pony | 874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291

Analysis

max time kernel
187s
max time network
192s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe
Size

1.4MB
MD5

113e8b10637e6cc627646137a72b5c5f
SHA1

5a24bf144e5b2f0389fab918de5e8a80c1dfae4c
SHA256

874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291
SHA512

9dae0644e39297e69cd017f6e05aad5a4eba8e42176423c97b4ca83397d21bf060304e061305a9dc3f8b5de0bc38f6c60d791e8e372fb7e380f2a2b38df20628
SSDEEP

24576:o9nu6U6JccV5SbELQqxIA3D1RzjfhkOhNRTmpREDh4XJLqYra/dnu6U6JccV5Sbj:o9nu6Dac/SILQqxIA3D1RzjfhkOhNRT6

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://coco-bomgo.ru/wp-content/themes/twentytwelve/admin1/php/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

FB_84F9.tmp.exeFB_85D4.tmp.exeFB_8623.tmp.exeoqcey.exeavas.exe

pid process

1532 FB_84F9.tmp.exe
1324 FB_85D4.tmp.exe
1272 FB_8623.tmp.exe
1724 oqcey.exe
1364 avas.exe

pid	process
1532	FB_84F9.tmp.exe
1324	FB_85D4.tmp.exe
1272	FB_8623.tmp.exe
1724	oqcey.exe
1364	avas.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe	upx
\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe	upx
behavioral1/memory/1324-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1324-243-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe	upx
\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe	upx
behavioral1/memory/1324-657-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 14 IoCs

Processes:

iexplore.exeFB_8623.tmp.exeoqcey.exeFB_84F9.tmp.exe

pid	process
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1272	FB_8623.tmp.exe
1272	FB_8623.tmp.exe
1724	oqcey.exe
1724	oqcey.exe
1532	FB_84F9.tmp.exe
1532	FB_84F9.tmp.exe
1532	FB_84F9.tmp.exe
1724	oqcey.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

FB_85D4.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FB_85D4.tmp.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

FB_85D4.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_85D4.tmp.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

avas.exeoqcey.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	avas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{BA9E93D0-09A5-2651-94E3-99B170659A96} = "C:\\Users\\Admin\\AppData\\Roaming\\Uvylpi\\avas.exe"	avas.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	oqcey.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	oqcey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Puefe = "C:\\Users\\Admin\\AppData\\Roaming\\Syxey\\oqcey.exe"	oqcey.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exeFB_84F9.tmp.exeFB_85D4.tmp.exeFB_8623.tmp.exe

description	pid	process	target process
PID 1648 set thread context of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1532 set thread context of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1324 set thread context of 1316	1324	FB_85D4.tmp.exe	cmd.exe
PID 1272 set thread context of 856	1272	FB_8623.tmp.exe	cmd.exe
PID 1532 set thread context of 1116	1532	FB_84F9.tmp.exe	cmd.exe
PID 1532 set thread context of 1116	1532	FB_84F9.tmp.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

FB_84F9.tmp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	FB_84F9.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	FB_84F9.tmp.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7D4E42F6-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

oqcey.exeavas.exe

pid	process
1724	oqcey.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1364	avas.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe
1724	oqcey.exe
1724	oqcey.exe
1364	avas.exe
1364	avas.exe
1724	oqcey.exe
1364	avas.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FB_8623.tmp.exeFB_84F9.tmp.exeFB_85D4.tmp.exeWinMail.exeWinMail.exeoqcey.exe

