f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe
Size

2.2MB
MD5

3f7bc6e3931deadf8544cf8c9c70054b
SHA1

bf12dabc90ab9fe6edd04768a156a00e2c7eca47
SHA256

f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad
SHA512

79085b3fcbe847eb85227d79b32769eeb4f826747f54b8147db7d6e09fbe14e160094b5c3b205ed9a501791a9c6ece1b2732b635e64a86dcb85327da9d9efc4c
SSDEEP

49152:wTG4Q/0YAaVo8oP3KpuZj3QcG2jGnYALhbgG:wK4XK

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2496 created 580	2496	Explorer.EXE	4

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\patI3i2xG.sys	djoin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe

Executes dropped EXE 2 IoCs

pid	Process
5088	3439c374
4104	djoin.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/756-0-0x0000000000EC0000-0x0000000000F49000-memory.dmp	upx
behavioral2/files/0x000300000001ef8c-2.dat	upx
behavioral2/files/0x000300000001ef8c-3.dat	upx
behavioral2/memory/5088-4-0x0000000000010000-0x0000000000099000-memory.dmp	upx
behavioral2/memory/756-24-0x0000000000EC0000-0x0000000000F49000-memory.dmp	upx
behavioral2/memory/5088-28-0x0000000000010000-0x0000000000099000-memory.dmp	upx
behavioral2/memory/756-38-0x0000000000EC0000-0x0000000000F49000-memory.dmp	upx
behavioral2/memory/5088-67-0x0000000000010000-0x0000000000099000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	3439c374
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	djoin.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	djoin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	3439c374
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	djoin.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	djoin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	3439c374
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	djoin.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	djoin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	3439c374
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	djoin.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	djoin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	3439c374
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	djoin.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	djoin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	3439c374
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	3439c374
File created	C:\Windows\SysWOW64\3439c374	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe
File created	C:\Windows\system32\ \Windows\System32\OIBhks.sys	djoin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	3439c374

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\571bc0	3439c374
File created	C:\Windows\Fonts\djoin.exe	Explorer.EXE
File opened for modification	C:\Windows\Fonts\djoin.exe	Explorer.EXE
File created	C:\Windows\Wt6ut3N.sys	djoin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	djoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	djoin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	djoin.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4316	timeout.exe
2452	timeout.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	3439c374
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	3439c374
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	3439c374
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	3439c374
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	3439c374
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	djoin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	djoin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	djoin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	djoin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	djoin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	djoin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	djoin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	djoin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	3439c374
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	3439c374
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	3439c374
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	djoin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	3439c374

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
5088	3439c374
2496	Explorer.EXE
2496	Explorer.EXE
2496	Explorer.EXE
2496	Explorer.EXE
5088	3439c374
5088	3439c374
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe
4104	djoin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe
Token: SeTcbPrivilege	756	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe
Token: SeDebugPrivilege	5088	3439c374
Token: SeTcbPrivilege	5088	3439c374
Token: SeDebugPrivilege	5088	3439c374
Token: SeDebugPrivilege	2496	Explorer.EXE
Token: SeDebugPrivilege	2496	Explorer.EXE
Token: SeDebugPrivilege	5088	3439c374
Token: SeIncBasePriorityPrivilege	756	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe
Token: SeDebugPrivilege	4104	djoin.exe
Token: SeDebugPrivilege	4104	djoin.exe
Token: SeDebugPrivilege	4104	djoin.exe
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE
Token: SeIncBasePriorityPrivilege	5088	3439c374
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE
Token: SeShutdownPrivilege	2496	Explorer.EXE
Token: SeCreatePagefilePrivilege	2496	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2496	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2496	5088	3439c374	22
PID 5088 wrote to memory of 2496	5088	3439c374	22
PID 5088 wrote to memory of 2496	5088	3439c374	22
PID 5088 wrote to memory of 2496	5088	3439c374	22
PID 5088 wrote to memory of 2496	5088	3439c374	22
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 2496 wrote to memory of 4104	2496	Explorer.EXE	88
PID 5088 wrote to memory of 580	5088	3439c374	4
PID 5088 wrote to memory of 580	5088	3439c374	4
PID 5088 wrote to memory of 580	5088	3439c374	4
PID 5088 wrote to memory of 580	5088	3439c374	4
PID 5088 wrote to memory of 580	5088	3439c374	4
PID 756 wrote to memory of 1040	756	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe	91
PID 756 wrote to memory of 1040	756	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe	91
PID 756 wrote to memory of 1040	756	f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe	91
PID 1040 wrote to memory of 4316	1040	cmd.exe	93
PID 1040 wrote to memory of 4316	1040	cmd.exe	93
PID 1040 wrote to memory of 4316	1040	cmd.exe	93
PID 5088 wrote to memory of 1360	5088	3439c374	95
PID 5088 wrote to memory of 1360	5088	3439c374	95
PID 5088 wrote to memory of 1360	5088	3439c374	95
PID 1360 wrote to memory of 2452	1360	cmd.exe	97
PID 1360 wrote to memory of 2452	1360	cmd.exe	97
PID 1360 wrote to memory of 2452	1360	cmd.exe	97

