formbook | 219cefc8a02aa9c891d95febd308941a2f6d2a8fb5dadcb14b747bd456d56e5f

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-03-2023 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO2023.docx
Size

10KB
MD5

3bd45b53b7c5bb34787723820e0fdae3
SHA1

67d08bbc3da158e4d600d6447350e70774a0a35b
SHA256

219cefc8a02aa9c891d95febd308941a2f6d2a8fb5dadcb14b747bd456d56e5f
SHA512

c7a19b16fc5fbc1d6a68428965f2c4b295cf226f0c91aa7e91401a1c2f121d0177c030e3c3ada1ca30d5fecd8b86d0e69227170a1965c02d0cb5eff599ff80bb
SSDEEP

192:ScIMmtP1aIG/bslPL++uO1KPol+CVWBXJC0c3dkJfe:SPXU/slT+LO1YoHkZC9dqm

Score

10^/10

formbook remcos remotehost dcn0 collection persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

top.noforabusers1.xyz:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5DQBA4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1932-223-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1932-234-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1932-247-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1600-216-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1600-231-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1600-241-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-216-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1932-223-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1632-232-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1600-231-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1932-234-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1632-236-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1600-241-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1932-247-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1344 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1344	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://314482727/se.......se.........se.doc	WINWORD.EXE

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

bmhxz.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation bmhxz.exe
Executes dropped EXE 10 IoCs

Processes:

vbc.exezipguge.exezipguge.exezipguge.exedwn.exebmhxz.exebmhxz.exezipguge.exezipguge.exezipguge.exe

pid process

1312 vbc.exe
928 zipguge.exe
580 zipguge.exe
956 zipguge.exe
1748 dwn.exe
396 bmhxz.exe
1456 bmhxz.exe
1600 zipguge.exe
1932 zipguge.exe
1632 zipguge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation	bmhxz.exe

pid	process
1312	vbc.exe
928	zipguge.exe
580	zipguge.exe
956	zipguge.exe
1748	dwn.exe
396	bmhxz.exe
1456	bmhxz.exe
1600	zipguge.exe
1932	zipguge.exe
1632	zipguge.exe

Loads dropped DLL 13 IoCs

Processes:

EQNEDT32.EXEvbc.exezipguge.exezipguge.exedwn.exebmhxz.exehelp.exe

pid	process
1344	EQNEDT32.EXE
1312	vbc.exe
1312	vbc.exe
928	zipguge.exe
928	zipguge.exe
956	zipguge.exe
1748	dwn.exe
1748	dwn.exe
396	bmhxz.exe
956	zipguge.exe
956	zipguge.exe
956	zipguge.exe
928	help.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/956-160-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-162-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-164-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-165-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-166-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-167-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-169-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-170-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-172-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-173-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-171-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-175-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-190-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-253-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-255-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-259-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-260-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-268-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-269-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-316-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-317-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/956-324-0x0000000000400000-0x0000000000488000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

zipguge.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	zipguge.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zipguge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\frdnx = "C:\\Users\\Admin\\AppData\\Roaming\\wtwklmktexxebr\\pepnknlvetqnvf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zipguge.exe\" C:\\Users\\Admin\\Ap"	zipguge.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

zipguge.exebmhxz.exezipguge.exebmhxz.exehelp.exe

description	pid	process	target process
PID 928 set thread context of 956	928	zipguge.exe	zipguge.exe
PID 396 set thread context of 1456	396	bmhxz.exe	bmhxz.exe
PID 956 set thread context of 1600	956	zipguge.exe	zipguge.exe
PID 956 set thread context of 1932	956	zipguge.exe	zipguge.exe
PID 956 set thread context of 1632	956	zipguge.exe	zipguge.exe
PID 1456 set thread context of 1204	1456	bmhxz.exe	Explorer.EXE
PID 928 set thread context of 1204	928	help.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1344 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEhelp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-2647223082-2067913677-935928954-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1396 WINWORD.EXE

pid	process
1396	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

bmhxz.exezipguge.exehelp.exe

pid	process
1456	bmhxz.exe
1456	bmhxz.exe
1456	bmhxz.exe
1456	bmhxz.exe
1600	zipguge.exe
1600	zipguge.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe

Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

zipguge.exebmhxz.exezipguge.exebmhxz.exehelp.exe

pid	process
928	zipguge.exe
928	zipguge.exe
396	bmhxz.exe
956	zipguge.exe
956	zipguge.exe
1456	bmhxz.exe
956	zipguge.exe
1456	bmhxz.exe
1456	bmhxz.exe
928	help.exe
928	help.exe
928	help.exe
928	help.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bmhxz.exezipguge.exehelp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1456	bmhxz.exe
Token: SeDebugPrivilege	1632	zipguge.exe
Token: SeDebugPrivilege	928	help.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEExplorer.EXE

pid process

1396 WINWORD.EXE
1396 WINWORD.EXE
1204 Explorer.EXE

pid	process
1396	WINWORD.EXE
1396	WINWORD.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

EQNEDT32.EXEvbc.exezipguge.exeWINWORD.EXEzipguge.exedwn.exebmhxz.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1344 wrote to memory of 1312	1344	EQNEDT32.EXE	vbc.exe
PID 1344 wrote to memory of 1312	1344	EQNEDT32.EXE	vbc.exe
PID 1344 wrote to memory of 1312	1344	EQNEDT32.EXE	vbc.exe
PID 1344 wrote to memory of 1312	1344	EQNEDT32.EXE	vbc.exe
PID 1312 wrote to memory of 928	1312	vbc.exe	zipguge.exe
PID 1312 wrote to memory of 928	1312	vbc.exe	zipguge.exe
PID 1312 wrote to memory of 928	1312	vbc.exe	zipguge.exe
PID 1312 wrote to memory of 928	1312	vbc.exe	zipguge.exe
PID 928 wrote to memory of 580	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 580	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 580	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 580	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 956	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 956	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 956	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 956	928	zipguge.exe	zipguge.exe
PID 928 wrote to memory of 956	928	zipguge.exe	zipguge.exe
PID 1396 wrote to memory of 944	1396	WINWORD.EXE	splwow64.exe
PID 1396 wrote to memory of 944	1396	WINWORD.EXE	splwow64.exe
PID 1396 wrote to memory of 944	1396	WINWORD.EXE	splwow64.exe
PID 1396 wrote to memory of 944	1396	WINWORD.EXE	splwow64.exe
PID 956 wrote to memory of 1748	956	zipguge.exe	dwn.exe
PID 956 wrote to memory of 1748	956	zipguge.exe	dwn.exe
PID 956 wrote to memory of 1748	956	zipguge.exe	dwn.exe
PID 956 wrote to memory of 1748	956	zipguge.exe	dwn.exe
PID 1748 wrote to memory of 396	1748	dwn.exe	bmhxz.exe
PID 1748 wrote to memory of 396	1748	dwn.exe	bmhxz.exe
PID 1748 wrote to memory of 396	1748	dwn.exe	bmhxz.exe
PID 1748 wrote to memory of 396	1748	dwn.exe	bmhxz.exe
PID 396 wrote to memory of 1456	396	bmhxz.exe	bmhxz.exe
PID 396 wrote to memory of 1456	396	bmhxz.exe	bmhxz.exe
PID 396 wrote to memory of 1456	396	bmhxz.exe	bmhxz.exe
PID 396 wrote to memory of 1456	396	bmhxz.exe	bmhxz.exe
PID 396 wrote to memory of 1456	396	bmhxz.exe	bmhxz.exe
PID 956 wrote to memory of 1600	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1600	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1600	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1600	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1600	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1932	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1932	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1932	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1932	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1932	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1632	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1632	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1632	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1632	956	zipguge.exe	zipguge.exe
PID 956 wrote to memory of 1632	956	zipguge.exe	zipguge.exe
PID 1204 wrote to memory of 928	1204	Explorer.EXE	help.exe
PID 1204 wrote to memory of 928	1204	Explorer.EXE	help.exe
PID 1204 wrote to memory of 928	1204	Explorer.EXE	help.exe
PID 1204 wrote to memory of 928	1204	Explorer.EXE	help.exe
PID 928 wrote to memory of 1908	928	help.exe	Firefox.exe
PID 928 wrote to memory of 1908	928	help.exe	Firefox.exe
PID 928 wrote to memory of 1908	928	help.exe	Firefox.exe
PID 928 wrote to memory of 1908	928	help.exe	Firefox.exe
PID 928 wrote to memory of 1908	928	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO2023.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:944

