f761860dedc916d3ba75130f503d2b6c68469fea0132c4a8a298410c2cbb6d2d

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
18-01-2021 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

638KB
MD5

2c57749822cc2b1db2ebdd5531cc2ee1
SHA1

ab941b0ea53e92346f379976abac27d737f9576c
SHA256

f761860dedc916d3ba75130f503d2b6c68469fea0132c4a8a298410c2cbb6d2d
SHA512

d8ac819d7588e74c93cdf68f8cd6fb99135f2167264f41f11b06b074ff0f5a554bbd214e7545a76acacbd7a1467872d74940db4a90a79305f7c6ef797ac7c2cd

Score

10^/10

discovery evasion spyware upx

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4508 created 4184 4508 WerFault.exe diasnyoc.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

34 4572 RUNDLL32.EXE
40 576 WScript.exe
42 576 WScript.exe
44 576 WScript.exe
46 576 WScript.exe
Executes dropped EXE 6 IoCs

Processes:

File51.exe4_ico.exe6_ico.exevpn_ico.exeSmartClock.exediasnyoc.exe

pid process

1232 File51.exe
3604 4_ico.exe
1440 6_ico.exe
3176 vpn_ico.exe
1800 SmartClock.exe
4184 diasnyoc.exe

description	pid	process	target process
PID 4508 created 4184	4508	WerFault.exe	diasnyoc.exe

flow	pid	process
34	4572	RUNDLL32.EXE
40	576	WScript.exe
42	576	WScript.exe
44	576	WScript.exe
46	576	WScript.exe

pid	process
1232	File51.exe
3604	4_ico.exe
1440	6_ico.exe
3176	vpn_ico.exe
1800	SmartClock.exe
4184	diasnyoc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe	upx
C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe	upx
behavioral2/memory/4508-87-0x00000000049E0000-0x00000000049E1000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SmartClock.exe4_ico.exe6_ico.exevpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe

Loads dropped DLL 3 IoCs

Processes:

File51.exerundll32.exeRUNDLL32.EXE

pid process

1232 File51.exe
4444 rundll32.exe
4572 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exe

pid process

3604 4_ico.exe
1440 6_ico.exe
3176 vpn_ico.exe
1800 SmartClock.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4508 4184 WerFault.exe diasnyoc.exe

pid	process
1232	File51.exe
4444	rundll32.exe
4572	RUNDLL32.EXE

flow	ioc
18	ip-api.com

pid	pid_target	process	target process
4508	4184	WerFault.exe	diasnyoc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEfile.exevpn_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1904 timeout.exe
4380 timeout.exe
4452 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings vpn_ico.exe

pid	process
1904	timeout.exe
4380	timeout.exe
4452	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1800 SmartClock.exe

pid	process
1800	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

4_ico.exe6_ico.exevpn_ico.exeSmartClock.exeWerFault.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3604	4_ico.exe
3604	4_ico.exe
1440	6_ico.exe
1440	6_ico.exe
3176	vpn_ico.exe
3176	vpn_ico.exe
1800	SmartClock.exe
1800	SmartClock.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4508	WerFault.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
4572	RUNDLL32.EXE
4572	RUNDLL32.EXE
732	powershell.exe
732	powershell.exe
732	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exerundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4508	WerFault.exe
Token: SeBackupPrivilege	4508	WerFault.exe
Token: SeDebugPrivilege	4444	rundll32.exe
Token: SeDebugPrivilege	4508	WerFault.exe
Token: SeDebugPrivilege	4572	RUNDLL32.EXE
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

file.exeRUNDLL32.EXE

pid process

796 file.exe
796 file.exe
4572 RUNDLL32.EXE

pid	process
796	file.exe
796	file.exe
4572	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