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580
- C:\Windows\Fonts\djoin.exe
  "C:\Windows\Fonts\djoin.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe
  "C:\Users\Admin\AppData\Local\Temp\f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\f484c9093a7046d53d4856234679e3a9f4d92064b41d6fa3121129758482cdad.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4316

C:\Windows\Syswow64\3439c374
C:\Windows\Syswow64\3439c374
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\3439c374"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83401e62.tmp

Filesize
11.6MB

MD5
5244c87dbafa1f764b258766005dea73

SHA1
84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

SHA256
077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

SHA512
54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

Download Submit
C:\Windows\Fonts\djoin.exe

Filesize
74KB

MD5
1bc9245d12077f2e422c84541d62bed9

SHA1
01c877005e353a5202b2250b0277bb900d71753f

SHA256
f5ee00bf7cfd7bf7504597d0106d1fa2c8cebfc7b693dc18e6e10f2864fad690

SHA512
23d6d5217d2113909d69c769a41a39bf824101ebf4424f52f8adf19e807d9ff392b5b2e29607d3659e22c513a024eb6d46e85dc73e89b443bba74e497626e987

Download Submit
C:\Windows\Fonts\djoin.exe

Filesize
74KB

MD5
1bc9245d12077f2e422c84541d62bed9

SHA1
01c877005e353a5202b2250b0277bb900d71753f

SHA256
f5ee00bf7cfd7bf7504597d0106d1fa2c8cebfc7b693dc18e6e10f2864fad690

SHA512
23d6d5217d2113909d69c769a41a39bf824101ebf4424f52f8adf19e807d9ff392b5b2e29607d3659e22c513a024eb6d46e85dc73e89b443bba74e497626e987

Download Submit
C:\Windows\SysWOW64\3439c374

Filesize
2.2MB

MD5
86bb0d4a21d7757f489893b3583e3fc5

SHA1
daf80a18e9d0a7b141a1673a356568bf397cea6d

SHA256
6021b8d33c7c3d943a0a73981969638227cf5cff8c9242b0c4c6bc815fc36430

SHA512
9adfd874bbfab004ecdecfaa6df956cc032c06096b4b25f00d7b51a22ecebc6b268e4ddfe0fd3aa86a114cf58e8aa36228153a0b1f00d2bee1a452903e662048

Download Submit
C:\Windows\SysWOW64\3439c374

Filesize
2.2MB

MD5
86bb0d4a21d7757f489893b3583e3fc5

SHA1
daf80a18e9d0a7b141a1673a356568bf397cea6d

SHA256
6021b8d33c7c3d943a0a73981969638227cf5cff8c9242b0c4c6bc815fc36430

SHA512
9adfd874bbfab004ecdecfaa6df956cc032c06096b4b25f00d7b51a22ecebc6b268e4ddfe0fd3aa86a114cf58e8aa36228153a0b1f00d2bee1a452903e662048

Download Submit
memory/580-70-0x000001866E9B0000-0x000001866E9B1000-memory.dmp

Filesize
4KB

Download
memory/580-31-0x000001866E950000-0x000001866E978000-memory.dmp

Filesize
160KB

Download
memory/580-30-0x000001866E9B0000-0x000001866E9B1000-memory.dmp

Filesize
4KB

Download
memory/756-24-0x0000000000EC0000-0x0000000000F49000-memory.dmp

Filesize
548KB

Download
memory/756-0-0x0000000000EC0000-0x0000000000F49000-memory.dmp

Filesize
548KB

Download
memory/756-38-0x0000000000EC0000-0x0000000000F49000-memory.dmp

Filesize
548KB

Download
memory/2496-141-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-145-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/2496-202-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-200-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-197-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-195-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-189-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-13-0x0000000002B50000-0x0000000002B53000-memory.dmp

