djvu | c26d93b2dc38db64e470819c16d1432046989f1e6fd4cdadfe319536333d7195

Analysis

max time kernel
156s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

225KB
MD5

bfc55c93babb2fdbe8e1679f713f1d04
SHA1

c18f51842c2dd332096c758f47782be0389f278e
SHA256

c26d93b2dc38db64e470819c16d1432046989f1e6fd4cdadfe319536333d7195
SHA512

16963a63d50fc91e01c420b4f013963830e38bd588db98f92dd548f235b70c8e02909a50b9984bec34549fd547c517aa255b7ba4d7772e068d31ff7300a1e7ed
SSDEEP

6144:nPiYHdpZG06NqGskIbTju+dRr6sMRR7T:nn9pZGb5skYdt6sGRv

Score

10^/10

djvu redline smokeloader xmrig logsdiller cloud (tg: @logsdillabot)backdoor collection discovery evasion infostealer miner ransomware spyware trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.255.152.132:36011

Signatures

Detected Djvu ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/5044-26-0x0000000002390000-0x00000000024AB000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4768-211-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 2888 created 3144	2888	latestX.exe	16
PID 2888 created 3144	2888	latestX.exe	16
PID 2888 created 3144	2888	latestX.exe	16
PID 2888 created 3144	2888	latestX.exe	16
PID 2888 created 3144	2888	latestX.exe	16
PID 672 created 3144	672	updater.exe	16
PID 672 created 3144	672	updater.exe	16
PID 672 created 3144	672	updater.exe	16
PID 672 created 3144	672	updater.exe	16

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/672-368-0x00007FF7266F0000-0x00007FF726C91000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	74CF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	kos1.exe

Executes dropped EXE 15 IoCs

pid	Process
5044	5128.exe
4368	74CF.exe
628	9921.exe
3344	A017.exe
2292	toolspub2.exe
4464	A345.exe
1008	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2768	kos1.exe
2888	latestX.exe
2272	set16.exe
2680	kos.exe
4180	is-033UF.tmp
4516	previewer.exe
4428	previewer.exe
672	updater.exe

Loads dropped DLL 4 IoCs

pid	Process
1472	regsvr32.exe
4180	is-033UF.tmp
4180	is-033UF.tmp
4180	is-033UF.tmp

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 4768	4464	A345.exe	120

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-033UF.tmp
File created	C:\Program Files (x86)\PA Previewer\is-1NHM5.tmp	is-033UF.tmp
File created	C:\Program Files (x86)\PA Previewer\is-JK8UU.tmp	is-033UF.tmp
File created	C:\Program Files (x86)\PA Previewer\is-UMBK3.tmp	is-033UF.tmp
File created	C:\Program Files (x86)\PA Previewer\is-PE8C5.tmp	is-033UF.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-033UF.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-033UF.tmp

