c6eb2706e143ab85be01195116147af57c3a3a025cac39329b70b6e999cb4e69

Analysis

max time kernel
72s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 00:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
Size

327KB
MD5

e8c95e4e550d5fd4fd49b0dfcfa6019c
SHA1

42511c1612c1a478796dd5f2f13b3fb606570a6e
SHA256

c6eb2706e143ab85be01195116147af57c3a3a025cac39329b70b6e999cb4e69
SHA512

a5e075a1b68d180f703f7179f3764a598a283b9f3fa7faa0bbc579fcdd19f24500ec659ed4d74ffa12f4f24462df38e718dbb43d554de52e81c531511dee8e87
SSDEEP

6144:IP/LqQPkY1TXUDW/jb+oMTKuiQnrL9AlVs+Qz4UJa5eteCPU2Fl:IP/LVdTXUDWn78K0nrZAMV0gCeDPUG

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
688	attrib.exe

Deletes itself 1 IoCs

pid	Process
1008	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2552	zzz.exe
2660	rei.exe
2532	navprotect.exe
2016	pskill.exe
2172	pskill.exe
1372	killzx.exe
808	pskill.exe
3040	pskill.exe
2288	pskill.exe
2968	pskill.exe
2596	pskill.exe
1156	pskill.exe
2236	pskill.exe
832	pskill.exe
984	pskill.exe
1788	pskill.exe
3060	pskill.exe
1604	pskill.exe
1540	pskill.exe
2128	pskill.exe
952	pskill.exe
1056	pskill.exe
1664	pskill.exe
900	pskill.exe
2332	pskill.exe
1740	pskill.exe
2360	pskill.exe
2076	pskill.exe
2844	pskill.exe
1200	pskill.exe
2052	pskill.exe
1516	pskill.exe
2216	pskill.exe
1984	pskill.exe
1036	pskill.exe
2068	pskill.exe
2568	pskill.exe
2632	pskill.exe
2676	pskill.exe
2620	pskill.exe
1612	pskill.exe
1232	pskill.exe
2684	pskill.exe
2716	pskill.exe
2364	pskill.exe
2428	pskill.exe
2208	pskill.exe
2624	pskill.exe
2728	pskill.exe
2888	pskill.exe
2760	pskill.exe
2732	pskill.exe
2772	pskill.exe
2604	navprotect.exe
2252	pskill.exe
1824	pskill.exe
2516	pskill.exe
488	pskill.exe
1708	pskill.exe
2016	pskill.exe
2172	pskill.exe
368	pskill.exe
788	pskill.exe
1956	pskill.exe

Loads dropped DLL 10 IoCs

pid	Process
2552	zzz.exe
2552	zzz.exe
2532	navprotect.exe
2532	navprotect.exe
2604	navprotect.exe
2604	navprotect.exe
2708	navprotect.exe
2708	navprotect.exe
1740	navprotect.exe
1740	navprotect.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File opened for modification	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File created	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File created	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File created	C:\Windows\SysWOW64\navprotect.exe	zzz.exe
File opened for modification	C:\Windows\SysWOW64\navprotect.exe	zzz.exe
File opened for modification	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File opened for modification	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File created	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File opened for modification	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File opened for modification	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe
File created	C:\Windows\SysWOW64\navprotect.exe	navprotect.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\259407198.tmp	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\pskill.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\rem.bat	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\rm.reg	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\a.reg	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\reg43.htm	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\reg65.htm	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\rm.reg	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\rei.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\259407214.tmp	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\a.reg	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\pskill.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\reg65.htm	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\rei.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\psk.ex_	cmd.exe
File opened for modification	C:\Windows\rem.reg	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\reu.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\psk.ex_	cmd.exe
File created	C:\Windows\rem.reg	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\tbcr.bat	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\zzz.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\killzx.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\rem.bat	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\reu.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\tbcr.bat	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\killzx.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File opened for modification	C:\Windows\reg43.htm	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\zzz.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
File created	C:\Windows\Auto Update Uninstaller.exe	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 8 IoCs