Filesize
12KB

Download
memory/2496-182-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-65-0x0000000008980000-0x0000000008A79000-memory.dmp

Filesize
996KB

Download
memory/2496-66-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2496-184-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-175-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-173-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-19-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2496-171-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-168-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-164-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-109-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-162-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-160-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-158-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-157-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-155-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-148-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/2496-79-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-150-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-85-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-86-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/2496-84-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-90-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-151-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2496-91-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-93-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-108-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-153-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-87-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-82-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-95-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2496-149-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-98-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-97-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-99-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2496-100-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-102-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-147-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-103-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-106-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-88-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-111-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-146-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-113-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-112-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-114-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-110-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2496-116-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-117-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-118-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-115-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-18-0x0000000008980000-0x0000000008A79000-memory.dmp

Filesize
996KB

Download
memory/2496-10-0x0000000002B50000-0x0000000002B53000-memory.dmp

Filesize
12KB

Download
memory/2496-144-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-132-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-133-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-134-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2496-135-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-136-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-138-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-137-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-139-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2496-143-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/4104-20-0x0000016C371E0000-0x0000016C371E3000-memory.dmp

Filesize
12KB

Download
memory/4104-21-0x0000016C37470000-0x0000016C3753B000-memory.dmp

Filesize
812KB

Download
memory/4104-23-0x0000016C37470000-0x0000016C3753B000-memory.dmp

Filesize
812KB

Download
memory/4104-76-0x0000016C39D30000-0x0000016C39EF5000-memory.dmp

Filesize
1.8MB

Download
memory/4104-104-0x0000016C39B60000-0x0000016C39B62000-memory.dmp

Filesize
8KB

Download
memory/4104-96-0x0000016C39D30000-0x0000016C39EF5000-memory.dmp

Filesize
1.8MB

Download
memory/4104-94-0x0000016C39590000-0x0000016C39591000-memory.dmp

Filesize
4KB

Download
memory/4104-92-0x0000016C395B0000-0x0000016C395B1000-memory.dmp

Filesize
4KB

Download
memory/4104-83-0x0000016C395A0000-0x0000016C395A1000-memory.dmp

Filesize
4KB

Download
memory/4104-81-0x0000016C39C80000-0x0000016C39C81000-memory.dmp

Filesize
4KB

Download
memory/4104-80-0x0000016C39590000-0x0000016C39591000-memory.dmp

Filesize
4KB

Download
memory/4104-75-0x0000016C39590000-0x0000016C39591000-memory.dmp

Filesize
4KB

Download
memory/4104-127-0x0000016C39D30000-0x0000016C39EF5000-memory.dmp

Filesize
1.8MB

Download
memory/4104-78-0x0000016C39C80000-0x0000016C39C81000-memory.dmp

Filesize
4KB

Download
memory/4104-26-0x00007FFB22320000-0x00007FFB22330000-memory.dmp

Filesize
64KB

Download
memory/4104-72-0x0000016C39590000-0x0000016C39591000-memory.dmp

Filesize
4KB

Download
memory/4104-73-0x0000016C39380000-0x0000016C39381000-memory.dmp

Filesize
4KB

Download
memory/4104-71-0x0000016C39590000-0x0000016C39591000-memory.dmp

Filesize
4KB

Download
memory/4104-69-0x0000016C37580000-0x0000016C37581000-memory.dmp

Filesize
4KB

Download
memory/4104-68-0x0000016C37470000-0x0000016C3753B000-memory.dmp

Filesize
812KB

Download
memory/4104-25-0x0000016C37580000-0x0000016C37581000-memory.dmp

Filesize
4KB

Download
memory/4104-64-0x00007FFB22320000-0x00007FFB22330000-memory.dmp

Filesize
64KB

Download
memory/4104-77-0x0000016C39B60000-0x0000016C39B62000-memory.dmp

Filesize
8KB

Download
memory/4104-74-0x0000016C39590000-0x0000016C39591000-memory.dmp

Filesize
4KB

Download
memory/5088-28-0x0000000000010000-0x0000000000099000-memory.dmp

Filesize
548KB

Download
memory/5088-67-0x0000000000010000-0x0000000000099000-memory.dmp

Filesize
548KB

Download
memory/5088-4-0x0000000000010000-0x0000000000099000-memory.dmp

Filesize
548KB

Download