amadey | deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe
Size

992KB
MD5

cb45c08fd1ee7be0106b551063bab07e
SHA1

94eef19edc0ec0cb07ba54ff77de269088cea4b3
SHA256

deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6
SHA512

ce71ba2289d1da1e54e02e0eef04f6b33e51e34d5ed035ecdf507966d1da8fba674b3e620cfef84498d0c3e7628114fc0696257023d5d9d33bffe0cebabbb943
SSDEEP

24576:LyEWEuIIpvtbCwduvNHqfU/sJtyjsXi0q:+EWEsvswsNKfwjsS0

Score

10^/10

amadey healer redline gruha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1352474.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1352474.exe	healer
behavioral1/memory/3332-35-0x0000000000E50000-0x0000000000E5A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q1352474.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q1352474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q1352474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q1352474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q1352474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q1352474.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q1352474.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Dailybread.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Dailybread.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	svchost.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Dailybread.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Dailybread.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Dailybread.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Dailybread.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Dailybread.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t8894499.exeexplothe.exeu4170209.exelegota.exeDailybread.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	t8894499.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	u4170209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Dailybread.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 18 IoCs

Processes:

z0776251.exez4679846.exez4230342.exez9078324.exeq1352474.exer0148924.exes2104021.exet8894499.exeexplothe.exeu4170209.exelegota.exew0391079.exeDailybread.exesvchost.exeexplothe.exelegota.exeexplothe.exelegota.exe

pid	process
3012	z0776251.exe
4440	z4679846.exe
4028	z4230342.exe
460	z9078324.exe
3332	q1352474.exe
4772	r0148924.exe
4408	s2104021.exe
2856	t8894499.exe
1176	explothe.exe
4264	u4170209.exe
1856	legota.exe
3160	w0391079.exe
4500	Dailybread.exe
1692	svchost.exe
4628	explothe.exe
116	legota.exe
4684	explothe.exe
3772	legota.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3444 rundll32.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3444	rundll32.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exeq1352474.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q1352474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z9078324.exeDailybread.exedeedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exez0776251.exez4679846.exez4230342.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9078324.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	Dailybread.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0776251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4679846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4230342.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDailybread.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Dailybread.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Dailybread.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

r0148924.exes2104021.exe

description	pid	process	target process
PID 4772 set thread context of 544	4772	r0148924.exe	AppLaunch.exe
PID 4408 set thread context of 3508	4408	s2104021.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3012 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4148 544 WerFault.exe AppLaunch.exe
4080 4772 WerFault.exe r0148924.exe
3340 4408 WerFault.exe s2104021.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5068 schtasks.exe
4136 schtasks.exe
1968 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2968 timeout.exe

pid	process
3012	sc.exe

pid	pid_target	process	target process
4148	544	WerFault.exe	AppLaunch.exe
4080	4772	WerFault.exe	r0148924.exe
3340	4408	WerFault.exe	s2104021.exe

pid	process
5068	schtasks.exe
4136	schtasks.exe
1968	schtasks.exe

pid	process
2968	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

q1352474.exeDailybread.exesvchost.exepowershell.exe

pid	process
3332	q1352474.exe
3332	q1352474.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
4500	Dailybread.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
4024	powershell.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

q1352474.exeDailybread.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3332	q1352474.exe
Token: SeDebugPrivilege	4500	Dailybread.exe
Token: SeDebugPrivilege	1692	svchost.exe
Token: SeDebugPrivilege	4024	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exez0776251.exez4679846.exez4230342.exez9078324.exer0148924.exes2104021.exet8894499.exeexplothe.exeu4170209.exe