pid	Process
1428	regedit.exe
1332	regedit.exe
2416	regedit.exe
1948	regedit.exe
1048	regedit.exe
2624	regedit.exe
2672	regedit.exe
2728	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	pskill.exe
2172	pskill.exe
808	pskill.exe
808	pskill.exe
3040	pskill.exe
3040	pskill.exe
3040	pskill.exe
2288	pskill.exe
2596	pskill.exe
2596	pskill.exe
2596	pskill.exe
2288	pskill.exe
2288	pskill.exe
832	pskill.exe
984	pskill.exe
832	pskill.exe
1156	pskill.exe
984	pskill.exe
3060	pskill.exe
1156	pskill.exe
952	pskill.exe
1056	pskill.exe
1664	pskill.exe
900	pskill.exe
2332	pskill.exe
1740	pskill.exe
2360	pskill.exe
2076	pskill.exe
2844	pskill.exe
1200	pskill.exe
2052	pskill.exe
1516	pskill.exe
2216	pskill.exe
1036	pskill.exe
2068	pskill.exe
2568	pskill.exe
2632	pskill.exe
2676	pskill.exe
2620	pskill.exe
1612	pskill.exe
1232	pskill.exe
2684	pskill.exe
2716	pskill.exe
2364	pskill.exe
2428	pskill.exe
2208	pskill.exe
2624	pskill.exe
2728	pskill.exe
2888	pskill.exe
2760	pskill.exe
2732	pskill.exe
2772	pskill.exe
2252	pskill.exe
1824	pskill.exe
2516	pskill.exe
488	pskill.exe
1708	pskill.exe
2016	pskill.exe
2172	pskill.exe
368	pskill.exe
788	pskill.exe
1956	pskill.exe
2264	pskill.exe
1596	pskill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
Token: SeBackupPrivilege	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
Token: SeDebugPrivilege	2016	pskill.exe
Token: SeDebugPrivilege	2172	pskill.exe
Token: SeDebugPrivilege	808	pskill.exe
Token: SeDebugPrivilege	3040	pskill.exe
Token: SeDebugPrivilege	2288	pskill.exe
Token: SeDebugPrivilege	2968	pskill.exe
Token: SeDebugPrivilege	2596	pskill.exe
Token: SeDebugPrivilege	832	pskill.exe
Token: SeDebugPrivilege	1788	pskill.exe
Token: SeDebugPrivilege	2236	pskill.exe
Token: SeDebugPrivilege	984	pskill.exe
Token: SeDebugPrivilege	1156	pskill.exe
Token: SeDebugPrivilege	2128	pskill.exe
Token: SeDebugPrivilege	3060	pskill.exe
Token: SeDebugPrivilege	1540	pskill.exe
Token: SeDebugPrivilege	1604	pskill.exe
Token: SeDebugPrivilege	952	pskill.exe
Token: SeDebugPrivilege	1056	pskill.exe
Token: SeDebugPrivilege	1664	pskill.exe
Token: SeDebugPrivilege	900	pskill.exe
Token: SeDebugPrivilege	2332	pskill.exe
Token: SeDebugPrivilege	1740	pskill.exe
Token: SeDebugPrivilege	2360	pskill.exe
Token: SeDebugPrivilege	2076	pskill.exe
Token: SeDebugPrivilege	2844	pskill.exe
Token: SeDebugPrivilege	1200	pskill.exe
Token: SeDebugPrivilege	2052	pskill.exe
Token: SeDebugPrivilege	1516	pskill.exe
Token: SeDebugPrivilege	2216	pskill.exe
Token: SeDebugPrivilege	1036	pskill.exe
Token: SeDebugPrivilege	2068	pskill.exe
Token: SeDebugPrivilege	2568	pskill.exe
Token: SeDebugPrivilege	2632	pskill.exe
Token: SeDebugPrivilege	2676	pskill.exe
Token: SeDebugPrivilege	2620	pskill.exe
Token: SeDebugPrivilege	1612	pskill.exe
Token: SeDebugPrivilege	1232	pskill.exe
Token: SeDebugPrivilege	2684	pskill.exe
Token: SeDebugPrivilege	2716	pskill.exe
Token: SeDebugPrivilege	2364	pskill.exe
Token: SeDebugPrivilege	2428	pskill.exe
Token: SeDebugPrivilege	2208	pskill.exe
Token: SeDebugPrivilege	2624	pskill.exe
Token: SeDebugPrivilege	2728	pskill.exe
Token: SeDebugPrivilege	2888	pskill.exe
Token: SeDebugPrivilege	2760	pskill.exe
Token: SeDebugPrivilege	2732	pskill.exe
Token: SeDebugPrivilege	2772	pskill.exe
