smokeloader | 85660f53b413aec419d226daa868ec603bc048db1b11c8524f22d7eac6dd16dc

Analysis

max time kernel
88s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
Size

274KB
MD5

652685c8ba9a7aa68011ae58ef4ba00c
SHA1

6dcfbd4f8cea0f732038bb36d12e42875d974a65
SHA256

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48
SHA512

35a357269fc185b2905dd589768f6284692c737bd0e912436f9aef05d105aa4fd8ea60adf97caff4a1834896603891027ac4d026567540911874895e593e1b4d
SSDEEP

3072:e3zrCktY3urayKuR1ukF4bZjcQsjS+tFDg9zV8/Og3lSgwae/CpL//c5pNN4TJY:8AOahuRKl+txgBV4OgNJnpL/mNN4T

Score

10^/10

smokeloader pub4 backdoor collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

38 4540 rundll32.exe
55 4540 rundll32.exe
59 4540 rundll32.exe
Downloads MZ/PE file

flow	pid	process
38	4540	rundll32.exe
55	4540	rundll32.exe
59	4540	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogTransport2\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\LogTransport2.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogTransport2\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

C70E.exe

pid process

4016 C70E.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exesvchost.exe

pid process

4540 rundll32.exe
4540 rundll32.exe
4724 svchost.exe
4724 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4016	C70E.exe

pid	process
4540	rundll32.exe
4540	rundll32.exe
4724	svchost.exe
4724	svchost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4540 set thread context of 3200	4540	rundll32.exe	rundll32.exe
PID 4540 set thread context of 4624	4540	rundll32.exe	rundll32.exe
PID 4540 set thread context of 2680	4540	rundll32.exe	rundll32.exe
PID 4540 set thread context of 1784	4540	rundll32.exe	rundll32.exe

Drops file in Program Files directory 36 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Close2x.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\info.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\main.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\organize.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AXE8SharedExpat.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\eula.ini	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\main-cef-win.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\main-high-contrast.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\adoberfp.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\LogTransport2.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\apple-touch-icon-144x144-precomposed.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1768 4016 WerFault.exe C70E.exe
2080 4724 WerFault.exe svchost.exe

pid	pid_target	process	target process
1768	4016	WerFault.exe	C70E.exe
2080	4724	WerFault.exe	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

Checks processor information in registry 2 TTPs 49 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 48 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007c56531c100054656d7000003a0009000400efbe55564a167c565a1c2e0000000000000000000000000000000000000000000000000048bacb00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3184

pid	process
3184

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

pid	process
2364	38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
2364	38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3184
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

pid process

2364 38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

pid	process
3184

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeDebugPrivilege	4540	rundll32.exe
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3200 rundll32.exe
4540 rundll32.exe
4624 rundll32.exe
2680 rundll32.exe
4540 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3184
3184

pid	process
3200	rundll32.exe
4540	rundll32.exe
4624	rundll32.exe
2680	rundll32.exe
4540	rundll32.exe

pid	process
3184
3184

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

C70E.exerundll32.exe

description	pid	process	target process
PID 3184 wrote to memory of 4016	3184		C70E.exe
PID 3184 wrote to memory of 4016	3184		C70E.exe
PID 3184 wrote to memory of 4016	3184		C70E.exe
PID 4016 wrote to memory of 4540	4016	C70E.exe	rundll32.exe
PID 4016 wrote to memory of 4540	4016	C70E.exe	rundll32.exe
PID 4016 wrote to memory of 4540	4016	C70E.exe	rundll32.exe
PID 4540 wrote to memory of 3200	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 3200	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 3200	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 4352	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 4352	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 4352	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 4624	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 4624	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 4624	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 2000	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 2000	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 2000	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 2680	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 2680	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 2680	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 908	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 908	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 908	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 2596	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 2596	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 2596	4540	rundll32.exe	schtasks.exe
PID 4540 wrote to memory of 1784	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 1784	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 1784	4540	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
"C:\Users\Admin\AppData\Local\Temp\38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2364

C:\Users\Admin\AppData\Local\Temp\C70E.exe
C:\Users\Admin\AppData\Local\Temp\C70E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3200

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4352

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4624

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2000

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:908

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2596

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:1784

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2852

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:3588

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5088

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:1328

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1744

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1980

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2596

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:4612

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4896

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:4288

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4172

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:3252

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1744

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1636

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:3680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3612

