poullight | 076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a

Analysis

max time kernel
152s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
Size

618KB
MD5

55325b6ce1861b7982b9a3e38be7e8c1
SHA1

f936c13014e3346c0fa88aca690e0f29276cc991
SHA256

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
SHA512

34d4c2a0498f2c430ff2e9049d2634b1fb49e4155b54749ba31c8dac16e7f1a87947485192d0f77ba5eae7c679040c1e047e8ea875b35b9c0142082844425593

Score

10^/10

poullight remcos host persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

Artemlok134-50915.portmap.io:50915

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
WindowsDefender.exe
copy_folder
WindowsDefender
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%SystemDrive%
keylog_crypt
false
keylog_file
ban.dat
keylog_flag
false
keylog_folder
LolWtf
keylog_path
%AppData%
mouse_option
false
mutex
remcos_igwinxzuvw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
qTorrent
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Fktqqeiihqnki.exeWindowsDefender.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Fktqqeiihqnki.exeWindowsDefender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WindowsDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

Fwtsrp.exeFktqqeiihqnki.exeGuthxnefzrkt.exeCjvoamroksm.exeKgkdloedtfs.exeJzmpvemkft.exeIxount.exeWindowsDefender.exesvchost.exeServer.exe

pid	process
1956	Fwtsrp.exe
1268	Fktqqeiihqnki.exe
2012	Guthxnefzrkt.exe
1216	Cjvoamroksm.exe
896	Kgkdloedtfs.exe
1768	Jzmpvemkft.exe
432	Ixount.exe
1104	WindowsDefender.exe
1492	svchost.exe
676	Server.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.exe	svchost.exe

Loads dropped DLL 12 IoCs

Processes:

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.execmd.exeFwtsrp.exe

pid	process
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
2032	cmd.exe
2032	cmd.exe
1956	Fwtsrp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Fktqqeiihqnki.exeWindowsDefender.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	WindowsDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WindowsDefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	Fktqqeiihqnki.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Fktqqeiihqnki.exeWindowsDefender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Fktqqeiihqnki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	WindowsDefender.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WindowsDefender.exe

description pid process target process

PID 1104 set thread context of 1352 1104 WindowsDefender.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

992 1768 WerFault.exe Jzmpvemkft.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1516 schtasks.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Cjvoamroksm.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main Cjvoamroksm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

992 PING.EXE

description	pid	process	target process
PID 1104 set thread context of 1352	1104	WindowsDefender.exe	iexplore.exe

pid	pid_target	process	target process
992	1768	WerFault.exe	Jzmpvemkft.exe

pid	process
1516	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	Cjvoamroksm.exe

pid	process
992	PING.EXE

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

Guthxnefzrkt.exeCjvoamroksm.exe

pid	process
2012	Guthxnefzrkt.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
2012	Guthxnefzrkt.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1492 svchost.exe

pid	process
1492	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Cjvoamroksm.exeJzmpvemkft.exeGuthxnefzrkt.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1216	Cjvoamroksm.exe
Token: SeDebugPrivilege	1768	Jzmpvemkft.exe
Token: SeDebugPrivilege	2012	Guthxnefzrkt.exe
Token: SeDebugPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe
Token: 33	1492	svchost.exe
Token: SeIncBasePriorityPrivilege	1492	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

iexplore.exeCjvoamroksm.exe

pid process

1352 iexplore.exe
1216 Cjvoamroksm.exe
1216 Cjvoamroksm.exe

pid	process
1352	iexplore.exe
1216	Cjvoamroksm.exe
1216	Cjvoamroksm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exeFktqqeiihqnki.execmd.exeWindowsDefender.exeFwtsrp.exeJzmpvemkft.exesvchost.exe

