Overview

overview

10

Static

static

3

QuarkPC.exe

windows11-21h2-x64

10

$APPDATA/P...gs.vbs

windows11-21h2-x64

3

$APPDATA/P...ns.ps1

windows11-21h2-x64

3

$APPDATA/P...te.dll

windows11-21h2-x64

3

$LOCALAPPD..._R.exe

windows11-21h2-x64

5

$LOCALAPPD...32.exe

windows11-21h2-x64

3

$PLUGINSDI...ns.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...ec.dll

windows11-21h2-x64

3

$WINDIR/Text.ps1

windows11-21h2-x64

3

QuarkPC.exe

windows11-21h2-x64

4

Resubmissions

31/03/2025, 15:25

250331-st3p2svps7 10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags

    arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31/03/2025, 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QuarkPC.exe

  • Size

    234.0MB

  • MD5

    2668f14280f019ff282536aab3269571

  • SHA1

    177c5d0d1a90233514c10e8c2a91503fb4390b40

  • SHA256

    82f016b7f71f4eb3e5dc93f1dbc8d44f2fca707107e5e86b64de356ffc92ca6b

  • SHA512

    741d52eaa9c6077819c03ea2736751c2a2966089d82dc5e013d79f8f798510c2aa989c0004c95193e0151ecef906ca47d19523f4ee58efacc5cac17db1b0bfa4

  • SSDEEP

    6291456:fuum0tMgaGIOvFH/nF6jxaUsDg9SxsaXnLLgBfNShzbFNsmOLXYfyX:2umADahSp/FIamQx93PglkzBNsmOTL

Score
10/10
valleyrat_s2backdoordiscoveryexecution

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

103.192.179.40:9091

103.192.179.40:9092

103.192.179.40:9093
Attributes
  • campaign_date

    2025. 3.28

Signatures

  • ValleyRat

    ValleyRat stage2 is a backdoor written in C++.

    backdoorvalleyrat_s2
  • Valleyrat_s2 family
    valleyrat_s2
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Invoke Powershell command.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates processes with tasklist 1 TTPs 9 IoCs
    discovery
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 9 IoCs
    defense_evasion
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuarkPC.exe
    "C:\Users\Admin\AppData\Local\Temp\QuarkPC.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -ExclusionPath C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5084
    • C:\Windows\SysWOW64\wscript.exe
      wscript //B "C:\Users\Admin\AppData\Roaming\Promotions\Logs.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Promotions\Promotions.ps1"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:6020
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0gqppxl2\0gqppxl2.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5832
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFD3.tmp" "c:\Users\Admin\AppData\Local\Temp\0gqppxl2\CSC689376D3A51B45F8B25779B36CCC2045.TMP"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3560
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /B /c "C:\Users\Admin\AppData\Local\Temp\monitor.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:568
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5620
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3752
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3468
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5376
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3628
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3128
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:692
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3848
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:5272
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1792
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1332
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2272
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4260
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5048
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2356
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4980
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5068
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4504
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:540
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4948
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5280
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4272
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3204
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 6020"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4804
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "6020"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3160
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3284
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:856
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5784
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c more "C:\Windows\Text" > "C:\Windows\win.ini:Config"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\more.com
        more "C:\Windows\Text"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2768
    • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
      "C:\Users\Admin\AppData\Local\SGuardSvc32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\edpnotify.exe
        C:\Windows\SysWOW64\edpnotify.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5152
    • C:\Users\Admin\AppData\Local\Protected_R.exe
      "C:\Users\Admin\AppData\Local\Protected_R.exe"
      2⤵
      • Executes dropped EXE
      PID:6072
  • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
    C:\Users\Admin\AppData\Local\SGuardSvc32.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\edpnotify.exe
      C:\Windows\SysWOW64\edpnotify.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5624
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Minimized -c "& {$config=Get-Content -Path 'C:\Windows\win.ini:Config'; Invoke-Command -ScriptBlock([scriptblock]::Create($config)) }"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojajdhhc\ojajdhhc.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:488
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3C8.tmp" "c:\Users\Admin\AppData\Local\Temp\ojajdhhc\CSC2B5DBF7D6F4145BE9B9EC61ED408DEA.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2240
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dppcksyk\dppcksyk.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5984
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC5.tmp" "c:\Users\Admin\AppData\Local\Temp\dppcksyk\CSCA687BD17EA844DA1B448E149563342D.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    60KB

