ardamax | hxxps://gofile[.]io/d/myrNL2

Analysis

max time kernel
64s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/myrNL2

Score

10^/10

ardamax blackmoon gh0strat xworm banker discovery execution keylogger pyinstaller rat stealer trojan upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023579-1062.dat	family_ardamax

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/5588-312-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral1/memory/5812-352-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023654-1941.dat	family_xworm

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002360f-931.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
9616	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3880	DoomRat.exe
2616	DoomRat.exe

Loads dropped DLL 20 IoCs

pid	Process
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe
2616	DoomRat.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5588-312-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/5812-352-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x00070000000235df-799.dat	upx
behavioral1/files/0x000700000002363a-1055.dat	upx
behavioral1/files/0x0007000000023664-1167.dat	upx
behavioral1/files/0x0007000000023652-1097.dat	upx
behavioral1/files/0x0007000000023723-2007.dat	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
50	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000234b6-96.dat	pyinstaller

Program crash 7 IoCs

pid	pid_target	Process
11156	6220	WerFault.exe
7128	5448	WerFault.exe
10716	6576	WerFault.exe
7904	5768	WerFault.exe
7784	6576	WerFault.exe
10984	6220	WerFault.exe
9692	8092	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 13 IoCs

Modify Registry

T1112

pid	Process
10176	reg.exe
9296	reg.exe
5308	reg.exe
7888	reg.exe
9496	reg.exe
8016	reg.exe
7964	reg.exe
9288	reg.exe
5208	reg.exe
9464	reg.exe
748	reg.exe
9224	reg.exe
928	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 56112.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
408	msedge.exe
408	msedge.exe
624	identity_helper.exe
624	identity_helper.exe
3620	msedge.exe
3620	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 436	408	msedge.exe	82
PID 408 wrote to memory of 436	408	msedge.exe	82
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 812	408	msedge.exe	83
PID 408 wrote to memory of 4284	408	msedge.exe	84
PID 408 wrote to memory of 4284	408	msedge.exe	84
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85
PID 408 wrote to memory of 5020	408	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/myrNL2
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd171146f8,0x7ffd17114708,0x7ffd17114718
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,16363852562680732308,7889080043305562229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Users\Admin\Downloads\DoomRat.exe
  "C:\Users\Admin\Downloads\DoomRat.exe"
  2⤵
  - Executes dropped EXE
  PID:3880
- - C:\Users\Admin\Downloads\DoomRat.exe
    "C:\Users\Admin\Downloads\DoomRat.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5176
  - - C:\Users\Admin\Downloads\240919-txg37ayarb2024-09-19_b096df5d5d6776011b19491e29a31f9e_icedid.exe
      C:\Users\Admin\Downloads\240919-txg37ayarb2024-09-19_b096df5d5d6776011b19491e29a31f9e_icedid.exe
      4⤵
      PID:5480
  - - C:\Users\Admin\Downloads\240919-twl1raydrmd13d413871ac4771735570a2320a26598afe2e74dc24e82a2912e7bbd6185b84N.exe
      C:\Users\Admin\Downloads\240919-twl1raydrmd13d413871ac4771735570a2320a26598afe2e74dc24e82a2912e7bbd6185b84N.exe
      4⤵
      PID:5492
  - - C:\Users\Admin\Downloads\240919-tv9enayala5b676d02b10c730a0a2962ab67729344bb24dc2262c72c43937a9e2513235f34N.exe
      C:\Users\Admin\Downloads\240919-tv9enayala5b676d02b10c730a0a2962ab67729344bb24dc2262c72c43937a9e2513235f34N.exe
      4⤵
      PID:5512
    - - \??\c:\rfrxllr.exe
        
        c:\rfrxllr.exe
        5⤵
        
        PID:5588
  - - C:\Users\Admin\Downloads\240919-trc72sybpnebb6e129de348b668ddaf43bf92979bc_JaffaCakes118.exe
      C:\Users\Admin\Downloads\240919-trc72sybpnebb6e129de348b668ddaf43bf92979bc_JaffaCakes118.exe
      4⤵
      PID:6088
  - - C:\Users\Admin\Downloads\240919-tjj1maxdlaCompanyDetails.exe
      C:\Users\Admin\Downloads\240919-tjj1maxdlaCompanyDetails.exe
      4⤵
      PID:9448
  - - C:\Users\Admin\Downloads\240919-tqqfzsybmm0e240e70aa7630a1035667c979202c410bdbca7ebc05c16cfce7b95906d07283N.exe
      C:\Users\Admin\Downloads\240919-tqqfzsybmm0e240e70aa7630a1035667c979202c410bdbca7ebc05c16cfce7b95906d07283N.exe
      4⤵
      PID:10304
    - - \??\c:\vvvpp.exe
        
        c:\vvvpp.exe
        5⤵
        
        PID:7688
  - - C:\Users\Admin\Downloads\240919-tfelqsxbqdd323537a77efb9ccd15ae5e0008764e079d1898f2986ed4934996723d7f56028N.exe
      C:\Users\Admin\Downloads\240919-tfelqsxbqdd323537a77efb9ccd15ae5e0008764e079d1898f2986ed4934996723d7f56028N.exe
      4⤵
      PID:11136
    - - C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        5⤵
        
        PID:9000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

C:\Windows\SysWOW64\Ooejohhq.exe
C:\Windows\system32\Ooejohhq.exe
1⤵
PID:5860

C:\Users\Admin\Downloads\240919-tpvdjsxfrd3d3efe6eff9631fce01812ac06a3ccb7f78a5a3ddf1a60e00b83a9b9ac0703ffN.exe
C:\Users\Admin\Downloads\240919-tpvdjsxfrd3d3efe6eff9631fce01812ac06a3ccb7f78a5a3ddf1a60e00b83a9b9ac0703ffN.exe
1⤵
PID:7312

C:\Windows\System32\HWRcbCr.exe
C:\Windows\System32\HWRcbCr.exe
1⤵
PID:5628

C:\Windows\SysWOW64\Nlmdbh32.exe
C:\Windows\system32\Nlmdbh32.exe
1⤵
PID:6784
- C:\Windows\SysWOW64\Gpgind32.exe
  C:\Windows\system32\Gpgind32.exe
  2⤵
  PID:7584

C:\Windows\SysWOW64\Nlmdbh32.exe
C:\Windows\system32\Nlmdbh32.exe
1⤵
PID:6836

C:\Windows\SysWOW64\Njpdnedf.exe
C:\Windows\system32\Njpdnedf.exe
1⤵
PID:6704
- C:\Windows\SysWOW64\Gflhoo32.exe
  C:\Windows\system32\Gflhoo32.exe
  2⤵
  PID:8496

C:\Windows\SysWOW64\Njpdnedf.exe
C:\Windows\system32\Njpdnedf.exe
1⤵
PID:7088
- C:\Windows\SysWOW64\Aafemk32.exe
  C:\Windows\system32\Aafemk32.exe
  2⤵
  PID:9524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Setup.exe
1⤵
PID:5892