Token: SeDebugPrivilege	2252	pskill.exe
Token: SeDebugPrivilege	1824	pskill.exe
Token: SeDebugPrivilege	2516	pskill.exe
Token: SeDebugPrivilege	488	pskill.exe
Token: SeDebugPrivilege	1708	pskill.exe
Token: SeDebugPrivilege	2016	pskill.exe
Token: SeDebugPrivilege	2172	pskill.exe
Token: SeDebugPrivilege	368	pskill.exe
Token: SeDebugPrivilege	788	pskill.exe
Token: SeDebugPrivilege	1956	pskill.exe
Token: SeDebugPrivilege	2264	pskill.exe
Token: SeDebugPrivilege	1596	pskill.exe
Token: SeDebugPrivilege	3048	pskill.exe
Token: SeDebugPrivilege	2036	pskill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1372	killzx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2552	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2660	1948	e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2532	2552	zzz.exe	30
PID 2552 wrote to memory of 2532	2552	zzz.exe	30
PID 2552 wrote to memory of 2532	2552	zzz.exe	30
PID 2552 wrote to memory of 2532	2552	zzz.exe	30
PID 2660 wrote to memory of 1008	2660	rei.exe	32
PID 2660 wrote to memory of 1008	2660	rei.exe	32
PID 2660 wrote to memory of 1008	2660	rei.exe	32
PID 2660 wrote to memory of 1008	2660	rei.exe	32
PID 1008 wrote to memory of 688	1008	cmd.exe	34
PID 1008 wrote to memory of 688	1008	cmd.exe	34
PID 1008 wrote to memory of 688	1008	cmd.exe	34
PID 1008 wrote to memory of 688	1008	cmd.exe	34
PID 1008 wrote to memory of 320	1008	cmd.exe	35
PID 1008 wrote to memory of 320	1008	cmd.exe	35
PID 1008 wrote to memory of 320	1008	cmd.exe	35
PID 1008 wrote to memory of 320	1008	cmd.exe	35
PID 1008 wrote to memory of 1708	1008	cmd.exe	36
PID 1008 wrote to memory of 1708	1008	cmd.exe	36
PID 1008 wrote to memory of 1708	1008	cmd.exe	36
PID 1008 wrote to memory of 1708	1008	cmd.exe	36
PID 1008 wrote to memory of 2016	1008	cmd.exe	37
PID 1008 wrote to memory of 2016	1008	cmd.exe	37
PID 1008 wrote to memory of 2016	1008	cmd.exe	37
PID 1008 wrote to memory of 2016	1008	cmd.exe	37
PID 1008 wrote to memory of 2172	1008	cmd.exe	38
PID 1008 wrote to memory of 2172	1008	cmd.exe	38
PID 1008 wrote to memory of 2172	1008	cmd.exe	38
PID 1008 wrote to memory of 2172	1008	cmd.exe	38
PID 1008 wrote to memory of 1372	1008	cmd.exe	39
PID 1008 wrote to memory of 1372	1008	cmd.exe	39
PID 1008 wrote to memory of 1372	1008	cmd.exe	39
PID 1008 wrote to memory of 1372	1008	cmd.exe	39
PID 1372 wrote to memory of 1752	1372	killzx.exe	40
PID 1372 wrote to memory of 1752	1372	killzx.exe	40
PID 1372 wrote to memory of 1752	1372	killzx.exe	40
PID 1372 wrote to memory of 1752	1372	killzx.exe	40
PID 1372 wrote to memory of 528	1372	killzx.exe	41
PID 1372 wrote to memory of 528	1372	killzx.exe	41
PID 1372 wrote to memory of 528	1372	killzx.exe	41
PID 1372 wrote to memory of 528	1372	killzx.exe	41
PID 1008 wrote to memory of 808	1008	cmd.exe	44
PID 1008 wrote to memory of 808	1008	cmd.exe	44
PID 1008 wrote to memory of 808	1008	cmd.exe	44
PID 1008 wrote to memory of 808	1008	cmd.exe	44
PID 1372 wrote to memory of 432	1372	killzx.exe	43
PID 1372 wrote to memory of 432	1372	killzx.exe	43
PID 1372 wrote to memory of 432	1372	killzx.exe	43
PID 1372 wrote to memory of 432	1372	killzx.exe	43
PID 1372 wrote to memory of 992	1372	killzx.exe	45
PID 1372 wrote to memory of 992	1372	killzx.exe	45