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4808	sc.exe
3804	sc.exe
2560	sc.exe
1508	sc.exe
5060	sc.exe
3600	sc.exe
2400	sc.exe
4680	sc.exe
4868	sc.exe
2980	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4896	4464	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
732	file.exe
732	file.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3144	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
732	file.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeDebugPrivilege	2680	kos.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeDebugPrivilege	4516	previewer.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeDebugPrivilege	4428	previewer.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeShutdownPrivilege	3700	powercfg.exe
Token: SeCreatePagefilePrivilege	3700	powercfg.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeShutdownPrivilege	676	powercfg.exe
Token: SeCreatePagefilePrivilege	676	powercfg.exe
Token: SeShutdownPrivilege	4168	powercfg.exe
Token: SeCreatePagefilePrivilege	4168	powercfg.exe
Token: SeShutdownPrivilege	4848	powercfg.exe
Token: SeCreatePagefilePrivilege	4848	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4368	powershell.exe
Token: SeSecurityPrivilege	4368	powershell.exe
Token: SeTakeOwnershipPrivilege	4368	powershell.exe
Token: SeLoadDriverPrivilege	4368	powershell.exe
Token: SeSystemProfilePrivilege	4368	powershell.exe
Token: SeSystemtimePrivilege	4368	powershell.exe
Token: SeProfSingleProcessPrivilege	4368	powershell.exe
Token: SeIncBasePriorityPrivilege	4368	powershell.exe
Token: SeCreatePagefilePrivilege	4368	powershell.exe
Token: SeBackupPrivilege	4368	powershell.exe
Token: SeRestorePrivilege	4368	powershell.exe
Token: SeShutdownPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeSystemEnvironmentPrivilege	4368	powershell.exe
Token: SeRemoteShutdownPrivilege	4368	powershell.exe
Token: SeUndockPrivilege	4368	powershell.exe
Token: SeManageVolumePrivilege	4368	powershell.exe
Token: 33	4368	powershell.exe
Token: 34	4368	powershell.exe
Token: 35	4368	powershell.exe
Token: 36	4368	powershell.exe
Token: SeIncreaseQuotaPrivilege	4368	powershell.exe
Token: SeSecurityPrivilege	4368	powershell.exe
Token: SeTakeOwnershipPrivilege	4368	powershell.exe
Token: SeLoadDriverPrivilege	4368	powershell.exe
Token: SeSystemProfilePrivilege	4368	powershell.exe
Token: SeSystemtimePrivilege	4368	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3144	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 5044	3144	Explorer.EXE	98
PID 3144 wrote to memory of 5044	3144	Explorer.EXE	98
PID 3144 wrote to memory of 5044	3144	Explorer.EXE	98
PID 3144 wrote to memory of 1868	3144	Explorer.EXE	99
PID 3144 wrote to memory of 1868	3144	Explorer.EXE	99
PID 1868 wrote to memory of 1472	1868	regsvr32.exe	100
PID 1868 wrote to memory of 1472	1868	regsvr32.exe	100
PID 1868 wrote to memory of 1472	1868	regsvr32.exe	100
PID 3144 wrote to memory of 4368	3144	Explorer.EXE	101
PID 3144 wrote to memory of 4368	3144	Explorer.EXE	101
PID 3144 wrote to memory of 4368	3144	Explorer.EXE	101
PID 3144 wrote to memory of 628	3144	Explorer.EXE	102
PID 3144 wrote to memory of 628	3144	Explorer.EXE	102
PID 3144 wrote to memory of 628	3144	Explorer.EXE	102
PID 3144 wrote to memory of 3344	3144	Explorer.EXE	103
PID 3144 wrote to memory of 3344	3144	Explorer.EXE	103
PID 3144 wrote to memory of 3344	3144	Explorer.EXE	103
PID 4368 wrote to memory of 2292	4368	74CF.exe	104
PID 4368 wrote to memory of 2292	4368	74CF.exe	104
PID 4368 wrote to memory of 2292	4368	74CF.exe	104
PID 3144 wrote to memory of 4464	3144	Explorer.EXE	105
PID 3144 wrote to memory of 4464	3144	Explorer.EXE	105
PID 3144 wrote to memory of 4464	3144	Explorer.EXE	105
PID 3144 wrote to memory of 1020	3144	Explorer.EXE	107
PID 3144 wrote to memory of 1020	3144	Explorer.EXE	107
PID 3144 wrote to memory of 1020	3144	Explorer.EXE	107
PID 3144 wrote to memory of 1020	3144	Explorer.EXE	107
PID 4368 wrote to memory of 1008	4368	74CF.exe	108
PID 4368 wrote to memory of 1008	4368	74CF.exe	108
PID 4368 wrote to memory of 1008	4368	74CF.exe	108
PID 3144 wrote to memory of 916	3144	Explorer.EXE	109
PID 3144 wrote to memory of 916	3144	Explorer.EXE	109
PID 3144 wrote to memory of 916	3144	Explorer.EXE	109
PID 4368 wrote to memory of 2768	4368	74CF.exe	110
PID 4368 wrote to memory of 2768	4368	74CF.exe	110
PID 4368 wrote to memory of 2768	4368	74CF.exe	110
PID 4368 wrote to memory of 2888	4368	74CF.exe	111
PID 4368 wrote to memory of 2888	4368	74CF.exe	111
PID 2768 wrote to memory of 2272	2768	kos1.exe	112
PID 2768 wrote to memory of 2272	2768	kos1.exe	112
PID 2768 wrote to memory of 2272	2768	kos1.exe	112
PID 2768 wrote to memory of 2680	2768	kos1.exe	113
PID 2768 wrote to memory of 2680	2768	kos1.exe	113
PID 2272 wrote to memory of 4180	2272	set16.exe	114
PID 2272 wrote to memory of 4180	2272	set16.exe	114
PID 2272 wrote to memory of 4180	2272	set16.exe	114
PID 4180 wrote to memory of 1328	4180	is-033UF.tmp	115
PID 4180 wrote to memory of 1328	4180	is-033UF.tmp	115
PID 4180 wrote to memory of 1328	4180	is-033UF.tmp	115
PID 4180 wrote to memory of 4516	4180	is-033UF.tmp	117
PID 4180 wrote to memory of 4516	4180	is-033UF.tmp	117
PID 4180 wrote to memory of 4516	4180	is-033UF.tmp	117
PID 4180 wrote to memory of 4428	4180	is-033UF.tmp	118
PID 4180 wrote to memory of 4428	4180	is-033UF.tmp	118
PID 4180 wrote to memory of 4428	4180	is-033UF.tmp	118
PID 1328 wrote to memory of 3464	1328	net.exe	119
PID 1328 wrote to memory of 3464	1328	net.exe	119
PID 1328 wrote to memory of 3464	1328	net.exe	119
PID 4464 wrote to memory of 4768	4464	A345.exe	120
PID 4464 wrote to memory of 4768	4464	A345.exe	120
PID 4464 wrote to memory of 4768	4464	A345.exe	120
PID 4464 wrote to memory of 4768	4464	A345.exe	120
PID 4464 wrote to memory of 4768	4464	A345.exe	120
PID 4464 wrote to memory of 4768	4464	A345.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:732
- C:\Users\Admin\AppData\Local\Temp\5128.exe
  C:\Users\Admin\AppData\Local\Temp\5128.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\57FF.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\57FF.dll
    3⤵
    - Loads dropped DLL
    PID:1472
- C:\Users\Admin\AppData\Local\Temp\74CF.exe
  C:\Users\Admin\AppData\Local\Temp\74CF.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\kos1.exe
    "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\set16.exe
      "C:\Users\Admin\AppData\Local\Temp\set16.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\is-H8TF7.tmp\is-033UF.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H8TF7.tmp\is-033UF.tmp" /SL4 $A0180 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        7⤵
        
