glupteba | 4aa80d6935201d51bc5be593908289cc2e239be14991a5dc6054bb19e7f90c44

Analysis

max time kernel
46s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

9.9MB
MD5

c7e1a35456fa34722556dd88dea6e5c7
SHA1

8b2a0d2b39945a80ce06e44a78973e0f9b93194c
SHA256

4aa80d6935201d51bc5be593908289cc2e239be14991a5dc6054bb19e7f90c44
SHA512

85273dfec4d40a9f8259c764f1d4c431d60c060e7792b2f8b0498205ebdb225d8a0314fb32f9663d5b30b00385b4e982a2d7ef3f429c317729dc4877b9598e5c
SSDEEP

196608:dqG6fth+H4TaduMIDwAsrzwBiaBYJwQwvk5KTOYTa+tH/+MpZG:gFhgIDwA9BiaBYJwQk8Z+YMpZ

Score

10^/10

glupteba smokeloader up3 backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

resource	yara_rule
behavioral2/memory/3192-51-0x0000000002DE0000-0x00000000036CB000-memory.dmp	family_glupteba
behavioral2/memory/3192-52-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3192-144-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3192-201-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4052-205-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4052-242-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4052-350-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3036-421-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4864 created 3112	4864	latestX.exe	55
PID 4864 created 3112	4864	latestX.exe	55
PID 4864 created 3112	4864	latestX.exe	55
PID 4864 created 3112	4864	latestX.exe	55
PID 4864 created 3112	4864	latestX.exe	55

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4992	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	kos4.exe

Executes dropped EXE 12 IoCs

pid	Process
1268	toolspub2.exe
3192	e0cbefcb1af40c7d4aff4aca26621a98.exe
4892	kos4.exe
4864	latestX.exe
2112	toolspub2.exe
2712	LzmwAqmV.exe
2004	LzmwAqmV.tmp
4304	KAudioConverter.exe
4200	KAudioConverter.exe
4052	e0cbefcb1af40c7d4aff4aca26621a98.exe
3204	updater.exe
3036	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
2004	LzmwAqmV.tmp
2004	LzmwAqmV.tmp
2004	LzmwAqmV.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 2112	1268	toolspub2.exe	94

