redline | 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-05-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Size

515KB
MD5

148b2c38cf0726535d760a703f803c80
SHA1

107503ca149f547d4745fe9b9a3fbae03d60126c
SHA256

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
SHA512

6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd
SSDEEP

12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

Score

10^/10

redline sectoprat xworm docx discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

DOCX

beshomandotestbesnd.run.place:1111

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
cmd.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/756-1611-0x00000000088E0000-0x00000000088EE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/756-50-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_redline
behavioral2/memory/2328-35-0x00000000007B0000-0x00000000007CE000-memory.dmp	family_redline
behavioral2/memory/756-1610-0x00000000086D0000-0x00000000086EE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	family_sectoprat
behavioral2/memory/2328-35-0x00000000007B0000-0x00000000007CE000-memory.dmp	family_sectoprat
behavioral2/memory/756-1610-0x00000000086D0000-0x00000000086EE000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4672	powershell.exe
344	powershell.exe
1408	powershell.exe
3288	powershell.exe
1548	powershell.exe
5088	powershell.exe
2968	powershell.exe
2668	powershell.exe
2120	powershell.exe
1548	powershell.exe
4360	powershell.exe
1352	powershell.exe
3184	powershell.exe
3696	powershell.exe
4664	powershell.exe
1540	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Executes dropped EXE 16 IoCs

Processes:

explorer.execmd.exeexplorer.execmd.execmd.exeexplorer.execmd.execmd.exeexplorer.execmd.execmd.exeexplorer.execmd.execmd.exeexplorer.execmd.exe

pid	process
2328	explorer.exe
2704	cmd.exe
2904	explorer.exe
64	cmd.exe
2812	cmd.exe
816	explorer.exe
212	cmd.exe
1612	cmd.exe
4684	explorer.exe
60	cmd.exe
1512	cmd.exe
3168	explorer.exe
1836	cmd.exe
2644	cmd.exe
4820	explorer.exe
4664	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe"	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4420 set thread context of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 2704 set thread context of 64	2704	cmd.exe	cmd.exe
PID 2812 set thread context of 212	2812	cmd.exe	cmd.exe
PID 1612 set thread context of 60	1612	cmd.exe	cmd.exe
PID 1512 set thread context of 1836	1512	cmd.exe	cmd.exe
PID 2644 set thread context of 4664	2644	cmd.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

752 schtasks.exe
2328 schtasks.exe
3756 schtasks.exe
4832 schtasks.exe
4424 schtasks.exe
2332 schtasks.exe
652 schtasks.exe

pid	process
752	schtasks.exe
2328	schtasks.exe
3756	schtasks.exe
4832	schtasks.exe
4424	schtasks.exe
2332	schtasks.exe
652	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid process

756 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid	process
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exepowershell.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.exepowershell.exepowershell.exeexplorer.execmd.exepowershell.exepowershell.exeexplorer.execmd.exepowershell.exepowershell.exeexplorer.execmd.exepowershell.exe

pid	process
4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
4672	powershell.exe
4672	powershell.exe
4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
4672	powershell.exe
3696	powershell.exe
4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
3696	powershell.exe
3696	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
344	powershell.exe
344	powershell.exe
344	powershell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
2328	explorer.exe
2328	explorer.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
2704	cmd.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
2704	cmd.exe
4360	powershell.exe
2704	cmd.exe
4360	powershell.exe
4360	powershell.exe
2904	explorer.exe
2904	explorer.exe
2812	cmd.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
2812	cmd.exe
4664	powershell.exe
2812	cmd.exe
4664	powershell.exe
4664	powershell.exe
816	explorer.exe
816	explorer.exe
1612	cmd.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1612	cmd.exe
1612	cmd.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
4684	explorer.exe
4684	explorer.exe
1512	cmd.exe
1540	powershell.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exepowershell.exepowershell.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exeexplorer.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exeexplorer.execmd.exepowershell.exepowershell.exeexplorer.execmd.execmd.exepowershell.execmd.exepowershell.exeexplorer.execmd.exepowershell.execmd.exeexplorer.exepowershell.execmd.exepowershell.execmd.exepowershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege	2328	explorer.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege	2704	cmd.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	64	cmd.exe
Token: SeDebugPrivilege	2904	explorer.exe
Token: SeDebugPrivilege	2812	cmd.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	816	explorer.exe
Token: SeDebugPrivilege	212	cmd.exe
Token: SeDebugPrivilege	1612	cmd.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	60	cmd.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	4684	explorer.exe
Token: SeDebugPrivilege	1512	cmd.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1836	cmd.exe
Token: SeDebugPrivilege	3168	explorer.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	2644	cmd.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	4664	cmd.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	4820	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid process