C:\Windows\SysWOW64\Nmnqjp32.exe
C:\Windows\system32\Nmnqjp32.exe
1⤵
PID:5944
- C:\Windows\SysWOW64\Gbchdp32.exe
  C:\Windows\system32\Gbchdp32.exe
  2⤵
  PID:6920
- - C:\Windows\SysWOW64\Nfaemp32.exe
    C:\Windows\system32\Nfaemp32.exe
    3⤵
    PID:4876

C:\Windows\SysWOW64\Najmjokc.exe
C:\Windows\system32\Najmjokc.exe
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8396 -ip 8396
1⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:928

C:\Windows\SysWOW64\Oacoqnci.exe
C:\Windows\system32\Oacoqnci.exe
1⤵
PID:7588
- C:\Windows\SysWOW64\Geaepk32.exe
  C:\Windows\system32\Geaepk32.exe
  2⤵
  PID:5736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:7888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSIwEEYI.bat" "C:\Users\Admin\Downloads\240919-tvycdsydpj2024-09-19_43afb202dbb0e27d4a1153918200d70a_virlock.exe""
1⤵
PID:7776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:9224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyQAIgEg.bat" "C:\Users\Admin\Downloads\240919-tvh8gaxhre2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe""
1⤵
PID:9240

\??\c:\bnhbnn.exe
c:\bnhbnn.exe
1⤵
PID:9260
- \??\c:\jjjdj.exe
  c:\jjjdj.exe
  2⤵
  PID:5376
- - \??\c:\3nttnt.exe
    c:\3nttnt.exe
    3⤵
    PID:5840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:9288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:9296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FegooEYA.bat" "C:\Users\Admin\Downloads\240919-tva7vsxhqg2024-09-19_25a1d0abb30163894729863cf4434732_virlock.exe""
1⤵
PID:9312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6220 -ip 6220
1⤵
PID:9416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:9464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:9496

C:\Windows\System32\IvZXvJn.exe
C:\Windows\System32\IvZXvJn.exe
1⤵
PID:9592

C:\Users\Admin\AppData\Local\173e05a9\X
*0*47*d5b711d9*31.193.3.240:53
1⤵
PID:9700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5768 -ip 5768
1⤵
PID:9796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9144 -ip 9144
1⤵
PID:9568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5448 -ip 5448
1⤵
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8284 -ip 8284
1⤵
PID:9812

C:\Windows\System32\XISrmKG.exe
C:\Windows\System32\XISrmKG.exe
1⤵
PID:9860

C:\Windows\System32\sdQZhHr.exe
C:\Windows\System32\sdQZhHr.exe
1⤵
PID:9904

C:\Windows\SysWOW64\Fimhjl32.exe
C:\Windows\system32\Fimhjl32.exe
1⤵
PID:10060
- C:\Windows\SysWOW64\Lcgpni32.exe
  C:\Windows\system32\Lcgpni32.exe
  2⤵
  PID:10896

C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\system32\Fpgpgfmh.exe
1⤵
PID:10108
- C:\Windows\SysWOW64\Jniood32.exe
  C:\Windows\system32\Jniood32.exe
  2⤵
  PID:10496
- - C:\Windows\SysWOW64\Lfjfecno.exe
    C:\Windows\system32\Lfjfecno.exe
    3⤵
    PID:11100

C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\system32\Fpgpgfmh.exe
1⤵
PID:10124

C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\system32\Fpgpgfmh.exe
1⤵
PID:10144

C:\Windows\SysWOW64\Flkdfh32.exe
C:\Windows\system32\Flkdfh32.exe
1⤵
PID:10232

C:\Windows\SysWOW64\Flkdfh32.exe
C:\Windows\system32\Flkdfh32.exe
1⤵
PID:3724

C:\backup.exe
\backup.exe \
1⤵
PID:3672
- C:\PerfLogs\backup.exe
  C:\PerfLogs\backup.exe C:\PerfLogs\
  2⤵
  PID:11176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:10176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:7964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:8016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsYMMoUE.bat" "C:\Users\Admin\Downloads\240919-tt7vfaxhqc2024-09-19_1e57dcd7cf9b7d3a215e26a01a84dc00_virlock.exe""
1⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2008_S~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2008_S~2.EXE
1⤵
PID:6108

C:\Users\Admin\Downloads\240919-tg8wzaxcngf8d131fc17ec2f349ab35272c33c980b82fe7f254e4e1de6a3254c9243fd4195N.exe
C:\Users\Admin\Downloads\240919-tg8wzaxcngf8d131fc17ec2f349ab35272c33c980b82fe7f254e4e1de6a3254c9243fd4195N.exe
1⤵
PID:7812

C:\Windows\SysWOW64\Glgcbf32.exe
C:\Windows\system32\Glgcbf32.exe
1⤵
PID:6012

C:\Windows\SysWOW64\Gpbpbecj.exe
C:\Windows\system32\Gpbpbecj.exe
1⤵
PID:8328

C:\Windows\SysWOW64\Gmfplibd.exe
C:\Windows\system32\Gmfplibd.exe
1⤵
PID:8888

C:\Windows\SysWOW64\Glipgf32.exe
C:\Windows\system32\Glipgf32.exe
1⤵
PID:9152
- C:\Windows\SysWOW64\Nfaemp32.exe
  C:\Windows\system32\Nfaemp32.exe
  2⤵
  PID:6804

C:\Windows\SysWOW64\Gpelhd32.exe
C:\Windows\system32\Gpelhd32.exe
1⤵
PID:9192
- C:\Windows\SysWOW64\Nnfpinmi.exe
  C:\Windows\system32\Nnfpinmi.exe
  2⤵
  PID:6568

C:\Windows\SysWOW64\Gpelhd32.exe
C:\Windows\system32\Gpelhd32.exe
1⤵
PID:8080

C:\Windows\SysWOW64\Gmimai32.exe
C:\Windows\system32\Gmimai32.exe
1⤵
PID:1116
- C:\Windows\SysWOW64\Nfohgqlg.exe
  C:\Windows\system32\Nfohgqlg.exe
  2⤵
  PID:5348

C:\Windows\SysWOW64\Glkmmefl.exe
C:\Windows\system32\Glkmmefl.exe
1⤵
PID:5160
- C:\Windows\SysWOW64\Koodbl32.exe
  C:\Windows\system32\Koodbl32.exe
  2⤵
  PID:10524
- - C:\Windows\SysWOW64\Lggejg32.exe
    C:\Windows\system32\Lggejg32.exe
    3⤵
    PID:11044

C:\Windows\SysWOW64\Gflhoo32.exe
C:\Windows\system32\Gflhoo32.exe
1⤵
PID:7712
- C:\Windows\SysWOW64\Jllokajf.exe
  C:\Windows\system32\Jllokajf.exe
  2⤵
  PID:10588

C:\Windows\System32\cMKhKuU.exe
C:\Windows\System32\cMKhKuU.exe
1⤵
PID:5596

C:\Windows\SysWOW64\Hbhboolf.exe
C:\Windows\system32\Hbhboolf.exe
1⤵
PID:9424
- C:\Windows\SysWOW64\Jllokajf.exe
  C:\Windows\system32\Jllokajf.exe
  2⤵
  PID:10604
- - C:\Windows\SysWOW64\Nqmfdj32.exe
    C:\Windows\system32\Nqmfdj32.exe
    3⤵
    PID:9844

