32e4914c308b62fe328d5cf926d70002bce706e0ab87c33c9889c7f125a0c309

Analysis

max time kernel
107s
max time network
133s
platform
windows10_x64
resource
win10v20210410
submitted
19-04-2021 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order Shipment No.00187.exe
Size

33KB
MD5

7ae5b36bc9bd69a8323a1b0d0f9fe9ad
SHA1

78917f008a7c2e96e183a6194081b1e719839602
SHA256

32e4914c308b62fe328d5cf926d70002bce706e0ab87c33c9889c7f125a0c309
SHA512

7265eaeaf31f1d2bc734b364d09dd238a8cf559db056814ab3b5fc2a4ae05b5c5ec5eac1bae489fefac83d60ed32c58dc1337b4c0d60daada6d1ffc669c08432

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

New Order Shipment No.00187.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	New Order Shipment No.00187.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	New Order Shipment No.00187.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe = "0"	New Order Shipment No.00187.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe = "0"	New Order Shipment No.00187.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

New Order Shipment No.00187.exe

pid	process
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe
3540	New Order Shipment No.00187.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order Shipment No.00187.exe

description pid process target process

PID 3540 set thread context of 4924 3540 New Order Shipment No.00187.exe New Order Shipment No.00187.exe

description	pid	process	target process
PID 3540 set thread context of 4924	3540	New Order Shipment No.00187.exe	New Order Shipment No.00187.exe

Drops file in Windows directory 2 IoCs

Processes:

New Order Shipment No.00187.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe	New Order Shipment No.00187.exe
File created	C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe	New Order Shipment No.00187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5088 3540 WerFault.exe New Order Shipment No.00187.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4268 timeout.exe

pid	pid_target	process	target process
5088	3540	WerFault.exe	New Order Shipment No.00187.exe

pid	process
4268	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3816	powershell.exe
1912	powershell.exe
208	powershell.exe
1912	powershell.exe
208	powershell.exe
3816	powershell.exe
3816	powershell.exe
1912	powershell.exe
208	powershell.exe
2936	powershell.exe
2820	powershell.exe
3700	powershell.exe
2936	powershell.exe
2820	powershell.exe
3700	powershell.exe
2936	powershell.exe
2820	powershell.exe
3700	powershell.exe
4424	powershell.exe
4424	powershell.exe
4464	powershell.exe
4464	powershell.exe
4524	powershell.exe
4524	powershell.exe
4424	powershell.exe
4464	powershell.exe
4524	powershell.exe
4424	powershell.exe
4464	powershell.exe
4524	powershell.exe
4888	powershell.exe
4888	powershell.exe
4928	powershell.exe
4928	powershell.exe
4976	powershell.exe
4976	powershell.exe
4888	powershell.exe
4976	powershell.exe
4928	powershell.exe
4888	powershell.exe
4928	powershell.exe
4976	powershell.exe
4548	powershell.exe
4548	powershell.exe
4728	powershell.exe
4728	powershell.exe
1472	powershell.exe
1472	powershell.exe
4548	powershell.exe
1472	powershell.exe
4728	powershell.exe
4548	powershell.exe
4728	powershell.exe
1472	powershell.exe
4264	powershell.exe
4264	powershell.exe
2128	powershell.exe
2128	powershell.exe
3900	powershell.exe
3900	powershell.exe
4264	powershell.exe
2128	powershell.exe
3900	powershell.exe
4264	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

New Order Shipment No.00187.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exeNew Order Shipment No.00187.exe

description	pid	process
Token: SeDebugPrivilege	3540	New Order Shipment No.00187.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	5088	WerFault.exe
Token: SeBackupPrivilege	5088	WerFault.exe
Token: SeDebugPrivilege	5088	WerFault.exe
Token: SeDebugPrivilege	4924	New Order Shipment No.00187.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Order Shipment No.00187.exe

description	pid	process	target process
PID 3540 wrote to memory of 3816	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3816	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3816	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1912	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1912	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1912	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 208	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 208	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 208	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2936	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2936	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2936	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2820	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2820	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2820	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3700	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3700	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3700	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4424	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4424	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4424	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4464	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4464	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4464	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4524	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4524	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4524	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4888	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4888	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4888	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4928	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4928	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4928	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4976	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4976	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4976	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4548	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4548	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4548	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4728	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4728	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4728	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1472	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1472	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1472	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2128	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2128	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2128	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4264	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4264	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 4264	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3900	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3900	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 3900	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 5004	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 5004	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 5004	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2164	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2164	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2164	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1544	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1544	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 1544	3540	New Order Shipment No.00187.exe	powershell.exe
PID 3540 wrote to memory of 2328	3540	New Order Shipment No.00187.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\OzJzUEKRIwq\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:4972