756 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid	process
756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.execmd.exe

description	pid	process	target process
PID 4420 wrote to memory of 4672	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 4420 wrote to memory of 4672	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 4420 wrote to memory of 4672	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 4420 wrote to memory of 2328	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	explorer.exe
PID 4420 wrote to memory of 2328	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	explorer.exe
PID 4420 wrote to memory of 2328	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	explorer.exe
PID 4420 wrote to memory of 3696	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 4420 wrote to memory of 3696	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 4420 wrote to memory of 3696	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 4420 wrote to memory of 3756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 4420 wrote to memory of 3756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 4420 wrote to memory of 3756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 4420 wrote to memory of 756	4420	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 756 wrote to memory of 5088	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 5088	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 5088	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 344	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 344	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 344	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 2668	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 2668	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 2668	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 2120	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 2120	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 2120	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 756 wrote to memory of 4832	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 756 wrote to memory of 4832	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 756 wrote to memory of 4832	756	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 2704 wrote to memory of 1548	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 1548	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 1548	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 2904	2704	cmd.exe	explorer.exe
PID 2704 wrote to memory of 2904	2704	cmd.exe	explorer.exe
PID 2704 wrote to memory of 2904	2704	cmd.exe	explorer.exe
PID 2704 wrote to memory of 4360	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 4360	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 4360	2704	cmd.exe	powershell.exe
PID 2704 wrote to memory of 4424	2704	cmd.exe	schtasks.exe
PID 2704 wrote to memory of 4424	2704	cmd.exe	schtasks.exe
PID 2704 wrote to memory of 4424	2704	cmd.exe	schtasks.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 64	2704	cmd.exe	cmd.exe
PID 2812 wrote to memory of 1352	2812	cmd.exe	powershell.exe
PID 2812 wrote to memory of 1352	2812	cmd.exe	powershell.exe
PID 2812 wrote to memory of 1352	2812	cmd.exe	powershell.exe
PID 2812 wrote to memory of 816	2812	cmd.exe	explorer.exe
PID 2812 wrote to memory of 816	2812	cmd.exe	explorer.exe
PID 2812 wrote to memory of 816	2812	cmd.exe	explorer.exe
PID 2812 wrote to memory of 4664	2812	cmd.exe	powershell.exe
PID 2812 wrote to memory of 4664	2812	cmd.exe	powershell.exe
PID 2812 wrote to memory of 4664	2812	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE5E.tmp"
2⤵
- Creates scheduled task(s)
PID:3756

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
3⤵
- Creates scheduled task(s)
PID:4832

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FBC.tmp"
2⤵
- Creates scheduled task(s)
PID:4424

C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55E6.tmp"
2⤵
- Creates scheduled task(s)
PID:2332

C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4037.tmp"
2⤵
- Creates scheduled task(s)
PID:652

C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AC6.tmp"
2⤵
- Creates scheduled task(s)
PID:752

C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1506.tmp"
2⤵
- Creates scheduled task(s)
PID:2328

C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cmd.exe
Filesize
515KB

MD5
148b2c38cf0726535d760a703f803c80

SHA1
107503ca149f547d4745fe9b9a3fbae03d60126c

SHA256
30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

SHA512
6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cmd.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log
Filesize
2KB

