimpleAdobe\tEgZiA6fElJ_IxIrirjsuWh6.exe
  C:\Users\Admin\Documents\SimpleAdobe\tEgZiA6fElJ_IxIrirjsuWh6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5628
- C:\Users\Admin\Documents\SimpleAdobe\5H9Kk7eps2823VbqJwXRHU1d.exe
  C:\Users\Admin\Documents\SimpleAdobe\5H9Kk7eps2823VbqJwXRHU1d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5156
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:116
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3080
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5144
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:5280
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:216
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3564
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:996
- C:\Users\Admin\Documents\SimpleAdobe\dk4BYkYDKQwEv5_z8NgKkv2F.exe
  C:\Users\Admin\Documents\SimpleAdobe\dk4BYkYDKQwEv5_z8NgKkv2F.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5932
- C:\Users\Admin\Documents\SimpleAdobe\07z5_PWPzXKE9FLSLigfJ8XG.exe
  C:\Users\Admin\Documents\SimpleAdobe\07z5_PWPzXKE9FLSLigfJ8XG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\is-KJIGP.tmp\07z5_PWPzXKE9FLSLigfJ8XG.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KJIGP.tmp\07z5_PWPzXKE9FLSLigfJ8XG.tmp" /SL5="$E0044,4777797,54272,C:\Users\Admin\Documents\SimpleAdobe\07z5_PWPzXKE9FLSLigfJ8XG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:1868
  - - C:\Users\Admin\AppData\Local\Concert Player Free\concertplayerfree32_64.exe
      "C:\Users\Admin\AppData\Local\Concert Player Free\concertplayerfree32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:5556
  - - C:\Users\Admin\AppData\Local\Concert Player Free\concertplayerfree32_64.exe
      "C:\Users\Admin\AppData\Local\Concert Player Free\concertplayerfree32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:5720
- C:\Users\Admin\Documents\SimpleAdobe\u0nAOm1j598noyva0EWC443M.exe
  C:\Users\Admin\Documents\SimpleAdobe\u0nAOm1j598noyva0EWC443M.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\7zS5ADD.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\7zS684A.tmp\Install.exe
      .\Install.exe /lqkUBdidS "385132" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:5604
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5284
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:400
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwEqyGssAhLbgFUKbl" /SC once /ST 20:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS684A.tmp\Install.exe\" eE /cPcrdidPaO 385132 /S" /V1 /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6012
- C:\Users\Admin\Documents\SimpleAdobe\xHafK2AJZfsDe4I3BBBZvXE0.exe
  C:\Users\Admin\Documents\SimpleAdobe\xHafK2AJZfsDe4I3BBBZvXE0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe"
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe
      "C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe"
      4⤵
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\1000006001\3f0209e872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\3f0209e872.exe"
        6⤵
        
        PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFIIEHJDB.exe"
    3⤵
    PID:5128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5888

C:\Windows\SysWOW64\dnixnfxa\bvvnqaeq.exe
C:\Windows\SysWOW64\dnixnfxa\bvvnqaeq.exe /d"C:\Users\Admin\Documents\SimpleAdobe\tYFyS8YqxXMRw6_befi1lsGH.exe"
1⤵
PID:2556
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 560
  2⤵
  - Program crash
  PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 996 -ip 996
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2556 -ip 2556
1⤵
PID:3228

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
PID:4400
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3988
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1080
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:212
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3000
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5408
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JECGIIIDAKJD\GIIIEC

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JECGIIIDAKJD\KEGCBK

Filesize
114KB

MD5
6191e080ad75978d49b69b6e5a6d6b5e

SHA1
2754253e1f98e035477b21c764f14d0bf5f64c1c

SHA256
8d4cb42aacaa5d137dbdb326061d3fdeca51b138fa20dbd342ae66c90d25ea98

SHA512
cfd6392871c187085a612125d44573093a6b3a650b04afe5754674d871cb79c1440bcb8ce1dd68de164f47b7b3ff344f750110ff3b9d10287aed3e10e4f6a049

Download Submit
C:\ProgramData\freebl3.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\nss3.dll

Filesize
64KB

MD5
8522d68e2f3685042af5ccdc5c3d72c7

SHA1
78baa0a9e336d7d9103347cf94f46a60e15703b9

SHA256
4996f5f97f1526d8052e6ccb5581db8f37b86ff138951bba12141d0f6462741f

SHA512
c623b6ef03dde5b3dbd11b6872b257af3a3aa8999d7e72d9eff578a01760162ca950e4c2cf5ede5035a50f68e93cd856ec609368196c66854e68a84db29d6748