C:\Windows\SysWOW64\Hbhboolf.exe
C:\Windows\system32\Hbhboolf.exe
1⤵
PID:5212
- C:\Windows\SysWOW64\Jllokajf.exe
  C:\Windows\system32\Jllokajf.exe
  2⤵
  PID:10616
- - C:\Windows\SysWOW64\Ljeafb32.exe
    C:\Windows\system32\Ljeafb32.exe
    3⤵
    PID:11124
  - - C:\Windows\SysWOW64\Nceefd32.exe
      C:\Windows\system32\Nceefd32.exe
      4⤵
      PID:8704

C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
1⤵
PID:9492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6576 -ip 6576
1⤵
PID:552

C:\Windows\System32\DAtNYyT.exe
C:\Windows\System32\DAtNYyT.exe
1⤵
PID:6564

C:\Windows\SysWOW64\Igajal32.exe
C:\Windows\system32\Igajal32.exe
1⤵
PID:3972
- C:\Windows\SysWOW64\Ngndaccj.exe
  C:\Windows\system32\Ngndaccj.exe
  2⤵
  PID:6316

C:\Windows\SysWOW64\Iedjmioj.exe
C:\Windows\system32\Iedjmioj.exe
1⤵
PID:9736
- C:\Windows\SysWOW64\Njmqnobn.exe
  C:\Windows\system32\Njmqnobn.exe
  2⤵
  PID:5932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
1⤵
PID:7772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 292
1⤵
- Program crash
PID:9692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\Downloads\240919-twexfayalfInvoiceCformTT175102.exe
1⤵
PID:10336

C:\Users\Admin\AppData\Local\lustring\reindulgence.exe
C:\Users\Admin\Downloads\240919-tmwhtsyajnDHLSHIPPINGDOCSMAWB60733268616HAWBFRA27756732ADSBPO202422070.exe
1⤵
PID:10404
- C:\Windows\SysWOW64\svchost.exe
  C:\Users\Admin\Downloads\240919-tmwhtsyajnDHLSHIPPINGDOCSMAWB60733268616HAWBFRA27756732ADSBPO202422070.exe
  2⤵
  PID:7708

C:\Windows\System32\GSwGuzJ.exe
C:\Windows\System32\GSwGuzJ.exe
1⤵
PID:10448

C:\Windows\SysWOW64\Jlolpq32.exe
C:\Windows\system32\Jlolpq32.exe
1⤵
PID:10560
- C:\Windows\SysWOW64\Ljeafb32.exe
  C:\Windows\system32\Ljeafb32.exe
  2⤵
  PID:11108
- - C:\Windows\SysWOW64\Omnjojpo.exe
    C:\Windows\system32\Omnjojpo.exe
    3⤵
    PID:9376

C:\Program Files\SogouPinyinUp.exe
"C:\Program Files\SogouPinyinUp.exe"
1⤵
PID:10736

C:\Users\Admin\AppData\Local\Temp\3582-490\240919-tpkjcayaqlebb54cc68383349cb347b407cf86c16e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\240919-tpkjcayaqlebb54cc68383349cb347b407cf86c16e_JaffaCakes118.exe"
1⤵
PID:10752

C:\Windows\System32\xBeEsqB.exe
C:\Windows\System32\xBeEsqB.exe
1⤵
PID:10968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 1000
1⤵
- Program crash
PID:10984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 1000
1⤵
- Program crash
PID:11156

C:\Windows\SysWOW64\NSK.exe
"C:\Windows\system32\NSK.exe"
1⤵
PID:10008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 408
1⤵
- Program crash
PID:7784

C:\Windows\System32\WcYKDUM.exe
C:\Windows\System32\WcYKDUM.exe
1⤵
PID:8152

C:\Windows\System32\PYLLzNX.exe
C:\Windows\System32\PYLLzNX.exe
1⤵
PID:5228

C:\Windows\System32\FIkKPyH.exe
C:\Windows\System32\FIkKPyH.exe
1⤵
PID:8760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3724 -ip 3724
1⤵
PID:7744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 292
1⤵
- Program crash
PID:7904

C:\Windows\System32\IbaySXA.exe
C:\Windows\System32\IbaySXA.exe
1⤵
PID:7944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8396 -ip 8396
1⤵
PID:10376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 264
1⤵
- Program crash
PID:7128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 10232 -ip 10232
1⤵
PID:8636

C:\Windows\System32\RtptaxF.exe
C:\Windows\System32\RtptaxF.exe
1⤵
PID:10148

C:\Windows\System32\eZpyMsV.exe
C:\Windows\System32\eZpyMsV.exe
1⤵
PID:11056

C:\Windows\System32\oIaoeiB.exe
C:\Windows\System32\oIaoeiB.exe
1⤵
PID:11076

C:\Windows\System32\rIAxGMv.exe
C:\Windows\System32\rIAxGMv.exe
1⤵
PID:11096

C:\Windows\System32\JNLKjKD.exe
C:\Windows\System32\JNLKjKD.exe
1⤵
PID:8428

C:\Windows\System32\BnGhjUP.exe
C:\Windows\System32\BnGhjUP.exe
1⤵
PID:7732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 8284 -ip 8284
1⤵
PID:10256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 408
1⤵
- Program crash
PID:10716

C:\Windows\System32\iqxEAEI.exe
C:\Windows\System32\iqxEAEI.exe
1⤵
PID:10728

C:\Windows\System32\BZmvTlx.exe
C:\Windows\System32\BZmvTlx.exe
1⤵
PID:8144

C:\Windows\System32\tbqevyl.exe
C:\Windows\System32\tbqevyl.exe
1⤵
PID:5392

C:\Windows\System32\nBJDWnQ.exe
C:\Windows\System32\nBJDWnQ.exe
1⤵
PID:9948

C:\Windows\System32\arEUxrh.exe
C:\Windows\System32\arEUxrh.exe
1⤵
PID:6152

C:\Windows\System32\jFNTNGL.exe
C:\Windows\System32\jFNTNGL.exe
1⤵
PID:11036

C:\Windows\System32\pSqTALo.exe
C:\Windows\System32\pSqTALo.exe
1⤵
PID:11216

C:\Windows\System32\PwytCjj.exe
C:\Windows\System32\PwytCjj.exe
1⤵
PID:11236

C:\Windows\System32\hVWuBCw.exe
C:\Windows\System32\hVWuBCw.exe
1⤵
PID:10196

C:\Windows\System32\yyeaAKd.exe
C:\Windows\System32\yyeaAKd.exe
1⤵
PID:6388

C:\Windows\System32\tUKNkeR.exe
C:\Windows\System32\tUKNkeR.exe
1⤵
PID:6968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
- Command and Scripting Interpreter: PowerShell
PID:9616

C:\Windows\System\EgOtHpZ.exe
C:\Windows\System\EgOtHpZ.exe
1⤵
PID:11600

C:\Windows\System32\XtJrWPl.exe
C:\Windows\System32\XtJrWPl.exe
1⤵
PID:12256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4772 -ip 4772
1⤵
PID:5672

