neshta | c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e

Analysis

max time kernel
154s
max time network
159s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-06-2022 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hello.exe
Size

37KB
MD5

f6578c4f484063121bb63109b543fb95
SHA1

baae4772f958a85f2420a7c112f3b0ee02f962ce
SHA256

c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
SHA512

882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c

Score

10^/10

neshta njrat ramnit next banker evasion persistence spyware stealer suricata trojan upx worm

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

109.197.196.135:9991

Mutex

413491cbe232876548b9b7cd8a1b451d

Attributes

reg_key
413491cbe232876548b9b7cd8a1b451d
splitter
|'|'|

Signatures

Detect Neshta Payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe	family_neshta
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

tmpA8DE.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tmpA8DE.tmp.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata

Executes dropped EXE 13 IoCs

Processes:

tmp679A.tmp.exetmp8087.tmp.exedllhost.exetmpA8DE.tmp.exetmpA8DE.tmp.exetmpA8DE.tmpSrv.exeDesktopLayer.exesvchost.comTMP1B9~1.EXETMP1B9~1Srv.exeDesktopLayer.exesvchost.comTMP4E9~1.EXE

pid	process
296	tmp679A.tmp.exe
916	tmp8087.tmp.exe
1092	dllhost.exe
1712	tmpA8DE.tmp.exe
328	tmpA8DE.tmp.exe
1496	tmpA8DE.tmpSrv.exe
1168	DesktopLayer.exe
2112	svchost.com
2144	TMP1B9~1.EXE
2168	TMP1B9~1Srv.exe
2196	DesktopLayer.exe
2424	svchost.com
2452	TMP4E9~1.EXE

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1656 netsh.exe
1892 netsh.exe
1628 netsh.exe

pid	process
1656	netsh.exe
1892	netsh.exe
1628	netsh.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1168-105-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1496-101-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE	upx
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE	upx
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE	upx
\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe	upx
behavioral1/memory/2168-132-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/2144-138-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE	upx
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE	upx
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE	upx

Drops startup file 4 IoCs

Processes:

hello.exedllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe	hello.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe	hello.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe	dllhost.exe

Loads dropped DLL 17 IoCs

Processes:

hello.exetmp679A.tmp.exedllhost.exetmpA8DE.tmp.exetmpA8DE.tmp.exetmpA8DE.tmpSrv.exesvchost.comTMP1B9~1.EXETMP1B9~1Srv.exesvchost.com

pid	process
1080	hello.exe
1080	hello.exe
296	tmp679A.tmp.exe
1092	dllhost.exe
1092	dllhost.exe
1712	tmpA8DE.tmp.exe
1712	tmpA8DE.tmp.exe
328	tmpA8DE.tmp.exe
1496	tmpA8DE.tmpSrv.exe
1712	tmpA8DE.tmp.exe
1712	tmpA8DE.tmp.exe
2112	svchost.com
2112	svchost.com
2144	TMP1B9~1.EXE
2168	TMP1B9~1Srv.exe
2424	svchost.com
2424	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8087.tmp.exedllhost.exehello.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8087.tmp.exe\" .."	tmp8087.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8087.tmp.exe\" .."	tmp8087.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .."	hello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .."	hello.exe

Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

dllhost.exe

description ioc process

File opened for modification C:\autorun.inf dllhost.exe
File created D:\autorun.inf dllhost.exe
File created C:\autorun.inf dllhost.exe

description	ioc	process
File opened for modification	C:\autorun.inf	dllhost.exe
File created	D:\autorun.inf	dllhost.exe
File created	C:\autorun.inf	dllhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

tmpA8DE.tmp.exeTMP1B9~1Srv.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	tmpA8DE.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	TMP1B9~1Srv.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MIE74D~1\DESKTO~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1C96.tmp	TMP1B9~1Srv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	tmpA8DE.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	tmpA8DE.tmp.exe

Drops file in Windows directory 3 IoCs

Processes:

tmpA8DE.tmp.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	tmpA8DE.tmp.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D46EB761-EDD7-11EC-9824-4224C87335A1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 1 IoCs