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
688	attrib.exe
1708	attrib.exe
2844	attrib.exe
1520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8c95e4e550d5fd4fd49b0dfcfa6019c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\zzz.exe
  "C:\Windows\zzz.exe" zzz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\navprotect.exe
    C:\Windows\system32\navprotect.exe 476 "C:\Windows\zzz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2532
  - - C:\Windows\SysWOW64\navprotect.exe
      C:\Windows\system32\navprotect.exe 532 "C:\Windows\SysWOW64\navprotect.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2604
    - - C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 528 "C:\Windows\SysWOW64\navprotect.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2708
      - C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 536 "C:\Windows\SysWOW64\navprotect.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 544 "C:\Windows\SysWOW64\navprotect.exe"
        7⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 540 "C:\Windows\SysWOW64\navprotect.exe"
        8⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 548 "C:\Windows\SysWOW64\navprotect.exe"
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 552 "C:\Windows\SysWOW64\navprotect.exe"
        10⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 556 "C:\Windows\SysWOW64\navprotect.exe"
        11⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\navprotect.exe
        
        C:\Windows\system32\navprotect.exe 560 "C:\Windows\SysWOW64\navprotect.exe"
        12⤵
        
        PID:2732
- C:\Windows\rei.exe
  "C:\Windows\rei.exe" rei.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c tbcr.bat
    3⤵
    - Deletes itself
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +A +S +H unin*.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c dir /B /L C:\windows\*.exe
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -A -S -H unin*.exe
      4⤵
      Views/modifies file attributes
      PID:1708
  - - C:\Windows\pskill.exe
      pskill iexplore.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
  - - C:\Windows\pskill.exe
      pskill iexplore.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2172
  - - C:\Windows\killzx.exe
      killzx.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill bfsvc.exe
        5⤵
        
        PID:1752
      - C:\Windows\pskill.exe
        
        pskill bfsvc.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill fveupdate.exe
        5⤵
        
        PID:528
      - C:\Windows\pskill.exe
        
        pskill fveupdate.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill helppane.exe
        5⤵
        
        PID:432
      - C:\Windows\pskill.exe
        
        pskill helppane.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill killzx.exe
        5⤵
        
        PID:992
      - C:\Windows\pskill.exe
        
        pskill killzx.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill pskill.exe
        5⤵
        
        PID:1052
      - C:\Windows\pskill.exe
        
        pskill pskill.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill rei.exe
        5⤵
        
        PID:1360
      - C:\Windows\pskill.exe
        
        pskill rei.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill reu.exe
        5⤵
        
        PID:1688
      - C:\Windows\pskill.exe
        
        pskill reu.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill splwow64.exe
        5⤵
        
        PID:1692
      - C:\Windows\pskill.exe
        
        pskill splwow64.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill twunk_16.exe
        5⤵
        
        PID:2708
      - C:\Windows\pskill.exe
        
        pskill twunk_16.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill twunk_32.exe
        5⤵
        