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4268

C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe"
2⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe"
2⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Shipment No.00187.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 2880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a2120bde96c4411c4ea89c56432b77d

SHA1
3a9bb4a7ffe1a0a3579f34ff9dd9383ada09aa5a

SHA256
bb558a0cec1f7a88e10077c10cd8de2a361317b34ddadb4714c7844241d2f7ae

SHA512
800c2c411408c01b51935d9b0536fa187482a02d0f51deed6237addac8670b8884fe05315224f9727bda8fc3176f105f401c0e3497f0800aa36050efb2db41be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a2120bde96c4411c4ea89c56432b77d

SHA1
3a9bb4a7ffe1a0a3579f34ff9dd9383ada09aa5a

SHA256
bb558a0cec1f7a88e10077c10cd8de2a361317b34ddadb4714c7844241d2f7ae

SHA512
800c2c411408c01b51935d9b0536fa187482a02d0f51deed6237addac8670b8884fe05315224f9727bda8fc3176f105f401c0e3497f0800aa36050efb2db41be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5a7dce1f8dfa34b9f9cfc9dd2a2676c7

SHA1
b04ddcc48b12358ffa96c6cea5e0f51cbc560aea

SHA256
bf4d3dd2937facedcb85e974a098c559e92892f80e8ee5c483032d0e2c2635b7

SHA512
9c52a12f3ae513f1c9dd3b1f86883fa10e9a454294eeb88bf0dbbb3e00288057d3b64dd494a58c828d5f9f5d8edd0b641c9e2f4095a60a353cb8820b10636c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1db894e49d5be17d335e19cdf109e78a

SHA1
dc75615371c473215d0a196bad429a47c01c8707

SHA256
371413f9650379521024445f68eb1c5c5df0ac46601161b489ed93a23cf761b7

SHA512
189d8b1d319521805de5bf2037e187c4b7992b13440a95da67f22359ccbe1a1116ff131e8724d06c56ba9f4f7e9f8d7f5772a3b11f7b59fe5ac179448e550775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
abfd5e124f1defca0071d29c10a82da5

SHA1
ee2736a167e2f9e4b845bfac273fd9564126f740

SHA256
a5c452fbe7738ba4655b4125a98a5c38768d503df3b8b0dd54a9c1f3d7a2802c

SHA512
3379f535b6ac000aa2e6f370f07053df279b7025ef9ad229849705ef1884016840e2cfdc07b3ee39a5f47c1e1e7b3dae65e0970e1fcfb5d7a57bd886b76ee2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3126257866494b9a86ba646ccec20c3f

SHA1
7eb8fa942a54607b6147d7125abbf2984e855d53

SHA256
953550af9313c795daeb52e62091bc4e592e055416b9328aec19ae1c6eae9ac9

SHA512
49c8a291bc88981a623ddd61402d0ac77fb2d9b6e103fb9365cbdb810cb51c0942181c5d07951ea481417bba73a9db208083fe93f0281eff573406b612affb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6ef57a43348ab6faddef8f75a03fff13

SHA1
7d7d95942b6d8397c5f5851167a638c43d5537a1

SHA256
72bde0ef3b1affbae8bb74fa0f266be2d9bcc59f72e363601689c776c98aa972

SHA512
c88dd0ef3564c7cfd5c20907c24a520bd2348d74f8bc800f69a64d120b086ab14cf90fee15849a1c9314a4148caf68c98e31bac20bb16b1941231259e8f048bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c5c6d9ed7d45e83dc17bb1910f0c3deb

SHA1
e769b8a5245483442949b8acdf11fd153c16d0fb

SHA256
d0d2a543ecd21c68ce22e5230f81eb79197869283319f044beecda7419461eb8

SHA512
85bd48e7ab3b23e8638b7c18fae45c9565c7da0fd699145f272829d3327915b7191540a0fe2af86718ba50c6e9349305fafa36a6b5be3ead413a3b20813c11fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c5c6d9ed7d45e83dc17bb1910f0c3deb