Processes:

tmpA8DE.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tmpA8DE.tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dllhost.exe

pid	process
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe
1092	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

1092 dllhost.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

hello.exetmp8087.tmp.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1080	hello.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: SeDebugPrivilege	916	tmp8087.tmp.exe
Token: SeDebugPrivilege	1092	dllhost.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1080	hello.exe
Token: SeIncBasePriorityPrivilege	1080	hello.exe
Token: 33	916	tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege	916	tmp8087.tmp.exe
Token: 33	1092	dllhost.exe
Token: SeIncBasePriorityPrivilege	1092	dllhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

672 iexplore.exe
672 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
672	iexplore.exe
672	iexplore.exe
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
672	iexplore.exe
672	iexplore.exe
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hello.exetmp679A.tmp.exetmp8087.tmp.exedllhost.exetmpA8DE.tmp.exetmpA8DE.tmp.exetmpA8DE.tmpSrv.exeDesktopLayer.exeiexplore.exesvchost.comTMP1B9~1.EXETMP1B9~1Srv.exe

description	pid	process	target process
PID 1080 wrote to memory of 1656	1080	hello.exe	netsh.exe
PID 1080 wrote to memory of 1656	1080	hello.exe	netsh.exe
PID 1080 wrote to memory of 1656	1080	hello.exe	netsh.exe
PID 1080 wrote to memory of 1656	1080	hello.exe	netsh.exe
PID 1080 wrote to memory of 296	1080	hello.exe	tmp679A.tmp.exe
PID 1080 wrote to memory of 296	1080	hello.exe	tmp679A.tmp.exe
PID 1080 wrote to memory of 296	1080	hello.exe	tmp679A.tmp.exe
PID 1080 wrote to memory of 296	1080	hello.exe	tmp679A.tmp.exe
PID 1080 wrote to memory of 916	1080	hello.exe	tmp8087.tmp.exe
PID 1080 wrote to memory of 916	1080	hello.exe	tmp8087.tmp.exe
PID 1080 wrote to memory of 916	1080	hello.exe	tmp8087.tmp.exe
PID 1080 wrote to memory of 916	1080	hello.exe	tmp8087.tmp.exe
PID 296 wrote to memory of 1092	296	tmp679A.tmp.exe	dllhost.exe
PID 296 wrote to memory of 1092	296	tmp679A.tmp.exe	dllhost.exe
PID 296 wrote to memory of 1092	296	tmp679A.tmp.exe	dllhost.exe
PID 296 wrote to memory of 1092	296	tmp679A.tmp.exe	dllhost.exe
PID 916 wrote to memory of 1892	916	tmp8087.tmp.exe	netsh.exe
PID 916 wrote to memory of 1892	916	tmp8087.tmp.exe	netsh.exe
PID 916 wrote to memory of 1892	916	tmp8087.tmp.exe	netsh.exe
PID 916 wrote to memory of 1892	916	tmp8087.tmp.exe	netsh.exe
PID 1092 wrote to memory of 1628	1092	dllhost.exe	netsh.exe
PID 1092 wrote to memory of 1628	1092	dllhost.exe	netsh.exe
PID 1092 wrote to memory of 1628	1092	dllhost.exe	netsh.exe
PID 1092 wrote to memory of 1628	1092	dllhost.exe	netsh.exe
PID 1092 wrote to memory of 1712	1092	dllhost.exe	tmpA8DE.tmp.exe
PID 1092 wrote to memory of 1712	1092	dllhost.exe	tmpA8DE.tmp.exe
PID 1092 wrote to memory of 1712	1092	dllhost.exe	tmpA8DE.tmp.exe
PID 1092 wrote to memory of 1712	1092	dllhost.exe	tmpA8DE.tmp.exe
PID 1712 wrote to memory of 328	1712	tmpA8DE.tmp.exe	tmpA8DE.tmp.exe