description	pid	process
Token: SeSecurityPrivilege	1272	FB_8623.tmp.exe
Token: SeSecurityPrivilege	1272	FB_8623.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeImpersonatePrivilege	1324	FB_85D4.tmp.exe
Token: SeTcbPrivilege	1324	FB_85D4.tmp.exe
Token: SeChangeNotifyPrivilege	1324	FB_85D4.tmp.exe
Token: SeCreateTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeBackupPrivilege	1324	FB_85D4.tmp.exe
Token: SeRestorePrivilege	1324	FB_85D4.tmp.exe
Token: SeIncreaseQuotaPrivilege	1324	FB_85D4.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeManageVolumePrivilege	576	WinMail.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeImpersonatePrivilege	1324	FB_85D4.tmp.exe
Token: SeTcbPrivilege	1324	FB_85D4.tmp.exe
Token: SeChangeNotifyPrivilege	1324	FB_85D4.tmp.exe
Token: SeCreateTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeBackupPrivilege	1324	FB_85D4.tmp.exe
Token: SeRestorePrivilege	1324	FB_85D4.tmp.exe
Token: SeIncreaseQuotaPrivilege	1324	FB_85D4.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeImpersonatePrivilege	1324	FB_85D4.tmp.exe
Token: SeTcbPrivilege	1324	FB_85D4.tmp.exe
Token: SeChangeNotifyPrivilege	1324	FB_85D4.tmp.exe
Token: SeCreateTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeBackupPrivilege	1324	FB_85D4.tmp.exe
Token: SeRestorePrivilege	1324	FB_85D4.tmp.exe
Token: SeIncreaseQuotaPrivilege	1324	FB_85D4.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeImpersonatePrivilege	1324	FB_85D4.tmp.exe
Token: SeTcbPrivilege	1324	FB_85D4.tmp.exe
Token: SeChangeNotifyPrivilege	1324	FB_85D4.tmp.exe
Token: SeCreateTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeBackupPrivilege	1324	FB_85D4.tmp.exe
Token: SeRestorePrivilege	1324	FB_85D4.tmp.exe
Token: SeIncreaseQuotaPrivilege	1324	FB_85D4.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	1324	FB_85D4.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeSecurityPrivilege	1532	FB_84F9.tmp.exe
Token: SeManageVolumePrivilege	1000	WinMail.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe
Token: SeSecurityPrivilege	1724	oqcey.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

576 WinMail.exe
1000 WinMail.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

576 WinMail.exe
1000 WinMail.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

576 WinMail.exe
1000 WinMail.exe

pid	process
576	WinMail.exe
1000	WinMail.exe

pid	process
576	WinMail.exe
1000	WinMail.exe

pid	process
576	WinMail.exe
1000	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exeiexplore.exeFB_8623.tmp.exeoqcey.exeFB_84F9.tmp.exe