    MD5

    76b52ccdb5682f80e9830a765e4f9604

    SHA1

    e0f063114a8463b5a6f44858738a7ffdc2fe9061

    SHA256

    2428d24df851b6e7b5cfa7a1d76e19e0f853ae0f63d95675d1e6d2f73685ee7e

    SHA512

    af544fcaf4702a619aeaa1534069fcfd82afd74402d6a58318ebd949ee47d55fc0043aa87a499864174e5cda1b47bd0ba0f90d441f974de1c50840b21a8fefad

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    bb27d0e9c7868fdb8e0880a6407ac61b

    SHA1

    a15730b4cb6503cf8652688945831fd95fb3853b

    SHA256

    93124128b8d9a72722ee5eaf57033463b91a214af542439d648ab6ffe0220ef1

    SHA512

    5f69c6934575c609048eaa6dfbf650fb3c442f7b8b83f6e968fd39d9ea0256a78df98c24f7b40f1f6c1318e913a5b206ed6c2846b3662ff4e63eb8c851b4ab6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    6946485e1acbb6ebc9591fbeda54c011

    SHA1

    aedc8c211893ec109dcd7d1a0f71725c2f26b40b

    SHA256

    d4391af9569ee7d20d0f6b5e75afe2d831e8b92e9c1eb7e5210269c0a1d65b21

    SHA512

    8c634b0efe14cbb716c1215c53cfcac6c285b859b1c9da5c7973403af8503e358baade78fc1fe65d8e568f6ef30186ab6197f361d554314b44b519de8bcbf7a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    20KB

    MD5

    f2c28dd25c58e00eb10830a982b7aee8

    SHA1

    fb78645726ba179a8e262bb661b164e9cead164e

    SHA256

    8addb21b28a29ee5dd05856b9a34c399c27ecc8075ff3c5c5bd55219a45731c7

    SHA512

    ff919c3eb69f7590e4d190fb677ef53b173cfeb53637963300df5d19e91cc4b6b5b48fdfbce025b3b1303ebfb8519587077578b9a9789b61872ea2c5890a746d

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected.ini
    Filesize

    207KB

    MD5

    ec52fa862a056975e93d2acf7889cfcf

    SHA1

    cc973fc28c8deb59a3c79375e1d247761356874c

    SHA256

    6489e9e620d90228b431544d990a99d1c94ab7f8e68b2daae5e396cf1759bfec

    SHA512

    8e68f6338ddff7abae22d568fbb6a4dc9d4a30e11b1c4d47a3b06496036a3b0437576d681b801114734a53bfcaea48cdd789061ca7d44a0a4fd71384da765a71

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected.json
    Filesize

    194KB

    MD5

    f5088d8e9f74af65dfce439c91ce5fda

    SHA1

    a5b87c273bdf258e746e6e21789e3033cd3eecfb

    SHA256

    459b001e277302d93177a59500f1fa99af2c02354ff296612406055ec62df45f

    SHA512

    f33751016a8ebc961ca979885212f8a7b47ebc8d6b610274f38e06908341ec38393f6b1eac6df412f45b66014254a73b53775ed19f929a7d3b38a62cc8a24f45

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected_R.exe
    Filesize

    2.2MB

    MD5

    c2aa84ef33aed92c14425baa7569b01f

    SHA1

    39e8f13321d4dc528561d0be8f0c21de2166a812

    SHA256

    6a13d71314131a8b92c294b0a658b97de63bb8ab9fb058ae8f60914e9a4ed6f9

    SHA512

    fa806f12fb714ad391d4aa62339edbfbf7b2a765fb9e6091b0bc9f434662fc02cfd6fc99a8dfaee6a014c6412fbe0cf02c3b96bf5e5cf4efa9f0e2390b91e068