        PID:1500
      - C:\Windows\pskill.exe
        
        pskill twunk_32.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill write.exe
        5⤵
        
        PID:2328
      - C:\Windows\pskill.exe
        
        pskill write.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c pskill zzz.exe
        5⤵
        
        PID:1564
      - C:\Windows\pskill.exe
        
        pskill zzz.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
  - - C:\Windows\pskill.exe
      pskill hyctjrb.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:808
  - - C:\Windows\pskill.exe
      pskill hyctjrb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2236
  - - C:\Windows\pskill.exe
      pskill mshta.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:952
  - - C:\Windows\pskill.exe
      pskill mshta.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Windows\pskill.exe
      pskill powerscan.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\pskill.exe
      pskill powerscan.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\pskill.exe
      pskill webrebates0.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
  - - C:\Windows\pskill.exe
      pskill webrebates1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1740
  - - C:\Windows\pskill.exe
      pskill webrebates0.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\pskill.exe
      pskill webrebates1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2076
  - - C:\Windows\pskill.exe
      pskill sidefind.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Windows\pskill.exe
      pskill sidefind.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1200
  - - C:\Windows\pskill.exe
      pskill istsvc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\pskill.exe
      pskill istsvc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\pskill.exe
      pskill ts2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\pskill.exe
      pskill ts2.exe
      4⤵
      Executes dropped EXE
      PID:1984
  - - C:\Windows\pskill.exe
      pskill tsm2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1036
  - - C:\Windows\pskill.exe
      pskill tsm2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\pskill.exe
      pskill tsl.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2568
  - - C:\Windows\pskill.exe
      pskill tsl.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\pskill.exe
      pskill tsl2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2676
  - - C:\Windows\pskill.exe
      pskill tsl2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620
  - - C:\Windows\pskill.exe
      pskill tsp2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\pskill.exe
      pskill tsp2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Windows\pskill.exe
      pskill sais.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\pskill.exe
      pskill sais.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\pskill.exe
      pskill actalert.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\pskill.exe
      pskill actalert.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\pskill.exe
      pskill optimize.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208
  - - C:\Windows\pskill.exe
      pskill optimize.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\pskill.exe
      pskill webrebates0.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\pskill.exe
      pskill webrebates1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\pskill.exe
      pskill webrebates0.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\pskill.exe
      pskill webrebates1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\pskill.exe
      pskill actalert.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\pskill.exe
      pskill actalert.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\pskill.exe
      pskill optimize.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1824
  - - C:\Windows\pskill.exe
      pskill optimize.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2516
  - - C:\Windows\pskill.exe
      pskill sais.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:488
  - - C:\Windows\pskill.exe
      pskill sais.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\pskill.exe
      pskill ts2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
  - - C:\Windows\pskill.exe