description	pid	process	target process
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1648 wrote to memory of 1212	1648	874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe	iexplore.exe
PID 1212 wrote to memory of 1532	1212	iexplore.exe	FB_84F9.tmp.exe
PID 1212 wrote to memory of 1532	1212	iexplore.exe	FB_84F9.tmp.exe
PID 1212 wrote to memory of 1532	1212	iexplore.exe	FB_84F9.tmp.exe
PID 1212 wrote to memory of 1532	1212	iexplore.exe	FB_84F9.tmp.exe
PID 1212 wrote to memory of 1324	1212	iexplore.exe	FB_85D4.tmp.exe
PID 1212 wrote to memory of 1324	1212	iexplore.exe	FB_85D4.tmp.exe
PID 1212 wrote to memory of 1324	1212	iexplore.exe	FB_85D4.tmp.exe
PID 1212 wrote to memory of 1324	1212	iexplore.exe	FB_85D4.tmp.exe
PID 1212 wrote to memory of 1272	1212	iexplore.exe	FB_8623.tmp.exe
PID 1212 wrote to memory of 1272	1212	iexplore.exe	FB_8623.tmp.exe
PID 1212 wrote to memory of 1272	1212	iexplore.exe	FB_8623.tmp.exe
PID 1212 wrote to memory of 1272	1212	iexplore.exe	FB_8623.tmp.exe
PID 1272 wrote to memory of 1724	1272	FB_8623.tmp.exe	oqcey.exe
PID 1272 wrote to memory of 1724	1272	FB_8623.tmp.exe	oqcey.exe
PID 1272 wrote to memory of 1724	1272	FB_8623.tmp.exe	oqcey.exe
PID 1272 wrote to memory of 1724	1272	FB_8623.tmp.exe	oqcey.exe
PID 1724 wrote to memory of 1128	1724	oqcey.exe	taskhost.exe
PID 1724 wrote to memory of 1128	1724	oqcey.exe	taskhost.exe
PID 1724 wrote to memory of 1128	1724	oqcey.exe	taskhost.exe
PID 1724 wrote to memory of 1128	1724	oqcey.exe	taskhost.exe
PID 1724 wrote to memory of 1128	1724	oqcey.exe	taskhost.exe
PID 1724 wrote to memory of 1188	1724	oqcey.exe	Dwm.exe
PID 1724 wrote to memory of 1188	1724	oqcey.exe	Dwm.exe
PID 1724 wrote to memory of 1188	1724	oqcey.exe	Dwm.exe
PID 1724 wrote to memory of 1188	1724	oqcey.exe	Dwm.exe
PID 1724 wrote to memory of 1188	1724	oqcey.exe	Dwm.exe
PID 1724 wrote to memory of 1216	1724	oqcey.exe	Explorer.EXE
PID 1724 wrote to memory of 1216	1724	oqcey.exe	Explorer.EXE
PID 1724 wrote to memory of 1216	1724	oqcey.exe	Explorer.EXE
PID 1724 wrote to memory of 1216	1724	oqcey.exe	Explorer.EXE
PID 1724 wrote to memory of 1216	1724	oqcey.exe	Explorer.EXE
PID 1724 wrote to memory of 1532	1724	oqcey.exe	FB_84F9.tmp.exe
PID 1724 wrote to memory of 1532	1724	oqcey.exe	FB_84F9.tmp.exe
PID 1724 wrote to memory of 1532	1724	oqcey.exe	FB_84F9.tmp.exe
PID 1724 wrote to memory of 1532	1724	oqcey.exe	FB_84F9.tmp.exe
PID 1724 wrote to memory of 1532	1724	oqcey.exe	FB_84F9.tmp.exe
PID 1724 wrote to memory of 1324	1724	oqcey.exe	FB_85D4.tmp.exe
PID 1724 wrote to memory of 1324	1724	oqcey.exe	FB_85D4.tmp.exe
PID 1724 wrote to memory of 1324	1724	oqcey.exe	FB_85D4.tmp.exe
PID 1724 wrote to memory of 1324	1724	oqcey.exe	FB_85D4.tmp.exe
PID 1724 wrote to memory of 1324	1724	oqcey.exe	FB_85D4.tmp.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1532 wrote to memory of 1364	1532	FB_84F9.tmp.exe	avas.exe
PID 1724 wrote to memory of 1272	1724	oqcey.exe	FB_8623.tmp.exe
PID 1724 wrote to memory of 1272	1724	oqcey.exe	FB_8623.tmp.exe
PID 1724 wrote to memory of 1272	1724	oqcey.exe	FB_8623.tmp.exe
PID 1724 wrote to memory of 1272	1724	oqcey.exe	FB_8623.tmp.exe

outlook_win_path 1 IoCs

Processes:

FB_85D4.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_85D4.tmp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe
"C:\Users\Admin\AppData\Local\Temp\874487fc375dec18195e7e5cad2176994cb3429717b3607d9e4fea4503a45291.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\Uvylpi\avas.exe
"C:\Users\Admin\AppData\Roaming\Uvylpi\avas.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1128db83.bat"
5⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7144346.bat" "C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe" "
5⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Roaming\Syxey\oqcey.exe
"C:\Users\Admin\AppData\Roaming\Syxey\oqcey.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp24cefe31.bat"
5⤵
PID:856

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1440

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "816473285-1320602459-13629735751492792338-1269228612-794440937-1358572783746251807"
1⤵
PID:1836

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
Filesize
558B

MD5
3cc0012f96f8f44164c18d7de05023d9

SHA1
c8feb560d751fe720c8bdb53f5e78aa92abb9a9e

SHA256
2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5

SHA512
626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
41dc64b77e0a1e63e669332460c567d3

SHA1
18fea9b52e494f594f5f5520a8e47773f66daf88

SHA256
05ea398f978e234dbc524971f786a941bab8b6cc9dc21f671c496b5619720f19

SHA512
43cc38cf915225ba054c84bbbb3af97ae3c12ca13e2fd9a43fb61ba96f63b8bef925c646943114dd16a8e11c499a5643802a6f42a994aa9004f23f5b627a1ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
Filesize
232B