        PID:3464
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\kos.exe
      "C:\Users\Admin\AppData\Local\Temp\kos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2680
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\9921.exe
  C:\Users\Admin\AppData\Local\Temp\9921.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Users\Admin\AppData\Local\Temp\A017.exe
  C:\Users\Admin\AppData\Local\Temp\A017.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Users\Admin\AppData\Local\Temp\A345.exe
  C:\Users\Admin\AppData\Local\Temp\A345.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 136
    3⤵
    - Program crash
    PID:4896
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1020
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3420
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4808
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2400
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3804
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2560
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1976
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4304
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1508
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4868
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2980
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5060
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3600
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4628
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4452
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:968
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Modifies data under HKEY_USERS
  PID:4324
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1532
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4464 -ip 4464
1⤵
PID:1976

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5128.exe

Filesize
724KB

MD5
e79a6b2a60dbb899a3ed24f3030ed5ff

SHA1
323664f0a2a86dd00910e2dbf6a109ac74d3fcef

SHA256
868554e78e8b6861d4be85fd7e5844b2136aab492db60d16be7d4ddb2cb5b6b1

SHA512
ce30f168eb712cdba8de9289f6d28a085da915c15e94f1f5d9ce1517a6bec0e24254eb98694e04f86cf0ab64457cb12a3f42dbe2f811288e7fd299c1df1dcba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5128.exe