SHA1
e769b8a5245483442949b8acdf11fd153c16d0fb

SHA256
d0d2a543ecd21c68ce22e5230f81eb79197869283319f044beecda7419461eb8

SHA512
85bd48e7ab3b23e8638b7c18fae45c9565c7da0fd699145f272829d3327915b7191540a0fe2af86718ba50c6e9349305fafa36a6b5be3ead413a3b20813c11fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
69665f635ad7e5587475f1162e03ffca

SHA1
b32bfe0d768d0a0f7c41e5213d955908fab73dbd

SHA256
5b67a664791983a4cfeafb1bb29f2b6ca8cc8191d74efa4b51112d3eec7887e3

SHA512
764bdf17d04981f01f3ac6962f2e3f0b8d691fff76fbf75468351f1ad64fbbe86dd184ebd8ee60d8a538b175b3c0e340a517f74d9b7601d3589302ef298283a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
89fbc641f7b1e62f19f21233d7633df6

SHA1
e70333d78d2aba4fb6155bd9e2fbb79941b62821

SHA256
e507480c3d8d06291753b6628d907539421367e99543614a81c8b7b69eb191ca

SHA512
b221f0cb74ae939d22e533bbbc075dfe8f54c59fe797ea3848936c5ab19bb267bc0f043a4e209a10fd09719e5134333990fb09ec2027f41ca829a42636f0db84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cf1452d568e80a453da08761585b73df

SHA1
9cd2caac4f41029943b316334d2448e838baf536

SHA256
bdb5d1ebab63896ac3c403bd13d7fa135cc4ab91b21d709e4ff1def7a68dcc68

SHA512
6d3b977e9c7530702303f6dd2fa09ead44a867752a51547883d43dd7d6e08b30b1c9ae5af873389bd1c1097fc7a5eb910573abd7555c1d94751c7f96c1a59384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cf1452d568e80a453da08761585b73df

SHA1
9cd2caac4f41029943b316334d2448e838baf536

SHA256
bdb5d1ebab63896ac3c403bd13d7fa135cc4ab91b21d709e4ff1def7a68dcc68

SHA512
6d3b977e9c7530702303f6dd2fa09ead44a867752a51547883d43dd7d6e08b30b1c9ae5af873389bd1c1097fc7a5eb910573abd7555c1d94751c7f96c1a59384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
154762e7a84a89c1dcf864bfac4f8dcc

SHA1
b6ac30e7fbf92f137dae24e902ffea824084d7f6

SHA256
434ae54c2bebbc8641680526c737f51207a615733930c450ba3bde963a60d3db

SHA512
eed05e6c4d9764c4d502313c2964ea927efea05cbb7a28882e637723dbfdff3886e3a1343b8b881aed947ae15e801fa3cbe8c08cfbc35320476466e77e6510e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
163d5cc10aaa425fd6b88d2094849e52

SHA1
ad5912d24e993e7e5e1723f4f3a252c3dba358cb

SHA256
1f8ab67559a3e17980eb89e561c442d225e4359d8473c04f0262b643f6a29d0f

SHA512
cfbec9bf8012f7e9573d9ba0676ecfc39bd889b00195a9b5a9ae0ae797f40f0796b264df106ebe7ab6eaadc1087e0e0c86c795d1c1865470e4c3db44c9c2d1a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2adb1896fbfc7e4b0ce392098d0480f7

SHA1
ada3e7454beea376b216f6e7bf53719502bcd05f

SHA256
ad76a5aa91a0d0f160365da5d57ba66fe99a655418b2ba5ab4825d2a69403982

SHA512
422beb369122ad468706c3d580bd384e9eb804b84e21e6724e14501d9af51ac39d3b485669778c1eb1c3966c30244a2bdd51252cda3c132c24208f66dd635f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
57a5fecbcf1a743647346b0180922cd2

SHA1
24e02f15697b578b3bb466fb4bac36ac63be2ca8

SHA256
7efa7b2cc9dfba2258d330f62079295f226ebef481c5c4a9206a8fec82dd0f74

SHA512
5f3a1f3e1d60346f4d1ecc9f98fd4f5772fa6e5899bfc70f5bb52d7da5065ac2497fd8b33f48975227a772989dca2698366f3abd630a0401191a896816d6396e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
58b3794c31a889ee76161ee71129f852