Download Submit
C:\Users\Admin\AppData\Local\Concert Player Free\concertplayerfree32_64.exe

Filesize
3.2MB

MD5
177d7dfd3e3514210effe976ad0ce2fe

SHA1
89955b061cbbe9329019275e6645b42b6a0fc96c

SHA256
3f4db67d1dec97c0a7cf4caddb25b557e7d9931748f248c8c7c34bc729b8ede5

SHA512
08c76978a15a71b05e9b55aec264db9a572ac9fd75784d8f49bddf5c780bf41f5741840c01176ca5f8bbf720ff174b5984b35b064b46eea51e59c9b90e9f9f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
1a81a4123f2a45644f91b9ab5fecdef4

SHA1
351bb837a15d5309421cc42abdb9a8dbbb05d1e2

SHA256
38227390a53162d22b0b20c85b3752b65e80417e352935afadca960e7cc6ac58

SHA512
6d3adf643fc12afd8d92205315a9f2b1299126e1e9194e2e6cfd2667666788f4479e8552b9eb0dfd1c43ac12a2fb36068e57e720ed5a1599490f4335e9b33879

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5ADD.tmp\Install.exe

Filesize
6.4MB

MD5
1f6aa501879892b8551d78db4ef14bcd

SHA1
bb6d5f46faa218df5fd25ced3a44dcc46e8dcd9b

SHA256
3c166672ca698084bee2657436df56dd97f9de3849693bf712ab415008b74479

SHA512
64628d9823fd143efa995f04a529df31db6bafa45d0afd3714cae8b58d4586f45086d22239947ab9c56104057babf5d3fbde24a1ed344bfe7690f7a84005b5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B0C.tmp\Install.exe

Filesize
6.4MB

MD5
18cfbb1dd965ec9646ac5aaa0fc85f11

SHA1
f0a574713f4b206e8298eb9ebdb6c354281d56c0

SHA256
bc3642220bf34566930446907c28191a63ad13bae64a93bc05652b30a540bbfd

SHA512
149fb199894b2f3d78a1b5ef6938a825788aaec0de54984dc085f96f9fa024bb6832930149b71a1a8d11bd69be368f7accb36b29430ea7dc52888b0e4b17512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS684A.tmp\Install.exe

Filesize
6.8MB

MD5
080e5ed2bd3892a84cc1b63687cff569

SHA1
497168f94744e7109c4ec83d4e2b9b4c3a5f7f05

SHA256
8ef13deac25120ed64d9d4685c9de8012728dfd89d1f41f48491af3a59da5ea9

SHA512
324a89ca8f94f22b7706b83a5d832a7cc4102543bfadb4a3816b0252152f9bc1bc46b2bec1003a18ad0c5d1b6355e46f8170eedda887d7f7ace5659273f0c1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6915.tmp\Install.exe

Filesize
6.7MB

MD5
28233431ecce9eeb655875f0dae4ff1c

SHA1
d9007d9a4539bdac35931b16eedc3adb9ea60998

SHA256
ac438722efaebae88783430ddda11386fb077c99d28a12d8334da537b7f3d110

SHA512
2610ff7482e59c54b3264641d20eaa8e1700967277c8f4e051c3248edb496b9999a0c07822c345e1e41e35377098cf37f75d6cad515d435e1aaf8d9199995a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\JECGIIIDAK.exe

Filesize
1.8MB

MD5
7d13ce71a1b579108ab43bac4464cd67

SHA1
166abc066e6049fa24559f7b23810d19eace9cdb

SHA256
f39c3ec3bc38daf17b3d0ac0d36d469e36ec93837a7c6c71635fca9a59d15cf0

SHA512
f849d782fbb9571cfcf59ca303c7f0ae0c6a7342ac09992aa27e61f528dfe4683fdcc8d44af4ec34db7038613059a4eab64fa43ec4e84f14e203df2cbfb61436

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_erqhnrcu.cif.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvvnqaeq.exe