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KAudioConverter\is-Q3OG7.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\unins000.dat	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-45IP2.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-S5M3A.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-JMEU5.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-9PR1Q.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-VNA69.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\XML\Styles\is-T8DPQ.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-NSV7K.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-EMJ4I.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-QAE0B.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-U3M3C.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\XML\Styles\is-9NVDP.tmp	LzmwAqmV.tmp
File opened for modification	C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-M0IN8.tmp	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\is-QS5GV.tmp	LzmwAqmV.tmp
File opened for modification	C:\Program Files (x86)\KAudioConverter\unins000.dat	LzmwAqmV.tmp
File created	C:\Program Files (x86)\KAudioConverter\XML\Styles\is-Q1TCQ.tmp	LzmwAqmV.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\rss\csrss.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4240	sc.exe
1180	sc.exe
5008	sc.exe
1188	sc.exe
1244	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2012	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	toolspub2.exe
2112	toolspub2.exe
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
2708	powershell.exe
2708	powershell.exe
3112	Explorer.EXE
3112	Explorer.EXE
2708	powershell.exe
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE
3112	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2112	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	kos4.exe
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeDebugPrivilege	3192	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	3192	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeShutdownPrivilege	3304	powercfg.exe
Token: SeCreatePagefilePrivilege	3304	powercfg.exe
Token: SeShutdownPrivilege	4820	powercfg.exe
Token: SeCreatePagefilePrivilege	4820	powercfg.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeCreatePagefilePrivilege	1612	powercfg.exe
Token: SeShutdownPrivilege	656	powercfg.exe
Token: SeCreatePagefilePrivilege	656	powercfg.exe
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe
Token: SeRemoteShutdownPrivilege	400	powershell.exe
Token: SeUndockPrivilege	400	powershell.exe
Token: SeManageVolumePrivilege	400	powershell.exe
Token: 33	400	powershell.exe
Token: 34	400	powershell.exe
Token: 35	400	powershell.exe
Token: 36	400	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	powershell.exe
Token: SeSecurityPrivilege	400	powershell.exe
Token: SeTakeOwnershipPrivilege	400	powershell.exe
Token: SeLoadDriverPrivilege	400	powershell.exe
Token: SeSystemProfilePrivilege	400	powershell.exe
Token: SeSystemtimePrivilege	400	powershell.exe
Token: SeProfSingleProcessPrivilege	400	powershell.exe
Token: SeIncBasePriorityPrivilege	400	powershell.exe
Token: SeCreatePagefilePrivilege	400	powershell.exe
Token: SeBackupPrivilege	400	powershell.exe
Token: SeRestorePrivilege	400	powershell.exe
Token: SeShutdownPrivilege	400	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeSystemEnvironmentPrivilege	400	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2004	LzmwAqmV.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1268	1568	file.exe	89
PID 1568 wrote to memory of 1268	1568	file.exe	89
PID 1568 wrote to memory of 1268	1568	file.exe	89
PID 1568 wrote to memory of 3192	1568	file.exe	90
PID 1568 wrote to memory of 3192	1568	file.exe	90
PID 1568 wrote to memory of 3192	1568	file.exe	90
PID 1568 wrote to memory of 4892	1568	file.exe	91
PID 1568 wrote to memory of 4892	1568	file.exe	91
PID 1568 wrote to memory of 4864	1568	file.exe	92
PID 1568 wrote to memory of 4864	1568	file.exe	92
PID 1268 wrote to memory of 2112	1268	toolspub2.exe	94
PID 1268 wrote to memory of 2112	1268	toolspub2.exe	94
PID 1268 wrote to memory of 2112	1268	toolspub2.exe	94
PID 1268 wrote to memory of 2112	1268	toolspub2.exe	94
PID 1268 wrote to memory of 2112	1268	toolspub2.exe	94
PID 1268 wrote to memory of 2112	1268	toolspub2.exe	94
PID 4892 wrote to memory of 2712	4892	kos4.exe	97
PID 4892 wrote to memory of 2712	4892	kos4.exe	97
PID 4892 wrote to memory of 2712	4892	kos4.exe	97
PID 2712 wrote to memory of 2004	2712	LzmwAqmV.exe	98
PID 2712 wrote to memory of 2004	2712	LzmwAqmV.exe	98
PID 2712 wrote to memory of 2004	2712	LzmwAqmV.exe	98
PID 2004 wrote to memory of 2168	2004	LzmwAqmV.tmp	99
PID 2004 wrote to memory of 2168	2004	LzmwAqmV.tmp	99
PID 2004 wrote to memory of 2168	2004	LzmwAqmV.tmp	99
PID 2004 wrote to memory of 4304	2004	LzmwAqmV.tmp	101
PID 2004 wrote to memory of 4304	2004	LzmwAqmV.tmp	101
PID 2004 wrote to memory of 4304	2004	LzmwAqmV.tmp	101
PID 3192 wrote to memory of 2708	3192	e0cbefcb1af40c7d4aff4aca26621a98.exe	102
PID 3192 wrote to memory of 2708	3192	e0cbefcb1af40c7d4aff4aca26621a98.exe	102
PID 3192 wrote to memory of 2708	3192	e0cbefcb1af40c7d4aff4aca26621a98.exe	102
PID 2004 wrote to memory of 4200	2004	LzmwAqmV.tmp	104
PID 2004 wrote to memory of 4200	2004	LzmwAqmV.tmp	104
PID 2004 wrote to memory of 4200	2004	LzmwAqmV.tmp	104
PID 4052 wrote to memory of 4668	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	113
PID 4052 wrote to memory of 4668	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	113
PID 4052 wrote to memory of 4668	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	113
PID 4052 wrote to memory of 4340	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	116
PID 4052 wrote to memory of 4340	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	116
PID 4340 wrote to memory of 4992	4340	cmd.exe	139
PID 4340 wrote to memory of 4992	4340	cmd.exe	139
PID 4052 wrote to memory of 2904	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	119
PID 4052 wrote to memory of 2904	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	119
PID 4052 wrote to memory of 2904	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	119
PID 2552 wrote to memory of 4240	2552	cmd.exe	125
PID 2552 wrote to memory of 4240	2552	cmd.exe	125
PID 2552 wrote to memory of 1180	2552	cmd.exe	126
PID 2552 wrote to memory of 1180	2552	cmd.exe	126
PID 2552 wrote to memory of 5008	2552	cmd.exe	127
PID 2552 wrote to memory of 5008	2552	cmd.exe	127
PID 2552 wrote to memory of 1188	2552	cmd.exe	128
PID 2552 wrote to memory of 1188	2552	cmd.exe	128
PID 2552 wrote to memory of 1244	2552	cmd.exe	129
PID 2552 wrote to memory of 1244	2552	cmd.exe	129
PID 4512 wrote to memory of 3304	4512	cmd.exe	134
PID 4512 wrote to memory of 3304	4512	cmd.exe	134
PID 4512 wrote to memory of 4820	4512	cmd.exe	135
PID 4512 wrote to memory of 4820	4512	cmd.exe	135
PID 4512 wrote to memory of 1612	4512	cmd.exe	136
PID 4512 wrote to memory of 1612	4512	cmd.exe	136
PID 4512 wrote to memory of 656	4512	cmd.exe	137
PID 4512 wrote to memory of 656	4512	cmd.exe	137
PID 4052 wrote to memory of 2108	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	138
PID 4052 wrote to memory of 2108	4052	e0cbefcb1af40c7d4aff4aca26621a98.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
      "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4992
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:3036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4796
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2012
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2328
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1940
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1452
- - C:\Users\Admin\AppData\Local\Temp\kos4.exe
    "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\is-5HPUT.tmp\LzmwAqmV.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5HPUT.tmp\LzmwAqmV.tmp" /SL5="$801DC,3013629,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Delete /F /TN "HAC1030-3"
        6⤵
        