C:\Windows\SysWOW64\Lebijnak.exe
C:\Windows\system32\Lebijnak.exe
1⤵
PID:2884

\??\c:\1lrfxxr.exe
c:\1lrfxxr.exe
1⤵
PID:6924

C:\Windows\SysWOW64\Mcoljagj.exe
C:\Windows\system32\Mcoljagj.exe
1⤵
PID:9688

C:\Windows\SysWOW64\Mablfnne.exe
C:\Windows\system32\Mablfnne.exe
1⤵
PID:10704

C:\Windows\SysWOW64\Njjmni32.exe
C:\Windows\system32\Njjmni32.exe
1⤵
PID:9132

C:\Windows\System\CwEYfck.exe
C:\Windows\System\CwEYfck.exe
1⤵
PID:2724

C:\Windows\SysWOW64\Nofefp32.exe
C:\Windows\system32\Nofefp32.exe
1⤵
PID:10256

C:\Windows\SysWOW64\Nimmifgo.exe
C:\Windows\system32\Nimmifgo.exe
1⤵
PID:11252

C:\Windows\System\ZSwYKoJ.exe
C:\Windows\System\ZSwYKoJ.exe
1⤵
PID:8944

C:\Windows\SysWOW64\Mjidgkog.exe
C:\Windows\system32\Mjidgkog.exe
1⤵
PID:1324

C:\Windows\System\gEPVNxt.exe
C:\Windows\System\gEPVNxt.exe
1⤵
PID:7664

C:\Windows\SysWOW64\Mfnhfm32.exe
C:\Windows\system32\Mfnhfm32.exe
1⤵
PID:7980

C:\Windows\SysWOW64\Nmhijd32.exe
C:\Windows\system32\Nmhijd32.exe
1⤵
PID:11088

C:\Users\Admin\Downloads\240919-tk6wsaxejcebb2ec031e8815109595b8b723591086_JaffaCakes118.exe
1⤵
PID:11884

C:\Users\Admin\Downloads\240919-tvycdsydpj2024-09-19_43afb202dbb0e27d4a1153918200d70a_virlock.exe
C:\Users\Admin\Downloads\240919-tvycdsydpj2024-09-19_43afb202dbb0e27d4a1153918200d70a_virlock
1⤵
PID:13868

C:\Windows\System\JTWlhbE.exe
C:\Windows\System\JTWlhbE.exe
1⤵
PID:9868

C:\Windows\System\BIAtDKi.exe
C:\Windows\System\BIAtDKi.exe
1⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
1⤵
PID:5812

C:\Windows\System\dpJlWlt.exe
C:\Windows\System\dpJlWlt.exe
1⤵
PID:12652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\275a1984-24de-4fc4-be56-a79d025657be.tmp

Filesize
10KB

MD5
4743f5a9c595b0e9d052995f1461e58a

SHA1
72e754784f0c50dbc6152344c3854eecffbdb9bf

SHA256
3b6092f86343d889caf4c1b156c9c2af4602cefcad9580ab39e8428f64e9a872

SHA512
8d4cceec29e8f0d42522acdbb27883b8b1e9d0c49d0c404b8bfd35a1ad7445597a52c609ed0fb81795807ef81541677468954dfd8c0ba85adecfc1be3398ef6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f6df004aad40ed6a5c881ebf248f6312

SHA1
233e709a3266055edc3ed018eb20326b760a9d51

SHA256
dfea81c49befa4904fb86f0d444014559564a9b2bd3904cc2b9f06b4315333cd

SHA512
60525baff4928ada7961b50c81a340a42cf0fad63c182f0cb503c7b2ed4d3714c94e1a1a3c09e2657d41fe6e1c7a5b59e1dd0040d65355d25bac49588aba0ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af998463e2371d8e400d6535045a23ae

SHA1
224e51458378112f96a082117bff99065d08e919

SHA256
8bc4d094e79e76e10f773b7014ba6a2572720bee0a5d85594e4e0bf9c9596f75

SHA512
e095dfa049c67d4ced8f25998b0b6932411769209f0f7283d570409c60aa1f37da70b74ffabc701cb51c71e394e651d9033015abee346d4209d403b15c20adf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21a23a6cfe141cbb6bae94fd45ccb77f

SHA1
126f7f992f987b137a5c100d712d3173ac22fbb6

SHA256
09891dd4632e3e3c7cdfdd1bb5d7abe3a20ce7a09a614982ce8499c4181909c9

SHA512
e05d8c8a4db188d72fe9c3f4fce8ab7478428fe376757c7b38a0d2b72cef5a8737742bc67877f87ed226475479b3bafc6267fb59f2dc7fd779e034d4ab43cf0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96089d1c5b0dec7fe3d1294724265655

SHA1
1bc6777744d9d20d76b2670c6c52691eb55dd925

SHA256
9862a981fdb4aa8bef9e0c61802199601dc465ffad34a9286527d0dd18d565b8

SHA512
1f0c5313111e7ccc0dfc98a1f897c9688d833fb94a4a1955dda520c29c4998bbe2c6a2871c30451feb9c2553091d0f56fc3ab2c91306e9141ab9d22cf7f74874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8adaa8e43d054d4bf263947bc7cf6a18

SHA1
1d5faa54d258630590146b1c4cfb18307055bc56

SHA256
337259b11fb2c4a2ac15eb71eb52a212b64c6163d1e4de47fc7efba8ca8ae8ae

SHA512
7744db70b31eb71a973804c68165c63a8de621cf081fd517d6ef92835980b0ffbc943145473fa972aa9cd1d052acd67b8dc9dca45379e49a62081cce2b1d9944

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\240919-tpkjcayaqlebb54cc68383349cb347b407cf86c16e_JaffaCakes118.exe

Filesize
52KB

MD5
3c5daa92b200992806dd0673d629e4bc

SHA1
cf29a14d69b90558b3fd0ced977ead9453ed1165

SHA256
ce3fca3f56fb0f478a466576d97d0d257d8c6a517b9be89f493c2a902beaf6a6

SHA512
13ea73879715f12aee71607b9331030c65812acd37eff56894ae3a1b763e2f0feaef6a09b63b5523f3a8b3d85572dcea703deb1b08aa18da435ae854b49b37e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FegooEYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\_ctypes.pyd

Filesize
122KB

MD5
c8afa1ebb28828e1115c110313d2a810

SHA1
1d0d28799a5dbe313b6f4ddfdb7986d2902fa97a

SHA256
8978972cf341ccd0edf8435d63909a739df7ef29ec7dd57ed5cab64b342891f0

SHA512
4d9f41bd23b62600d1eb097d1578ba656b5e13fd2f31ef74202aa511111969bb8cfc2a8e903de73bd6e63fadaa59b078714885b8c5b8ecc5c4128ff9d06c1e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
a58f3fbbbbb1ecb4260d626b07be2cda

SHA1
aed4398a71905952064fc5da1191f57846bbd2d6

SHA256
89dd6fbea61edb8f1c934b7e5e822b4ce9bea939ff585c83c197e06a1fd8311a

SHA512
7fd371818932384b014d219bb318fb86c1787f3a58a3f08e904b7bbe3486f7ad6bc3776b335c178658c87efd663b913a14fb16d1e52198801659e132fa830d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
adf9263b966cea234762c0782aba6e78