description	pid	process	target process
PID 1580 wrote to memory of 1956	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 1580 wrote to memory of 1956	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 1580 wrote to memory of 1956	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 1580 wrote to memory of 1956	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 1580 wrote to memory of 1268	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 1580 wrote to memory of 1268	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 1580 wrote to memory of 1268	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 1580 wrote to memory of 1268	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 1580 wrote to memory of 2012	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Guthxnefzrkt.exe
PID 1580 wrote to memory of 2012	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Guthxnefzrkt.exe
PID 1580 wrote to memory of 2012	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Guthxnefzrkt.exe
PID 1580 wrote to memory of 2012	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Guthxnefzrkt.exe
PID 1580 wrote to memory of 1216	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 1580 wrote to memory of 1216	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 1580 wrote to memory of 1216	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 1580 wrote to memory of 1216	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 1580 wrote to memory of 896	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 1580 wrote to memory of 896	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 1580 wrote to memory of 896	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 1580 wrote to memory of 896	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 1580 wrote to memory of 1768	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Jzmpvemkft.exe
PID 1580 wrote to memory of 1768	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Jzmpvemkft.exe
PID 1580 wrote to memory of 1768	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Jzmpvemkft.exe
PID 1580 wrote to memory of 1768	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Jzmpvemkft.exe
PID 1580 wrote to memory of 432	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 1580 wrote to memory of 432	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 1580 wrote to memory of 432	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 1580 wrote to memory of 432	1580	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 1268 wrote to memory of 2032	1268	Fktqqeiihqnki.exe	cmd.exe
PID 2032 wrote to memory of 992	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 992	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 992	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 992	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1104	2032	cmd.exe	WindowsDefender.exe
PID 2032 wrote to memory of 1104	2032	cmd.exe	WindowsDefender.exe
PID 2032 wrote to memory of 1104	2032	cmd.exe	WindowsDefender.exe
PID 2032 wrote to memory of 1104	2032	cmd.exe	WindowsDefender.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1104 wrote to memory of 1352	1104	WindowsDefender.exe	iexplore.exe
PID 1956 wrote to memory of 1492	1956	Fwtsrp.exe	svchost.exe
PID 1956 wrote to memory of 1492	1956	Fwtsrp.exe	svchost.exe
PID 1956 wrote to memory of 1492	1956	Fwtsrp.exe	svchost.exe
PID 1956 wrote to memory of 1492	1956	Fwtsrp.exe	svchost.exe
PID 1768 wrote to memory of 992	1768	Jzmpvemkft.exe	WerFault.exe
PID 1768 wrote to memory of 992	1768	Jzmpvemkft.exe	WerFault.exe
PID 1768 wrote to memory of 992	1768	Jzmpvemkft.exe	WerFault.exe
PID 1492 wrote to memory of 1516	1492	svchost.exe	schtasks.exe
PID 1492 wrote to memory of 1516	1492	svchost.exe	schtasks.exe
PID 1492 wrote to memory of 1516	1492	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
"C:\Users\Admin\AppData\Local\Temp\076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
"C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
4⤵
- Creates scheduled task(s)
PID:1516

C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
"C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:992

C:\WindowsDefender\WindowsDefender.exe
"C:\WindowsDefender\WindowsDefender.exe"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
"C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
"C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
"C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe"
2⤵
- Executes dropped EXE
PID:896

C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
"C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1768 -s 1584
3⤵
- Program crash
PID:992

C:\Users\Admin\AppData\Local\Temp\Ixount.exe
"C:\Users\Admin\AppData\Local\Temp\Ixount.exe"
2⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\taskeng.exe
taskeng.exe {322694E7-6923-4C86-BD1D-65290E90AE05} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
Filesize
215KB

MD5
d2dadfffd0d0b568488b545bbd20ffdb

SHA1
3f7857f14e092c16fe0b4f56adf7fc0de9837921

SHA256
c6b014fee2b8660cb29d8e9745551aa91a8a9da998a8fb55f1b7e25647a5f028

SHA512
afe1e42ea3749aa5663df9a84998c71c6eb668cbf1b775e7fb0c8374a1fbd23b31bae58995eba729d84594ededdffb79520c3ed547137468e52c433e7339baa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
Filesize
215KB

MD5
d2dadfffd0d0b568488b545bbd20ffdb

SHA1
3f7857f14e092c16fe0b4f56adf7fc0de9837921

SHA256
c6b014fee2b8660cb29d8e9745551aa91a8a9da998a8fb55f1b7e25647a5f028

SHA512
afe1e42ea3749aa5663df9a84998c71c6eb668cbf1b775e7fb0c8374a1fbd23b31bae58995eba729d84594ededdffb79520c3ed547137468e52c433e7339baa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
Filesize
191KB

MD5
af780d52692a18542d0c1c09018d66b6

SHA1
cb8e3c4a1a93dff4fe26380987a6fe961aa9569f

SHA256
b159ab627b17febc5a0f8af89b4761ceec83a4f0077170baff4f761bae21f223

SHA512
10b675a5c814a3e867e6aa3fac0b09e4448edd92feba1020d304d005aa8a5960a1df71ab424008106c342633d08ee9960a98ee70574272d159cb1a0a534e00e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
Filesize
191KB

MD5
af780d52692a18542d0c1c09018d66b6

SHA1
cb8e3c4a1a93dff4fe26380987a6fe961aa9569f

SHA256
b159ab627b17febc5a0f8af89b4761ceec83a4f0077170baff4f761bae21f223

SHA512
10b675a5c814a3e867e6aa3fac0b09e4448edd92feba1020d304d005aa8a5960a1df71ab424008106c342633d08ee9960a98ee70574272d159cb1a0a534e00e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ixount.exe
Filesize
55KB