PID 1712 wrote to memory of 328	1712	tmpA8DE.tmp.exe	tmpA8DE.tmp.exe
PID 1712 wrote to memory of 328	1712	tmpA8DE.tmp.exe	tmpA8DE.tmp.exe
PID 1712 wrote to memory of 328	1712	tmpA8DE.tmp.exe	tmpA8DE.tmp.exe
PID 328 wrote to memory of 1496	328	tmpA8DE.tmp.exe	tmpA8DE.tmpSrv.exe
PID 328 wrote to memory of 1496	328	tmpA8DE.tmp.exe	tmpA8DE.tmpSrv.exe
PID 328 wrote to memory of 1496	328	tmpA8DE.tmp.exe	tmpA8DE.tmpSrv.exe
PID 328 wrote to memory of 1496	328	tmpA8DE.tmp.exe	tmpA8DE.tmpSrv.exe
PID 1496 wrote to memory of 1168	1496	tmpA8DE.tmpSrv.exe	DesktopLayer.exe
PID 1496 wrote to memory of 1168	1496	tmpA8DE.tmpSrv.exe	DesktopLayer.exe
PID 1496 wrote to memory of 1168	1496	tmpA8DE.tmpSrv.exe	DesktopLayer.exe
PID 1496 wrote to memory of 1168	1496	tmpA8DE.tmpSrv.exe	DesktopLayer.exe
PID 1168 wrote to memory of 672	1168	DesktopLayer.exe	iexplore.exe
PID 1168 wrote to memory of 672	1168	DesktopLayer.exe	iexplore.exe
PID 1168 wrote to memory of 672	1168	DesktopLayer.exe	iexplore.exe
PID 1168 wrote to memory of 672	1168	DesktopLayer.exe	iexplore.exe
PID 672 wrote to memory of 1964	672	iexplore.exe	IEXPLORE.EXE
PID 672 wrote to memory of 1964	672	iexplore.exe	IEXPLORE.EXE
PID 672 wrote to memory of 1964	672	iexplore.exe	IEXPLORE.EXE
PID 672 wrote to memory of 1964	672	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 2112	1092	dllhost.exe	svchost.com
PID 1092 wrote to memory of 2112	1092	dllhost.exe	svchost.com
PID 1092 wrote to memory of 2112	1092	dllhost.exe	svchost.com
PID 1092 wrote to memory of 2112	1092	dllhost.exe	svchost.com
PID 2112 wrote to memory of 2144	2112	svchost.com	TMP1B9~1.EXE
PID 2112 wrote to memory of 2144	2112	svchost.com	TMP1B9~1.EXE
PID 2112 wrote to memory of 2144	2112	svchost.com	TMP1B9~1.EXE
PID 2112 wrote to memory of 2144	2112	svchost.com	TMP1B9~1.EXE
PID 2144 wrote to memory of 2168	2144	TMP1B9~1.EXE	TMP1B9~1Srv.exe
PID 2144 wrote to memory of 2168	2144	TMP1B9~1.EXE	TMP1B9~1Srv.exe
PID 2144 wrote to memory of 2168	2144	TMP1B9~1.EXE	TMP1B9~1Srv.exe
PID 2144 wrote to memory of 2168	2144	TMP1B9~1.EXE	TMP1B9~1Srv.exe
PID 2168 wrote to memory of 2196	2168	TMP1B9~1Srv.exe	DesktopLayer.exe
PID 2168 wrote to memory of 2196	2168	TMP1B9~1Srv.exe	DesktopLayer.exe
PID 2168 wrote to memory of 2196	2168	TMP1B9~1Srv.exe	DesktopLayer.exe
PID 2168 wrote to memory of 2196	2168	TMP1B9~1Srv.exe	DesktopLayer.exe

C:\Users\Admin\AppData\Local\Temp\hello.exe
"C:\Users\Admin\AppData\Local\Temp\hello.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hello.exe" "hello.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1628

C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe"
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328

C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:275457 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:209934 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2168

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
7⤵
- Executes dropped EXE
PID:2196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2424

C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
5⤵
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe" "tmp8087.tmp.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe
Filesize
112KB