Filesize
10.1MB

MD5
0c817ab399291b3bd523c66c72d9ce51

SHA1
f71235d33df4c8831faad4dfbbc3b26ebe5a3a0f

SHA256
09f71132319c819d12d8402490cec7c429f1f5b3d0a283a7ebdf7ed134df1e49

SHA512
19a122cba2994476424afb574c690c37f84d4e279c6f6f7e125410335091890e5cb5c86b9f29cc8eb3f732e5cec08d919381c5b4ad32943287ed7f018c02071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KJIGP.tmp\07z5_PWPzXKE9FLSLigfJ8XG.tmp

Filesize
680KB

MD5
1b5802b228ada8632b0cc9daed3bf5c0

SHA1
2907533ec55358a90a07820661c525b516c96f8f

SHA256
ad45a851abd7054a796a6279d43bfc2874db5f33f8b48611f56de53d75fa5289

SHA512
032fd3df39efa28f2d9a4d0222847a72d6fcf1373e3834a9cdeefff4f37d2e33f5f47b7d66d0f4322be6595df7be21fdb4625c2a460a92ce0ee64d78c857c1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VATRQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Filesize
1KB

MD5
afe07976b51920c2627121a92f7dbb32

SHA1
017819523d868ac8b44f09f4328bbfb31f1f6cee

SHA256
4696c309247ca324eb61963a392a81ee0eded9b022c297f42edb0263951de8c9

SHA512
fb4a0e667dbbe9fca4c162264d247dfff49fc3cb9237129ee5912efa90eea67c9ad79135352a9f369316a062c68827b78537c0af34272b665058e21b9e4a451f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\07z5_PWPzXKE9FLSLigfJ8XG.exe

Filesize
4.8MB

MD5
362ba70ed166d28e7e89edff1be0f9ce

SHA1
a6c6c4c357cf57be6d31e386eede805207f89570

SHA256
2dfd86c6bf5a0921bb01cec6775e379b96eb80e0ae3735a76b53de486cdca6ba

SHA512
58c1b1175c47da73701b92460eea6001101d9bd322c34104b38642de984a975179e840364a8d1d2a1b4e917408f369a8331cbbe5baf656866b0759c4f6e872b4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5H9Kk7eps2823VbqJwXRHU1d.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\I7T9XFclfbM0M02o3DyxaFJf.exe

Filesize
3.7MB

MD5
82a3c776eae4f6a5d3a81700234805c4

SHA1
585e8db74b2fe63afd8ef04f41558bbf9cdc9f66

SHA256
925d25b27a4a6cdfb2616b3cb64e258aaa63d7e8b19517a437cb5b5a2efd247a

SHA512
74aed6d5a071fc6e60fc43a5cca250b12db0079ba09a0d8b20abadd2e6cedf20e873bb2f84867938b3667cb343386b6a96e650dc2d44c38b0a7fb0284dc9295b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\L6HsyAp8wTQ3SJvWzH_5VfnM.exe

Filesize
507KB

MD5
b511a938c3da1d394dadd5c5c67bb48b

SHA1
be36fc316ed3362fbc5b57050bfcbd1d7b7775cd

SHA256
7010eb737bc8cbc8598ae5de392f485406f7fd1e821f0d7e6649f3022fcf8ac8

SHA512
005e86636948bf7de4d5f10425bd35bf5cafec5183683c752579ca446e67bcbecf45b7d68502bbf1ded862f8f2640f077bbe04e3565f804970dfc3644788e94b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\WvtkL2WoQidw2qgo1BJrMdcu.exe

Filesize
7.3MB

MD5
7ad49e14029a42a78f09d7c0429cf1b6

SHA1
f78d5ad756054b63818b2805829af2fbf02afa9b

SHA256
8b30a057f8ea7345f72b4afc59603116ff223995516458bc48462c1aacf84997

SHA512
c4ad5e43c8094e4c63fb8936f338042dda1a20b0b8727b96d9ace75ecfed3d055ceb6349460e2a87033783ecde601461b0449945b546f93ccaea9a6c410856a6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dk4BYkYDKQwEv5_z8NgKkv2F.exe

Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\eEqqnxQrLX6PmnNLXk3fhYpA.exe