        PID:2168
      - C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe
        
        "C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:4304
      - C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe
        
        "C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:4200
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4240
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1180
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5008
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1188
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1244
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4468

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Users\Admin\AppData\Roaming\sbjtrtu
C:\Users\Admin\AppData\Roaming\sbjtrtu
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

Filesize
2.1MB

MD5
534ba2d9315294cca72648e856f19f41

SHA1
9d63a0e64766dece13cc62228b518f230004bb51

SHA256
c769ce31b23112f9440d445928babe79d41fa2e33854c1e28b6dba7046034412

SHA512
3028ed4cebf2ad57f8058e84688665a6abfd8fd4ab32f05af4d1d3e85a7b9a14c14dc9a1d92c5f808aa3ad09c141b3acbab3fc18e4d5e9a7c232d8257e5aa40f

Download Submit
C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

Filesize
2.1MB

MD5
534ba2d9315294cca72648e856f19f41

SHA1
9d63a0e64766dece13cc62228b518f230004bb51

SHA256
c769ce31b23112f9440d445928babe79d41fa2e33854c1e28b6dba7046034412

SHA512
3028ed4cebf2ad57f8058e84688665a6abfd8fd4ab32f05af4d1d3e85a7b9a14c14dc9a1d92c5f808aa3ad09c141b3acbab3fc18e4d5e9a7c232d8257e5aa40f

Download Submit
C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

Filesize
2.1MB

MD5
534ba2d9315294cca72648e856f19f41

SHA1
9d63a0e64766dece13cc62228b518f230004bb51

SHA256
c769ce31b23112f9440d445928babe79d41fa2e33854c1e28b6dba7046034412

SHA512
3028ed4cebf2ad57f8058e84688665a6abfd8fd4ab32f05af4d1d3e85a7b9a14c14dc9a1d92c5f808aa3ad09c141b3acbab3fc18e4d5e9a7c232d8257e5aa40f

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
3.1MB

MD5
5a4818e452644b2c42639616d1529bee

SHA1
badb3db10314c17c1712960793c785c7e619daea

SHA256
958a55a2cdc188bbfbf1ab6d5361c27510b066b2b76dda281c311c80c184da95

SHA512
92fb00650d4ee04ec7240610aef1de2c8dcde302fc7512d59b42cc41b8869407c350f9b4da31633d3ffe8bd67a685656fd735e3022e4d859a3fd57909d4cbdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
3.1MB

MD5
5a4818e452644b2c42639616d1529bee

SHA1
badb3db10314c17c1712960793c785c7e619daea

SHA256
958a55a2cdc188bbfbf1ab6d5361c27510b066b2b76dda281c311c80c184da95

SHA512
92fb00650d4ee04ec7240610aef1de2c8dcde302fc7512d59b42cc41b8869407c350f9b4da31633d3ffe8bd67a685656fd735e3022e4d859a3fd57909d4cbdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
3.1MB