      pskill ts2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2172
  - - C:\Windows\pskill.exe
      pskill tsm2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:368
  - - C:\Windows\pskill.exe
      pskill tsm2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:788
  - - C:\Windows\pskill.exe
      pskill tsl.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\pskill.exe
      pskill tsl.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Windows\pskill.exe
      pskill tsl2.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\pskill.exe
      pskill tsl2.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3048
  - - C:\Windows\pskill.exe
      pskill tsp2.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\pskill.exe
      pskill tsp2.exe
      4⤵
      PID:3000
  - - C:\Windows\pskill.exe
      pskill istsvc.exe
      4⤵
      PID:808
  - - C:\Windows\pskill.exe
      pskill istsvc.exe
      4⤵
      PID:2340
  - - C:\Windows\pskill.exe
      pskill sidefind.exe
      4⤵
      PID:800
  - - C:\Windows\pskill.exe
      pskill sidefind.exe
      4⤵
      PID:2660
  - - C:\Windows\pskill.exe
      pskill hyctjrb.exe
      4⤵
      PID:1776
  - - C:\Windows\pskill.exe
      pskill hyctjrb.exe
      4⤵
      PID:856
  - - C:\Windows\pskill.exe
      pskill mshta.exe
      4⤵
      PID:2824
  - - C:\Windows\pskill.exe
      pskill mshta.exe
      4⤵
      PID:828
  - - C:\Windows\pskill.exe
      pskill powerscan.exe
      4⤵
      PID:3044
  - - C:\Windows\pskill.exe
      pskill powerscan.exe
      4⤵
      PID:1096
  - - C:\Windows\pskill.exe
      pskill WinAdSlave.exe
      4⤵
      PID:1672
  - - C:\Windows\pskill.exe
      pskill winctlad.exe
      4⤵
      PID:3064
  - - C:\Windows\pskill.exe
      pskill winctladalt.exe
      4⤵
      PID:1856
  - - C:\Windows\pskill.exe
      pskill winctlad.exe
      4⤵
      PID:1412
  - - C:\Windows\pskill.exe
      pskill winctladalt.exe
      4⤵
      PID:956
  - - C:\Windows\pskill.exe
      pskill WinAdSlave.exe
      4⤵
      PID:1632
  - - C:\Windows\pskill.exe
      pskill winctlad.exe
      4⤵
      PID:2092
  - - C:\Windows\pskill.exe
      pskill winctladalt.exe
      4⤵
      PID:2380
  - - C:\Windows\pskill.exe
      pskill wsets.exe
      4⤵
      PID:2724
  - - C:\Windows\pskill.exe
      pskill.exe actalert.exe
      4⤵
      PID:1584
  - - C:\Windows\pskill.exe
      pskill.exe bargains.exe
      4⤵
      PID:880
  - - C:\Windows\pskill.exe
      pskill.exe msbb.exe
      4⤵
      PID:2236
  - - C:\Windows\pskill.exe
      pskill.exe webrebates0.exe
      4⤵
      PID:2836
  - - C:\Windows\pskill.exe
      pskill.exe webrebates1.exe
      4⤵
      PID:2832
  - - C:\Windows\pskill.exe
      pskill.exe optimize.exe
      4⤵
      PID:528
  - - C:\Windows\pskill.exe
      pskill.exe alchem.exe
      4⤵
      PID:2312
  - - C:\Windows\pskill.exe
      pskill.exe SyncroAd.exe
      4⤵
      PID:2968
  - - C:\Windows\pskill.exe
      pskill.exe WinSync.exe
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -r -s -a "C:\Program Files\Windows SyncroAd\SyncroAd.exe"
      4⤵
      Views/modifies file attributes
      PID:2844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Program Files\Windows SyncroAd\WinSync.exe"
      4⤵
      Views/modifies file attributes
      PID:1520
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE /S a.reg
      4⤵
      Runs .reg file with regedit
      PID:2416
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S a.reg
      4⤵
      Runs .reg file with regedit
      PID:1948
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE -S a.reg
      4⤵
      Runs .reg file with regedit
      PID:1048
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT -S a.reg
      4⤵
      Runs .reg file with regedit
      PID:2624
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE /S rm.reg
      4⤵
      Runs .reg file with regedit
      PID:2672
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S rm.reg
      4⤵
      Runs .reg file with regedit
      PID:2728
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE -S rm.reg
      4⤵
      Runs .reg file with regedit
      PID:1428
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT -S rm.reg
      4⤵
      Runs .reg file with regedit
      PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\killzx.exe