SHA1
e97047edecf92a0b654f7a25efd5484f13ded88f

SHA256
10cd6bf518350f93ab4643f701efdac851cdd7a26a0d8bcabfbb2bd273e1f529

SHA512
56c09d786f4ba401d4827da4148d96b140f28f647a03ac6ab94f64de9be4c75ecb8b583efad28aa0c51356978caa96f0cb9d56cc4883ff42c1ee7f736e481c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
28840d7d1ea0a873fb8f91c3e93d6108

SHA1
0856b3ceb5e300510b9791b031fffceaa78ee929

SHA256
d3fad206a52d9b1dd954c37a45e63e691ebc7bfe8af27a87553203fb445224ce

SHA512
93596ec710bd738fcbddf4db0f102f537355bbbaea347d2314d62064d5110cf1deb3ecb6d1e0922f019351acfe2d1c694684d0e62e22c004d5a20a6cae5c7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
586d46d392348ad2ee25404b9d005a4e

SHA1
4bece51a5daacf3c7dcff0edf34bcb813512027f

SHA256
2859fe2fe069e5f4300dd0106733750b1c8c67ee5d8788c4556b7d21c6da651d

SHA512
daad865dbb4ca7542d5bd50186ffa633a709bfe1cf79d0d98e738760634da49afef1c418357d9482dbe33fe995847e05f653b6e3bba00aa42badce47dd072115

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
221f63ee94e3ffb567d2342df588bebc

SHA1
4831d769ebe1f44bf4c1245ee319f1452d45f3cd

SHA256
fd7c5503aa81dea1de9baee318e6a53663f7a4634f42e116e83c6a0f36d11143

SHA512
3d36175eaa6dc035f2b26b5638e332408579aa461d663f1cf5a3e9df20e11a7cca982b80c9dcf35ba9a8bc4203ac2f64f5dc043b60a6f16720f4d4ce052096c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
6ee268f365dc48d407c337d1c7924b0c

SHA1
3eb808e972ae127c5cfcd787c473526a0caee699

SHA256
eb50cc53863c5a1c0b2fe805d9ecefef3f2dbd0e749a6cc142f89406f4ffdb10

SHA512
914da19994d7c9b1b02adb118d0b9cb2fdd5433ee448b15e21445ecfc30941045246b7c389a2d9c59fb6487bb00426579b054c946e52982516d09b095279c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
852904535068e569e2b157f3bca0c08f

SHA1
c79b4d109178f4ab8c19ab549286eee4edf6eddb

SHA256
202b77cd363fce7c09d9a59b5779f701767c8734cc17bbe8b9ece5a0619f2225

SHA512
3e814678c7aa0d3d3a637ce3048e3b472dbb01b2e2a5932e5b257aa76bf8de8117a38e2a352daff66939a73c1b971b302f5635ea1d826b8a3afa49f9b543a541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
cdfc83e189bda0ac9eab447671754e87

SHA1
cf597ee626366738d0ea1a1d8be245f26abbea72

SHA256
f4811f251c49c9ae75f9fe25890bacede852e4f1bfdc6685f49096253a43f007

SHA512
659ee46e210fcad6c778988a164ce3f69a137d05fb2699ff662540cbb281b38719017f1049d5189fafdae06c07a48d3d29dd98e11c1cae5d47768c243af37fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
c79ccd7c5b752b1289980b0be29804c4

SHA1
2054a8f9ebf739adfcfc23534759ae52901c189f

SHA256
8e910589f3f9a27ed6ce1d4f2d579b4ef99cfa80c0bf6f59b48ba6556e1578a0

SHA512
92de7aec7f91f6f4f7cc3dd575b11ea0f4fe516682ba2d05d605380a785597bc953b575cf0ff722980f0849a65d8c4a14c7717eeed8631a7aac0cb626d050e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
aa20afdb5cbf1041d355a4234c2c1d45

SHA1
811f508bd33e89bbd13e37623b6e2e9e88fdcd7c

SHA256
ef6657aac4aa97a57e034fd5baf4490706128ffafce7c285dc8736b1f7ee4d09

SHA512
06740552875ff2df234ec76f45cce3c66b7d5280a3d1b90874799780ff534437e5dffacf9e40bfddc301507d833235e25eab8119ac80d2587a43a80d4f0068b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
f8203547595aa86bfe2cf85e579de087

SHA1
ca31fc30201196931595ac90f87c53e736f64acf

SHA256
e2d698823ba78b85d221744f38d3f9e8acccd0eedbb62c13e7d0dff4a04bd2b1

SHA512
d0818ee6b1a775793305828ba59c6c0f721d3fe2fcaca5bbfe047f25a500243ab4486c368302636e1c3934becc88c8178606a29871fe019d68b932ad1be3ee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
0ccdef1404dbe551cd48604ff4252055

SHA1
38a8d492356dc2b1f1376bdeacab82d266a9d658

SHA256
4863006b0c2aa2a39dff2050b64fbbe448b3e28a239e9e58a9a6d32f5f5a3549

SHA512
0846489a418d2480e65f7bef4a564fe68fe554f4a603a6f372ddd03eed7ee6299649b61172a7a9ca9a9500a924c2642493cce1040fcd6601d5862c248c902e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
f1d0595773886d101e684e772118d1ef

SHA1
290276053a75cbeb794441965284b18311ab355d

SHA256
040e1572da9a980392184b1315f27ebcdaf07a0d94ddf49cbd0d499f7cdb099a

SHA512
db57f4ae78f7062cfe392d6829c5975be91d0062ff06725c45c06a74e04ade8bcaf709cfebeba8146fb4396206141aa49572968ea240aa1cba909e43985dc3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
3abf2eb0c597131b05ee5b8550a13079

SHA1
5197da49b5e975675d1b954febb3738d6141f0c8

SHA256
ff611cc2cb492c84748fa148eda80dec0cb23fc3b71828475ecea29597c26cd8

SHA512
656213a8785fe937c38c58f0f01f693dc10dff1192b232f00fb18aa32c05c76a95566a9148462ea39b39f1740a7fee1c9ac9a90c6810f38512b3103d18c89b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
83a0b483d37ed23c6e67896d91cea3f0

SHA1
6b5045ed8717c5b9f50e6a23643357c8c024abdb

SHA256
d7511eb9191a63eb293af941667aa2318fa6da79f06119b280e0b11e6b6b1d25

SHA512
dab0203fc26c0249b7a8882d41365d82690d908db359c3a6880f41a1c4eebde51ae084bd123864c32d8574cb0a22cfbc94bcd8e33b51f37f49575e2b9de93807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
8b0fe1a0ea86820020d2662873425bc4

SHA1
3c2292c34a2b53b29f62cc57838e087e98498012

SHA256
070d8827798ee2aa4c2dc70d7faef8ef680eca4c46ecc2dad3ce16380cab1f82

SHA512
0c29c8fae6c5a8de2f0047cbe66e0b2ae7c30cbeced6df1ea2e472ba123bf9e542d9e6cd8eb06b4f0cbe2e343b7929cf25bce1e79937076bf1d0480d91d2c9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
eaa2228507c1fbde1698256c01cd97b7

SHA1
c98936c79b769cf03e2163624b195c152324c88a

SHA256
4297033ef8061c797127f0382df24f69264dca5c14d4f5b6cd2bcca33e26c1f5

SHA512
8319949a1e1acca312dbe99dfd9eedd1b5e4a13946a6ff829d6792d72f0a3a618ce10140954c035a5390a5a6e3b8ae2f23513629007cd3b7a88d5fb6fd81d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e26a5e364a76bf00feaab920c535adbb