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1908

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\zipguge.exe
"C:\Users\Admin\AppData\Local\Temp\zipguge.exe" C:\Users\Admin\AppData\Local\Temp\bwnmlnda.zha
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\zipguge.exe
"C:\Users\Admin\AppData\Local\Temp\zipguge.exe"
4⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\Temp\zipguge.exe
"C:\Users\Admin\AppData\Local\Temp\zipguge.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\dwn.exe
"C:\Users\Admin\AppData\Local\Temp\dwn.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
"C:\Users\Admin\AppData\Local\Temp\bmhxz.exe" C:\Users\Admin\AppData\Local\Temp\ivdovjt.r
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
"C:\Users\Admin\AppData\Local\Temp\bmhxz.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\AppData\Local\Temp\zipguge.exe
C:\Users\Admin\AppData\Local\Temp\zipguge.exe /stext "C:\Users\Admin\AppData\Local\Temp\xohitlydcesbhkbj"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Users\Admin\AppData\Local\Temp\zipguge.exe
C:\Users\Admin\AppData\Local\Temp\zipguge.exe /stext "C:\Users\Admin\AppData\Local\Temp\iqmbuejxqmkgjqpnlly"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1932

C:\Users\Admin\AppData\Local\Temp\zipguge.exe
C:\Users\Admin\AppData\Local\Temp\zipguge.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkrtvwtzeudktelrcwlyef"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize
128KB

MD5
9464988c8681070e8dbae63a0ba99140

SHA1
8b27e2782bdc3b9e48f2be1fcc41e4d199a6349b

SHA256
29e9b1a5b2bfd3279323a7db600629e34a03297cdfe259afae405e479044c117

SHA512
35368fc2e809069a32670286723fa45960b3128e37d93f43d03958c4e04019d962ed05a0d976f30479a31f3170c6e808583b5a1b09949e55babc16096537a6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{43F130C1-0B86-45EE-89AA-DEBFD5A15A50}.FSD
Filesize
128KB

MD5
7de847b8ad9bc87d8f4b5e01c3eadc6b

SHA1
a443230f6746e551a150c89d021a9b5d2db5d613

SHA256
b69189fc248393d75fe4aa2a4f2626a722c307ad58994c3f7c7956d52db253a8

SHA512
e8871c09ea9b5c125b4ced3bdc39ad3d6a5470c66d6035b6bf32866261ba519edee16cc0f928ef217062d5320da3adb95e0bf73209142c350ff0565fb650f796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
9ec21e0f786bf424959cb99a6b6e210d

SHA1
709777c4479a76afbc0fb2cc770560be11fead32

SHA256
e58fd9fbe370c914b1f678146c2be33277c8f49cfd91befff3e5b527090ad404

SHA512
086e34ae478a116949b05e8a2e9e6542ca80da281af5c6b1454f5243a3449dc59d9edffdaaf06c588b0dc852ba356b72c17cfc0d446b0cf41862a0bbe24f4b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{478E6479-6145-4C24-87E2-809EB30BA106}.FSD
Filesize
128KB

MD5
d53c2abe22eb770ab1ba83728bbf6269

SHA1
a4dad7b855915f1237a67b941ffa61be5ff9af2c

SHA256
0c7c757f4aaa475ad5a22bb339f7adbc461c8c8e5131ee2102be238812088730

SHA512
d713efde431d82acff5ac4697d296baf764de1bc6323a2835965b1cb8a4200cfed95d5bc6e979a79de60b2fd00e138e76710b5336f5ba50b8c19d3455aefb84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\se.......se.........se[1].doc
Filesize
11KB