    Download Submit

  • C:\Users\Admin\AppData\Local\R.aps
    Filesize

    135KB

    MD5

    95cbb97ee66652931b6856c39431f87d

    SHA1

    7760af0c206c241c502cf5ba79033805a0b827cf

    SHA256

    fb50ccdad8e7b50652b21efba5702fc38fa8c16f59ceb7bd95116f736c1b4b71

    SHA512

    880f13ceaf6065d9871a999a11a9653e56ccabf7fac060e74147dd7bc67a75399dd8f4ce7d16cb70b60955a4d07a0b77792bf90d96c46d19a178d900df9c8a70

    Download Submit

  • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
    Filesize

    725KB

    MD5

    923b08492146a6a3b8bd269eb25f6372

    SHA1

    e263b5265abeae655f0ef5000196dbb80c6eca9b

    SHA256

    2fdf2af92b069e06d9cb1d9713a6e34b7223a60214d17bf3f8ee0a4d6c9a4480

    SHA512

    6f51bfd0d5b195e218231470b4bc8d4700c804252d1af48dde13a2f298e15ff725bb0641fdc868dcaef381bd805b4a7a9433ed695198001c21eafd93c9d5867f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\0gqppxl2\0gqppxl2.dll
    Filesize

    3KB

    MD5

    a4c3e637da80148521cd71ac9fad3a2f

    SHA1

    92332ddb49487d0f8f1cde3a44faf9959774906d

    SHA256

    2725f6c6345661c3ee1ef49dcbd1c3b87206e432e36d85d10e22e1df629319cd

    SHA512

    db2abace0d0e60dd0fb2dc13bc6b1a9c8a313826647b09461fbddf3ce862b8f9b9c1d30bdc540519d3508b83dbf7c01d471eedab61ef6aa4f89a37a514f3a3cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESCEC5.tmp
    Filesize

    1KB

    MD5

    30de6d4f3664fc5e491c84bdd98e0cbe

    SHA1

    33fb2184818a08c60416514d434cd24583d1c44a

    SHA256

    84bc396c7e03f9e0d564830252e0de3080f52e47c17550b1c6ce5624d4f2803d

    SHA512

    1c7446ef138ebcbdb7d0ebb1fa5a3e82fad2d60e9939565a7cde5bfa5f5a47609573bde901b02a4fe4898e8d510ac98626af093be89a1cfc7038243f5f37f6d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESCFD3.tmp
    Filesize

    1KB

    MD5

    f221826b60a052e33a68d991a34427ad

    SHA1

    f596bf302a9753c044a0b56e0aad186a0ae38431

    SHA256

    f77f71c362ad412ce29af27695a32c25f79d5382f33bbefce0b233eb6a714560

    SHA512

    eb92c1de0bbca2721d3e39b3066e6fed3c9a972f3376f1703e10abc1b029534d15c0ec0184ffe881ad0fb1a095cafbfd28c3594be0d82cb8e8725d23c9a59701

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESE3C8.tmp
    Filesize

    1KB

    MD5

    d5705d6bd01224b6dcabebe2111b8c77

    SHA1

    3e6a09e9141e3380a3eb97d6b74499ea9acc5c94

    SHA256

    eb4e21ebba70b6aa12bd457bb5b5849216c99ee96f76e2b468f43801a4efd745

    SHA512

    3e4f492c435a133a651ac32e770b8b39ac820c5d0e7f6787848e1b89af81352022cf5da563855b9cfc75dbd4586d18e4ddc6afadb69d529fb1533ed98c6dc9e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtp5xcco.zzi.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dppcksyk\dppcksyk.dll
    Filesize

    3KB

    MD5

    15b557c0278ff5d33e0ed881add4d584

    SHA1

    19f5a49d7922ce6e210a4c6424af89186ccfe374

    SHA256

    2a87625a6557af1851c9a9b5f48fc6fb4e66f7e5c265f598199bc9f4f0d43abb

    SHA512

    6830a5d0bc4263905157d1901fa8344fecddd14d620980216208d0cfae720eb30581de1702b8fcc274163312e46da422fd00be50ea71e18727da3d402bbcd4c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\monitor.bat
    Filesize

    309B

    MD5

    ac2862bdc6ef8ab287d3af402e2f8c95

    SHA1

    d858360125c1bd7c55e3c5d26f59c9128219ba61

    SHA256

    2658f2c9a046f775c51de40db794abfe4c8b00ccda48b02920ef2b1fd41539d8

    SHA512

    aea3e8de3d61681dd633883979b0917271072973b6e3bdc5981d6abc995b675c7145d60ae77dff65096336c84dbb21435b0adf0fc164bdd84afef47553388e20