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1152

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14092
3⤵
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 512
2⤵
- Program crash
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4016 -ip 4016
1⤵
PID:4396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 944
2⤵
- Program crash
PID:2080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4724 -ip 4724
1⤵
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\LogTransport2.dll
Filesize
5.3MB

MD5
cfee60721f941195b39600f83d5fc721

SHA1
eb5053951086ad857133b65770faac159401db2e

SHA256
b1520fb14585bedd7ddef6c1d29c4c2deecb97b80ae6710df4d0b6080fca629d

SHA512
fbce4c06cfedc5a0d1165fa849586613f454c4c3b14a899abc5fcb3367952a26a10ff2d0738ea19e6f0cc0642cc5e13e570ce23d805a2716ad6310fb954bb10e

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\LogTransport2.dll
Filesize
5.3MB

MD5
cfee60721f941195b39600f83d5fc721

SHA1
eb5053951086ad857133b65770faac159401db2e

SHA256
b1520fb14585bedd7ddef6c1d29c4c2deecb97b80ae6710df4d0b6080fca629d

SHA512
fbce4c06cfedc5a0d1165fa849586613f454c4c3b14a899abc5fcb3367952a26a10ff2d0738ea19e6f0cc0642cc5e13e570ce23d805a2716ad6310fb954bb10e

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
Filesize
719KB

MD5
e9f03f8b71cac83b7d16ef685cabd0d0

SHA1
c5057520e0a65340360219618632037e7c0c474a

SHA256
fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db

SHA512
1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\DesktopSettings2013.xml
Filesize
17KB

MD5
c6b6b07071e0f8ff39f5941a3169b20c

SHA1
d77fd2513ac3cb9b8595424d1f695fce21e33d96

SHA256
f8b710777d2c0105e74ee27ee6dfc8e43ca4ff7e14b4dba390eb72dad20705bd

SHA512
167ab504d6e4c91239f8239722aba17a7f6748fb3e8ee750b2d3f3fd677e6646a8149c8b956513cb2e90722196471865591215938cea8444fdf2e5cff180fdec

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
b290178a94a0bd93830d5714c11f9681

SHA1
9dd5d3337117568b6423a32dff9baf14fb11e73c

SHA256
5876d6a887dd7db15a3bea28e71c0aa044023eafb1eed8ca9356035f5943249c

SHA512
ef5af5bc01510ea6e865e11a94bcf67966a01930fcdd9ab10bcb854a06976f59c909bd10e9ff3ef0aea53bad9a4af510401c05ada4c017e45ff512a127dea9fb

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
3973cc0067bf4b33098b7bf2d68db787

SHA1
88ddb50df1c24a7f658ba2050f94dea1e13ca8d4

SHA256
70d4896e97e5a6e63d081deb667a746d8153c30ef2556c15fac003e4ac3ea4e9

SHA512
87b72becab432f15accf9433b024b53efff165a9478937a4efd5ecf6841503b4c64eedbaae87ecba44f7803331950cd36f9e54c97c4ebf05d7a76062814bd080

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe.xml
Filesize
20KB

MD5
419d040255d3d92a74e19e346588ad4d

SHA1
4f005faf5b002a85a890a76900aec198b0b157ae

SHA256
43b225fa33b598526a7f3813c243575001643d3161ae55ecc9f62d5e2372e4f3

SHA512
9630665cbce8681653c14efb38cae9a28c9deaba7991596bac172e5bff4795c6f98f743b24d40d4abb79c3c07298333af2b559668528694bb8f8e063e1a377ed

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml
Filesize
6KB

MD5
e2a07f037256d69937145aea357735fe

SHA1
07ce3d26f68b90604543f441bf75f57fbf6f5f99

SHA256
0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

SHA512
f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftInternetExplorer2013Backup.xml
Filesize
2KB

MD5
16fa6bd16573d544916a2cb3335a1f13

SHA1
479c5b9375b5b351d7dc217deb159fe92da03f75

SHA256
37e639679abd36b5b59324eea7aa1d602ff9c287e5c07dfd335ee1a85b68fc50

SHA512
9a871284356b2217fc8dbd568c6731def7781cac4550e77824f5c683b29313cd46e444760413ec730e8f70669ff08b62ab9b73c8099115a71eb84d7d728e2873

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\SettingsLocationTemplate.xsd
Filesize
9KB