MD5
67d53c6ca1dda0546fc34f0667c1f3a3

SHA1
5b54209b40d8cc4dc2843051c3d4265f5678fa0a

SHA256
d19b9cdf9f175fd8833c9dbd62f5f01a0daa451b7e6b972a4d34b74c3bc409c7

SHA512
4314cf547ae5c1884c93f9a9c6d73a597475a1f7b8a86094f604fc6647a5b394d52a1e76dcebf820657edf61c1c7005c3a99f974ce084fd70d62ef9166832684

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwnmlnda.zha
Filesize
7KB

MD5
34460fb4f84ad9cdbe4e24b77752437d

SHA1
ed7d6b57ca7662e069cbdee69fd73cf6d2701d8e

SHA256
b3fb80fe2450104084e20acd43a9930ba14bf13246c4d374e1e36c8594f2dec4

SHA512
d72f0f2f8b5fb00b73c8a4ef7a8410015638ce6bd5665cd585285735ac1ff8de9eab972e22c265e1b24bece19efc7212d64ecaf9b5f0b44fd192e3183b4e5433

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
293KB

MD5
1cec6fc1d987f880a59744420e67e0bd

SHA1
ccc4e68717d9f5184de4743e662d8920492b0099

SHA256
050398f0efe923fd04f6ba862784dff664c1b16579e412ec80f421056944c1a6

SHA512
99bd35611c86a9b01e1d41e4972b1bbecefc6161bff1d803f130e4136c95eddb59c14ef7a913a44df689ee4db590817d3465af1b32c1423064dd66cbdb7642d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
293KB

MD5
1cec6fc1d987f880a59744420e67e0bd

SHA1
ccc4e68717d9f5184de4743e662d8920492b0099

SHA256
050398f0efe923fd04f6ba862784dff664c1b16579e412ec80f421056944c1a6

SHA512
99bd35611c86a9b01e1d41e4972b1bbecefc6161bff1d803f130e4136c95eddb59c14ef7a913a44df689ee4db590817d3465af1b32c1423064dd66cbdb7642d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivdovjt.r
Filesize
6KB

MD5
2a2d33c157870c03e0b4da24a25182e0

SHA1
42c9fb1bcf601e9329971facde44fd1881a6fcd8

SHA256
d0d65f0fc8d81902d8526dcca5c4a9fe6b20dcf4bafa84347282882d95a6ca10

SHA512
729ce67a9f99727d4b0bbc282eea1173add32709863fbc25c7f8349050eee826460c1bb9408aa2446ee86adfb6ed74fd714f2e6a5847db2021f8cd9bc9f727c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvixesnbcl.rgy
Filesize
204KB

MD5
003608cb27e878d22426a616856d0e1a

SHA1
c81bd2c2ab545eed81e46c2094a0e34df479532b

SHA256
ce994d0cbfa200fcb394abc6ac2afe9d08e9f53946efaa70b83bf7a23d0246f8

SHA512
0601d5af0be9e7b95ceac147d7319d302d72c76466db1983504143a0092850cb988fec3aa169e1eb0cec027b80177871658fe00707cd91d603778805dae8ccdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xohitlydcesbhkbj
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\xohitlydcesbhkbj
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrd0hbm.zip
Filesize
435KB

MD5
0d1613320b79de7e8c7627c07d19f4a7

SHA1
f85b78ed8568a648b9134beb654e384c622c73bd

SHA256
e6fc736d8850729ee5d9d65076e0f4a869530b2c5df7239bda47051fa3c04be7

SHA512
13c00d2a48a42c3da05c6f475ab9b0581c951dd62ca0b435c44dbcefdfc02f14597b2b33aa28d3c4c8526adb198b24f1a83d92b12612209ca4aed06b80c7cbfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwkrasyudl.j
Filesize
250KB

MD5
200df3463b32028243e5afd190df206c

SHA1
a45550c563b60b8a29859031f5b94ab107f44087

SHA256
bac67949e660a912516c259a225059b672f8839fbf1f5c54cd86783ecbba9df7

SHA512
257a5e595d366d8786b827cc60b285af7db66dd707d18df24f5dd6200d0d3d35c8dacfd010cb2940399ed2acb1cb8e93c06a26213dbe120b770fda39c2572581