MD5
5147211dcd47f2ed0c039c73c0ea5121

SHA1
be7b1bfc086b455ef70a15537deb8893137aaf8d

SHA256
7734fbb6508ee95c520523b6a8f821257c3a1d2ff45036bb8d35c5929c481924

SHA512
659ded97fd6d40d96edb9851cc26f1c265d5097c3c60a6e1b4c083d810cc1c270d37758c6bd27ff2a60c1663980724ca194c575c3a30596c888b254d1de1e9ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
Filesize
2.0MB

MD5
f74bf27fdd594629982163b7ac1a9dcc

SHA1
79b0150b32cbb6b6c91063046b1ba1aff67259c8

SHA256
a4d39dd9c79a0147adf0d6a68b352cfdade428ace246c80b5e8275c3c6b649d1

SHA512
da42a81642ff573bd37af7af0cd0032e04ef034d11a79ec19eb3a78f2918c7bc14d695f7f3e11cb8bbb0018337352aea3272ab350e899f7c7541308e2a5563bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk
Filesize
8KB

MD5
5ce6927a8da80b8a79ddd056df976e04

SHA1
087ba7e49d1e847ced77243043586578817efcf2

SHA256
a32a877b7c00d7a7ed2a5d4af060243c424293670f29e9e574f804d080ca04ee

SHA512
f55e4792a4c32a16bc305c689eee70c72ca1cd75ad804f8b435f9d87f5e8181ad93c8eb9bf6993b7ce072732b79a0f20856d889614c69da079c89cd3d3d6f9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
0ff587714c4bbf864ece7abbafa58e56

SHA1
a93f0cd354e8637b68829ad706adbdc2860d806d

SHA256
3b4887b565fa635304222c4bae2fc008ac4315a8662c22c6e2c2479919855835

SHA512
8d0dfdc67021f5855963553b1afc018a46f327740ba1d44d419cfe925ed3eb32ea883dd9332c29b1c91bbc354a3c9bc806b20de9e02257ab0fa43919302c0ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7144346.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe
Filesize
138KB

MD5
7f5da25c7eaa97d92532d22160abc7e2

SHA1
0630ecfacd812605dcc86fc38ad05c5aac089fb0

SHA256
dc2510ab9a346ec323946b518264180be6be672c116e0911aede5e85ede7bfc8

SHA512
e676f6434bc371a66ac4b908587290d1ccf6afe1eb7573e3c4e9ea6dbc6fb15ec37f3c5f90d14599db0d51f097e51c45c485cdc77ec3584e8f92eb96c04928d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe
Filesize
138KB

MD5
7f5da25c7eaa97d92532d22160abc7e2

SHA1
0630ecfacd812605dcc86fc38ad05c5aac089fb0

SHA256
dc2510ab9a346ec323946b518264180be6be672c116e0911aede5e85ede7bfc8

SHA512
e676f6434bc371a66ac4b908587290d1ccf6afe1eb7573e3c4e9ea6dbc6fb15ec37f3c5f90d14599db0d51f097e51c45c485cdc77ec3584e8f92eb96c04928d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe
Filesize
34KB

MD5
9bd5090df80ab7aa21baf18bd964294a

SHA1
ad7406fcb99966a594a22db6cd29e4c014be5e35

SHA256
534724ea404af7afe5d6605e90d23ba067db70ae5b2df0c7717e5799b46825c6

SHA512
9652f86ec0bce5ba667ca6db79af9c68664941cd691d996a5378aa59756a8fe00c8915f54f4455273bd99f49a5a4759f7dcfd3bdb7bbb5a700154a309e088975

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe
Filesize
34KB

MD5
9bd5090df80ab7aa21baf18bd964294a

SHA1
ad7406fcb99966a594a22db6cd29e4c014be5e35

SHA256
534724ea404af7afe5d6605e90d23ba067db70ae5b2df0c7717e5799b46825c6

SHA512
9652f86ec0bce5ba667ca6db79af9c68664941cd691d996a5378aa59756a8fe00c8915f54f4455273bd99f49a5a4759f7dcfd3bdb7bbb5a700154a309e088975

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe
Filesize
221KB

MD5
68d9c641635c8c45c28b0406131ad7ff

SHA1
977bc367c7f67fe91f6e38eed2ada3c5481707f5

SHA256
ca9648f1cd0cbb6d3b58156e66a4f05c6347d20bdd090580b8d96771cee94eb1

SHA512
096b02b884859f8fc3bda44cacc3a915242e733d0b5b637547a25978e57f48b0fa9119f181a1b7af33ce4e3a9017bc831a15c2f3b8722795f359143bc224eb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe
Filesize
221KB