SHA1
c20721c128ef331be630fb3ce92f931839d8cb12

SHA256
1146ad5664d6346b5602e30ff69d8a6368f171bdcf9780afd2752736627f799e

SHA512
9aac2320351de9b8357cb893761f768f48682788ce73f00e2ba146e9c6f9286ac4bccb9f92daa03f54a51bd54dafd30b948639f68c1f80533f263a8df7af8b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
497619e6d618c3f92f3226cdf1e0fcce

SHA1
7aa2214e4b66bb5efaccc76c9ed21f5da485c758

SHA256
2843f9b9b874a12ae48a9c202c59b294651d54f3abee7c4e06c1737fdaa6a306

SHA512
fb2c61f473aa82111f97ba5b1ccb01e7af1e416b3bfbb697e0fef686a7ca90c132bba454bb466f18d2d342c90500dc64e698244f33bc0f82e2333dad2d5185bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
128e028760b8b684fb946051ebfc694e

SHA1
2dc6f6678c6e8009993f0128b1d0afbe6aa7ef03

SHA256
80df0d623d5bf9d18f37c87a76a3b3f5715ad63934635582a4828717f24fa3d0

SHA512
3885d43d60b2ade2437ae00984587eb1c8b6d4a409279129d68b9ed57f5e26ec9ae0584d9c00caec8a4ac7e473bcfb7e67e3452aa0f46687ad01a38f687a9300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
128e028760b8b684fb946051ebfc694e

SHA1
2dc6f6678c6e8009993f0128b1d0afbe6aa7ef03

SHA256
80df0d623d5bf9d18f37c87a76a3b3f5715ad63934635582a4828717f24fa3d0

SHA512
3885d43d60b2ade2437ae00984587eb1c8b6d4a409279129d68b9ed57f5e26ec9ae0584d9c00caec8a4ac7e473bcfb7e67e3452aa0f46687ad01a38f687a9300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
802e2b85eb8c1b1e8c8861836ab2f262

SHA1
0c34c00eb8543d41a38697af858ea5ac2c5e15fb

SHA256
54c16fe57cd76a1d4cecfc2e1a3715ea02e8c81ca34438655cf9f0e5f757de9b

SHA512
ff107c13a314de2d07af50ce5c66b21c3638bd3a597f196dedebeabfde8a582812ea53ac5c15f7aa4de5bb58c8f4609eb7d6806aba40dce14542f4cb56c6c283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e07263055446bdfa1e05a02641ad2790

SHA1
b5086303edcfd761cd2b39c61fc69c49e75357ae

SHA256
e2c5f049a91830b8228c08594f1b66a7b9855f99495db6c36bee8f191a1cba8e

SHA512
0080ec4ba23611b9ad4fc04bfb491b53ecc070232bd9748624aba510a61d85467c863a06adc19d6cc9e3046baee0ad2dd9dc46e00feb25e11d98f84695d2fa43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e07263055446bdfa1e05a02641ad2790

SHA1
b5086303edcfd761cd2b39c61fc69c49e75357ae

SHA256
e2c5f049a91830b8228c08594f1b66a7b9855f99495db6c36bee8f191a1cba8e

SHA512
0080ec4ba23611b9ad4fc04bfb491b53ecc070232bd9748624aba510a61d85467c863a06adc19d6cc9e3046baee0ad2dd9dc46e00feb25e11d98f84695d2fa43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
99d3b0013f74bf0cc05c2d3175678623

SHA1
41169ea6a7d12116e46eaa9774341444bf8bcd1d

SHA256
fda8dc3b5b6f1d00c9fa4e938418a6d45d15370849b35039361c1335bb3148e4

SHA512
9a864b4c5864b85331b4b6e690943c07968dd6652d1c3f04b2b5de49efe1a33db4e8857b50b81204f2aca516786d54dff9966ac4bab167825b6517d878f7781e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d1d59866a215825d128137a4f41833c

SHA1
1be61f390bf7a3de664be7a38f81201c67c561b0

SHA256
d3ee3919f57bea817acdd3e71b5f6cae2ff16783ce5289b24c91ee7816c4331d

SHA512
bec819133440f2d78d229dbcf5f290b9455da2ae8275fdb37b6127e8b0a2bf4d12a96b71cd983d99c4ab1d1b218ef7e3831d109e366d920193dcd2d286dc5c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d1d59866a215825d128137a4f41833c