MD5
5a4818e452644b2c42639616d1529bee

SHA1
badb3db10314c17c1712960793c785c7e619daea

SHA256
958a55a2cdc188bbfbf1ab6d5361c27510b066b2b76dda281c311c80c184da95

SHA512
92fb00650d4ee04ec7240610aef1de2c8dcde302fc7512d59b42cc41b8869407c350f9b4da31633d3ffe8bd67a685656fd735e3022e4d859a3fd57909d4cbdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_juhpm0w5.atk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
4e9861e0922867df031577e4552370fa

SHA1
fb96c4c432bbc2fd3bec91c1c138d699e56babeb

SHA256
9f22152ba421171dddcc2260bcc70ebc5627ea6892c9d24871919c44c83e31c4

SHA512
9dfc2ecf01e5e24ad4dc9af26fbcc8414b598da02bd348cc58751ae0b2fd1780ddf13da8e39df00603b34943f2331b191d84df2c063eff08e92ff469759c29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
4e9861e0922867df031577e4552370fa

SHA1
fb96c4c432bbc2fd3bec91c1c138d699e56babeb

SHA256
9f22152ba421171dddcc2260bcc70ebc5627ea6892c9d24871919c44c83e31c4

SHA512
9dfc2ecf01e5e24ad4dc9af26fbcc8414b598da02bd348cc58751ae0b2fd1780ddf13da8e39df00603b34943f2331b191d84df2c063eff08e92ff469759c29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
4e9861e0922867df031577e4552370fa

SHA1
fb96c4c432bbc2fd3bec91c1c138d699e56babeb

SHA256
9f22152ba421171dddcc2260bcc70ebc5627ea6892c9d24871919c44c83e31c4

SHA512
9dfc2ecf01e5e24ad4dc9af26fbcc8414b598da02bd348cc58751ae0b2fd1780ddf13da8e39df00603b34943f2331b191d84df2c063eff08e92ff469759c29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
4e9861e0922867df031577e4552370fa

SHA1
fb96c4c432bbc2fd3bec91c1c138d699e56babeb

SHA256
9f22152ba421171dddcc2260bcc70ebc5627ea6892c9d24871919c44c83e31c4

SHA512
9dfc2ecf01e5e24ad4dc9af26fbcc8414b598da02bd348cc58751ae0b2fd1780ddf13da8e39df00603b34943f2331b191d84df2c063eff08e92ff469759c29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5HPUT.tmp\LzmwAqmV.tmp

Filesize
694KB

MD5
d89e4fd868dc68413a47f5d409f98f40

SHA1
959d3cea37d66e160292efae00e78cda8757fb17

SHA256
2273b4e3baee64715c0d84fd0cd0ba0d048ddcfd8f184365b9c8bb6181931672

SHA512
6b276dde30e664436bead2fea57c99ac376f42f0b7923979cd43d96b25cbb1dd20bcd6691bef623126b036e9d3bbd486274666a18198ad3a06d88c5121f0d775

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5HPUT.tmp\LzmwAqmV.tmp

Filesize
694KB

MD5
d89e4fd868dc68413a47f5d409f98f40

SHA1
959d3cea37d66e160292efae00e78cda8757fb17

SHA256
2273b4e3baee64715c0d84fd0cd0ba0d048ddcfd8f184365b9c8bb6181931672

SHA512
6b276dde30e664436bead2fea57c99ac376f42f0b7923979cd43d96b25cbb1dd20bcd6691bef623126b036e9d3bbd486274666a18198ad3a06d88c5121f0d775

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PMCS0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PMCS0.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PMCS0.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
177KB