MD5
68d9c641635c8c45c28b0406131ad7ff

SHA1
977bc367c7f67fe91f6e38eed2ada3c5481707f5

SHA256
ca9648f1cd0cbb6d3b58156e66a4f05c6347d20bdd090580b8d96771cee94eb1

SHA512
096b02b884859f8fc3bda44cacc3a915242e733d0b5b637547a25978e57f48b0fa9119f181a1b7af33ce4e3a9017bc831a15c2f3b8722795f359143bc224eb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1128db83.bat
Filesize
201B

MD5
2f6cd386c9b053fcd96805693f48fe79

SHA1
307b5c49780d478e73ba938f345192ab899f6bc5

SHA256
51be6b489d16d54aa0e9c3739c5719fd5808661a859a619e13d32e97e367ee48

SHA512
8931428a13865b6acf2e7c1e13fcd462ea20d1a2bec8ca24a388912d3bb6cd74149da20151bdedfb892941d0edf329ed4cbd5f302c9fd686cf4ebbf9c5bdacc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24cefe31.bat
Filesize
201B

MD5
5cb474ca7b7e5ecf6dee93b8c6db1b01

SHA1
968ca5ec7ffd0c3a7ef8cf80207843e1d5d82c63

SHA256
30c76e7f53f4c1570749d5b205f1534998fcbc4b689662d28c7bd1af31b38b49

SHA512
df7ae57c315d696f17bd256eb5b838ee9d11e527e86b9e1f4a64c5d53122a3d304cf2e954e8352c1400da9479e03918712fcddb02cc13c921a0acb198a86eb2b

Download Submit
C:\Users\Admin\AppData\Roaming\Dezaol\suip.utu
Filesize
345B

MD5
39078b64dea6419e04d412b7a22033bd

SHA1
536fda2373ca28345624e155e5d2f424727ceb88

SHA256
9e2eb63e3db6d42357abe8529eb2035a66f866854cbf2b297cec550f33744229

SHA512
3713ac2ef2effac2134dc4c1884485363fc7542aa787f51a47dbd0071fcc5f6d8bb1db881a72bb65774b988ef0bf7057d1d0de0c1a08ab4a5b7cc129c5804d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Ezeck\uvyl.gyu
Filesize
4KB

MD5
3e3e5c18c5ec2ff33da96487768f2e07

SHA1
c4a4c63c5b554048507a7dfc24ef9ba461a8a83c

SHA256
6789340fbba4bf2db81d4058d986df0df111bf39af9d67ce6d9f0c9c4dd7b928

SHA512
17547547967b0def90153c4e824453c20493e1074d781d4f38d8deb97bdc48ca9c4605604b98b00af1b2d941982275787e7a3b59b17f56d2597d90c7a19d94de

Download Submit
C:\Users\Admin\AppData\Roaming\Syxey\oqcey.exe
Filesize
221KB

MD5
ccd40fb76eb980032f647c3fc2431d8b

SHA1
e9c977d06ab91448187b01e10ced379377141edc

SHA256
ca85f8a6f53e5c2fc2f254612f288f7442965d2d17a7eae3a07e494b856c8e0a

SHA512
907a8189ed1854d553b0c0d1aac7b71cfc7314d3238e2b66a03b1ba634ddd45d05959a605141a9e6f1ad998b82e7dbbcf7724d2ead2843efc6260196aabe3548

Download Submit
C:\Users\Admin\AppData\Roaming\Syxey\oqcey.exe
Filesize
221KB

MD5
ccd40fb76eb980032f647c3fc2431d8b

SHA1
e9c977d06ab91448187b01e10ced379377141edc

SHA256
ca85f8a6f53e5c2fc2f254612f288f7442965d2d17a7eae3a07e494b856c8e0a

SHA512
907a8189ed1854d553b0c0d1aac7b71cfc7314d3238e2b66a03b1ba634ddd45d05959a605141a9e6f1ad998b82e7dbbcf7724d2ead2843efc6260196aabe3548