Filesize
724KB

MD5
e79a6b2a60dbb899a3ed24f3030ed5ff

SHA1
323664f0a2a86dd00910e2dbf6a109ac74d3fcef

SHA256
868554e78e8b6861d4be85fd7e5844b2136aab492db60d16be7d4ddb2cb5b6b1

SHA512
ce30f168eb712cdba8de9289f6d28a085da915c15e94f1f5d9ce1517a6bec0e24254eb98694e04f86cf0ab64457cb12a3f42dbe2f811288e7fd299c1df1dcba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\57FF.dll

Filesize
2.3MB

MD5
601a71404704d76ec70cbb987ff4c6ec

SHA1
cdad89b1e9c8673f11d5ccad90795218e607a76c

SHA256
c137a8671a06ad7d1234d4342fc4e7481ca92ce260a0a5473d30a842de7a3d86

SHA512
d951317b04dceb54419c15c676a82bc75d7a07e977c058c017db82586907b43c76fa9496ce728044980f4632ae0e3b9c9b9a95b1a99ceee2df92b900b90bae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\57FF.dll

Filesize
2.3MB

MD5
601a71404704d76ec70cbb987ff4c6ec

SHA1
cdad89b1e9c8673f11d5ccad90795218e607a76c

SHA256
c137a8671a06ad7d1234d4342fc4e7481ca92ce260a0a5473d30a842de7a3d86

SHA512
d951317b04dceb54419c15c676a82bc75d7a07e977c058c017db82586907b43c76fa9496ce728044980f4632ae0e3b9c9b9a95b1a99ceee2df92b900b90bae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\74CF.exe

Filesize
11.4MB

MD5
d026dd5532acfed2160b3016b583e480

SHA1
77bf69780708cc75c1fb59c806306b37bee7944c

SHA256
daed0466ca4cd862394eaa4d058808a589bff5162b8d3657bd9c9eb48b131aa6

SHA512
c6360364cb61dd5299d83f55ec5198fe41e4c7129503cca928098f5962d4f35114442eb3f4a608deaef2a996c0f85460c365bc725ac7a6edd89b62caa5f00aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\74CF.exe

Filesize
11.4MB

MD5
d026dd5532acfed2160b3016b583e480

SHA1
77bf69780708cc75c1fb59c806306b37bee7944c

SHA256
daed0466ca4cd862394eaa4d058808a589bff5162b8d3657bd9c9eb48b131aa6

SHA512
c6360364cb61dd5299d83f55ec5198fe41e4c7129503cca928098f5962d4f35114442eb3f4a608deaef2a996c0f85460c365bc725ac7a6edd89b62caa5f00aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9921.exe

Filesize
226KB

MD5
49836ba06a97faec080623e1b11fa687

SHA1
cfb1ccd0500929876cb6b9e19e034c4f07b5c7f0

SHA256
c92f6e04a637473dbcc20e90b733dcba95d53d210c790ecbc3dd3d6af314f696

SHA512
658ae2840c46d38ce0f8a31feb24fa32360e504998253377cfc864f22438a0ccc8a1579726ab201273b5163ac60456aec7a265945f1833c1f4be95a5038b1a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9921.exe

Filesize
226KB

MD5
49836ba06a97faec080623e1b11fa687

SHA1
cfb1ccd0500929876cb6b9e19e034c4f07b5c7f0

SHA256
c92f6e04a637473dbcc20e90b733dcba95d53d210c790ecbc3dd3d6af314f696

SHA512
658ae2840c46d38ce0f8a31feb24fa32360e504998253377cfc864f22438a0ccc8a1579726ab201273b5163ac60456aec7a265945f1833c1f4be95a5038b1a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A017.exe

Filesize
4.1MB

MD5
732caadc27e9e0ee117426d1aec2c075

SHA1
75332130f549f64194b54ca3c913cb1f559911a7

SHA256
2040b1e381fcab4853d63b89fadb6c5bde6dba3e68037ab0672f57799d1749e4

SHA512
035242e52ebfa770a2c9bd966b0a98f88460b78a0fa54484adf5050f24ddf2372c4783b63a4a4110aaf24c7c3dca2985520baf6a64e9203eda0072fe2d6386df