Filesize
20KB

MD5
c58588c1d01a4997b9e6f3b508c4aed2

SHA1
45b9d989a8b1f1941cf7f32b6fad330e0a71b17b

SHA256
9d7125dbb307f386befaf583d53fd49aa88659e2e00dcf522423a3ff92f9122c

SHA512
210ea772ca52c814c74e927825bd5b478afb5f48490e862723f50f748c201878fd24792e9ebe8c694c4585e3c0887c5722c3a396624e5d85646c409a428e1f2a

Download Submit
C:\Windows\pskill.exe

Filesize
21KB

MD5
4369a2520f377941d65a4d15282e0a91

SHA1
4ea3c8f8bea3e2b4941cc9a90e1811ed4ceeb5c5

SHA256
363b945cec621ddee13f3cea0a254e2605f21545f98053a9f64b4809bb0576df

SHA512
1fdf0f0a80b163b85aaafd347f8e310e459f3a64c8a7d504a151dfd3fff2e96ec77bc18f9e49658490fa4a6596eccaf6408bcb992bd504369d2ba86a1f8e8c95

Download Submit
C:\Windows\rei.exe

Filesize
25KB

MD5
8b91058e2519fe36166e4b4b382f906d

SHA1
324003ccda8d3612f571779bf6dd030ca1cea5c7

SHA256
13c6de1ee711d7446d5af097fa7397138b79bba85a347dd29dd59434e0d2d1e6

SHA512
2f1aa5515c93fd5ec44b71aad717f92a04f4d8ad8cd109807c6d07de216beabd1e38201b1f479e008a338d2cf85859084d463c7db76834ab9370ba4cde54a395

Download Submit
C:\Windows\tbcr.bat

Filesize
7KB

MD5
9bcc0c148b9304d2aaf29f6f0efb65f8

SHA1
2314f29aecd0a353fb63c2c86d7d20d23b63e741

SHA256
d24db15965ab24cf24f3d1a3d9528389c1b58f9be73fad341c88af30e6590120

SHA512
6f17f116c0c5a83e9babb2cb1202c4e20966f36e1fe4ea6cf0a6643b5784d3ecfb5363c8363672d3ae703c7afc0c3068144f9433971af990701e6492772169ad

Download Submit
C:\Windows\zzz.exe

Filesize
70KB

MD5
99c2b66eb98367baddb34b958e4f68ca

SHA1
f3b0ecea2eba40e69960b7df514da6db078b6554

SHA256
6508104b9f79af562647244664bf7100b9d783f965b888ab80782ebcc159d716

SHA512
e30506a8adb80db66aa0585125869e420a76926987742662047803ae5e78b1a07505e204594d676947f8c1b97e2e9c8188b5997d5b833ce3be66eb2d9ecd24ce

Download Submit
C:\lol.txt

Filesize
206B

MD5
7e062ea2c1e5bee52ae6b7f2acaee9df

SHA1
91d1b51878947f6b2bbea5744838b3f9aa82e858

SHA256
5a821eb7d91556dbfb7d859ac17654ce60414daa0c0b2cc9f2acb77b80807d26

SHA512
832bdc23f9c8d733cb68ee03408776d4f29c70037a756048bd55e8765a4daf2f57e35701a2810ba30e9f6684a575b4e1bb771f1dd2035775036e6bdd85c9e317

Download Submit
C:\windows\reu.exe

Filesize
25KB

MD5
a926d898a634d2351b879c3b3c8ad969

SHA1
0ebb8c8d1812b85df49a263d85a12e5062e0c645

SHA256
53ed5ba772a4dce3eb1761a2e3286fd1619cb89d084addab412278530975b405

SHA512
d37a9412f0720528084b570d1bc7e006c2b894defcd40809a860662790f8fe4998edb447aaa4297fa36fc6142058473440a1c9d33c9ec0415f8a00240062d7ba

Download Submit
memory/368-181-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/488-177-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/788-182-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/808-78-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/832-95-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/900-111-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/952-105-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/984-97-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1036-136-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1056-107-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1156-98-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1200-123-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1232-150-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1516-127-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1540-101-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1596-185-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1604-96-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1612-148-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1664-109-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1708-178-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1740-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1788-103-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1824-175-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1956-183-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1984-131-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2016-179-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2016-66-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2036-187-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2052-125-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2068-138-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2076-119-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2128-99-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2172-68-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2172-180-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2208-160-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2216-129-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2236-100-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2252-174-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2264-184-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2288-92-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2332-113-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2360-117-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2364-156-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2428-158-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2516-176-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2568-140-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2596-93-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2620-146-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2624-162-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2632-142-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2676-144-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2684-152-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2716-154-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2728-164-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2732-170-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2760-168-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2772-173-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2844-121-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2888-166-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2968-102-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3000-188-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3040-88-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3048-186-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3060-94-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download