Download Submit
C:\Users\Admin\AppData\Roaming\Uvylpi\avas.exe
Filesize
138KB

MD5
962296b21dbbc77e7b365300bf6649ce

SHA1
e213ebe1d199ff03050bbb0fb0bab308fe8f3332

SHA256
5b71a20fac87937b596ffd8d4fe0feb4ed4d51b1dcbe6403bb34e2faff814891

SHA512
ec48a215dfc24933e0a67af0d6cbdad842047822992e0441e4b526ee06fdfa66c8311f15ab81700478e3274c7c633a0947562033398db404c9e6adaee6bcbf94

Download Submit
C:\Users\Admin\AppData\Roaming\Uvylpi\avas.exe
Filesize
138KB

MD5
962296b21dbbc77e7b365300bf6649ce

SHA1
e213ebe1d199ff03050bbb0fb0bab308fe8f3332

SHA256
5b71a20fac87937b596ffd8d4fe0feb4ed4d51b1dcbe6403bb34e2faff814891

SHA512
ec48a215dfc24933e0a67af0d6cbdad842047822992e0441e4b526ee06fdfa66c8311f15ab81700478e3274c7c633a0947562033398db404c9e6adaee6bcbf94

Download Submit
\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe
Filesize
138KB

MD5
7f5da25c7eaa97d92532d22160abc7e2

SHA1
0630ecfacd812605dcc86fc38ad05c5aac089fb0

SHA256
dc2510ab9a346ec323946b518264180be6be672c116e0911aede5e85ede7bfc8

SHA512
e676f6434bc371a66ac4b908587290d1ccf6afe1eb7573e3c4e9ea6dbc6fb15ec37f3c5f90d14599db0d51f097e51c45c485cdc77ec3584e8f92eb96c04928d3

Download Submit
\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe
Filesize
138KB

MD5
7f5da25c7eaa97d92532d22160abc7e2

SHA1
0630ecfacd812605dcc86fc38ad05c5aac089fb0

SHA256
dc2510ab9a346ec323946b518264180be6be672c116e0911aede5e85ede7bfc8

SHA512
e676f6434bc371a66ac4b908587290d1ccf6afe1eb7573e3c4e9ea6dbc6fb15ec37f3c5f90d14599db0d51f097e51c45c485cdc77ec3584e8f92eb96c04928d3

Download Submit
\Users\Admin\AppData\Local\Temp\FB_84F9.tmp.exe
Filesize
138KB

MD5
7f5da25c7eaa97d92532d22160abc7e2

SHA1
0630ecfacd812605dcc86fc38ad05c5aac089fb0

SHA256
dc2510ab9a346ec323946b518264180be6be672c116e0911aede5e85ede7bfc8

SHA512
e676f6434bc371a66ac4b908587290d1ccf6afe1eb7573e3c4e9ea6dbc6fb15ec37f3c5f90d14599db0d51f097e51c45c485cdc77ec3584e8f92eb96c04928d3

Download Submit
\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe
Filesize
34KB

MD5
9bd5090df80ab7aa21baf18bd964294a

SHA1
ad7406fcb99966a594a22db6cd29e4c014be5e35

SHA256
534724ea404af7afe5d6605e90d23ba067db70ae5b2df0c7717e5799b46825c6

SHA512
9652f86ec0bce5ba667ca6db79af9c68664941cd691d996a5378aa59756a8fe00c8915f54f4455273bd99f49a5a4759f7dcfd3bdb7bbb5a700154a309e088975

Download Submit
\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe
Filesize
34KB

MD5
9bd5090df80ab7aa21baf18bd964294a

SHA1
ad7406fcb99966a594a22db6cd29e4c014be5e35

SHA256
534724ea404af7afe5d6605e90d23ba067db70ae5b2df0c7717e5799b46825c6

SHA512
9652f86ec0bce5ba667ca6db79af9c68664941cd691d996a5378aa59756a8fe00c8915f54f4455273bd99f49a5a4759f7dcfd3bdb7bbb5a700154a309e088975