Download Submit
C:\Users\Admin\AppData\Local\Temp\A017.exe

Filesize
4.1MB

MD5
732caadc27e9e0ee117426d1aec2c075

SHA1
75332130f549f64194b54ca3c913cb1f559911a7

SHA256
2040b1e381fcab4853d63b89fadb6c5bde6dba3e68037ab0672f57799d1749e4

SHA512
035242e52ebfa770a2c9bd966b0a98f88460b78a0fa54484adf5050f24ddf2372c4783b63a4a4110aaf24c7c3dca2985520baf6a64e9203eda0072fe2d6386df

Download Submit
C:\Users\Admin\AppData\Local\Temp\A345.exe

Filesize
447KB

MD5
6fda89f9ede8da1551d6f27a87e0e7cf

SHA1
dd6b620ffcce67ac76e12373a730f365624798f8

SHA256
ec6792abafdfb3c169e062fb109ee71ffa1aed0ec82d560268ca489a4373bd5c

SHA512
a0460afdabecf3a0b3482ccb104807b3a235f19392e6d394756d35cb3908a3256693d02a79e0ce1d0ec9e3a3012839505d8a6a3b8ab3cad67706c66f71d32351

Download Submit
C:\Users\Admin\AppData\Local\Temp\A345.exe

Filesize
447KB

MD5
6fda89f9ede8da1551d6f27a87e0e7cf

SHA1
dd6b620ffcce67ac76e12373a730f365624798f8

SHA256
ec6792abafdfb3c169e062fb109ee71ffa1aed0ec82d560268ca489a4373bd5c

SHA512
a0460afdabecf3a0b3482ccb104807b3a235f19392e6d394756d35cb3908a3256693d02a79e0ce1d0ec9e3a3012839505d8a6a3b8ab3cad67706c66f71d32351

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_az3lfate.lv3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.1MB

MD5
e5ce2ba14a0d2f857c7f60568f262f35

SHA1
0cc8a3b0b2d8c039b750be3dc7efe702f46ecb4c

SHA256
49fd81c4c15da2146e8d41bf2d142fbf6d715dd195951791e6f0a444bc1f0db2

SHA512
f8c7367b4c02dd15a68b79d24301271fcf9800d0b6952c2a4b1724ef9114f72939303d0039a8cc4ab2be7108740156d9cbf6ad10203804fda1d8fc277238e2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.1MB

MD5
e5ce2ba14a0d2f857c7f60568f262f35

SHA1
0cc8a3b0b2d8c039b750be3dc7efe702f46ecb4c

SHA256
49fd81c4c15da2146e8d41bf2d142fbf6d715dd195951791e6f0a444bc1f0db2

SHA512
f8c7367b4c02dd15a68b79d24301271fcf9800d0b6952c2a4b1724ef9114f72939303d0039a8cc4ab2be7108740156d9cbf6ad10203804fda1d8fc277238e2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.1MB

MD5
e5ce2ba14a0d2f857c7f60568f262f35

SHA1
0cc8a3b0b2d8c039b750be3dc7efe702f46ecb4c

SHA256
49fd81c4c15da2146e8d41bf2d142fbf6d715dd195951791e6f0a444bc1f0db2

SHA512
f8c7367b4c02dd15a68b79d24301271fcf9800d0b6952c2a4b1724ef9114f72939303d0039a8cc4ab2be7108740156d9cbf6ad10203804fda1d8fc277238e2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H8TF7.tmp\is-033UF.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H8TF7.tmp\is-033UF.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NTD98.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NTD98.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NTD98.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
213KB

MD5
92505d71d65f3fd132de5d032d371d63

SHA1
a381f472b41aab5f1241f58e522cfe73b36c7a67

SHA256
3adc2d21a85e8f73b72c75cf9450a7eb2fe843df24b827a9afe1201316d07944

SHA512
4dca261185cdaf561b42e7210e1b3dd7d2eb4832354cbadb6ebbb5da2f07fa3917ddbb1433d19c358587f63483d6e59a1891aa26fb5e33e3c04cd6a353de9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
213KB