file.exeFile51.execmd.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.exediasnyoc.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 796 wrote to memory of 1232	796	file.exe	File51.exe
PID 796 wrote to memory of 1232	796	file.exe	File51.exe
PID 796 wrote to memory of 1232	796	file.exe	File51.exe
PID 796 wrote to memory of 3140	796	file.exe	cmd.exe
PID 796 wrote to memory of 3140	796	file.exe	cmd.exe
PID 796 wrote to memory of 3140	796	file.exe	cmd.exe
PID 1232 wrote to memory of 3604	1232	File51.exe	4_ico.exe
PID 1232 wrote to memory of 3604	1232	File51.exe	4_ico.exe
PID 1232 wrote to memory of 3604	1232	File51.exe	4_ico.exe
PID 1232 wrote to memory of 1440	1232	File51.exe	6_ico.exe
PID 1232 wrote to memory of 1440	1232	File51.exe	6_ico.exe
PID 1232 wrote to memory of 1440	1232	File51.exe	6_ico.exe
PID 3140 wrote to memory of 1904	3140	cmd.exe	timeout.exe
PID 3140 wrote to memory of 1904	3140	cmd.exe	timeout.exe
PID 3140 wrote to memory of 1904	3140	cmd.exe	timeout.exe
PID 1232 wrote to memory of 3176	1232	File51.exe	vpn_ico.exe
PID 1232 wrote to memory of 3176	1232	File51.exe	vpn_ico.exe
PID 1232 wrote to memory of 3176	1232	File51.exe	vpn_ico.exe
PID 3604 wrote to memory of 1800	3604	4_ico.exe	SmartClock.exe
PID 3604 wrote to memory of 1800	3604	4_ico.exe	SmartClock.exe
PID 3604 wrote to memory of 1800	3604	4_ico.exe	SmartClock.exe
PID 3176 wrote to memory of 4184	3176	vpn_ico.exe	diasnyoc.exe
PID 3176 wrote to memory of 4184	3176	vpn_ico.exe	diasnyoc.exe
PID 3176 wrote to memory of 4184	3176	vpn_ico.exe	diasnyoc.exe
PID 3176 wrote to memory of 4216	3176	vpn_ico.exe	WScript.exe
PID 3176 wrote to memory of 4216	3176	vpn_ico.exe	WScript.exe
PID 3176 wrote to memory of 4216	3176	vpn_ico.exe	WScript.exe
PID 1440 wrote to memory of 4304	1440	6_ico.exe	cmd.exe
PID 1440 wrote to memory of 4304	1440	6_ico.exe	cmd.exe
PID 1440 wrote to memory of 4304	1440	6_ico.exe	cmd.exe
PID 4304 wrote to memory of 4380	4304	cmd.exe	timeout.exe
PID 4304 wrote to memory of 4380	4304	cmd.exe	timeout.exe
PID 4304 wrote to memory of 4380	4304	cmd.exe	timeout.exe
PID 1440 wrote to memory of 4400	1440	6_ico.exe	cmd.exe
PID 1440 wrote to memory of 4400	1440	6_ico.exe	cmd.exe
PID 1440 wrote to memory of 4400	1440	6_ico.exe	cmd.exe
PID 4400 wrote to memory of 4452	4400	cmd.exe	timeout.exe
PID 4400 wrote to memory of 4452	4400	cmd.exe	timeout.exe
PID 4400 wrote to memory of 4452	4400	cmd.exe	timeout.exe
PID 4184 wrote to memory of 4444	4184	diasnyoc.exe	rundll32.exe
PID 4184 wrote to memory of 4444	4184	diasnyoc.exe	rundll32.exe
PID 4184 wrote to memory of 4444	4184	diasnyoc.exe	rundll32.exe
PID 4444 wrote to memory of 4572	4444	rundll32.exe	RUNDLL32.EXE
PID 4444 wrote to memory of 4572	4444	rundll32.exe	RUNDLL32.EXE
PID 4444 wrote to memory of 4572	4444	rundll32.exe	RUNDLL32.EXE
PID 4572 wrote to memory of 4816	4572	RUNDLL32.EXE	powershell.exe
PID 4572 wrote to memory of 4816	4572	RUNDLL32.EXE	powershell.exe
PID 4572 wrote to memory of 4816	4572	RUNDLL32.EXE	powershell.exe
PID 4572 wrote to memory of 732	4572	RUNDLL32.EXE	powershell.exe
PID 4572 wrote to memory of 732	4572	RUNDLL32.EXE	powershell.exe
PID 4572 wrote to memory of 732	4572	RUNDLL32.EXE	powershell.exe
PID 3176 wrote to memory of 576	3176	vpn_ico.exe	WScript.exe
PID 3176 wrote to memory of 576	3176	vpn_ico.exe	WScript.exe
PID 3176 wrote to memory of 576	3176	vpn_ico.exe	WScript.exe
PID 732 wrote to memory of 4376	732	powershell.exe	nslookup.exe
PID 732 wrote to memory of 4376	732	powershell.exe	nslookup.exe
PID 732 wrote to memory of 4376	732	powershell.exe	nslookup.exe
PID 4572 wrote to memory of 2708	4572	RUNDLL32.EXE	schtasks.exe
PID 4572 wrote to memory of 2708	4572	RUNDLL32.EXE	schtasks.exe
PID 4572 wrote to memory of 2708	4572	RUNDLL32.EXE	schtasks.exe
PID 4572 wrote to memory of 3768	4572	RUNDLL32.EXE	schtasks.exe
PID 4572 wrote to memory of 3768	4572	RUNDLL32.EXE	schtasks.exe
PID 4572 wrote to memory of 3768	4572	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\File51.exe
"C:\Users\Admin\AppData\Local\Temp\File51.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\wactaiimwtm & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\wactaiimwtm & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4452