Download Submit
\Users\Admin\AppData\Local\Temp\FB_85D4.tmp.exe
Filesize
34KB

MD5
9bd5090df80ab7aa21baf18bd964294a

SHA1
ad7406fcb99966a594a22db6cd29e4c014be5e35

SHA256
534724ea404af7afe5d6605e90d23ba067db70ae5b2df0c7717e5799b46825c6

SHA512
9652f86ec0bce5ba667ca6db79af9c68664941cd691d996a5378aa59756a8fe00c8915f54f4455273bd99f49a5a4759f7dcfd3bdb7bbb5a700154a309e088975

Download Submit
\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe
Filesize
221KB

MD5
68d9c641635c8c45c28b0406131ad7ff

SHA1
977bc367c7f67fe91f6e38eed2ada3c5481707f5

SHA256
ca9648f1cd0cbb6d3b58156e66a4f05c6347d20bdd090580b8d96771cee94eb1

SHA512
096b02b884859f8fc3bda44cacc3a915242e733d0b5b637547a25978e57f48b0fa9119f181a1b7af33ce4e3a9017bc831a15c2f3b8722795f359143bc224eb9a

Download Submit
\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe
Filesize
221KB

MD5
68d9c641635c8c45c28b0406131ad7ff

SHA1
977bc367c7f67fe91f6e38eed2ada3c5481707f5

SHA256
ca9648f1cd0cbb6d3b58156e66a4f05c6347d20bdd090580b8d96771cee94eb1

SHA512
096b02b884859f8fc3bda44cacc3a915242e733d0b5b637547a25978e57f48b0fa9119f181a1b7af33ce4e3a9017bc831a15c2f3b8722795f359143bc224eb9a

Download Submit
\Users\Admin\AppData\Local\Temp\FB_8623.tmp.exe
Filesize
221KB

MD5
68d9c641635c8c45c28b0406131ad7ff

SHA1
977bc367c7f67fe91f6e38eed2ada3c5481707f5

SHA256
ca9648f1cd0cbb6d3b58156e66a4f05c6347d20bdd090580b8d96771cee94eb1

SHA512
096b02b884859f8fc3bda44cacc3a915242e733d0b5b637547a25978e57f48b0fa9119f181a1b7af33ce4e3a9017bc831a15c2f3b8722795f359143bc224eb9a

Download Submit
\Users\Admin\AppData\Roaming\Syxey\oqcey.exe
Filesize
221KB

MD5
ccd40fb76eb980032f647c3fc2431d8b

SHA1
e9c977d06ab91448187b01e10ced379377141edc

SHA256
ca85f8a6f53e5c2fc2f254612f288f7442965d2d17a7eae3a07e494b856c8e0a

SHA512
907a8189ed1854d553b0c0d1aac7b71cfc7314d3238e2b66a03b1ba634ddd45d05959a605141a9e6f1ad998b82e7dbbcf7724d2ead2843efc6260196aabe3548

Download Submit
\Users\Admin\AppData\Roaming\Syxey\oqcey.exe
Filesize
221KB

MD5
ccd40fb76eb980032f647c3fc2431d8b

SHA1
e9c977d06ab91448187b01e10ced379377141edc

SHA256
ca85f8a6f53e5c2fc2f254612f288f7442965d2d17a7eae3a07e494b856c8e0a

SHA512
907a8189ed1854d553b0c0d1aac7b71cfc7314d3238e2b66a03b1ba634ddd45d05959a605141a9e6f1ad998b82e7dbbcf7724d2ead2843efc6260196aabe3548

Download Submit
\Users\Admin\AppData\Roaming\Uvylpi\avas.exe
Filesize
138KB

MD5
962296b21dbbc77e7b365300bf6649ce

SHA1
e213ebe1d199ff03050bbb0fb0bab308fe8f3332

SHA256
5b71a20fac87937b596ffd8d4fe0feb4ed4d51b1dcbe6403bb34e2faff814891

SHA512
ec48a215dfc24933e0a67af0d6cbdad842047822992e0441e4b526ee06fdfa66c8311f15ab81700478e3274c7c633a0947562033398db404c9e6adaee6bcbf94

Download Submit
\Users\Admin\AppData\Roaming\Uvylpi\avas.exe
Filesize
138KB

MD5
962296b21dbbc77e7b365300bf6649ce

SHA1
e213ebe1d199ff03050bbb0fb0bab308fe8f3332

SHA256
5b71a20fac87937b596ffd8d4fe0feb4ed4d51b1dcbe6403bb34e2faff814891

SHA512
ec48a215dfc24933e0a67af0d6cbdad842047822992e0441e4b526ee06fdfa66c8311f15ab81700478e3274c7c633a0947562033398db404c9e6adaee6bcbf94