MD5
f10b00d5198070d136773a13b44f0c09

SHA1
7d6cbfd28c597b93f9b02233b2e43e60f8beb458

SHA256
0ecff37f3e85044af87a6499794b921a39c1821e38a4d9c57c8f15c9b852644f

SHA512
9218198a12e36dad75e8b892306b8590318b16f7bf44d91be2c58c3500016fad285ddd2dede3c6707ba27cf5583feea7a5d32d83a5539d5536f7ce9a1593030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ixount.exe
Filesize
55KB

MD5
f10b00d5198070d136773a13b44f0c09

SHA1
7d6cbfd28c597b93f9b02233b2e43e60f8beb458

SHA256
0ecff37f3e85044af87a6499794b921a39c1821e38a4d9c57c8f15c9b852644f

SHA512
9218198a12e36dad75e8b892306b8590318b16f7bf44d91be2c58c3500016fad285ddd2dede3c6707ba27cf5583feea7a5d32d83a5539d5536f7ce9a1593030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
Filesize
55KB

MD5
91c91eb2f1d210e72c9d30fcbeeca152

SHA1
f846979abaa50f9c9a4a4d2b3d960a4912239ea3

SHA256
29077cc2362b17677c8fcef23d17e6b95daad21211e9ba2db8bdc800eb5410cf

SHA512
3b9fcb014208dd0d3dcd88abe1871bf1792e00448181fe1619c7405741f0e5e59b8a9c1b24f81e299a80c157cfe129264cbc8c5e7a138524b0e187f6913291db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
Filesize
55KB

MD5
91c91eb2f1d210e72c9d30fcbeeca152

SHA1
f846979abaa50f9c9a4a4d2b3d960a4912239ea3

SHA256
29077cc2362b17677c8fcef23d17e6b95daad21211e9ba2db8bdc800eb5410cf

SHA512
3b9fcb014208dd0d3dcd88abe1871bf1792e00448181fe1619c7405741f0e5e59b8a9c1b24f81e299a80c157cfe129264cbc8c5e7a138524b0e187f6913291db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
Filesize
73KB

MD5
16ece5edee983f9c1dac0044c9d3895a

SHA1
c080e9b725a988983d43a1ec569c9c856bc686c8

SHA256
c497d5beab294032f654da11579dba76a22a61dd3600c4d37dcd2fa781712fae

SHA512
86f5696420db0ee854ce0aa9f9e2111e1bf225c0ae728321e4bc75f3ab2de490f626c27ff44ac4abc49cd19412a9c169865f5a9956e61d9258435f361a073026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
Filesize
73KB

MD5
16ece5edee983f9c1dac0044c9d3895a

SHA1
c080e9b725a988983d43a1ec569c9c856bc686c8

SHA256
c497d5beab294032f654da11579dba76a22a61dd3600c4d37dcd2fa781712fae

SHA512
86f5696420db0ee854ce0aa9f9e2111e1bf225c0ae728321e4bc75f3ab2de490f626c27ff44ac4abc49cd19412a9c169865f5a9956e61d9258435f361a073026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
148B

MD5
8e7ed4782339b5f44357e62549f7267e

SHA1
f261e2d4c1c5488f8b8dde8d9e3a78633f36beec

SHA256
b808b06d31c91af9996dbec4f8aecfdb6c5150799a30c93290288fdfcd9a2888

SHA512
2d382e2cef1175d0b28f123a5e1a242a0782e3f753928fd04e37355287aeedc849cc6f01c81c7a49962875b00049e5d012310a91a620df1852b88e1595f024a1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\WindowsDefender\WindowsDefender.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
C:\WindowsDefender\WindowsDefender.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
Filesize
215KB

MD5
d2dadfffd0d0b568488b545bbd20ffdb

SHA1
3f7857f14e092c16fe0b4f56adf7fc0de9837921

SHA256
c6b014fee2b8660cb29d8e9745551aa91a8a9da998a8fb55f1b7e25647a5f028

SHA512
afe1e42ea3749aa5663df9a84998c71c6eb668cbf1b775e7fb0c8374a1fbd23b31bae58995eba729d84594ededdffb79520c3ed547137468e52c433e7339baa4

Download Submit
\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
Filesize
191KB