description	pid	process	target process
PID 4708 wrote to memory of 3012	4708	deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe	z0776251.exe
PID 4708 wrote to memory of 3012	4708	deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe	z0776251.exe
PID 4708 wrote to memory of 3012	4708	deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe	z0776251.exe
PID 3012 wrote to memory of 4440	3012	z0776251.exe	z4679846.exe
PID 3012 wrote to memory of 4440	3012	z0776251.exe	z4679846.exe
PID 3012 wrote to memory of 4440	3012	z0776251.exe	z4679846.exe
PID 4440 wrote to memory of 4028	4440	z4679846.exe	z4230342.exe
PID 4440 wrote to memory of 4028	4440	z4679846.exe	z4230342.exe
PID 4440 wrote to memory of 4028	4440	z4679846.exe	z4230342.exe
PID 4028 wrote to memory of 460	4028	z4230342.exe	z9078324.exe
PID 4028 wrote to memory of 460	4028	z4230342.exe	z9078324.exe
PID 4028 wrote to memory of 460	4028	z4230342.exe	z9078324.exe
PID 460 wrote to memory of 3332	460	z9078324.exe	q1352474.exe
PID 460 wrote to memory of 3332	460	z9078324.exe	q1352474.exe
PID 460 wrote to memory of 4772	460	z9078324.exe	r0148924.exe
PID 460 wrote to memory of 4772	460	z9078324.exe	r0148924.exe
PID 460 wrote to memory of 4772	460	z9078324.exe	r0148924.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4772 wrote to memory of 544	4772	r0148924.exe	AppLaunch.exe
PID 4028 wrote to memory of 4408	4028	z4230342.exe	s2104021.exe
PID 4028 wrote to memory of 4408	4028	z4230342.exe	s2104021.exe
PID 4028 wrote to memory of 4408	4028	z4230342.exe	s2104021.exe
PID 4408 wrote to memory of 1944	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 1944	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 1944	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 2700	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 2700	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 2700	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4408 wrote to memory of 3508	4408	s2104021.exe	AppLaunch.exe
PID 4440 wrote to memory of 2856	4440	z4679846.exe	t8894499.exe
PID 4440 wrote to memory of 2856	4440	z4679846.exe	t8894499.exe
PID 4440 wrote to memory of 2856	4440	z4679846.exe	t8894499.exe
PID 2856 wrote to memory of 1176	2856	t8894499.exe	explothe.exe
PID 2856 wrote to memory of 1176	2856	t8894499.exe	explothe.exe
PID 2856 wrote to memory of 1176	2856	t8894499.exe	explothe.exe
PID 3012 wrote to memory of 4264	3012	z0776251.exe	u4170209.exe
PID 3012 wrote to memory of 4264	3012	z0776251.exe	u4170209.exe
PID 3012 wrote to memory of 4264	3012	z0776251.exe	u4170209.exe
PID 1176 wrote to memory of 5068	1176	explothe.exe	schtasks.exe
PID 1176 wrote to memory of 5068	1176	explothe.exe	schtasks.exe
PID 1176 wrote to memory of 5068	1176	explothe.exe	schtasks.exe
PID 1176 wrote to memory of 4176	1176	explothe.exe	cmd.exe
PID 1176 wrote to memory of 4176	1176	explothe.exe	cmd.exe
PID 1176 wrote to memory of 4176	1176	explothe.exe	cmd.exe
PID 4264 wrote to memory of 1856	4264	u4170209.exe	legota.exe
PID 4264 wrote to memory of 1856	4264	u4170209.exe	legota.exe
PID 4264 wrote to memory of 1856	4264	u4170209.exe	legota.exe
PID 4708 wrote to memory of 3160	4708	deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe	w0391079.exe
PID 4708 wrote to memory of 3160	4708	deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe	w0391079.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe
"C:\Users\Admin\AppData\Local\Temp\deedf9717742f1877012bea4d07472b6f3acd87e80170f439957d7183984bfe6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0776251.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0776251.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4679846.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4679846.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4230342.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4230342.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9078324.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9078324.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:460
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1352474.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1352474.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0148924.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0148924.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 540
        8⤵
        Program crash
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 148
        7⤵
        Program crash
        
        PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2104021.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2104021.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1944
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2700
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 580
        6⤵
        Program crash
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8894499.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8894499.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:2868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4170209.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4170209.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3088
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:4956
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2848
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:3712
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\1000085001\Dailybread.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000085001\Dailybread.exe"
        5⤵
        Looks for VirtualBox Guest Additions in registry
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        6⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6FC.tmp.bat""
        6⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        7⤵
        UAC bypass
        Windows security bypass
        Looks for VirtualBox Guest Additions in registry
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
        8⤵
        
        PID:3412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
        8⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        8⤵
        
        PID:3228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        8⤵
        
        PID:1944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
        8⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
        8⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
        8⤵
        
        PID:4028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:1460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
        8⤵
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        8⤵
        
        PID:4440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
        8⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        8⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        8⤵
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        8⤵
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        8⤵
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        8⤵
        
        PID:820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
        8⤵
        
        PID:4132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        8⤵
        
        PID:4276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
        8⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        8⤵
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
        8⤵
        
        PID:1104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        8⤵
        
        PID:4272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
        8⤵
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        8⤵
        
        PID:1688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
        8⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
        8⤵
        
        PID:3012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
        8⤵
        
        PID:3668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
        8⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0391079.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0391079.exe
  2⤵
  - Executes dropped EXE
  PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4772 -ip 4772
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 544 -ip 544
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4408 -ip 4408
1⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3012

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000085001\Dailybread.exe

Filesize
1.0MB

MD5
2ca666f252769a1b017dd94cd8188390

SHA1
c91da706b80906338a0b99021ca9e9ee76b2bf6b

SHA256
072416fb1e5ffa890f82a6613339b5bcd0faed10d8e3caeab91611ef99a0ca89

SHA512
30703b6191e4b9902602d40b73184ccae9316246052dcf5dd86c8e14b8a76faded4b74be3d27ecd2de0ab1288d77e8173757f6f67d41519dbeb4ed1dbf075950

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000085001\Dailybread.exe

Filesize
1.0MB

MD5
2ca666f252769a1b017dd94cd8188390

SHA1
c91da706b80906338a0b99021ca9e9ee76b2bf6b

SHA256
072416fb1e5ffa890f82a6613339b5bcd0faed10d8e3caeab91611ef99a0ca89

SHA512
30703b6191e4b9902602d40b73184ccae9316246052dcf5dd86c8e14b8a76faded4b74be3d27ecd2de0ab1288d77e8173757f6f67d41519dbeb4ed1dbf075950

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000085001\Dailybread.exe

Filesize
1.0MB

MD5
2ca666f252769a1b017dd94cd8188390

SHA1
c91da706b80906338a0b99021ca9e9ee76b2bf6b

SHA256
072416fb1e5ffa890f82a6613339b5bcd0faed10d8e3caeab91611ef99a0ca89

SHA512
30703b6191e4b9902602d40b73184ccae9316246052dcf5dd86c8e14b8a76faded4b74be3d27ecd2de0ab1288d77e8173757f6f67d41519dbeb4ed1dbf075950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0391079.exe

Filesize
24KB

MD5
c6a996bd38dfdf6db36bbd93a58adce5

SHA1
4382541e07b6e8b78ead2864ece098c25251e97a

SHA256
35665dc14d8fc66a1a04bc52e7f314b62fc45b5723d4b5f0b1f39329f9e0de4e

SHA512
21fb2274ba02157ff1a0c0206a0c6c1f568cfca7f668d1d0bcb984bec9e9d3736cae0c572d34890585813c1f485f87ca2a87e11a87ba8cf325dac4617c5623bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0391079.exe

Filesize
24KB

MD5
c6a996bd38dfdf6db36bbd93a58adce5

SHA1
4382541e07b6e8b78ead2864ece098c25251e97a

SHA256
35665dc14d8fc66a1a04bc52e7f314b62fc45b5723d4b5f0b1f39329f9e0de4e

SHA512
21fb2274ba02157ff1a0c0206a0c6c1f568cfca7f668d1d0bcb984bec9e9d3736cae0c572d34890585813c1f485f87ca2a87e11a87ba8cf325dac4617c5623bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0776251.exe