Download Submit
\Users\Admin\AppData\Roaming\Uvylpi\avas.exe
Filesize
138KB

MD5
962296b21dbbc77e7b365300bf6649ce

SHA1
e213ebe1d199ff03050bbb0fb0bab308fe8f3332

SHA256
5b71a20fac87937b596ffd8d4fe0feb4ed4d51b1dcbe6403bb34e2faff814891

SHA512
ec48a215dfc24933e0a67af0d6cbdad842047822992e0441e4b526ee06fdfa66c8311f15ab81700478e3274c7c633a0947562033398db404c9e6adaee6bcbf94

Download Submit
memory/856-809-0x0000000000069BF5-mapping.dmp

Download
memory/856-967-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/856-820-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1116-1023-0x0000000000090000-0x00000000000B7000-memory.dmp

Filesize
156KB

Download
memory/1116-1020-0x00000000000AD12E-mapping.dmp

Download
memory/1128-84-0x0000000001D50000-0x0000000001D8B000-memory.dmp

Filesize
236KB

Download
memory/1128-82-0x0000000001D50000-0x0000000001D8B000-memory.dmp

Filesize
236KB

Download
memory/1128-83-0x0000000001D50000-0x0000000001D8B000-memory.dmp

Filesize
236KB

Download
memory/1128-81-0x0000000001D50000-0x0000000001D8B000-memory.dmp

Filesize
236KB

Download
memory/1128-79-0x0000000001D50000-0x0000000001D8B000-memory.dmp

Filesize
236KB

Download
memory/1188-88-0x0000000000130000-0x000000000016B000-memory.dmp

Filesize
236KB

Download
memory/1188-90-0x0000000000130000-0x000000000016B000-memory.dmp

Filesize
236KB

Download
memory/1188-89-0x0000000000130000-0x000000000016B000-memory.dmp

Filesize
236KB

Download
memory/1188-87-0x0000000000130000-0x000000000016B000-memory.dmp

Filesize
236KB

Download
memory/1216-95-0x0000000002A90000-0x0000000002ACB000-memory.dmp

Filesize
236KB

Download
memory/1216-96-0x0000000002A90000-0x0000000002ACB000-memory.dmp

Filesize
236KB

Download
memory/1216-94-0x0000000002A90000-0x0000000002ACB000-memory.dmp

Filesize
236KB

Download
memory/1216-93-0x0000000002A90000-0x0000000002ACB000-memory.dmp

Filesize
236KB

Download
memory/1272-648-0x0000000001C80000-0x0000000001CBB000-memory.dmp

Filesize
236KB

Download
memory/1272-66-0x0000000000000000-mapping.dmp

Download
memory/1316-823-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1316-783-0x00000000001D0000-0x000000000020B000-memory.dmp

Filesize
236KB

Download
memory/1316-656-0x00000000001E9BF5-mapping.dmp

Download
memory/1324-62-0x0000000000000000-mapping.dmp

Download
memory/1324-243-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1324-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1324-377-0x0000000002BA0000-0x0000000002BDB000-memory.dmp

Filesize
236KB

Download
memory/1324-657-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1364-389-0x00000000001A9BF5-mapping.dmp

Download
memory/1364-516-0x0000000000190000-0x00000000001CB000-memory.dmp

Filesize
236KB

Download
memory/1532-118-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-101-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-122-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-126-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-120-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-57-0x0000000000000000-mapping.dmp

Download
memory/1532-128-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-378-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-137-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-135-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-116-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-112-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-130-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-114-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-108-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-110-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-104-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-106-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-100-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-102-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-983-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1532-103-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-124-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-139-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1532-132-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1648-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1724-75-0x0000000000000000-mapping.dmp

Download
memory/1724-376-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1724-1024-0x00000000005B0000-0x00000000005D3000-memory.dmp

Filesize
140KB

Download
memory/1724-1049-0x00000000005B0000-0x00000000005D3000-memory.dmp

Filesize
140KB

Download