MD5
6e68805f0661dbeb776db896761d469f

SHA1
95e550b2f54e9167ae02f67e963703c593833845

SHA256
095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47

SHA512
5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
177KB

MD5
6e68805f0661dbeb776db896761d469f

SHA1
95e550b2f54e9167ae02f67e963703c593833845

SHA256
095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47

SHA512
5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
177KB

MD5
6e68805f0661dbeb776db896761d469f

SHA1
95e550b2f54e9167ae02f67e963703c593833845

SHA256
095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47

SHA512
5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
177KB

MD5
6e68805f0661dbeb776db896761d469f

SHA1
95e550b2f54e9167ae02f67e963703c593833845

SHA256
095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47

SHA512
5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

Download Submit
C:\Users\Admin\AppData\Roaming\sbjtrtu

Filesize
177KB

MD5
6e68805f0661dbeb776db896761d469f

SHA1
95e550b2f54e9167ae02f67e963703c593833845

SHA256
095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47

SHA512
5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

Download Submit
C:\Users\Admin\AppData\Roaming\sbjtrtu

Filesize
177KB

MD5
6e68805f0661dbeb776db896761d469f

SHA1
95e550b2f54e9167ae02f67e963703c593833845

SHA256
095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47

SHA512
5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
75ce82cbd0e88aee4afb2a666e95f251

SHA1
f0578694733460c99c891c5205b90878b345a721

SHA256
4c77f03be9b3de3b4a8216d0878a67c5b439767d9824ff2b626eb7812cc8d9a7

SHA512
36f912b4f8e2c66074cd094f2381701ca585ae8046e1a6f1d989a077e2b581e35a8b5f8fa77a8ce8c031fd730e91891723ce594b43c15ec98b518160000468bb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6bc47518a6a22eeb85c9c335d82bb304

SHA1
627ceec34a7a2541fb6ae4c56a092ab658c988eb

SHA256
61b02898fae323fc6a35c52ee8ba7b9ed3847e10488b2dbefcbb1627abca3ab8

SHA512
9a57c5822f2a65e56fd14c85b8e1ce6ddb64c7ffe55dae86118be423e9a34f6be4fe9c18f95edca8538d952943c8fd75fac60d427dde45e8a1af74e1513f66dc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3e583cb10557b738f337d5951ad4eb36

SHA1
c557c352716ee782f49603a38b9a598e92db5780

SHA256
2785c72d3f2a9ea89fb894320d33c40507e08b48ce4963f71f7b3f274db4bd25

SHA512
16e8674bac978e881487eb330b6613209c9a03d530010b052abbc66baad71305da20af2dca8febd736dfa4f18b200ef0d710715e8481b2e1c6be079e4c97ddff

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1d0ca59632108fb4dd027daa0ad39555

SHA1
ad9382637c8759f07b220158f5262e7dec3c1952

SHA256
d6fa87bc7f134ebdce9268e33c3dac339e650925547cc5f2d2249a83d1ff9426

SHA512
761d804702c344ca00e1a4e823657e713498f470f86080b6624d1b8494c74e6f4cfa9f00fcb16b7e7542389df1df574a6c8d02aab5f898e878982c12ea553ae3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bfca99666f5540342faff303e2300862

SHA1
06a85b124a6477c927bec7f549d48dee9873ccdc

SHA256
2c6e7842dc47994a1946ba9d9305c8213298aacd60837ade2680b4ac7581079b

SHA512
1e30e66e3377e80fd912f949e70dc93801fcb86903b8ed87506af3b0efae19da3114907d5a4657994d57b8b0b0825ff7a1bac28774112ddece76670a203460f9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
4e9861e0922867df031577e4552370fa

SHA1
fb96c4c432bbc2fd3bec91c1c138d699e56babeb

SHA256
9f22152ba421171dddcc2260bcc70ebc5627ea6892c9d24871919c44c83e31c4

SHA512
9dfc2ecf01e5e24ad4dc9af26fbcc8414b598da02bd348cc58751ae0b2fd1780ddf13da8e39df00603b34943f2331b191d84df2c063eff08e92ff469759c29d0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
4e9861e0922867df031577e4552370fa

SHA1
fb96c4c432bbc2fd3bec91c1c138d699e56babeb

SHA256
9f22152ba421171dddcc2260bcc70ebc5627ea6892c9d24871919c44c83e31c4

SHA512
9dfc2ecf01e5e24ad4dc9af26fbcc8414b598da02bd348cc58751ae0b2fd1780ddf13da8e39df00603b34943f2331b191d84df2c063eff08e92ff469759c29d0

Download Submit
memory/1268-43-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/1268-42-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1568-40-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/1568-1-0x0000000000460000-0x0000000000E44000-memory.dmp