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg881D.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    d095b082b7c5ba4665d40d9c5042af6d

    SHA1

    2220277304af105ca6c56219f56f04e894b28d27

    SHA256

    b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

    SHA512

    61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg881D.tmp\System.dll
    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg881D.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    bd2e66410969148ce501efd72d0dd00b

    SHA1

    87cb7cf4bb5905854ac27bad13cb425e27165f27

    SHA256

    786281a15230d43a718a11b02ab29ccd6876b778f32bc7e727d35c911735c094

    SHA512

    73bb6a980ea2b6a76f1e75859526f0441426d36dd1de844d1845e7b4499710fed7768080734c0f763261e1f6305564b6606fd9e61117e1388b56809ce5344004

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg881D.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    c4b01269b7ad785f5b97b2364687d6e5

    SHA1

    02d8096dc58d844e4ae377404b0ba79061658b42

    SHA256

    95a263ce379239b809e32810693df4f8635144bbf480f4925ba0928206476404

    SHA512

    1325a9ac0818f61692d8f545613be0b601d93a0882888357d2207c04e35d83074afc8ec2eedddfe82008b4c65b7ce09aedd893520d0908d56a624a0c4d127e98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg881D.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    1c82e7d24c1b9a6471657d3c9d0d8f70

    SHA1

    d6fc306f315ee7798aa9e9c976def835db8d0132

    SHA256

    55d639b26f282caf87606ced1fe73b27b47c4d5ab3188e06aaa23c40cc938b0c

    SHA512

    1935a8aea8c8b61e5283da77f1444ac9a1a014dca4aa85d781a1938b941c4775ec6f139247cf6b33b498f8a5b3efb31e886448112d23c70613d59c65da80cac6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg881D.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    b4579bc396ace8cafd9e825ff63fe244

    SHA1

    32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

    SHA256

    01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

    SHA512

    3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ojajdhhc\ojajdhhc.dll
    Filesize

    3KB

    MD5

    0313d0538fa2acf41bdbb9b5a216f230

    SHA1

    0e3a9f5f4b3904f844175cc9db7f7979602fc357

    SHA256

    a527b71820d42886c0750ab0f887f2845b02ff693f2d9050ca1da3d6410a7005

    SHA512

    5a777ec4a0f610e6004952ee6b4001b18c8fd8ebea17bb144d828bbc8b7beb4eefc6becbf4020bf80d9e1a254124b0d1f189eee5d91f14069bbc1899004cb6cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\target.pid
    Filesize

    4B

    MD5

    ac2a728f9f17b5d860b6dabd80a5162f

    SHA1

    b6f645f796048a40fcb0f120373dbb2712f298c6

    SHA256

    dde66966c76b6d0589037b6610b5cbcb58582228339a4b6117592d62874a8638

    SHA512

    082a6611d31a99c83f1d535ba9f754784a9092c440d96526d5881cabc3ee179dae21b87e4c8dbd5810d9e8a265e07f8913ce54f9c933a2919882de038400c5e5

    Download Submit

  • C:\Users\Admin\AppData\Local\updated.ps1
    Filesize

    151B

    MD5

    aa0e1012d3b7c24fad1be4806756c2cf

    SHA1

    fe0d130af9105d9044ff3d657d1abeaf0b750516

    SHA256

    fc47e1fa89397c3139d9047dc667531a9153a339f8e29ac713e518d51a995897

    SHA512

    15fae192951747a0c71059f608700f88548f3e60bb5c708b206bf793a7e3d059a278f2058d4ac86b86781b202037401a29602ee4d6c0cbaaff532cef311975f4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Promotions\Config.ini
    Filesize

    259KB

    MD5

    3ee2a24115a5884e08a62e5eaaba423b

    SHA1

    114218558a89eb3d475ac421b2c022ab926eb197

    SHA256

    3aee3e39b32d6234ac4895e69693c83756e3911595921bdcf23e534e38164784

    SHA512

    0de7aa8a63e8cc98daee4df2316e5b903366e25c93a87bda1c084fe1924ee186b17220be9c82c13058b69bc1e08fbbce6bba53a33f7f2c88da50aef447e0a49c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Promotions\Logs.vbs
    Filesize