SHA1
411eaf1ca1d8f1aebcd816d93933561c927f2754

SHA256
b3c0356f64e583c8aca3b1284c6133540a8a12f94b74568fb78ddc36eac6ab15

SHA512
333e42eeea07a46db46f222e27429facaaf2ce8a433f0c39f5d5c72e67d894c813d3cf77880434f6373e0d8fffa3ef96d5f37e38dd4775491f3da2b569e9df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
82e58246846b6daf6ad4e4b208d322d4

SHA1
80f3b8460ab80d9abe54886417a6bc53fd9289fa

SHA256
f6eb755c146d0a0ebf59d24fb9e1e87dc0220b31b33c6acbc8bebaf31493c785

SHA512
e1a032846c6110758fbc8eb84dbd3d228e83b3200bf5820c67d9740f6f8c7e926e4c89b92e8d34721d84fd597ab64455fd3029138e35f22329af23f599afdadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
650c005113599fb8b0b2e0d357756ac7

SHA1
56791db00766dc400df477dcb4bd59c6fa509de6

SHA256
5f16a1131c8f00ebbe3c4b108bd772071a2d9b4ca01b669b8aeb3ffb43dabcda

SHA512
4bc54ad70b75f550e623311dc48ea0fd8ff71207f64127379fcd48027ee2458d27a2aaa454637b4f09d713cc9e1f2cc09bb6cd55b0c6b7ed25e52cb46827fff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
f6afbc523b86f27b93074bc04668d3f2

SHA1
6311708ab0f04cb82accc6c06ae6735a2c691c1d

SHA256
71c0c7c163d1a3d35e74f8d7299eb38ef7268af1fa276e9a3966761212c570f0

SHA512
9ab0c2d025525fe047e27769c3b2be7526ad0d0cbe76eb1e3a84dc2cff60ab3c4a218388892f600f7b3b003909ae133b0e7da19c9ba96b624fa8f5123c3a97cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
445571331c2fc8a153952a6980c1950a

SHA1
bea310d6243f2b25f2de8d8d69abaeb117cf2b82

SHA256
1dda55027f7d215442e11c88a82c95f312673b7e7454569e5c969c1c24047915

SHA512
853797dd50d0ad6018e7e7d11aefbca61653baa8c60b22fdd34133fce6bf6f02ed0c747457c2783e699e8e7097f14429286904267c13521ee9cb255d3ea79806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
5da5938e0d3a9024f42d55e1fd4c0cd7

SHA1
7e83fec64b4c4a96cfcae26ced9a48d4447f12b7

SHA256
0ea1cf78c0be94554ff7cd17a9c863c951c1e1eaa54191d7f2b0e043697c8d00

SHA512
9a302c664bfddf509c0489af24a238b15612802c7d6dccbbfb57b39691b80af79ed35cab31e84424a34e0de32179054277ca09a0457b90c72af195f8328c82dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
c1919eacf044d5c47cc2c83d3d9c9cd9

SHA1
0a80158c5999ea9f1c4ca11988456634d7491fcc

SHA256
9b82643497092524e0aed6cfbaf7467849cde82292313bbd745c61ed2fd32ea8

SHA512
ad2ccabbdc769cbeb3c0b4d8d647647c8f43d3c3f3c85ab638ce00665379f9a0f5bfc24fe25184003d180143c29da0c36c6d2c7ffeae68a81c27b90f69336cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
566232dabd645dcd37961d7ec8fde687

SHA1
88a7a8c777709ae4b6d47bed6678d0192eb3bc3f

SHA256
1290d332718c47961052ebc97a3a71db2c746a55c035a32b72e5ff00eb422f96

SHA512
e5d549c461859445006a4083763ce855adbb72cf9a0bcb8958daa99e20b1ca8a82dec12e1062787e2ae8aee94224b0c92171a4d99ed348b94eab921ede205220

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
0793ca01735f1d6a40dd6767e06dbb67

SHA1
6abea799a4a6e94d5a68fab51e79734751e940c5

SHA256
cdf7915f619a728fb64c257bfaa8257ee2353bf3c0b88214d5624931a1ac247b

SHA512
33f703cea3b6cef3fcbd973812635129ef204c2b1590ffe027dbd55ba35cbd481cf769de16634bd02acbdbd59e6af52cad0964d4d36327606c1948f38048703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
eeafb70f56cc0052435c2268021588e9

SHA1
89c89278c2ac4846ac7b8bd4177965e6f8f3a750

SHA256
b529fed3875c6f4eecf2d9c012bc0e27cb2d124c2dd1da155f8337b4cb002030

SHA512
ce211b79f4d0dc942dbe1544d7e26e8e6f2c116dce6bc678aede9cb2104771758c0bd670e1eca2d5a9a6728346d093f44459e9791317b215c6ff73e47d1203f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
17680cd553168e9126ca9d7437caecc7

SHA1
8acafcb5f01d3b01a7c48a3b91bdeeb8bf1cf841

SHA256
6438c683e376583f6368c582ce3caab274cf3f7d7320e7f6cda427ba338847ca

SHA512
146ae3230c213ffab4b2c7805374ccb5f53155266ba9213d8f22e073deef0bd733b9488c2091c3db037c1d1dfaa4bbfb90e2afd041a447603c25690681239ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
e9d4a1374a200a6e195e3c5ab42e6bbd

SHA1
c0c79309a6ab14592b91087bec0cc519979e5ebf

SHA256
612df2aaf3435c2be575581d1b2deddcef33f1b53179acff3e4ac24a0fcd3d50

SHA512
1de9d70036eb5211184b3b40f671608cf75b539f6fd36b812facdd9722927eb8e5c4c579db6a360003d06cc139f2ddbda8d19de17cb3a36fcfb53e462a9d7b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
10a42548fcf16732d354a6ed24f53ec5

SHA1
b6b28307c0cc79e0abef15ed25758947c1ccab85

SHA256
ca3e5b21f83d87a958ba7934c5e4d8e7939b2e9013fe2deaeba1f9088b4277bb

SHA512
ecebb5973ecf8f34115985ae24061c29a9d943592389a4e8f215df7408c770a1f7c6c8927d30403d5c43814a4b64ac622ec018be02532f88dbbca6d6208266ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
5d3da2f634470ab215345829c1518456

SHA1
fec712a88415e68925f63257d3a20ab496c2aac0

SHA256
d2ed53111a652fde26c08504803f76301fce2fba04f33a7f250b5b2569e4f240

SHA512
16079ce0bcc9816297f23c95573bd52da08b29b90da4855b4315b3fa98947b1b35ffd30760064144f3f5647c27e0c1bd3aba623d17364fff45c9b2fa598a2ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
c74e10b82c8e652efdec8e4d6ad6deaa

SHA1
bad903bb9f9ecfda83f0db58d4b281ea458a06bd

SHA256
d42b2d466a81e8e64d8132fad0f4df61d33875449ead8d4f76732b04f74bbce6

SHA512
5cc4b0d7e862fd32e8374501d1b8798e369b19dc483cdb568915b48a956e4f0a79b1d2c59322394128a330fea7c939161a7af1787b4dc5f250e74f8df8805f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\base_library.zip