SHA1
1be61f390bf7a3de664be7a38f81201c67c561b0

SHA256
d3ee3919f57bea817acdd3e71b5f6cae2ff16783ce5289b24c91ee7816c4331d

SHA512
bec819133440f2d78d229dbcf5f290b9455da2ae8275fdb37b6127e8b0a2bf4d12a96b71cd983d99c4ab1d1b218ef7e3831d109e366d920193dcd2d286dc5c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5da2dac6c143ccf04caab73a929a7998

SHA1
d6da0f5a4574ebe846dd01b542549e67df2dc132

SHA256
5343eb3e2b1eadcd6d95f0193469ecd202bb5752ce7d7175ef80f35619ed51b5

SHA512
5b7cbcc16b66fdac0676a430a5b997ea6056db8a5bdf12d1b5e2b80fe610987ec20f4dfa76da99a8cce915c4e5dac8900369acd7cc12816fcc4eb71f5b166835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
570fbf763264d24f5b2df3837a7634e3

SHA1
ec8b129e973dc7308f05f7b8ae786d5b2d0f299c

SHA256
a2a57ed78342dc952c592a6d576cd73cfe28f5fb0e6ebc6d855722196dae79d3

SHA512
0c1bd1347af1e417be448556bf725ac8ec1a768d0cd60647a1fc8c68cc47d9774b6d5cee40acf531549bfd2d9d61c9ecf569262a17871f289af10ac29f7ca59e

Download Submit
memory/208-202-0x0000000000930000-0x0000000000A7A000-memory.dmp

Filesize
1.3MB

Download
memory/208-122-0x0000000000000000-mapping.dmp

Download
memory/208-199-0x000000007ED80000-0x000000007ED81000-memory.dmp

Filesize
4KB

Download
memory/208-153-0x0000000000930000-0x0000000000A7A000-memory.dmp

Filesize
1.3MB

Download
memory/208-162-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/208-154-0x0000000000930000-0x0000000000A7A000-memory.dmp

Filesize
1.3MB

Download
memory/208-155-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/1472-280-0x0000000004C73000-0x0000000004C74000-memory.dmp

Filesize
4KB

Download
memory/1472-250-0x0000000004C72000-0x0000000004C73000-memory.dmp

Filesize
4KB

Download
memory/1472-249-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1472-244-0x0000000000000000-mapping.dmp

Download
memory/1544-281-0x0000000000000000-mapping.dmp

Download
memory/1648-292-0x0000000000000000-mapping.dmp

Download
memory/1912-200-0x0000000004E93000-0x0000000004E94000-memory.dmp

Filesize
4KB

Download
memory/1912-144-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/1912-197-0x000000007ED30000-0x000000007ED31000-memory.dmp

Filesize
4KB

Download
memory/1912-152-0x0000000004E92000-0x0000000004E93000-memory.dmp

Filesize
4KB

Download
memory/1912-151-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1912-121-0x0000000000000000-mapping.dmp

Download
memory/2128-258-0x0000000000000000-mapping.dmp

Download
memory/2128-261-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2128-262-0x0000000000D32000-0x0000000000D33000-memory.dmp

Filesize
4KB

Download
memory/2164-278-0x0000000000000000-mapping.dmp

Download
memory/2320-294-0x0000000000000000-mapping.dmp

Download
memory/2328-286-0x0000000000000000-mapping.dmp

Download
memory/2820-208-0x000000007F130000-0x000000007F131000-memory.dmp

Filesize
4KB

Download
memory/2820-211-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/2820-165-0x0000000000000000-mapping.dmp

Download
memory/2820-185-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/2820-181-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/2936-161-0x0000000000000000-mapping.dmp

Download
memory/2936-206-0x000000007EC20000-0x000000007EC21000-memory.dmp

Filesize
4KB

Download
memory/2936-209-0x0000000006CC3000-0x0000000006CC4000-memory.dmp

Filesize
4KB

Download
memory/2936-180-0x0000000006CC2000-0x0000000006CC3000-memory.dmp

Filesize
4KB

Download
memory/2936-179-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/2980-287-0x0000000000000000-mapping.dmp

Download
memory/3540-117-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3540-118-0x0000000005170000-0x00000000051E8000-memory.dmp

Filesize
480KB

Download
memory/3540-131-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/3540-119-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/3540-124-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/3540-116-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3700-166-0x0000000000000000-mapping.dmp

Download
memory/3700-207-0x000000007E4E0000-0x000000007E4E1000-memory.dmp

Filesize
4KB

Download
memory/3700-182-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3700-189-0x00000000011B2000-0x00000000011B3000-memory.dmp