Filesize
5.3MB

MD5
ceb30eeedfc8a3ec47ab32932937a258

SHA1
cd7b3450205111b5f9a39e83c71c34f498ac3262

SHA256
2ccc095e2b7de720513d290dea7ad6cde991ebd3773f5140489a461873cb2ba6

SHA512
1c735264adc4a78af8a454120cb43ecc9a99b8df621af4cc8127ddb84584e5a90db7ffc8f456fdbdfa1c705b62c5abd609faa9b8f0f85c051327a0bd0b34949f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\eEqqnxQrLX6PmnNLXk3fhYpA.exe

Filesize
5.3MB

MD5
284772e9ed77e22e2b57773915ea8eed

SHA1
01d2c594d15cc74b6812a697ecd3f399070841c6

SHA256
6f8280c9c17e6680132d17aea47f9156ca20751083d3c943966d00d56a230cb7

SHA512
6e309b907a5760529bf029667c179055114673fc6b8acef72eaa8a121685e0e2eed634951d35f0662948780b5eb53ed38fb2e95a9d6bf7334fb6a4b317f41b13

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tEgZiA6fElJ_IxIrirjsuWh6.exe

Filesize
585KB

MD5
6d33ed8234fa05857cd4cd7ffbad4086

SHA1
643f5175b9e89f153a5fa8772603d0883cff9030

SHA256
4aff6f753361faf1f93bf5cf4b12684940e42626034e197e8c3a84ae37c2a6bb

SHA512
0083c09e0c9d03f3d8bed4b7bcab829e1a00690130de744ea52b4b3488e6c1e4344678c6f2e7ffd36b69cc4d1267cfe99140932b1545f7dc825f76ab0c74a34b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tYFyS8YqxXMRw6_befi1lsGH.exe

Filesize
234KB

MD5
61867a71161ae87b02413bad06e53446

SHA1
eb375d9b4b9089457e0b480f12d977ceb1655b07

SHA256
c5cd4932ea8f02c3f8af95ab80eb1612329a657b6c1ed35982e3310e4ebd7b03

SHA512
43e7cfb44fd61e9182fddeab13add5cd6e6cb8ce3e5c7a728daecdf2bb6bc3f157c7c1ab666ae3bf5fb191341b5b43f9e3a4a9d98936b9881c4fc3c1b0be30bd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\u0nAOm1j598noyva0EWC443M.exe

Filesize
7.3MB

MD5
2137abd595893f37477636f00f1af9fd

SHA1
3a03fa85ca93a9998d5780941be8d97b74e53c7a

SHA256
3c9b5bd9d88b884fce5ca58cfa1c7269d5bb4e4baf01a7f67ba4b883e3fde5d6

SHA512
08822c4dcdd78f62ecbd1a828a448e5f7d847a0e75c448f59b88bb8591c059f5d666f7713aa3a6d2d295669c5c37bcd3417d4b3b5323cd9fc9af1cb70b351c4a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\xHafK2AJZfsDe4I3BBBZvXE0.exe

Filesize
1.1MB

MD5
3b3ee6b0630f8e798a08e8286ee1c5ff

SHA1
015c8b7ba76eb74cc86586856c6fa8da7b0cca37

SHA256
dc8c0ddd922c916fc7aa2c425f0a5a32abcf71f251d0cb813a9474af7df8be46

SHA512
670d12ec11affd134cb32967e949f0689573d8a8595301b7c6bf00f452b5cd9f12203306444810dae53e4827c2fa6407bd801e7ed072a6cf2fd99d4c7ff83f89

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/840-216-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-174-0x0000000005B30000-0x0000000005BCC000-memory.dmp

Filesize
624KB

Download
memory/840-172-0x0000000000E90000-0x0000000001240000-memory.dmp

Filesize
3.7MB

Download
memory/840-178-0x0000000005C40000-0x0000000005D54000-memory.dmp

Filesize
1.1MB

Download
memory/840-182-0x00000000035C0000-0x00000000035DC000-memory.dmp

Filesize
112KB

Download
memory/840-197-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-198-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-248-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-246-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-244-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-242-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-240-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-238-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-236-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-234-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-232-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-230-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-228-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-226-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-224-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-222-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-220-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-218-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-200-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-214-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-212-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-210-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-206-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-204-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-202-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/840-208-0x00000000035C0000-0x00000000035D5000-memory.dmp