MD5
9a1b04a62283ab9848be4331ba124d0c

SHA1
f83fdad90c24e41987b44a022db3856c9ff22368

SHA256
3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a

SHA512
393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe
Filesize
32KB

MD5
00b5c86717162d1d8b22334fe21b9041

SHA1
eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

SHA256
60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

SHA512
e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe
Filesize
32KB

MD5
00b5c86717162d1d8b22334fe21b9041

SHA1
eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

SHA256
60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

SHA512
e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe
Filesize
152KB

MD5
a83982b0882253cabec61f523f16954e

SHA1
fcd593b4380735520b2f77fa7243abd5bcc61c56

SHA256
b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29

SHA512
e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe
Filesize
152KB

MD5
a83982b0882253cabec61f523f16954e

SHA1
fcd593b4380735520b2f77fa7243abd5bcc61c56

SHA256
b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29

SHA512
e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Windows\directx.sys
Filesize
48B

MD5
f9e40b77a07b0d27e13ae001b226881b

SHA1
9531152ad0b25f5371be4b65bb748dbf6f41a367

SHA256
c95ef1d16ca45b6222c64b3e26ec8b982a650da8ff2e028a32dc684d8de51ace

SHA512
107b93147333536c3a3490d6f17fa22aaade7dceef7c5c99f995c893fee71f0096860f0ad24607e61dca29f4719dbbaa38f6a8e3e8195a605826e482aa203515

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe
Filesize
112KB

MD5
9a1b04a62283ab9848be4331ba124d0c

SHA1
f83fdad90c24e41987b44a022db3856c9ff22368

SHA256
3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a

SHA512
393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe
Filesize
112KB

MD5
9a1b04a62283ab9848be4331ba124d0c

SHA1
f83fdad90c24e41987b44a022db3856c9ff22368

SHA256
3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a

SHA512
393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe
Filesize
32KB

MD5
00b5c86717162d1d8b22334fe21b9041

SHA1
eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

SHA256
60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

SHA512
e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe
Filesize
152KB

MD5
a83982b0882253cabec61f523f16954e

SHA1
fcd593b4380735520b2f77fa7243abd5bcc61c56

SHA256
b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29

SHA512
e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe
Filesize
152KB

MD5
a83982b0882253cabec61f523f16954e

SHA1
fcd593b4380735520b2f77fa7243abd5bcc61c56

SHA256
b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29

SHA512
e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

Download Submit
\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
memory/296-75-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/296-60-0x0000000000000000-mapping.dmp

Download
memory/296-64-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/328-109-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/328-110-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/328-92-0x0000000000000000-mapping.dmp

Download
memory/328-114-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/916-76-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/916-66-0x0000000000000000-mapping.dmp

Download
memory/916-82-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1080-55-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1080-58-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1080-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1092-77-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-71-0x0000000000000000-mapping.dmp

Download
memory/1092-83-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1168-100-0x0000000000000000-mapping.dmp

Download
memory/1168-105-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1496-101-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1496-95-0x0000000000000000-mapping.dmp

Download
memory/1628-80-0x0000000000000000-mapping.dmp

Download
memory/1656-56-0x0000000000000000-mapping.dmp

Download
memory/1712-107-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/1712-115-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/1712-112-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/1712-86-0x0000000000000000-mapping.dmp

Download
memory/1712-108-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/1712-113-0x0000000000310000-0x000000000032D000-memory.dmp

Filesize
116KB

Download
memory/1892-78-0x0000000000000000-mapping.dmp

Download
memory/2112-136-0x00000000003B0000-0x00000000003CD000-memory.dmp

Filesize
116KB

Download
memory/2112-137-0x00000000003B0000-0x00000000003CD000-memory.dmp

Filesize
116KB

Download
memory/2112-117-0x0000000000000000-mapping.dmp

Download
memory/2144-139-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2144-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2144-123-0x0000000000000000-mapping.dmp

Download
memory/2168-126-0x0000000000000000-mapping.dmp

Download
memory/2168-132-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2196-131-0x0000000000000000-mapping.dmp

Download
memory/2424-140-0x0000000000000000-mapping.dmp

Download
memory/2452-147-0x0000000000000000-mapping.dmp

Download