    298B

    MD5

    3a8b3e03abf3fe595d12574597ee61c7

    SHA1

    1b67b2d4bbd3287587b5ccab1970dfbdf1c8d7df

    SHA256

    9d3d7eb30d1e992076d4d481d769fa6df93f1cd355e0599dc51090518ae05ad5

    SHA512

    af068f7a21101b4900d0bf40cfc0b888101aa994078f43f629a8e2cfd2d74ca101cd87fbd6731a6ad0c546278c1caef5cecb7d2ca54fb2fe6b1d927990d9caaf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Promotions\Promotions.ps1
    Filesize

    1KB

    MD5

    b582c83dc8ef6202e1d0495aa152e4c2

    SHA1

    beca619e1c0e0e987395002a797f08dc3657d1fd

    SHA256

    e07d9c1dfa78fa62b7fe0e9aeaa5b6b41d97ca82aead6a92dbfae24e135075f1

    SHA512

    9ec4f95d47890802d9cb2ca889db7ad28dc65c5a710ffbc4fdb7ce63cd9fec308be6e86b2e31ee9e671df4c17afbe01fd329953b0d185e3d502ae462c97b6daf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Promotions\Update.dll
    Filesize

    17.6MB

    MD5

    7f6fbf1250943e68f8bcabeb6cd755ed

    SHA1

    141fed89a60cdf8c63dd7f45ad5c76fd03fdf3bd

    SHA256

    979648b33f010940b58a6499b36708729c6cacda1a7861b228da843a2108fa27

    SHA512

    4176e3d9817c0e072906987ac2c6521c382c31d0b19901f329b7f23581d874c26aec1841d7233e222debe357e20a2731bdf78c737b30731f194d5b814b05cdf3

    Download Submit

  • C:\Windows\Text
    Filesize

    3KB

    MD5

    d81a1c714c1e6c3ec4d4eb8c3649a336

    SHA1

    4a4e9167989b8d637f36a3201b18ca4767acb8fe

    SHA256

    d5da1e586d322da67f0c1136968ab5dab2acf387e145acc199027c343630bc2d

    SHA512

    94e6b437e05f8ded151f9303a25321307a246b7373908450b4272da1b9e7b6305bf7e2a7980d190fe73f261c92a9cc18e42e4bee94ce9e085b23dbc06b8314c5

    Download Submit

  • C:\Windows\win.ini:Config
    Filesize

    3KB

    MD5

    6fa39871a24e08e300b2e32a2593f221

    SHA1

    8901dc38e138a6000091bb1fe7bcce6dd3c05700

    SHA256

    04d26f251c62a3e1afc5e0a5c2d2ddcab05c17f4c0e48520b390888c931d74fe

    SHA512

    6ca18c47a41745a0e217f309cfcc6c26e0ef6b8728d0113eab76b5b4b4517cf5065e22c0418540ddafb520284426e46bfaae733d39d2a88cd08774b5c984ec1a

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\0gqppxl2\0gqppxl2.0.cs
    Filesize

    267B

    MD5

    aec6e734a848ecbe165ae3e66cc98f33

    SHA1

    1ff3a36995c27422af9e6694ce219de98690597b

    SHA256

    290e34b62c47a02f197451e89699d8e24ed6e8b8d69038fd834a34b3546b3ba3

    SHA512

    c1033992cf9c4ecb6a7170f7995a0e4d87a91cf240e6cc48054b6157e380c83c68087b05de90a401e4fc91b3434d8679c23eb8a8147cbc6e1009ae7318dc5188

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\0gqppxl2\0gqppxl2.cmdline
    Filesize

    369B

    MD5

    ff53db8f1d177fc1c29cab6e5a23ce5b

    SHA1

    6916a3d9ed9782907bcf40e08b2d3fe2583d9921

    SHA256

    5b8dab6767b00cb77f1ed889aa7d5801c965a25284585517561dc266bddc7aec

    SHA512

    c04a18238ce2ab41d8aefd67b0560ff0f29c4b0a19271d10346b90136746171a9d45bbba8ba954791c7f98d157012cdf0b7d4d8018e49136b364e1c4d408aada