Filesize
893KB

MD5
1da5a9e9995e81c4ca2a139e43945d15

SHA1
d4ebefaa5c0d97d8a0c1c6e5580f2f0cdf3c7ddc

SHA256
3bc880aae92d221a4b2d53363fff196206b9ee82956e3a9c053fe95102cf5aec

SHA512
d76459a02988fa913d16db36e73310a39639f92bee834fceb1e088c71eb4063e974ad46dd2ec3bc0ed9f9fcbff553632cbcee3c75a48c5a6f770cd9b3c6e8acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0776251.exe

Filesize
893KB

MD5
1da5a9e9995e81c4ca2a139e43945d15

SHA1
d4ebefaa5c0d97d8a0c1c6e5580f2f0cdf3c7ddc

SHA256
3bc880aae92d221a4b2d53363fff196206b9ee82956e3a9c053fe95102cf5aec

SHA512
d76459a02988fa913d16db36e73310a39639f92bee834fceb1e088c71eb4063e974ad46dd2ec3bc0ed9f9fcbff553632cbcee3c75a48c5a6f770cd9b3c6e8acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4170209.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4170209.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4679846.exe

Filesize
710KB

MD5
6d74610d3307684ebefea2f600c944fe

SHA1
bc949d37d7b2c58fb52600a60967bb64a61fa519

SHA256
7be8c86dc6c72f17e10933c5d98d089cba2df68c333fb7c424a3558053deb8a3

SHA512
afe8befb7140a35806f30986fae6cb714cc995366d2bd2db2530344d8534b9496d6fbe44342213c1a1ed79a4174d93efbed82e767c1e2e3164d9d389bde1f768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4679846.exe

Filesize
710KB

MD5
6d74610d3307684ebefea2f600c944fe

SHA1
bc949d37d7b2c58fb52600a60967bb64a61fa519

SHA256
7be8c86dc6c72f17e10933c5d98d089cba2df68c333fb7c424a3558053deb8a3

SHA512
afe8befb7140a35806f30986fae6cb714cc995366d2bd2db2530344d8534b9496d6fbe44342213c1a1ed79a4174d93efbed82e767c1e2e3164d9d389bde1f768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8894499.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8894499.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4230342.exe

Filesize
527KB

MD5
b97ce10b6837aec9c3f862d427243333

SHA1
a36d413554acbd70ddfda84db3fcf1d01eee7fe9

SHA256
8a6d28709586dd9d31ce399c2e24b7fcfe0a6ae56419f6aa7a1bf60e95707ba1

SHA512
b16fda596133327ee5a6a159a427b85e7a8203bff966d86a8f24e30c3e62edb88cc124a9f25a6fd2be44885f899244b3bb94a6815b7793ce41889207489e8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4230342.exe

Filesize
527KB

MD5
b97ce10b6837aec9c3f862d427243333

SHA1
a36d413554acbd70ddfda84db3fcf1d01eee7fe9

SHA256
8a6d28709586dd9d31ce399c2e24b7fcfe0a6ae56419f6aa7a1bf60e95707ba1

SHA512
b16fda596133327ee5a6a159a427b85e7a8203bff966d86a8f24e30c3e62edb88cc124a9f25a6fd2be44885f899244b3bb94a6815b7793ce41889207489e8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2104021.exe

Filesize
310KB

MD5
0edc15b55eba1ac2248318f39bd809ae

SHA1
b6a187a29a919a11b602209bad0edc6b373c592a

SHA256
da40cec6e27de8da75584ea3356ae0e8068581239c760537808bc212ab49fd01

SHA512
7e7f569f38e266f65c451086a267750a2241fdd391dabcaa6899d167d4c32450296679ed4a22cd690e9885d0892632ac5b41ca1dc660563dece35503eafc39c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2104021.exe