Filesize
1.3MB

MD5
763d1a751c5d47212fbf0caea63f46f5

SHA1
845eaa1046a47b5cf376b3dbefcf7497af25f180

SHA256
378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7

SHA512
bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\python3.DLL

Filesize
66KB

MD5
8dbe9bbf7118f4862e02cd2aaf43f1ab

SHA1
935bc8c5cea4502d0facf0c49c5f2b9c138608ed

SHA256
29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db

SHA512
938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38802\ucrtbase.dll

Filesize
1.1MB

MD5
a9f5b06fae677c9eb5be8b37d5fb1cb9

SHA1
5c37b880a1479445dd583f85c58a8790584f595d

SHA256
4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52

SHA512
5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a

Download Submit
C:\Users\Admin\Downloads\240919-ta886awhpf4329601f529015b897fb24102ca67a4a8f0f2d45e35060b9c47927ee63b80f26N.exe

Filesize
1.9MB

MD5
d91d52675edd5a58889556bb243e2270

SHA1
707eb701aeddd2949e9fabe398507daf0896ff04

SHA256
4329601f529015b897fb24102ca67a4a8f0f2d45e35060b9c47927ee63b80f26

SHA512
283f9f80b8e4ff75f9caace198c14222bdb93410cfce1d9c3e51c30dc04fc14e2234e44de697931d98aa2c09a904b64d23b3a9e2a9cbdfc7a4d8f8ea605f4e27

Download Submit
C:\Users\Admin\Downloads\240919-tdwggaxargf2896b8b5d70f79db81ad413d35883fc814bfbdcc9e8c371e31222ed4b9d00ffN.exe

Filesize
654KB

MD5
80080d36027a44b78a71b54f59955740

SHA1
892f655e67dbacd0e2957aa9d408c9fc2e1c4510

SHA256
f2896b8b5d70f79db81ad413d35883fc814bfbdcc9e8c371e31222ed4b9d00ff

SHA512
02eccb476cd0e1341c5f1c262053d95efd3fe24122a9878363a80b315f4d401db337d151a20feb7be9d144ee50b3491ff33647afe8ba690c4a299c5ef4728938

Download Submit
C:\Users\Admin\Downloads\240919-tdya3axbjc2fd9bfc31a011e4e58de682924647da6391c6fae450bcc36f04e0d427fe15db0.exe

Filesize
51KB

MD5
f492a5ca0fb2abca6d4708ed45cdfeae

SHA1
66e5b08d0007399be744fa7f944f1835b995befc

SHA256
2fd9bfc31a011e4e58de682924647da6391c6fae450bcc36f04e0d427fe15db0

SHA512
1906af8dfa019640fb3d211e8a5b092d5d09141293ea6e106ad38513b87b1f11cd10f3b6465df182c0f71d9aeb19fd0836547cd777ffee61ea5fdb91bb17146f

Download Submit
C:\Users\Admin\Downloads\240919-tnamraxerf8ca3b4f4728c7d2c3582ab175d11b85a008cc097c821a445b96d21e152acfeb1N.exe

Filesize
1.5MB

MD5
9c32d1fa0428de9766dcb6408fd86fc0

SHA1
02e39902d4e69cc51dc9d078f9cacaadc02b734c

SHA256
8ca3b4f4728c7d2c3582ab175d11b85a008cc097c821a445b96d21e152acfeb1

SHA512
3b5510b1d313257b661d603e3c47eae0a8bc6022a218af954db403eb6c417ca3283a996013df6ccba3beb7a1ecb28c7fdde3f8390910711c622c8eed8d1d972c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 56112.crdownload

Filesize
12.1MB

MD5
26bce0f1183dab786991e1c581c9c2e0

SHA1
afda81fc27a20904605c75ab8107907301ba439e

SHA256
27438f8631781222a9a465766ed97fb8ba9830a42a29611c0e0a69ca500499af

SHA512
ad54bf0bb7b4389c4f5c66bc8e694a8e9d62b077d0245d6659f98475676c314790614b8c11d5741316d1ba883362dedc792459f287da98baf5cb7d6ef590eb73

Download Submit
C:\Users\Admin\Downloads\temp.zip

Filesize
34KB

MD5
66348576ab3aae1e79048a4db40cb762

SHA1
806b7505f8ea24bec3e98a8715314f1adf4c8b09

SHA256
5279667ea96565aaa77c09df079a20ca4505dae073f782b55e5d93462e79dcc4

SHA512
71b5b9de55877ff06c65e37de3b1eaa3b79c60e50005502441c056ae40c757f20d7549210674f4b5cd116bee7a67ffbf563917358e49a2f3b84332e6eab9b18d

Download Submit
C:\Users\Admin\cenut.exe

Filesize
320KB

MD5
5164a10d231b847eb53fc123d88207cd

SHA1
38867bbfd3d9662cf7f9c8a40339c8842b991162

SHA256
388ca9706d6d4a0e04a49090808adb35db6c7154c970f26c9a9c1d55413d1563

SHA512
a03584c9037840e3ba561727a06b4470e549bd00f34db7064a4a5a361fb1816eba0d899dda403144d949516dcec1d840e4a4df8c931f6899643a2285e6d7b74c

Download Submit
C:\Users\Admin\vaoevit.exe

Filesize
232KB

MD5
559f95cb897586bbad7fdb868bcace39

SHA1
cc322839616c267e46b5fa57a048e3f99638afa1

SHA256
845577d7fb97c5006fbf4eea8134e4fb0694306699fb67a03789e658bf7ee5dd

SHA512
64413310851dced08394b3654f5f24d9b7e3798ebf2c3fbee067dc278ba357dc111d814937f1377c372b0e744316670765f3ddc4c3149d90e2f34a711776a66b

Download Submit
C:\Users\Public\DeadXClient.exe

Filesize
35KB

MD5
f1976ea02bffaef5ac943c2abbb7426c

SHA1
deeee7d4f336d0ba898b5579720aaf630951a72f

SHA256
4353e37a3d60dd30beeec61a812a07ba6bfc174a18cdd5a95be98666db2f7cf6

SHA512
2b21c93ee09865a5c5f365cb945ebc2473a5b8ddce009302e8f03815d7784ad3a95d615678b3b49e272d235d10c03262f2ddaaec9de8a373c0487b7904bd7858

Download Submit
C:\Windows\SysWOW64\Fknajfhe.dll

Filesize
7KB

MD5
db0cd2ced75744d3eb2c803462ed9045

SHA1
b0b21e579428205b9194edeafbfee8338ef90b7b

SHA256
e322b7dfda6477f912da2cd42aed04a95d16a663fdace1d45edf4dbc4adeb3ae

SHA512
7672dfe30beb749001d4511582de83b72c8ab891de600de6f545077cbebd4fa4b6a8f522755ceb21896806397b0df763ec4ebb569e0ddda2a3e440e5a137866f