MD5
92505d71d65f3fd132de5d032d371d63

SHA1
a381f472b41aab5f1241f58e522cfe73b36c7a67

SHA256
3adc2d21a85e8f73b72c75cf9450a7eb2fe843df24b827a9afe1201316d07944

SHA512
4dca261185cdaf561b42e7210e1b3dd7d2eb4832354cbadb6ebbb5da2f07fa3917ddbb1433d19c358587f63483d6e59a1891aa26fb5e33e3c04cd6a353de9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
213KB

MD5
92505d71d65f3fd132de5d032d371d63

SHA1
a381f472b41aab5f1241f58e522cfe73b36c7a67

SHA256
3adc2d21a85e8f73b72c75cf9450a7eb2fe843df24b827a9afe1201316d07944

SHA512
4dca261185cdaf561b42e7210e1b3dd7d2eb4832354cbadb6ebbb5da2f07fa3917ddbb1433d19c358587f63483d6e59a1891aa26fb5e33e3c04cd6a353de9cdc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/672-280-0x00007FF7266F0000-0x00007FF726C91000-memory.dmp

Filesize
5.6MB

Download
memory/672-368-0x00007FF7266F0000-0x00007FF726C91000-memory.dmp

Filesize
5.6MB

Download
memory/672-353-0x00007FF7266F0000-0x00007FF726C91000-memory.dmp

Filesize
5.6MB

Download
memory/732-4-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/732-6-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/732-3-0x0000000000740000-0x000000000074B000-memory.dmp

Filesize
44KB

Download
memory/732-1-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/732-2-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/916-73-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/916-72-0x0000000000FF0000-0x0000000000FF7000-memory.dmp

Filesize
28KB

Download
memory/916-70-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/1020-77-0x0000000000690000-0x00000000006FB000-memory.dmp

Filesize
428KB

Download
memory/1020-86-0x0000000000700000-0x0000000000780000-memory.dmp

Filesize
512KB

Download
memory/1020-176-0x0000000000690000-0x00000000006FB000-memory.dmp

Filesize
428KB

Download
memory/1472-88-0x0000000002CC0000-0x0000000002DCF000-memory.dmp

Filesize
1.1MB

Download
memory/1472-159-0x0000000002DD0000-0x0000000002EC5000-memory.dmp

Filesize
980KB

Download
memory/1472-121-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/1472-27-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

Filesize
24KB

Download
memory/1472-153-0x0000000002DD0000-0x0000000002EC5000-memory.dmp

Filesize
980KB

Download
memory/1472-155-0x0000000002DD0000-0x0000000002EC5000-memory.dmp

Filesize
980KB

Download
memory/1472-28-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/1472-177-0x0000000002DD0000-0x0000000002EC5000-memory.dmp

Filesize
980KB

Download
memory/1976-299-0x000001E31BD60000-0x000001E31BD70000-memory.dmp

Filesize
64KB

Download
memory/1976-300-0x000001E31BD60000-0x000001E31BD70000-memory.dmp

Filesize
64KB

Download
memory/1976-298-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/2228-242-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/2228-240-0x0000017A60B50000-0x0000017A60B60000-memory.dmp

Filesize
64KB

Download
memory/2228-239-0x0000017A60B50000-0x0000017A60B60000-memory.dmp

Filesize
64KB

Download
memory/2228-237-0x0000017A60B50000-0x0000017A60B60000-memory.dmp

Filesize
64KB

Download
memory/2228-238-0x0000017A60B50000-0x0000017A60B60000-memory.dmp

Filesize
64KB

Download
memory/2228-235-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/2228-230-0x0000017A60B90000-0x0000017A60BB2000-memory.dmp

Filesize
136KB

Download
memory/2272-136-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2272-201-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2680-203-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/2680-149-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/2680-205-0x000000001B7F0000-0x000000001B800000-memory.dmp