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\0gqppxl2\CSC689376D3A51B45F8B25779B36CCC2045.TMP
    Filesize

    652B

    MD5

    f677e7431c7efe65f0300cd7b9e564fa

    SHA1

    d6dd129d9c0890f4aed8432201efa1480bd28dcb

    SHA256

    53c96b288d8b6addcdecdea7a915fb0142bda59fdfecb9906409445c7f135238

    SHA512

    fe9b105942145c144ddec82fc1e4cf46820f3df7cf3b64fb9be89a4495908bdf18fd8eb8dab554e639ca63e9af06a6a3b73ff4a6dbbd2d4ecc59f1f90b702cd8

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\dppcksyk\CSCA687BD17EA844DA1B448E149563342D.TMP
    Filesize

    652B

    MD5

    4d9aa215c321789e2991a9410499d3c5

    SHA1

    95713461ec9bc22036ec2c69bc6017b77995d55e

    SHA256

    a39e215128fc6f793ebc83bfa548d9a899fb2c1292866ecc7c9208619270c100

    SHA512

    8f059e876d46d8dd5481d04962844887b906b755c42c4a94455afe03e3f5b6af600692b6f1eef35437584450c59b7d184663ab34d2bfdeef4b5371b5c23e0db7

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\dppcksyk\dppcksyk.0.cs
    Filesize

    367B

    MD5

    76d788553a4becd5f838c741a68606c3

    SHA1

    a40d6a544a571f458b49bc172daf1506bf1eb80d

    SHA256

    c2bac7c24bcd668e460b65edacd7b458d0307e9403d1ff3e3b3a06be6f20e33c

    SHA512

    ccb77317a95b8159454d9aa920a4eaf20e05c7d461bf7d2d085ccf6ee9100c8171f218e7f71eee3ce0268484b9aabd4ebb2065640d5898a5a1088a5de17cbb84

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\dppcksyk\dppcksyk.cmdline
    Filesize

    369B

    MD5

    42e0717837c8b941f6def775db78f25a

    SHA1

    40bab62f6a57e971852d64b9767317b9db69047c

    SHA256

    5c27d9fcb277df6f85d635888a70a7bda7decdf99a356b13c295e51c54a89a1d

    SHA512

    a438eb443facfe833501e19a0232b5250537a4aff5a9a7c0863dfeac52c84ff85103ae9a64acb946d9656750f74fe8d6abfd355e554c4ae50df26022f1c98a6b

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ojajdhhc\CSC2B5DBF7D6F4145BE9B9EC61ED408DEA.TMP
    Filesize

    652B

    MD5

    fed926cfb583e61f1c80668518bd4b64

    SHA1

    0efa43ecb91813a51fdfe4ecb757a58befc40f14

    SHA256

    a114981c6a89c2a4935a2fa075b4a6932258913165fdc030d3d1040a5d889d17

    SHA512

    dadbc0ed30abb2013a91eb328bc102c3d9fef3417c2452e51134f17b5b0d0f48a7af9752f41a322491e90e399880837b596ceaecc45cb90fb158e1bae3434b45

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ojajdhhc\ojajdhhc.0.cs
    Filesize

    400B

    MD5

    c62e9d98205e8931873feeadf9d05f79

    SHA1

    d9b9dbb2cfe76d2f2e1e67114ceed22feed31f2e

    SHA256

    14b29bc0d217e928264a97843c602431bb7e8b4df986b5605003dded602db410

    SHA512

    43294d4afdfc7e0e14bb83ad024665684709941de12426fdc155c6c77916102eacba551e6d0dd2f077c28e225cd7f5bf6d52cd550086c010d2ed00fc63490d89

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ojajdhhc\ojajdhhc.cmdline
    Filesize

    369B

    MD5

    a961fa46670936ff97b4baa95885cd22

    SHA1

    354d409a9d97bf717f1b019896c02dcf2cd116d9

    SHA256

    e4a17412734bbc9399d9a240fd9a6848c289faf45f8e8150c284eb2960f6834c

    SHA512

    7a3e02cd107b24f9c5edf2bd3993aebc70d39ddc49d4715001512e2c9d344a31f4540bd5ed6509b660cba0ea2786c6e3d186e65d95558fd9ab39350030040498