Filesize
310KB

MD5
0edc15b55eba1ac2248318f39bd809ae

SHA1
b6a187a29a919a11b602209bad0edc6b373c592a

SHA256
da40cec6e27de8da75584ea3356ae0e8068581239c760537808bc212ab49fd01

SHA512
7e7f569f38e266f65c451086a267750a2241fdd391dabcaa6899d167d4c32450296679ed4a22cd690e9885d0892632ac5b41ca1dc660563dece35503eafc39c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9078324.exe

Filesize
296KB

MD5
d01aa05da3eb4b1fad2ae1d7086ba107

SHA1
949c8d4db8068c332dfec367de54e75f90755f4b

SHA256
93ebae0fd26a65cdf23198fd7d1cd63714b62134938b53481ebf9a7bcd2a1be8

SHA512
594b3b0df0c6e5203ae044c4fe814b140978655fa9de99a3a118e1fb7d1b4e1b49afc4535c9b1fdb6e757d9de0b17980a8f1cb41eb102fdae6d448752342307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9078324.exe

Filesize
296KB

MD5
d01aa05da3eb4b1fad2ae1d7086ba107

SHA1
949c8d4db8068c332dfec367de54e75f90755f4b

SHA256
93ebae0fd26a65cdf23198fd7d1cd63714b62134938b53481ebf9a7bcd2a1be8

SHA512
594b3b0df0c6e5203ae044c4fe814b140978655fa9de99a3a118e1fb7d1b4e1b49afc4535c9b1fdb6e757d9de0b17980a8f1cb41eb102fdae6d448752342307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1352474.exe

Filesize
11KB

MD5
fb2ea96543665ffc5aaa070c63cde9f1

SHA1
79100a850bba86a2d534601046d032f429c1306c

SHA256
44a268c4fe23fdc8d38a826bb4d438f2b661ff2ea8e5ef6be749ea1cc193cfb0

SHA512
eb88529867965b28afd0ac4f071f7e75aa7e6167c3cf7e9a498c5da4dace49abbbcc6ce8ca802fe71868128d54814e6de87ff560fe5eac49f7f5852881534f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1352474.exe

Filesize
11KB

MD5
fb2ea96543665ffc5aaa070c63cde9f1

SHA1
79100a850bba86a2d534601046d032f429c1306c

SHA256
44a268c4fe23fdc8d38a826bb4d438f2b661ff2ea8e5ef6be749ea1cc193cfb0

SHA512
eb88529867965b28afd0ac4f071f7e75aa7e6167c3cf7e9a498c5da4dace49abbbcc6ce8ca802fe71868128d54814e6de87ff560fe5eac49f7f5852881534f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0148924.exe

Filesize
276KB

MD5
50eb3f2d64ad5d5b81513d6598417a59

SHA1
a3d59b52eb3771f3747e910fa8a6eac0620662e1

SHA256
702604aa291a76f94e3f0caaaca58d34ebb8e57431ef21ff7fb07c31ed33758e

SHA512
f850665eda45d7fc6299a6183c633000469b85c02a96d2a5e77d11ac7af6b9aa6efd22d19a9cb74bdc9ddfb2ea56d04daee1fa0d3c974a8c030d130df33a7d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0148924.exe

Filesize
276KB

MD5
50eb3f2d64ad5d5b81513d6598417a59

SHA1
a3d59b52eb3771f3747e910fa8a6eac0620662e1

SHA256
702604aa291a76f94e3f0caaaca58d34ebb8e57431ef21ff7fb07c31ed33758e

SHA512
f850665eda45d7fc6299a6183c633000469b85c02a96d2a5e77d11ac7af6b9aa6efd22d19a9cb74bdc9ddfb2ea56d04daee1fa0d3c974a8c030d130df33a7d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fccyfze5.qpq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6FC.tmp.bat