MD5
f35965aa615dd128c2b95cfe925145c3

SHA1
57346050388048feb8034d5011b105018483b4a0

SHA256
ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398

SHA512
82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\TELEMETRY.ASM-WINDOWSSQ.json
Filesize
53B

MD5
6b5c875287b25d64563bd7c830621b66

SHA1
df0c4dcbbf3ce6706cae126955b4fcb88be0694a

SHA256
9d45f7e6114d2088ab05423697cafedc0a9926f785358cb2faddc4f1e45b193d

SHA512
608b92078a9082b4bfe2b066891127713cfd4329d8b26a3747b672c19e41e25242f60153517227a04a3f2b355805584cd4fe2f2dece45b1cd5dfc814a486d229

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Urpdpfsaas.tmp
Filesize
3.5MB

MD5
09e02009d573e9f023575982e41af6c4

SHA1
8c27822e1721b151bcfa2d2091d6d2d97a451170

SHA256
274229b93ed1a79b182a03f647181f0046074ecd9c18ea2ba567bb92bd4469c5

SHA512
e3d2fa5d7c0a43c1a85aeb492d899a15b81c994e2258061d6b35583ad86a352892ad6573ef82ae068d3ca4f76578318974480e5daa8fdf643d8ffff2ec31bbc2

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\print_pref.ico
Filesize
56KB

MD5
a52a082f2b18811deaf3138d27c57af8

SHA1
317bf685e50de705818bff26f032e7f593830509

SHA256
6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88

SHA512
0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\stream.x64.en-us.db
Filesize
438KB

MD5
a3c50402ad84ef273e1cbeb541d73389

SHA1
f5821ac76fff71ce7d447da98b5689278032511b

SHA256
d1cc394435822035a1467be9ad69281de6ecb1b1c83750cb7ccd6202d4c96971

SHA512
9518c804b317917243eb3d017a4ba9aed4cd4cbf86477646c33a83777f7cd6d30bacd576cc51069432a5e14f5888e64d9803d9709c10ba25c34bb4234305a53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C70E.exe
Filesize
4.8MB

MD5
3a863e6017227f9c1249342921f4c436

SHA1
720ca6347a629db77305fe40b787b18d2af2921b

SHA256
ef2afafa7dc329237b91e6d97af0b7ea32e0c567a906faaba68b9bfe6ad8ee09

SHA512
0dad30fb0d0056e69e54d19448a58b75d5d6c45056ac68bbc6599ba6d30ad14e6839597971d8934940f5756271d8ff9553d8b3f2ac763e203d7fa6016cd732c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C70E.exe
Filesize
4.8MB

MD5
3a863e6017227f9c1249342921f4c436

SHA1
720ca6347a629db77305fe40b787b18d2af2921b

SHA256
ef2afafa7dc329237b91e6d97af0b7ea32e0c567a906faaba68b9bfe6ad8ee09

SHA512
0dad30fb0d0056e69e54d19448a58b75d5d6c45056ac68bbc6599ba6d30ad14e6839597971d8934940f5756271d8ff9553d8b3f2ac763e203d7fa6016cd732c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
3e569e09fd2bb9d64394fec38127c4a4

SHA1
534062f275ef9704f94a3046437b7c3b8d9490b2

SHA256
95c88bbabf8f50900f72c0ae382e5c1bee2319419cdd2d66a2edd6eb392a92ff

SHA512
fb090cf2c3ea17b8bee1a8eff8c4718ddf62a57f532a4fa8a71f8b725b0d76b879ee03986276d62da1bbb860bb1c3f5532dc104be9dab815d0a2ec63b2499565

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
3e569e09fd2bb9d64394fec38127c4a4

SHA1
534062f275ef9704f94a3046437b7c3b8d9490b2

SHA256
95c88bbabf8f50900f72c0ae382e5c1bee2319419cdd2d66a2edd6eb392a92ff

SHA512
fb090cf2c3ea17b8bee1a8eff8c4718ddf62a57f532a4fa8a71f8b725b0d76b879ee03986276d62da1bbb860bb1c3f5532dc104be9dab815d0a2ec63b2499565

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
3e569e09fd2bb9d64394fec38127c4a4

SHA1
534062f275ef9704f94a3046437b7c3b8d9490b2

SHA256
95c88bbabf8f50900f72c0ae382e5c1bee2319419cdd2d66a2edd6eb392a92ff

SHA512
fb090cf2c3ea17b8bee1a8eff8c4718ddf62a57f532a4fa8a71f8b725b0d76b879ee03986276d62da1bbb860bb1c3f5532dc104be9dab815d0a2ec63b2499565