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe
"C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DIASNY~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DIASNY~1.DLL,lTdeLDZzBQ==
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC190.tmp.ps1"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE69F.tmp.ps1"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
8⤵
PID:4376

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
7⤵
PID:2708

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
7⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 544
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kdhhjqd.vbs"
4⤵
PID:4216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\biiecastlfar.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\OaUseZKWD & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wactaiimwtm\46173476.txt
MD5
457f47fac2202c276518561a367e6b25

SHA1
ea94f29a8c98900fb4d32c481e4dc8deeeca6e5b

SHA256
35263953708657cad51a61c2837e6d1bbe15103f0475295612c874d15a4ef46e

SHA512
e6583064a90b7bf286dcea50b47e2927d47c228bf161e39f77a2b549c3485168aeac5a47320005670f9c950d7d7058a8e04737de6c087ce81307a63389db1b83

Download Submit
C:\ProgramData\wactaiimwtm\8372422.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\wactaiimwtm\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\wactaiimwtm\NL_202~1.ZIP
MD5
dd83b01f82d4105f8fdf62399f4f09b8

SHA1
a06ae568a82407fa2b28fd500c0c81da879410e6

SHA256
cf14307c8abfaa73a0cdabc66fcd2042bde39568ccbbf002fec13737f4891556

SHA512
a8bfa5f7d4d951917367af9af3f171fc398c3dc603a8ce320e471cb6a84dcdd30eed2cae86546c1691909095b3d2038f9aa42871086053ed84c0983bb48c0495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
54176ec6eaef90744f5c2f7bb7614825

SHA1
3b302e4d62cb5811779cd18939f7b40484e7dead

SHA256
c7baa57ca88fe15a03be7bbd16f8b0b87c76482291302de57bc1410e360992ef

SHA512
28a0f7e32cd291bdead87fa5f3d24512d32e372fc442d142628a681eabb6701ebeaaae3d6782d6e2d1ba438414479dec93a5afd43b7773fdcac18991008a26cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
17d35098974e650781e3ede1ec7df037

SHA1
b667d5a12e59ee091d82126c8d76ab53f3e43c4f

SHA256
bfe4c1d4443d42d41ef6d4ed13494e066863f2907b88853a804d8ca36585b890

SHA512
afddc83ae1252c1ecac17cd0d2d225a606e630f2ff4cd58838fdc0c74183e9b5534fc398ab3829fa1ae7c8395cee4ae791949d21c135770d92407d2dc355c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFBD.tmp
MD5
3fd0409edb0392305ab48894a74d9142