Filesize
4KB

Download
memory/3700-210-0x00000000011B3000-0x00000000011B4000-memory.dmp

Filesize
4KB

Download
memory/3816-149-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3816-137-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3816-158-0x00000000089E0000-0x00000000089E1000-memory.dmp

Filesize
4KB

Download
memory/3816-150-0x0000000004D02000-0x0000000004D03000-memory.dmp

Filesize
4KB

Download
memory/3816-120-0x0000000000000000-mapping.dmp

Download
memory/3816-127-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3816-129-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/3816-141-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/3816-201-0x0000000004D03000-0x0000000004D04000-memory.dmp

Filesize
4KB

Download
memory/3816-139-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/3816-198-0x000000007F650000-0x000000007F651000-memory.dmp

Filesize
4KB

Download
memory/3900-260-0x0000000000000000-mapping.dmp

Download
memory/3900-266-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/3900-265-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3940-299-0x0000000000000000-mapping.dmp

Download
memory/3968-300-0x0000000000000000-mapping.dmp

Download
memory/4264-259-0x0000000000000000-mapping.dmp

Download
memory/4264-263-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/4264-264-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/4268-305-0x0000000000000000-mapping.dmp

Download
memory/4424-203-0x0000000000000000-mapping.dmp

Download
memory/4424-212-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/4424-213-0x0000000006C72000-0x0000000006C73000-memory.dmp

Filesize
4KB

Download
memory/4424-221-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/4424-227-0x0000000006C73000-0x0000000006C74000-memory.dmp

Filesize
4KB

Download
memory/4428-288-0x0000000000000000-mapping.dmp

Download
memory/4464-215-0x0000000001102000-0x0000000001103000-memory.dmp

Filesize
4KB

Download
memory/4464-226-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/4464-229-0x0000000001103000-0x0000000001104000-memory.dmp

Filesize
4KB

Download
memory/4464-204-0x0000000000000000-mapping.dmp

Download
memory/4464-214-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/4472-298-0x0000000000000000-mapping.dmp

Download
memory/4524-205-0x0000000000000000-mapping.dmp

Download
memory/4524-216-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/4524-217-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/4524-228-0x0000000006FF3000-0x0000000006FF4000-memory.dmp

Filesize
4KB

Download
memory/4524-225-0x000000007E5F0000-0x000000007E5F1000-memory.dmp

Filesize
4KB

Download
memory/4548-245-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4548-279-0x0000000004CF3000-0x0000000004CF4000-memory.dmp

Filesize
4KB

Download
memory/4548-242-0x0000000000000000-mapping.dmp

Download
memory/4548-246-0x0000000004CF2000-0x0000000004CF3000-memory.dmp

Filesize
4KB

Download
memory/4728-282-0x0000000004AE3000-0x0000000004AE4000-memory.dmp

Filesize
4KB

Download
memory/4728-243-0x0000000000000000-mapping.dmp

Download
memory/4728-248-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/4728-247-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4888-231-0x0000000001362000-0x0000000001363000-memory.dmp

Filesize
4KB

Download
memory/4888-236-0x000000007E390000-0x000000007E391000-memory.dmp

Filesize
4KB

Download
memory/4888-222-0x0000000000000000-mapping.dmp

Download
memory/4888-230-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/4888-239-0x0000000001363000-0x0000000001364000-memory.dmp

Filesize
4KB

Download
memory/4924-306-0x0000000000412E5E-mapping.dmp

Download
memory/4928-233-0x0000000003542000-0x0000000003543000-memory.dmp

Filesize
4KB

Download
memory/4928-223-0x0000000000000000-mapping.dmp

Download
memory/4928-241-0x0000000003543000-0x0000000003544000-memory.dmp

Filesize
4KB

Download
memory/4928-232-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4928-238-0x000000007E850000-0x000000007E851000-memory.dmp

Filesize
4KB

Download
memory/4936-293-0x0000000000000000-mapping.dmp

Download
memory/4972-304-0x0000000000000000-mapping.dmp

Download
memory/4976-235-0x00000000012E2000-0x00000000012E3000-memory.dmp

Filesize
4KB

Download
memory/4976-240-0x00000000012E3000-0x00000000012E4000-memory.dmp

Filesize
4KB

Download
memory/4976-234-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/4976-237-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

Filesize
4KB

Download
memory/4976-224-0x0000000000000000-mapping.dmp

Download
memory/5004-277-0x0000000000000000-mapping.dmp

Download