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dwyrpqeyo
Filesize
46KB

MD5
b13fcb3223116f6eec60be9143cae98b

SHA1
9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

SHA256
961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

SHA512
89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Efduroudsheuydo.tmp
Filesize
3.5MB

MD5
09e02009d573e9f023575982e41af6c4

SHA1
8c27822e1721b151bcfa2d2091d6d2d97a451170

SHA256
274229b93ed1a79b182a03f647181f0046074ecd9c18ea2ba567bb92bd4469c5

SHA512
e3d2fa5d7c0a43c1a85aeb492d899a15b81c994e2258061d6b35583ad86a352892ad6573ef82ae068d3ca4f76578318974480e5daa8fdf643d8ffff2ec31bbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hueuwue
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sryyyuioe
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
1ad904f056ea9002b86258a2264972fd

SHA1
e98eff19e3e24fd381b6a97f08f1d41bf1b59dc2

SHA256
b3d95400ff42a41514eb5a7ac20125619607fe6d65d095120f32c559a71489fe

SHA512
70c071bc7d8683033ca61a7e383b28f6da7c0e72d93d0a08bde7bc330ca609589eec764513d1e8c639e7847e2f0b8705feb1fdccda400beda579b9b209326ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4AC8.txt
Filesize
426KB

MD5
ae67a7107a6e962874bbcdd3dbe5e7a1

SHA1
e47629975196ca7e4e708f04953b1f7a6e130489

SHA256
ebba5123ecfae373f7250b8fc3a69133b77cf3bc653146582dbaae1a9e4b9bdb

SHA512
760cd7ee7839c7bdbe95bccff9834ad7a9f61532bd3ec0243a3511ee335b9e11175c88291c7f53b8d9f2085bd440f1feeef3de468a8f82f3e97f99657b220caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4AF3.txt
Filesize
413KB

MD5
8e43b6d2d7d45f9db56cda4c8f065e5c

SHA1
9f286996a07676759c458a4945bc0e7007e7ab65

SHA256
5e8a0234ca8803bb2c6b2d1dd1ac404b5cfe08719dd8c376d747ad62546bd4c2

SHA512
4db310f1539cde72e3536ca169c1bb1f31dfad04cd29283b811ef015bab5f3015b5d5d418ac88e9edbc9f4e770bbc0be0b8d3b285f53f927baf7eef3ce7965fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html
Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctFE8A.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
\??\c:\program files (x86)\windows sidebar\shared gadgets\logtransport2.dll
Filesize
5.3MB

MD5
cfee60721f941195b39600f83d5fc721

SHA1
eb5053951086ad857133b65770faac159401db2e

SHA256
b1520fb14585bedd7ddef6c1d29c4c2deecb97b80ae6710df4d0b6080fca629d

SHA512
fbce4c06cfedc5a0d1165fa849586613f454c4c3b14a899abc5fcb3367952a26a10ff2d0738ea19e6f0cc0642cc5e13e570ce23d805a2716ad6310fb954bb10e

Download Submit
memory/1328-550-0x000001D8F3230000-0x000001D8F34D2000-memory.dmp

Filesize
2.6MB

Download
memory/1328-584-0x000001D8F3230000-0x000001D8F34D2000-memory.dmp

Filesize
2.6MB

Download
memory/1784-469-0x0000025F76950000-0x0000025F76BF2000-memory.dmp

Filesize
2.6MB

Download
memory/1784-483-0x0000025F76950000-0x0000025F76BF2000-memory.dmp

Filesize
2.6MB

Download
memory/2364-136-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/2364-134-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/2680-418-0x00000239FED80000-0x00000239FF022000-memory.dmp

Filesize
2.6MB

Download
memory/2680-432-0x00000239FED80000-0x00000239FF022000-memory.dmp

Filesize
2.6MB

Download
memory/3184-146-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-155-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-153-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-135-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/3184-152-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-151-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-150-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-154-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-149-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-148-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-147-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-145-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-144-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-156-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-157-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-143-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-175-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/3184-174-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/3184-158-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/3184-142-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3184-159-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/3200-307-0x0000022E44260000-0x0000022E443A0000-memory.dmp