SHA1
064d6730e3aca090b2c8831e5ca6c13ed7a339a9

SHA256
5fb7cc3ccfb3707adbb4b906dc4fd118ff6067e4fc9a22901b278342cfbf8e27

SHA512
c18a7fb01c03b219cf497614483517e5c7de10db6115b3539e8457fe0368b3d4077b73d7b90b3fef510dd7cba7456296a008daafba7aa2d1b14594356bdb1277

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIASNY~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\File51.exe
MD5
2ebe80e99870dad48dc81b56b3b2d0d0

SHA1
51940c58e7ee8d651eb85904a410b753fbcdeef8

SHA256
e45a3ed92d97f94869e330797fd03e29a1d50b5041ff04adb4c4c39606f50833

SHA512
1aa823adef705c2a9dc94a5c99cbb19f75b9680f6797207b4e71ee77277804644beb56c30ff3b9148234846c3d8ceaed65f62285a732e3fa0e5d1479218c514f

Download Submit
C:\Users\Admin\AppData\Local\Temp\File51.exe
MD5
2ebe80e99870dad48dc81b56b3b2d0d0

SHA1
51940c58e7ee8d651eb85904a410b753fbcdeef8

SHA256
e45a3ed92d97f94869e330797fd03e29a1d50b5041ff04adb4c4c39606f50833

SHA512
1aa823adef705c2a9dc94a5c99cbb19f75b9680f6797207b4e71ee77277804644beb56c30ff3b9148234846c3d8ceaed65f62285a732e3fa0e5d1479218c514f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
ce187c8e140d6f1329877a2ae0128a7c

SHA1
96106084440083c434929ff1414f28198665a26b

SHA256
df2df3fba35989757ae3921fa819543aa63f305385ee8d4a3d1e682e751db045

SHA512
f3d5d7d9c681dd9f5f3e4c3108e3899a04d0905581b31008e65a1da235665a3c86716211042f32c96ed6b251075458efdbe83c446edbf8c5a936348089f8f636

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
MD5
ce187c8e140d6f1329877a2ae0128a7c

SHA1
96106084440083c434929ff1414f28198665a26b

SHA256
df2df3fba35989757ae3921fa819543aa63f305385ee8d4a3d1e682e751db045

SHA512
f3d5d7d9c681dd9f5f3e4c3108e3899a04d0905581b31008e65a1da235665a3c86716211042f32c96ed6b251075458efdbe83c446edbf8c5a936348089f8f636

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
239bdf56b4a121cba18cc5aaa8c2f6a4

SHA1
f543dea6be05c6ca9bffceaf3999e0c68d323f99

SHA256
6f2381314fdc3741357a5549422f00587a2f25241c4976bbe1d0e902288740ad

SHA512
9cd12f58a27e7b83e14d4e58091ed206a3a90a82ba2007ddd3f6d811ed22e5ee937d2fe2f54d1a9283342500086c142f7bd6767748b95e3cae1d120f89f361be

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
MD5
239bdf56b4a121cba18cc5aaa8c2f6a4

SHA1
f543dea6be05c6ca9bffceaf3999e0c68d323f99

SHA256
6f2381314fdc3741357a5549422f00587a2f25241c4976bbe1d0e902288740ad

SHA512
9cd12f58a27e7b83e14d4e58091ed206a3a90a82ba2007ddd3f6d811ed22e5ee937d2fe2f54d1a9283342500086c142f7bd6767748b95e3cae1d120f89f361be

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\AKRPTM~1.ZIP
MD5
50d781525e47bdbd998ac866e138f106