Filesize
64KB

Download
memory/2680-151-0x000000001B7F0000-0x000000001B800000-memory.dmp

Filesize
64KB

Download
memory/2680-148-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/2768-98-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-87-0x0000000000030000-0x00000000001A4000-memory.dmp

Filesize
1.5MB

Download
memory/2768-157-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2888-261-0x00007FF668B50000-0x00007FF6690F1000-memory.dmp

Filesize
5.6MB

Download
memory/2888-270-0x00007FF668B50000-0x00007FF6690F1000-memory.dmp

Filesize
5.6MB

Download
memory/2888-199-0x00007FF668B50000-0x00007FF6690F1000-memory.dmp

Filesize
5.6MB

Download
memory/3144-5-0x0000000007BA0000-0x0000000007BB6000-memory.dmp

Filesize
88KB

Download
memory/4180-175-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4180-206-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4180-204-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4368-122-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-36-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-37-0x00000000009B0000-0x0000000001514000-memory.dmp

Filesize
11.4MB

Download
memory/4368-266-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/4368-263-0x000001FE93D40000-0x000001FE93D50000-memory.dmp

Filesize
64KB

Download
memory/4368-257-0x000001FE93D40000-0x000001FE93D50000-memory.dmp

Filesize
64KB

Download
memory/4368-256-0x000001FE93D40000-0x000001FE93D50000-memory.dmp

Filesize
64KB

Download
memory/4368-255-0x000001FE93D40000-0x000001FE93D50000-memory.dmp

Filesize
64KB

Download
memory/4368-253-0x00007FFAEBA90000-0x00007FFAEC551000-memory.dmp

Filesize
10.8MB

Download
memory/4428-262-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-327-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-369-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-197-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-200-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-285-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-361-0x0000000000820000-0x0000000000869000-memory.dmp

Filesize
292KB

Download
memory/4428-277-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-281-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4428-216-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4516-195-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4516-194-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4516-190-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4516-191-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4704-367-0x0000000000C20000-0x0000000000C40000-memory.dmp

Filesize
128KB

Download
memory/4768-223-0x00000000079F0000-0x0000000007A2C000-memory.dmp

Filesize
240KB

Download
memory/4768-222-0x0000000007990000-0x00000000079A2000-memory.dmp

Filesize
72KB

Download
memory/4768-267-0x000000000A020000-0x000000000A1E2000-memory.dmp

Filesize
1.8MB

Download
memory/4768-276-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-265-0x0000000009210000-0x0000000009260000-memory.dmp

Filesize
320KB

Download
memory/4768-260-0x0000000007930000-0x0000000007940000-memory.dmp

Filesize
64KB

Download
memory/4768-259-0x0000000008300000-0x0000000008366000-memory.dmp

Filesize
408KB

Download
memory/4768-258-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-224-0x0000000007A30000-0x0000000007A7C000-memory.dmp

Filesize
304KB

Download
memory/4768-213-0x0000000007BD0000-0x0000000008174000-memory.dmp

Filesize
5.6MB

Download
memory/4768-221-0x0000000008180000-0x000000000828A000-memory.dmp

Filesize
1.0MB

Download
memory/4768-272-0x000000000A720000-0x000000000AC4C000-memory.dmp

Filesize
5.2MB

Download
memory/4768-219-0x00000000087A0000-0x0000000008DB8000-memory.dmp

Filesize
6.1MB

Download
memory/4768-218-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/4768-217-0x0000000007930000-0x0000000007940000-memory.dmp

Filesize
64KB

Download
memory/4768-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-212-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-214-0x0000000007700000-0x0000000007792000-memory.dmp

Filesize
584KB

Download
memory/5044-32-0x00000000022A0000-0x0000000002342000-memory.dmp

Filesize
648KB

Download
memory/5044-26-0x0000000002390000-0x00000000024AB000-memory.dmp

Filesize
1.1MB

Download
memory/5044-25-0x00000000022A0000-0x0000000002342000-memory.dmp

Filesize
648KB

Download