Filesize
151B

MD5
e6f78c146514efac9283b00c37bc1cf7

SHA1
e68adc45d52dee427bd1ca678124079ac7c5df99

SHA256
aabed8ce017565a623175e2d70469be72a16b18695ebed50220bc377bf945c5d

SHA512
7243768cb2200645cfeb2fe72647bd1859f50efdae4608b415dcc646d635bc588f4db1f118b441b633e384cb2f22806f4991aae9951bb71317c5c9b1fc45fc74

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.0MB

MD5
2ca666f252769a1b017dd94cd8188390

SHA1
c91da706b80906338a0b99021ca9e9ee76b2bf6b

SHA256
072416fb1e5ffa890f82a6613339b5bcd0faed10d8e3caeab91611ef99a0ca89

SHA512
30703b6191e4b9902602d40b73184ccae9316246052dcf5dd86c8e14b8a76faded4b74be3d27ecd2de0ab1288d77e8173757f6f67d41519dbeb4ed1dbf075950

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.0MB

MD5
2ca666f252769a1b017dd94cd8188390

SHA1
c91da706b80906338a0b99021ca9e9ee76b2bf6b

SHA256
072416fb1e5ffa890f82a6613339b5bcd0faed10d8e3caeab91611ef99a0ca89

SHA512
30703b6191e4b9902602d40b73184ccae9316246052dcf5dd86c8e14b8a76faded4b74be3d27ecd2de0ab1288d77e8173757f6f67d41519dbeb4ed1dbf075950

Download Submit
memory/544-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/544-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/544-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/544-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1692-161-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-126-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-170-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3332-38-0x00007FF9012F0000-0x00007FF901DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-36-0x00007FF9012F0000-0x00007FF901DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-35-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/3508-58-0x000000000B350000-0x000000000B968000-memory.dmp

Filesize
6.1MB

Download
memory/3508-51-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3508-115-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3508-60-0x000000000AE40000-0x000000000AF4A000-memory.dmp

Filesize
1.0MB

Download
memory/3508-64-0x000000000AD70000-0x000000000AD82000-memory.dmp

Filesize
72KB

Download
memory/3508-122-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/3508-77-0x000000000AF50000-0x000000000AF9C000-memory.dmp

Filesize
304KB

Download
memory/3508-52-0x00000000058F0000-0x00000000058F6000-memory.dmp

Filesize
24KB

Download
memory/3508-65-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/3508-69-0x000000000ADD0000-0x000000000AE0C000-memory.dmp

Filesize
240KB

Download
memory/3508-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4024-147-0x000000006E170000-0x000000006E1BC000-memory.dmp

Filesize
304KB

Download
memory/4024-163-0x0000000007BB0000-0x0000000007C46000-memory.dmp

Filesize
600KB

Download
memory/4024-131-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4024-130-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/4024-129-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4024-142-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/4024-143-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/4024-144-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/4024-145-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4024-146-0x00000000077D0000-0x0000000007802000-memory.dmp

Filesize
200KB

Download
memory/4024-128-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-157-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/4024-158-0x0000000007810000-0x00000000078B3000-memory.dmp

Filesize
652KB

Download
memory/4024-159-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/4024-160-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/4024-127-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download
memory/4024-162-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/4024-137-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/4024-164-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/4024-165-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/4024-166-0x0000000007B60000-0x0000000007B74000-memory.dmp

Filesize
80KB

Download
memory/4024-167-0x0000000007C50000-0x0000000007C6A000-memory.dmp

Filesize
104KB

Download
memory/4024-168-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

Filesize
32KB

Download
memory/4024-174-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-171-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-120-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-114-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/4500-113-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/4500-112-0x00000000055D0000-0x00000000055EA000-memory.dmp

Filesize
104KB

Download
memory/4500-111-0x00000000056D0000-0x00000000057C6000-memory.dmp

Filesize
984KB

Download
memory/4500-110-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4500-108-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-109-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/4500-107-0x0000000000C40000-0x0000000000D4A000-memory.dmp

Filesize
1.0MB

Download