dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Size

1.9MB
MD5

4a401739cc063b19870a7c1cf3a5d8a9
SHA1

0bfd9614b124c7bc1035e58d1ed2e2e3d020686c
SHA256

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac
SHA512

ce9fc63110adedaee0ab4ab569d210853d6b58c9a1233a776c7b7012d007d2bdf23a91fc92318ddd438940b08bb9a6f10a8dd14832fdec8adcf99210ae9b249c

Score

8^/10

discovery macro persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exeSynaptics.exe._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1216	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1576	Synaptics.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bG7Z9sJY.xlsm	office_macros

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Loads dropped DLL 9 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1908 EXCEL.EXE

pid	process
1908	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description pid process

Token: SeDebugPrivilege 1748 ._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1908 EXCEL.EXE
1908 EXCEL.EXE
1908 EXCEL.EXE
1908 EXCEL.EXE
1908 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1748	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	pid	process	target process
PID 4024 wrote to memory of 1216	4024	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 4024 wrote to memory of 1216	4024	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 4024 wrote to memory of 1216	4024	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 4024 wrote to memory of 1576	4024	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 4024 wrote to memory of 1576	4024	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 4024 wrote to memory of 1576	4024	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 1216 wrote to memory of 1748	1216	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1216 wrote to memory of 1748	1216	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1216 wrote to memory of 1748	1216	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

C:\Users\Admin\AppData\Local\Temp\dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
"C:\Users\Admin\AppData\Local\Temp\dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe" -burn.unelevated BurnPipe.{8BFCF6B7-F28A-4D87-9DFA-B55D89B63AE4} {904653A8-70B3-44A7-9B8F-FC057620D5C4} 1216
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1576

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
f6dc5c09d9e0941fd93a9bda70c6a529

SHA1
27a9250233252625456c06049292a2c27a6a4efc

SHA256
a0a20c6b71890512baf81b9843db7e18608def2e19e19a020802ca7702563ff4

SHA512
8bcd32f755531ddb457db3969d2c0606232dd1dcde6fe171f511a1877eb5b6efda11b8e92baf156d9b92b32d0c4f93e3050366f617cf21c8de50403bb5fa4ab8

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
f6dc5c09d9e0941fd93a9bda70c6a529

SHA1
27a9250233252625456c06049292a2c27a6a4efc

SHA256
a0a20c6b71890512baf81b9843db7e18608def2e19e19a020802ca7702563ff4

SHA512
8bcd32f755531ddb457db3969d2c0606232dd1dcde6fe171f511a1877eb5b6efda11b8e92baf156d9b92b32d0c4f93e3050366f617cf21c8de50403bb5fa4ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bG7Z9sJY.xlsm

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll

MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll

MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll

MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll

MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll

MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll

MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll

MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll

MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\mbahost.dll

MD5
fe7968a25d40e940eba0ed10e420b0b8

SHA1
12d89db5ec0bd6aa4980141cc420b5a2fa01a5ec

SHA256
1c94f023d5d246551451229676132bb0be239129963be24394b13e090db69dee

SHA512
f6135e9842dfb4d717e7d496957090b27549dbe46a5845271c83be054f7fe0236bf1f75811a80a0502bf6123bf342c11ac0f1a603d59785841d42d197ed90134

Download Submit
memory/1216-115-0x0000000000000000-mapping.dmp

Download
memory/1576-125-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/1576-118-0x0000000000000000-mapping.dmp

Download
memory/1748-138-0x0000000002A15000-0x0000000002A16000-memory.dmp

Filesize
4KB

Download
memory/1748-211-0x0000000003482000-0x0000000003483000-memory.dmp

Filesize
4KB

Download
memory/1748-131-0x0000000002A12000-0x0000000002A13000-memory.dmp

Filesize
4KB

Download
memory/1748-218-0x0000000003492000-0x0000000003497000-memory.dmp

Filesize
20KB

Download
memory/1748-132-0x0000000002A13000-0x0000000002A15000-memory.dmp

Filesize
8KB

Download
memory/1748-126-0x0000000002A11000-0x0000000002A12000-memory.dmp

Filesize
4KB

Download
memory/1748-217-0x000000000348F000-0x0000000003492000-memory.dmp

Filesize
12KB

Download
memory/1748-139-0x0000000002A16000-0x0000000002A17000-memory.dmp

Filesize
4KB

Download
memory/1748-216-0x000000000348C000-0x000000000348F000-memory.dmp

Filesize
12KB

Download
memory/1748-214-0x0000000003487000-0x0000000003489000-memory.dmp

Filesize
8KB

Download
memory/1748-215-0x0000000003489000-0x000000000348C000-memory.dmp

Filesize
12KB

Download
memory/1748-213-0x0000000003485000-0x0000000003487000-memory.dmp

Filesize
8KB

Download
memory/1748-212-0x0000000003484000-0x0000000003485000-memory.dmp

Filesize
4KB

Download
memory/1748-133-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1748-210-0x0000000003483000-0x0000000003484000-memory.dmp

Filesize
4KB

Download
memory/1748-155-0x0000000002A19000-0x0000000002A1B000-memory.dmp

Filesize
8KB

Download
memory/1748-209-0x0000000003480000-0x0000000003482000-memory.dmp

Filesize
8KB

Download
memory/1748-121-0x0000000000000000-mapping.dmp

Download
memory/1748-207-0x000000007ECD0000-0x000000007ECD1000-memory.dmp

Filesize
4KB

Download
memory/1748-208-0x0000000002A1B000-0x0000000002A1F000-memory.dmp

Filesize
16KB

Download
memory/1908-148-0x00007FF94B0E0000-0x00007FF94CFD5000-memory.dmp

Filesize
31.0MB

Download
memory/1908-147-0x00007FF94CFE0000-0x00007FF94E0CE000-memory.dmp

Filesize
16.9MB

Download
memory/1908-146-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp

Filesize
64KB

Download
memory/1908-143-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp

Filesize
64KB

Download
memory/1908-142-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp

Filesize
64KB

Download
memory/1908-141-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp

Filesize
64KB

Download
memory/1908-140-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp

Filesize
64KB

Download
memory/1908-123-0x00007FF6B56A0000-0x00007FF6B8C56000-memory.dmp

Filesize
53.7MB

Download
memory/3488-156-0x0000000000D20000-0x0000000000D22000-memory.dmp

Filesize
8KB

Download
memory/4024-114-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download