SHA1
256b480e01eb85032a0dbae69529795ff2f6bb35

SHA256
39c14d1a9f1e3cfb10c40adeb397b09da4873d30f5986581bd9ecf7d0f11ac07

SHA512
1636e37e03f6cecde95e54e6bc1f52a530dfb5e4b29609e5399f8f61122f3363b5ab4c6550eef08011800a0dfed77cea1dbed78d64200fcd6fc905032b05370f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\WLJCRG~1.ZIP
MD5
1579ee6d79cbf7936a516e3a6dac1f92

SHA1
05b5ddd1c0e13a21e4c7d71db9c3a1ee3f4da1c1

SHA256
6c859b984cf5b9a52eac82cb96b6af887f3ead39f99ffa7f337ca46643fd44cc

SHA512
69422e57ade36eaf877f735005eca4e2c1e7ae89e77bb05c3e15f89811c7e3fe444d2d9477e0a2b721fb74ac9321c0f40e0999b68e1255a6b7185c8979fe3dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\_Files\_Files\GetSkip.txt
MD5
7806095c16911fd3e0324870122babc9

SHA1
f2244e9df844f77f5401f52a47b972a196a5fa08

SHA256
c95691b4396fbdfad5fec9fde7c01522dbd7cbdb3197a91ce7a1227d4b6551b9

SHA512
80918b32640146c09ff0e6f4d751943327c1a21c961611487e7f8f556a8024e40a7dcbf490e6d633daf86cb5651e12f007106f0d8095881b92c8602aed04e991

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\_Files\_INFOR~1.TXT
MD5
ea8afc8f9e805f737f27969bfa22adc1

SHA1
36199220be9ee0d3892d48eb512d5b69808cdb41

SHA256
bbbf6e0f694e4efb90674e595ca7ce34c530abe1d0b379370b7bacf95b403e90

SHA512
dcc674c6ae38312eafa1af351a3787f4b3a06b3d42c3fc1039e7e2bf953c835f2a24c2b3544ee3a16965999ddb2e03217c0b2dda65440646db857df42ef1f235

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\_Files\_SCREE~1.JPE
MD5
5cb8fbccddb6fe58835e6a84588a2666

SHA1
1644259fe6ad47cff50f16df7ef38dfd7c129013

SHA256
5ba5ee69f7223aea8b0deed0d11149790a37e5a46193b51b6f4913c31fe95c1d

SHA512
de80fd57ef4273916deab2c451a3dc984d3d9cf168eacf1cba721b910a8072e8e2f5c823e762644e04fdbcbd20a7c454d607c1abf1248ed5ef3f2b74264c185c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\files_\SCREEN~1.JPG
MD5
5cb8fbccddb6fe58835e6a84588a2666

SHA1
1644259fe6ad47cff50f16df7ef38dfd7c129013

SHA256
5ba5ee69f7223aea8b0deed0d11149790a37e5a46193b51b6f4913c31fe95c1d

SHA512
de80fd57ef4273916deab2c451a3dc984d3d9cf168eacf1cba721b910a8072e8e2f5c823e762644e04fdbcbd20a7c454d607c1abf1248ed5ef3f2b74264c185c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\files_\SYSTEM~1.TXT
MD5
6b8fe4a0675da8d676aca04328bc80ca

SHA1
8f97c63f94ffd0bfe31274234c1000e59d6c9a33

SHA256
9be231ef6b63d9323084dbf93e3a748f90954cba876ba866004b9538ddc45371

SHA512
046e1e4b369569e53a45ccf6f926c8dbc6b0cb51559702b3c0f74b475ad18661cafd3269399b4e4138b53a227367531edcd12b64b8210a2beb7467f03d603a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaUseZKWD\files_\files\GetSkip.txt
MD5
7806095c16911fd3e0324870122babc9

SHA1
f2244e9df844f77f5401f52a47b972a196a5fa08

SHA256
c95691b4396fbdfad5fec9fde7c01522dbd7cbdb3197a91ce7a1227d4b6551b9

SHA512
80918b32640146c09ff0e6f4d751943327c1a21c961611487e7f8f556a8024e40a7dcbf490e6d633daf86cb5651e12f007106f0d8095881b92c8602aed04e991