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
112KB

MD5
a5883f133a1d6878ae02916b781d7342

SHA1
c1c2095b21d5501b2c8512231bff1e39dfcfabc1

SHA256
eaf76ee40ff9ba45a3a4f39928a120c53c5bcf84c3b7faa1fe397f83883a7a99

SHA512
ca478b627a7aa6fda646ca2d54d612ce45f7c67519851f001d8b4c108bfc9175a55f4ebc53476ecd846b8ad39f830782161b68d8f1cf4bbc69e0bb8f7e8de1b4

Download Submit
C:\Windows\SysWOW64\Fohfbpgi.exe

Filesize
237KB

MD5
8be76cad3e702b6ba876f711e5de96f0

SHA1
cba58491b006e6dd55969ff7695dfeed197b472b

SHA256
f1c9125eac2a21b4fc3f29cb0bbdbfdac9ca0af2dcee2e1fdef267a0a21b9ee0

SHA512
5e716ac97f9bb8adf18b7f358ea21249e628132f7daea486c5196595aa56cf66e24572fc8725d9b49450c4a276300317b204675432aa1bd9bb5b5f92ef3155fa

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
89KB

MD5
121a71cb88429a1e1ebe6ce49765c1b7

SHA1
e4ede0b56a3a4205b0bab9433191535b7fd32b0c

SHA256
17f00795b6e2f6ff2784063924395912c6c1846b62be349534d60c4021d9c029

SHA512
9d6692dc50b0820970a3bdeeb943ca8a39f8a2a93c4cbb99c04b302fcefe0969392278fb30a7e8cb97997075a147bc6035b6ed3d291b8a1609b9a66c04aba3d2

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
96KB

MD5
4eb0a596695f78385c773b3236636b7f

SHA1
28f61344bec9d980c85e2e88821ab5fd5bdd4be4

SHA256
8b34749818430c1ef89119732ead19754826d9768e513d8df1a5953b58dc4971

SHA512
0945da0047396c9cfd3ec0a667c3e5303beb78246dbcaeabf0ef235d3eaa3d5744f825dcd6e63c50d32aecac02df5317ecc5f99f8c8938eae0c98833a9e41bc0

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
89KB

MD5
f42705a5bcccf71e1eba4a6c0db879d5

SHA1
e80f2eb17b0e6024717e9035cba7849125fa5f3b

SHA256
f2c3a51e57905b682030a7a198c4857142008a1255a152c7bda9323c14b8859e

SHA512
d4d783c784dd6ac537192169a91e356af9a4cdfa1bac33849d009648cb77513300eb752c99442701c3c6e8389acbf0127ab8194d10489d7870bbca1479c4dcec

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
89KB

MD5
79e46d4a360e64ec73b5b87d7ed232b6

SHA1
9e37d3bd2572b8c2ca2bceda80ccc683ad50ac99

SHA256
ac8a17b9aad999e8c1c22e8d6654adc3ced0658d8cf17c48884a456525bba0c1

SHA512
253048b5df84819f62a5c7d9f780faf0e63e4960c6f69c83ffe1ba28583a73a464b31efc874bc46629eb26d22bddae22d8c693da222626afcf5e29b2ee55bc68

Download Submit
C:\Windows\SysWOW64\NSK.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
320KB

MD5
0dfbdea05d059bbac964305a2930f167

SHA1
d2d5ec2608ce793353bb32f9d4e1df802dd08a02

SHA256
829135cc304627dc7a1b1c282e56533baeb994b73d01f45dd382396abef2040f

SHA512
32282565fe74a0170420d9d281df3a1024def3bc2b352f442a28ec4320eca269f751bff90d6df1fb3ab1b337234d615c4d49bf5a7b027ec757ddc084a5a71f69

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
96KB

MD5
f379b7cf127617c86a02c9ac8c1c05dc

SHA1
b50ccded21b1af01af585b0edeacb4f6bf6af131

SHA256
1b509c95c6f0d62e9277bfa8c6271aa0e3e8c3784c60d7639ef675e318045a89

SHA512
27142ebb317e1a53e5eb681966c3b7a7657f71c6908259c02570ee0a81e0f8ba8af9e80bd592633b5ac24a0bfe7164f1c3fd3975bba698a56a6989d271180f06

Download Submit
C:\Windows\SysWOW64\ntos.exe

Filesize
215KB

MD5
7e979c8ef84d8c82114e69e6d69de99b

SHA1
72e584b1f594d18308f7bea3c64b59e88af70db2

SHA256
d0bc6e03ea73519270cc32fb6d7d24bc45073acdc2690a334262fa97871ffb2c

SHA512
c391d936cba82efc864a2b44ce9fc5318bd69192368ae3629cbb7deea86ae8b851df02fb952bd8079d5825c6677fa0e5e1f0461066a86239925b731481d3ce64

Download Submit
C:\Windows\System\yNvRkRN.exe

Filesize
448KB

MD5
2264ad6cf2c3feda241e32c18cc63613

SHA1
6cf1d5079287ae747430510102276a5d8553f195

SHA256
aab1acd918f567ff34b418fd2971ffb7ad7f9284ea4d62c517c015f2e4f1d70f

SHA512
51d3f07b3e2d80ac627998a5fc071e41f8cd34e52e9d27ee547393019213fb2b53ce77d281d07d4df20e449416034194d3a784391c6fc788a552c1cba010098f

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
206KB

MD5
00ccada1d1e9669ed3a047bc8b23f13d

SHA1
1e7b6b472a395a17de4bc25caab0c463aca0465c

SHA256
3e3f132663a16f38ae4533ca1f382d24f5c825af305484fefdf0fbd6f4f84b3a

SHA512
bdc79d239b4a0215c1e1d875896e8940974b482b6a42492c52e04085eb82ea5a9968b3ef47489c171365b6a5127c4348c1c46445d4e9d423b151a51f97bddd42

Download Submit
C:\backup.exe

Filesize
450KB

MD5
4099817cc48d83ba50d1a54133966839

SHA1
6f375dadbda29f52253acdc3ff715f12b6810e7c

SHA256
0645205f7bb8428c1a4dfcbb4847cb0b93a3afad9530f6fe7926cc3938502868

SHA512
70bbd2408a635e4b1f48e0de1a489ef63ea3ec40a8f176f3b4bf3685b861c0c3e360dafb7c9d269ae21c15ed7cfa1259fce24d43f183b613f584f43de882cbb0

Download Submit
C:\bhbbtt.exe

Filesize
115KB

MD5
45b37fffff1b32453bedc1603a76d846

SHA1
ef33dfb7c626f2c4f3ea7f7388ea0b24a81041a0

SHA256
fef2a94c8c684413911be149edde06a383ec878d7e0b54d9b261569c1a13403a

SHA512
18bf9b255ae5733b316e51ae481a226febb6271d1ee1cdb6764c0e95b7723b3c31714e37ec0b5d1da537ed8b0af2edc8e48c1777afbaa33189f6c2c442aaa572

Download Submit
memory/600-940-0x0000000010360000-0x0000000010385000-memory.dmp

Filesize
148KB

Download
memory/5252-907-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5492-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5512-259-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5588-312-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5724-448-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5812-352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5916-906-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7032-910-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/7524-753-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/8248-919-0x00000000007B0000-0x000000000086C000-memory.dmp

Filesize
752KB

Download
memory/8836-915-0x00000000005B0000-0x0000000000648000-memory.dmp

Filesize
608KB

Download