Filesize
1.2MB

Download
memory/3200-346-0x0000022E42810000-0x0000022E42AB2000-memory.dmp

Filesize
2.6MB

Download
memory/3200-306-0x00007FFFF3EF0000-0x00007FFFF3EF1000-memory.dmp

Filesize
4KB

Download
memory/3200-322-0x0000000000420000-0x00000000006B1000-memory.dmp

Filesize
2.6MB

Download
memory/3200-323-0x0000022E42810000-0x0000022E42AB2000-memory.dmp

Filesize
2.6MB

Download
memory/3252-795-0x0000019444370000-0x0000019444612000-memory.dmp

Filesize
2.6MB

Download
memory/3252-809-0x0000019444370000-0x0000019444612000-memory.dmp

Filesize
2.6MB

Download
memory/3588-533-0x000002497A2F0000-0x000002497A592000-memory.dmp

Filesize
2.6MB

Download
memory/3588-509-0x000002497A2F0000-0x000002497A592000-memory.dmp

Filesize
2.6MB

Download
memory/3680-845-0x000001D3A94A0000-0x000001D3A9742000-memory.dmp

Filesize
2.6MB

Download
memory/3680-860-0x000001D3A94A0000-0x000001D3A9742000-memory.dmp

Filesize
2.6MB

Download
memory/3924-651-0x000001F8B9F70000-0x000001F8BA212000-memory.dmp

Filesize
2.6MB

Download
memory/3924-655-0x000001F8B9F70000-0x000001F8BA212000-memory.dmp

Filesize
2.6MB

Download
memory/4016-172-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/4016-170-0x0000000002D30000-0x00000000033D6000-memory.dmp

Filesize
6.6MB

Download
memory/4288-758-0x0000022796940000-0x0000022796BE2000-memory.dmp

Filesize
2.6MB

Download
memory/4288-742-0x0000022796940000-0x0000022796BE2000-memory.dmp

Filesize
2.6MB

Download
memory/4448-927-0x000001D9B1EB0000-0x000001D9B2152000-memory.dmp

Filesize
2.6MB

Download
memory/4524-625-0x0000025022D70000-0x0000025023012000-memory.dmp

Filesize
2.6MB

Download
memory/4524-600-0x0000025022D70000-0x0000025023012000-memory.dmp

Filesize
2.6MB

Download
memory/4540-222-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4540-219-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-302-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/4540-304-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4540-303-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4540-301-0x0000000004EE0000-0x0000000005020000-memory.dmp

Filesize
1.2MB

Download
memory/4540-293-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-295-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-290-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4540-186-0x0000000002490000-0x00000000029F4000-memory.dmp

Filesize
5.4MB

Download
memory/4540-289-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-286-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-287-0x0000000002490000-0x00000000029F4000-memory.dmp

Filesize
5.4MB

Download
memory/4540-188-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-169-0x0000000002490000-0x00000000029F4000-memory.dmp

Filesize
5.4MB

Download
memory/4540-223-0x0000000004460000-0x00000000045A0000-memory.dmp

Filesize
1.2MB

Download
memory/4540-189-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/4540-190-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-221-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/4540-173-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/4540-220-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-305-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-218-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-217-0x0000000002490000-0x00000000029F4000-memory.dmp

Filesize
5.4MB

Download
memory/4540-216-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-215-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-213-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-212-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-211-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-209-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-208-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-207-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-191-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4540-171-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/4540-206-0x0000000003850000-0x0000000004396000-memory.dmp

Filesize
11.3MB

Download
memory/4612-706-0x0000022D384F0000-0x0000022D38792000-memory.dmp

Filesize
2.6MB

Download
memory/4612-702-0x0000022D384F0000-0x0000022D38792000-memory.dmp

Filesize
2.6MB

Download
memory/4624-382-0x000001CFFE950000-0x000001CFFEBF2000-memory.dmp

Filesize
2.6MB

Download
memory/4624-377-0x000001CFFE950000-0x000001CFFEBF2000-memory.dmp

Filesize
2.6MB

Download
memory/4724-285-0x0000000001740000-0x0000000001CA4000-memory.dmp

Filesize
5.4MB

Download
memory/4724-291-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4972-874-0x0000018B22360000-0x0000018B22602000-memory.dmp

Filesize
2.6MB

Download
memory/4972-910-0x0000018B22360000-0x0000018B22602000-memory.dmp

Filesize
2.6MB

Download