Download Submit
C:\Users\Admin\AppData\Local\Temp\biiecastlfar.vbs
MD5
330e348a903a061caddb6e487d93a9c9

SHA1
323cd3ab9817cf06b5150797c870138bcc7a82fa

SHA256
785976e433b08c20910a8b45bbfd71bea2027a8c12daa7fbfc368f97c1b8ed4c

SHA512
65bf72ba150fcf6858321bb5c81301f06e25ab9913c4299a69a041392644a63cd2fab1a84b150d6a5cef7f79f92aa45c929d80ff357ec07bf6328fb0a18629c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe
MD5
7ae8447db714441c8a0b0e239cadfe89

SHA1
63764c23149a819d12e367708d7735b0fd9fb110

SHA256
de1cbe12d46e3e92a45715972a3ef5b030260fc0e900f8d79f221c2330e24aba

SHA512
31f55f0d57e3a8ce2e830929dbcef5a9ba43625a6dd7310bbb4dcfd513084df9cd76873950a5fea50cf5b031055c2e05b2a5a21a027e79be0ef05470462b8670

Download Submit
C:\Users\Admin\AppData\Local\Temp\diasnyoc.exe
MD5
7ae8447db714441c8a0b0e239cadfe89

SHA1
63764c23149a819d12e367708d7735b0fd9fb110

SHA256
de1cbe12d46e3e92a45715972a3ef5b030260fc0e900f8d79f221c2330e24aba

SHA512
31f55f0d57e3a8ce2e830929dbcef5a9ba43625a6dd7310bbb4dcfd513084df9cd76873950a5fea50cf5b031055c2e05b2a5a21a027e79be0ef05470462b8670

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdhhjqd.vbs
MD5
f3fa622c30bb955c6bf8c9ae7ce12f21

SHA1
b5fdcb617785ca745194e31a091c96cbd70b0d14

SHA256
8694f7f8ae1bb845d163cbbb404dec2b6017454182a2087c230576684c082e48

SHA512
17da756121a7dc461e09ceda4e34168cdf1a958cca1a5778e8168e65f0da5972034853d2b48bcdc10a8f1b67340f98431351878f67bd1b33febcfe2261745952

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC190.tmp.ps1
MD5
d6964680f98bc66e5e630b41c41fc67e

SHA1
3e78928afb7bb6a86fc9764738c725be99871e4b

SHA256
9fdff9d49d283c3bba1e45a291d8bc2b8e3310764dd205d51826683a75b73473

SHA512
73096715e5b45538507d1e9f447c37d3a5a62ce9771a9d1022a577ae49a5ca1a75a3d85d5958bc0ccdce8ee8e73262860bc73ea5b81ba6c9764fd575a73cfdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC191.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE69F.tmp.ps1
MD5
137047fe10e8536b33c2cd64b39fcaa7

SHA1
e119363a1a3b4417577fdd373d2abeffc59eb9c1

SHA256
75c38b8d127b3514aa1ac5dcb532b457977e881b28c1bf110d7a3678426664ae

SHA512
a1820c388c09e53649de422ef3a11ee89b8e665c27b5bd4255b32b3aa3fd19152281eeb70b09b5ba7f27254b90b7aef0ee8b4febcd5e6b894f8dd6f6551c129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6A0.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
f807550ed868461e52b3af2669f1688a

SHA1
5f1fa80f631e9e479677cea73078089d8995ce9c

SHA256
d595f5dad24c64f6135214b3f8dad1f2ebf01b49f58b16c6588e9ec5f9da9f25

SHA512
28349ee7354ed4932f0957a0e14b57123f932d85bea6baa32c2094062b8360011a0f3690561367331448362c5c002dee9a0304cfd6e4a54023c6d98d36494a77

Download Submit
\Users\Admin\AppData\Local\Temp\DIASNY~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
\Users\Admin\AppData\Local\Temp\DIASNY~1.DLL
MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
\Users\Admin\AppData\Local\Temp\nse8331.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/576-119-0x0000000000000000-mapping.dmp