    Download Submit

  • memory/2256-191-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2968-290-0x0000000070390000-0x00000000703DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3284-299-0x0000000007090000-0x00000000070A5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3284-289-0x0000000007050000-0x0000000007061000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3284-287-0x0000000006D00000-0x0000000006DA4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/3284-278-0x0000000070390000-0x00000000703DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5084-121-0x00000000072C0000-0x00000000072CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5084-119-0x0000000007890000-0x0000000007F0A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/5084-130-0x00000000739C0000-0x0000000074171000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5084-127-0x0000000007590000-0x0000000007598000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5084-126-0x00000000075B0000-0x00000000075CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5084-125-0x00000000074B0000-0x00000000074C5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/5084-124-0x00000000074A0000-0x00000000074AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5084-123-0x0000000007460000-0x0000000007471000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5084-90-0x0000000005040000-0x0000000005062000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5084-92-0x0000000005160000-0x00000000051C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5084-122-0x00000000074F0000-0x0000000007586000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5084-91-0x00000000050F0000-0x0000000005156000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5084-88-0x0000000005210000-0x000000000583A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/5084-89-0x00000000739C0000-0x0000000074171000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5084-120-0x0000000007250000-0x000000000726A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5084-118-0x00000000739C0000-0x0000000074171000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5084-117-0x00000000739C0000-0x0000000074171000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5084-116-0x0000000006F10000-0x0000000006FB4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/5084-101-0x0000000005990000-0x0000000005CE7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5084-104-0x0000000006520000-0x0000000006554000-memory.dmp

    Filesize

    208KB

    Download

  • memory/5084-102-0x0000000005F20000-0x0000000005F3E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5084-103-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5084-105-0x0000000070380000-0x00000000703CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5084-115-0x0000000006500000-0x000000000651E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5084-87-0x00000000739C0000-0x0000000074171000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5084-86-0x00000000026F0000-0x0000000002726000-memory.dmp

    Filesize

    216KB

    Download

  • memory/5084-85-0x00000000739CE000-0x00000000739CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5084-114-0x00000000739C0000-0x0000000074171000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5152-198-0x0000000010000000-0x0000000010037000-memory.dmp

    Filesize

    220KB

    Download

  • memory/5152-197-0x00000000004E0000-0x0000000000514000-memory.dmp

    Filesize

    208KB

    Download

  • memory/5784-385-0x0000000070390000-0x00000000703DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5784-386-0x00000000704F0000-0x0000000070847000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5928-443-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5928-246-0x00000000059B0000-0x00000000059B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/6020-409-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-415-0x0000000007E00000-0x0000000007E37000-memory.dmp

    Filesize

    220KB

    Download

  • memory/6020-154-0x0000000007EB0000-0x0000000008456000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/6020-153-0x0000000006BA0000-0x0000000006BC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-403-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-408-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-410-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-255-0x0000000010000000-0x0000000010043000-memory.dmp

    Filesize

    268KB

    Download

  • memory/6020-412-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-413-0x0000000007E00000-0x0000000007E37000-memory.dmp

    Filesize

    220KB

    Download

  • memory/6020-414-0x0000000007E00000-0x0000000007E37000-memory.dmp

    Filesize

    220KB

    Download

  • memory/6020-384-0x0000000010000000-0x0000000010043000-memory.dmp

    Filesize

    268KB

    Download

  • memory/6020-416-0x0000000007E00000-0x0000000007E37000-memory.dmp

    Filesize

    220KB

    Download

  • memory/6020-417-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-418-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6020-175-0x0000000010000000-0x0000000010043000-memory.dmp

    Filesize

    268KB

    Download

  • memory/6020-146-0x0000000006240000-0x0000000006597000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/6020-170-0x0000000007970000-0x0000000007978000-memory.dmp

    Filesize

    32KB

    Download

  • memory/6020-149-0x00000000067A0000-0x00000000067EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/6020-248-0x0000000010000000-0x0000000010043000-memory.dmp

    Filesize

    268KB

    Download

  • memory/6072-207-0x0000000180000000-0x0000000180026000-memory.dmp

    Filesize

    152KB

    Download