Filesize
9.9MB

Download
memory/1568-0-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/2004-89-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2004-189-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2004-168-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2112-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2708-159-0x00000000055E0000-0x0000000005934000-memory.dmp

Filesize
3.3MB

Download
memory/2708-195-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/2708-135-0x0000000072FC0000-0x0000000073770000-memory.dmp

Filesize
7.7MB

Download
memory/2708-145-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/2708-198-0x0000000072FC0000-0x0000000073770000-memory.dmp

Filesize
7.7MB

Download
memory/2708-147-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/2708-148-0x0000000004CE0000-0x0000000004D46000-memory.dmp

Filesize
408KB

Download
memory/2708-149-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/2708-140-0x0000000004630000-0x0000000004666000-memory.dmp

Filesize
216KB

Download
memory/2708-142-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/2708-160-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/2708-161-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/2708-162-0x00000000061C0000-0x0000000006204000-memory.dmp

Filesize
272KB

Download
memory/2708-143-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/2708-164-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/2708-165-0x0000000006F50000-0x0000000006FC6000-memory.dmp

Filesize
472KB

Download
memory/2708-166-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/2708-167-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

Filesize
104KB

Download
memory/2708-194-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/2708-169-0x000000007EE80000-0x000000007EE90000-memory.dmp

Filesize
64KB

Download
memory/2708-170-0x0000000007190000-0x00000000071C2000-memory.dmp

Filesize
200KB

Download
memory/2708-171-0x000000006F940000-0x000000006F98C000-memory.dmp

Filesize
304KB

Download
memory/2708-172-0x00000000715F0000-0x0000000071944000-memory.dmp

Filesize
3.3MB

Download
memory/2708-182-0x0000000007170000-0x000000000718E000-memory.dmp

Filesize
120KB

Download
memory/2708-183-0x00000000071D0000-0x0000000007273000-memory.dmp

Filesize
652KB

Download
memory/2708-184-0x00000000072C0000-0x00000000072CA000-memory.dmp

Filesize
40KB

Download
memory/2708-185-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/2708-186-0x00000000072E0000-0x00000000072F1000-memory.dmp

Filesize
68KB

Download
memory/2708-188-0x0000000072FC0000-0x0000000073770000-memory.dmp

Filesize
7.7MB

Download
memory/2708-193-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2708-192-0x0000000007330000-0x0000000007344000-memory.dmp

Filesize
80KB

Download
memory/2708-191-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/2712-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2712-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3036-421-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3112-131-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/3192-144-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3192-49-0x00000000028D0000-0x0000000002CD6000-memory.dmp

Filesize
4.0MB

Download
memory/3192-201-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3192-51-0x0000000002DE0000-0x00000000036CB000-memory.dmp

Filesize
8.9MB

Download
memory/3192-52-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3192-138-0x00000000028D0000-0x0000000002CD6000-memory.dmp

Filesize
4.0MB

Download
memory/3204-369-0x00007FF664630000-0x00007FF664BD1000-memory.dmp

Filesize
5.6MB

Download
memory/4052-204-0x0000000002A20000-0x0000000002E1C000-memory.dmp

Filesize
4.0MB

Download
memory/4052-205-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4052-350-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4052-242-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4200-349-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4200-239-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4200-190-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4200-141-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4200-199-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4200-420-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4304-129-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4304-127-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4304-125-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/4668-218-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/4668-208-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/4668-207-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/4668-219-0x0000000006BA0000-0x0000000006BEC000-memory.dmp

Filesize
304KB

Download
memory/4668-206-0x0000000072F50000-0x0000000073700000-memory.dmp

Filesize
7.7MB

Download
memory/4864-146-0x00007FF7CB1C0000-0x00007FF7CB761000-memory.dmp

Filesize
5.6MB

Download
memory/4864-326-0x00007FF7CB1C0000-0x00007FF7CB761000-memory.dmp

Filesize
5.6MB

Download
memory/4892-50-0x00007FFFABB80000-0x00007FFFAC641000-memory.dmp

Filesize
10.8MB

Download
memory/4892-54-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/4892-36-0x00007FFFABB80000-0x00007FFFAC641000-memory.dmp

Filesize
10.8MB

Download
memory/4892-38-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/4892-69-0x00007FFFABB80000-0x00007FFFAC641000-memory.dmp

Filesize
10.8MB

Download
memory/4892-29-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download