Download
memory/732-120-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/732-123-0x0000000007592000-0x0000000007593000-memory.dmp

Filesize
4KB

Download
memory/732-116-0x000000006F7F0000-0x000000006FEDE000-memory.dmp

Filesize
6.9MB

Download
memory/732-115-0x0000000000000000-mapping.dmp

Download
memory/732-129-0x00000000087B0000-0x00000000087B1000-memory.dmp

Filesize
4KB

Download
memory/732-137-0x0000000007593000-0x0000000007594000-memory.dmp

Filesize
4KB

Download
memory/732-126-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/796-2-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/796-4-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/796-3-0x0000000004730000-0x00000000047D0000-memory.dmp

Filesize
640KB

Download
memory/1232-5-0x0000000000000000-mapping.dmp

Download
memory/1440-32-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/1440-64-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1440-30-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/1440-72-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1440-51-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1440-53-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1440-56-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1440-15-0x0000000000000000-mapping.dmp

Download
memory/1800-50-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1800-63-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1800-62-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1800-61-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1800-59-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1800-52-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1800-60-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1800-58-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1800-36-0x0000000000000000-mapping.dmp

Download
memory/1800-57-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/1904-24-0x0000000000000000-mapping.dmp

Download
memory/2708-136-0x0000000000000000-mapping.dmp

Download
memory/3140-8-0x0000000000000000-mapping.dmp

Download
memory/3176-31-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3176-48-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3176-34-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3176-47-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3176-49-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3176-46-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3176-25-0x0000000000000000-mapping.dmp

Download
memory/3604-40-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3604-43-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3604-44-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3604-42-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3604-35-0x0000000076F14000-0x0000000076F15000-memory.dmp

Filesize
4KB

Download
memory/3604-33-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3604-45-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3604-29-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3604-10-0x0000000000000000-mapping.dmp

Download
memory/3604-28-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3768-138-0x0000000000000000-mapping.dmp

Download
memory/4184-70-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/4184-75-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/4184-74-0x0000000005960000-0x0000000005D3C000-memory.dmp

Filesize
3.9MB

Download
memory/4184-73-0x0000000005590000-0x000000000595A000-memory.dmp

Filesize
3.8MB

Download
memory/4184-65-0x0000000000000000-mapping.dmp

Download
memory/4216-68-0x0000000000000000-mapping.dmp

Download
memory/4304-71-0x0000000000000000-mapping.dmp

Download
memory/4376-134-0x0000000000000000-mapping.dmp

Download
memory/4380-80-0x0000000000000000-mapping.dmp

Download
memory/4400-81-0x0000000000000000-mapping.dmp

Download
memory/4444-90-0x0000000004EF1000-0x000000000554E000-memory.dmp

Filesize
6.4MB

Download
memory/4444-83-0x0000000000000000-mapping.dmp

Download
memory/4452-82-0x0000000000000000-mapping.dmp

Download
memory/4508-86-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4508-87-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4572-89-0x0000000000000000-mapping.dmp

Download
memory/4572-93-0x0000000004F61000-0x00000000055BE000-memory.dmp

Filesize
6.4MB

Download
memory/4816-104-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/4816-110-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/4816-102-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4816-101-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/4816-107-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/4816-106-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/4816-105-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/4816-112-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/4816-111-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/4816-114-0x00000000067C3000-0x00000000067C4000-memory.dmp

Filesize
4KB

Download
memory/4816-109-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/4816-100-0x00000000067C2000-0x00000000067C3000-memory.dmp

Filesize
4KB

Download
memory/4816-99-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/4816-98-0x00000000066A0000-0x00000000066A1000-memory.dmp

Filesize
4KB

Download
memory/4816-97-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/4816-96-0x000000006FD50000-0x000000007043E000-memory.dmp

Filesize
6.9MB

Download
memory/4816-94-0x0000000000000000-mapping.dmp

Download
memory/4816-103-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download