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{47F3C66B-F015-4495-A914-BB72743BC918}
Filesize
128KB

MD5
23e23cfb47ee65d169b3d827e6ab1aa0

SHA1
ccd0ce090cf01fcbd3b0ef75fb5d815ba417df42

SHA256
cc47e79a1cd5ce24f4f58521b74a58e81ca996741be0be8b39fc1c688110bea4

SHA512
75a947c74e133ea71c88d299584a40c8664e42591c5c4a4b84ef40d66831560fa833d3fdc18665e2256844d11b7a5675b674c5020d4ce3791a598e967e7d7b08

Download Submit
C:\Users\Public\vbc.exe
Filesize
334KB

MD5
f90db90919147d8d78cd6bb75401cf45

SHA1
cd5213f1efe2f09f846d77fe8b4401739d42155e

SHA256
586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30

SHA512
e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085

Download Submit
C:\Users\Public\vbc.exe
Filesize
334KB

MD5
f90db90919147d8d78cd6bb75401cf45

SHA1
cd5213f1efe2f09f846d77fe8b4401739d42155e

SHA256
586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30

SHA512
e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085

Download Submit
C:\Users\Public\vbc.exe
Filesize
334KB

MD5
f90db90919147d8d78cd6bb75401cf45

SHA1
cd5213f1efe2f09f846d77fe8b4401739d42155e

SHA256
586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30

SHA512
e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085

Download Submit
\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
\Users\Admin\AppData\Local\Temp\bmhxz.exe
Filesize
60KB

MD5
b6ffac9fd9fa4bda1fb559339b1129c6

SHA1
19601603364fc52963e6a1164e7b2ebc8f74798f

SHA256
31584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248

SHA512
f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff

Download Submit
\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
293KB

MD5
1cec6fc1d987f880a59744420e67e0bd

SHA1
ccc4e68717d9f5184de4743e662d8920492b0099

SHA256
050398f0efe923fd04f6ba862784dff664c1b16579e412ec80f421056944c1a6

SHA512
99bd35611c86a9b01e1d41e4972b1bbecefc6161bff1d803f130e4136c95eddb59c14ef7a913a44df689ee4db590817d3465af1b32c1423064dd66cbdb7642d0

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
831KB

MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2

SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Admin\AppData\Local\Temp\zipguge.exe
Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
\Users\Public\vbc.exe
Filesize
334KB

MD5
f90db90919147d8d78cd6bb75401cf45

SHA1
cd5213f1efe2f09f846d77fe8b4401739d42155e

SHA256
586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30

SHA512
e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085

Download Submit
memory/928-246-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/928-313-0x0000000061E00000-0x0000000061EBD000-memory.dmp

Filesize
756KB

Download
memory/928-258-0x00000000004B0000-0x000000000053F000-memory.dmp

Filesize
572KB

Download
memory/928-248-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/928-243-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/928-245-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/928-244-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/956-165-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-263-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/956-324-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-317-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-316-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-160-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-162-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-164-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-269-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-190-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-268-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-260-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-259-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-255-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-254-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/956-253-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-252-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/956-249-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/956-175-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-166-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-167-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-169-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-170-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-171-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-172-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/956-173-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1204-271-0x0000000004EB0000-0x0000000005015000-memory.dmp

Filesize
1.4MB

Download
memory/1204-266-0x0000000004EB0000-0x0000000005015000-memory.dmp

Filesize
1.4MB

Download
memory/1204-265-0x0000000004EB0000-0x0000000005015000-memory.dmp

Filesize
1.4MB

Download
memory/1204-261-0x00000000048D0000-0x00000000049A1000-memory.dmp

Filesize
836KB

Download
memory/1204-225-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1204-235-0x00000000048D0000-0x00000000049A1000-memory.dmp

Filesize
836KB

Download
memory/1396-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1456-219-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1456-230-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/1456-228-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1456-203-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1456-233-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1600-231-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1600-241-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1600-216-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1600-207-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1600-208-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1600-214-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1632-229-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-224-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-232-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-236-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1932-221-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1932-223-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1932-215-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1932-247-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1932-234-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download