Filesize
84KB

Download
memory/1220-179-0x00000000003A0000-0x0000000000D2F000-memory.dmp

Filesize
9.6MB

Download
memory/1220-192-0x00000000003A0000-0x0000000000D2F000-memory.dmp

Filesize
9.6MB

Download
memory/1220-173-0x00000000003A0000-0x0000000000D2F000-memory.dmp

Filesize
9.6MB

Download
memory/1220-193-0x00000000003A0000-0x0000000000D2F000-memory.dmp

Filesize
9.6MB

Download
memory/1220-180-0x00000000003A0000-0x0000000000D2F000-memory.dmp

Filesize
9.6MB

Download
memory/1220-195-0x00000000003A0000-0x0000000000D2F000-memory.dmp

Filesize
9.6MB

Download
memory/1608-696-0x0000000000D80000-0x0000000001311000-memory.dmp

Filesize
5.6MB

Download
memory/1608-671-0x0000000000D80000-0x0000000001311000-memory.dmp

Filesize
5.6MB

Download
memory/2244-629-0x0000000000800000-0x0000000000CC4000-memory.dmp

Filesize
4.8MB

Download
memory/2244-649-0x0000000000800000-0x0000000000CC4000-memory.dmp

Filesize
4.8MB

Download
memory/2520-650-0x00000000008B0000-0x0000000000D74000-memory.dmp

Filesize
4.8MB

Download
memory/3180-159-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3204-2-0x00007FF696F80000-0x00007FF6976A3000-memory.dmp

Filesize
7.1MB

Download
memory/3204-1-0x00007FF951B50000-0x00007FF951B52000-memory.dmp

Filesize
8KB

Download
memory/3204-13-0x00007FF696F80000-0x00007FF6976A3000-memory.dmp

Filesize
7.1MB

Download
memory/3204-113-0x00007FF6970E6000-0x00007FF6972CB000-memory.dmp

Filesize
1.9MB

Download
memory/3204-123-0x00007FF696F80000-0x00007FF6976A3000-memory.dmp

Filesize
7.1MB

Download
memory/3204-259-0x00007FF6970E6000-0x00007FF6972CB000-memory.dmp

Filesize
1.9MB

Download
memory/3204-0-0x00007FF6970E6000-0x00007FF6972CB000-memory.dmp

Filesize
1.9MB

Download
memory/3204-260-0x00007FF696F80000-0x00007FF6976A3000-memory.dmp

Filesize
7.1MB

Download
memory/3628-194-0x0000000005100000-0x0000000005252000-memory.dmp

Filesize
1.3MB

Download
memory/3628-175-0x0000000000150000-0x00000000006A8000-memory.dmp

Filesize
5.3MB

Download
memory/5092-624-0x0000000000830000-0x0000000000DC1000-memory.dmp

Filesize
5.6MB

Download
memory/5092-168-0x0000000000830000-0x0000000000DC1000-memory.dmp

Filesize
5.6MB

Download
memory/5260-489-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/5260-500-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/5260-511-0x0000000006150000-0x000000000616E000-memory.dmp

Filesize
120KB

Download
memory/5260-490-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/5260-488-0x0000000005430000-0x0000000005A58000-memory.dmp

Filesize
6.2MB

Download
memory/5260-481-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

Filesize
216KB

Download
memory/5480-438-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/5480-410-0x0000000005290000-0x00000000052CC000-memory.dmp

Filesize
240KB

Download
memory/5480-387-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5480-405-0x0000000005A30000-0x0000000005B3A000-memory.dmp

Filesize
1.0MB

Download
memory/5480-565-0x0000000006C10000-0x0000000006C60000-memory.dmp

Filesize
320KB

Download
memory/5480-412-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download
memory/5480-393-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/5480-406-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/5480-397-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/5480-400-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/5480-403-0x0000000006050000-0x0000000006668000-memory.dmp

Filesize
6.1MB

Download
memory/5556-392-0x0000000000400000-0x0000000000736000-memory.dmp

Filesize
3.2MB

Download
memory/5628-573-0x0000000009FC0000-0x000000000A4EC000-memory.dmp

Filesize
5.2MB

Download
memory/5628-436-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5628-571-0x00000000098C0000-0x0000000009A82000-memory.dmp

Filesize
1.8MB

Download
memory/5628-564-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

Filesize
120KB

Download
memory/5628-563-0x0000000008F40000-0x0000000008FB6000-memory.dmp

Filesize
472KB

Download
memory/5720-413-0x0000000000400000-0x0000000000736000-memory.dmp

Filesize
3.2MB

Download