MD5
af780d52692a18542d0c1c09018d66b6

SHA1
cb8e3c4a1a93dff4fe26380987a6fe961aa9569f

SHA256
b159ab627b17febc5a0f8af89b4761ceec83a4f0077170baff4f761bae21f223

SHA512
10b675a5c814a3e867e6aa3fac0b09e4448edd92feba1020d304d005aa8a5960a1df71ab424008106c342633d08ee9960a98ee70574272d159cb1a0a534e00e7

Download Submit
\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
Filesize
191KB

MD5
af780d52692a18542d0c1c09018d66b6

SHA1
cb8e3c4a1a93dff4fe26380987a6fe961aa9569f

SHA256
b159ab627b17febc5a0f8af89b4761ceec83a4f0077170baff4f761bae21f223

SHA512
10b675a5c814a3e867e6aa3fac0b09e4448edd92feba1020d304d005aa8a5960a1df71ab424008106c342633d08ee9960a98ee70574272d159cb1a0a534e00e7

Download Submit
\Users\Admin\AppData\Local\Temp\Ixount.exe
Filesize
55KB

MD5
f10b00d5198070d136773a13b44f0c09

SHA1
7d6cbfd28c597b93f9b02233b2e43e60f8beb458

SHA256
0ecff37f3e85044af87a6499794b921a39c1821e38a4d9c57c8f15c9b852644f

SHA512
9218198a12e36dad75e8b892306b8590318b16f7bf44d91be2c58c3500016fad285ddd2dede3c6707ba27cf5583feea7a5d32d83a5539d5536f7ce9a1593030f

Download Submit
\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
Filesize
55KB

MD5
91c91eb2f1d210e72c9d30fcbeeca152

SHA1
f846979abaa50f9c9a4a4d2b3d960a4912239ea3

SHA256
29077cc2362b17677c8fcef23d17e6b95daad21211e9ba2db8bdc800eb5410cf

SHA512
3b9fcb014208dd0d3dcd88abe1871bf1792e00448181fe1619c7405741f0e5e59b8a9c1b24f81e299a80c157cfe129264cbc8c5e7a138524b0e187f6913291db

Download Submit
\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
Filesize
73KB

MD5
16ece5edee983f9c1dac0044c9d3895a

SHA1
c080e9b725a988983d43a1ec569c9c856bc686c8

SHA256
c497d5beab294032f654da11579dba76a22a61dd3600c4d37dcd2fa781712fae

SHA512
86f5696420db0ee854ce0aa9f9e2111e1bf225c0ae728321e4bc75f3ab2de490f626c27ff44ac4abc49cd19412a9c169865f5a9956e61d9258435f361a073026

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
\WindowsDefender\WindowsDefender.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
\WindowsDefender\WindowsDefender.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
memory/432-97-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/432-90-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/432-85-0x0000000000000000-mapping.dmp

Download
memory/432-93-0x00000000002F0000-0x0000000000308000-memory.dmp

Filesize
96KB

Download
memory/676-127-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/676-124-0x0000000000000000-mapping.dmp

Download
memory/896-92-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/896-98-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/896-87-0x00000000000C0000-0x00000000000D8000-memory.dmp

Filesize
96KB

Download
memory/896-76-0x0000000000000000-mapping.dmp

Download
memory/992-95-0x0000000000000000-mapping.dmp

Download
memory/992-121-0x0000000000000000-mapping.dmp

Download
memory/1104-105-0x0000000000000000-mapping.dmp

Download
memory/1216-108-0x0000000001D55000-0x0000000001D66000-memory.dmp

Filesize
68KB

Download
memory/1216-128-0x000000000AD10000-0x000000000B4B6000-memory.dmp

Filesize
7.6MB

Download
memory/1216-71-0x0000000000000000-mapping.dmp

Download
memory/1216-74-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/1268-62-0x0000000000000000-mapping.dmp

Download
memory/1492-116-0x0000000000000000-mapping.dmp

Download
memory/1492-120-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-122-0x0000000000000000-mapping.dmp

Download
memory/1580-55-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/1580-54-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-112-0x00000000001D0000-0x00000000001E8000-memory.dmp

Filesize
96KB

Download
memory/1768-114-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1768-109-0x0000000000870000-0x0000000000884000-memory.dmp

Filesize
80KB

Download
memory/1768-79-0x0000000000000000-mapping.dmp

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/1956-100-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-113-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2012-111-0x00000000003F0000-0x0000000000442000-memory.dmp

Filesize
328KB

Download
memory/2012-110-0x0000000000820000-0x0000000000856000-memory.dmp

Filesize
216KB

Download
memory/2012-67-0x0000000000000000-mapping.dmp

Download
memory/2032-91-0x0000000000000000-mapping.dmp

Download