MD5
486280d7d2144da43abf36457d713241

SHA1
f4cbbf5561f4bdc9676646bdbf673c70b6e45886

SHA256
f6fadd2b2c007833f72013e91084e903f4e2db49aea6491d218612d319502ba0

SHA512
53a1016b82d82da538755f834da80057b95517309b22d23bcba176b80a7e5988a2057ea31cc03045a12d5b05cf6c11d46b454364c3d560819d1fc7e6a27ce76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
15bf4932a58ece6a913025357fc86065

SHA1
1ec617ce782dd9277ad287e0ccef0b16f35b38dc

SHA256
3aeb23a07a916132c8cf817d678055a8122f122814a067e4b5001ec7f5d6f484

SHA512
5ecd6ec163dad27f4e49ff8e37e1c2067686886732035a858ab2a58f5dd8b68f12c78848371e13c0393ef8b8fc84a2e162aad87d083f634eb927c7f47547e3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
5adf1d582d4f4d33e6c9f07631adc631

SHA1
fb11fb160d921d6f6e3bd8915e278b00750755fd

SHA256
c0d656e3827d9fa7ac3f665210d0e15091ee6034da953e28b6783b1d9e67fb70

SHA512
3ad0bd39a1183d9d63eba14c3724faab827a1fa5dd6ef6068a48ad40639171679b9fce94f931f4f1f787fa86615838509fb5cf09042fc94004860134a3f559cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
51f1fbe090b7dfbba2319d3a3fabdbd0

SHA1
05ed70a3d8d290e14b8e469f05a454cd6bcc70af

SHA256
671d416061ef8b4c2251e1d614356904934774910aebd984bca44bd22f800e9e

SHA512
d8bde03f929aed040d7639a8be65a9d6a629cedc0ab79e0186d33b29ce03c17ca6bef585bab0fc5d99e4ee3ad37e661773fd94ef1d54e4da6f82cc70868f6be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
aeb38d2230b47f2dfcd3a5fad4463c11

SHA1
b7d0e81f392347978056a20e2ca7c356838cc877

SHA256
2e30e8d4cb5a8699c1e16dcb01dccff5370b96f79568dd1aa7c2fc6f24790399

SHA512
d8ee769c75d4ab7d60f36b1a99bb23ae1a4ff89768119bd3e908c854dbe7810b25f997c230f8395aea5567c67dcba048309c5c0f1749a333616ecb46027528cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
a051edf4f1276ffa15a910fc9a652c0b

SHA1
68ce6fed3c295b7d22a538a83074dd956ef6666e

SHA256
c5af22e9c1134d927113808452d36f0a88c8190b34af5b788923cf67ee682b66

SHA512
5dd40d9f9f10a5bd5d8fe126d1b26f11db73360470e98145041fc3737ca3bd4c7aef0c1bdf6fb659ae1ab4458f57d847f46f9e9aa5c4adc5085be92b233d5bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
d62fdb06cc5a9757138a5a148ec46aff

SHA1
6e733d6a2548de55ff8e62812856004f37ee977b

SHA256
ecfbad83a1a6b018dc1f33438b46996016f42f64265ca0a02e8c4b933483baf7

SHA512
31bd2801b38feb1363a862b6faec98b981ecb896f3d51d2ce85f449de7b252af8593489777e64374e31e11a1fca61ebd96b505aaed612f01655ab5a8783f80cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9dc3de1a34a86dd677753ed0b0d38a49

SHA1
03716bdabdce94cd09e41fd396dc99002de9650b

SHA256
1edc06fdb7b097d3f6859bb5499d63869381eb716c36d20c15b9f3f40cc1fb30

SHA512
793749e96c2f52e627170ea4063acc53d1030f1120707869ab8da89ca1757be277994d2c8d0085c9d7ee027b45b2a7620fba2cca73709797b90e16687fc685e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c159a01eade6b7a0c7fff3780abe1ac0

SHA1
47384d2a1b79b3832b9be1c1734d75877c794e7a

SHA256
5481e1c8dc048af6545337bfaba70610c562d9d952b200a835005f0fdda67d28

SHA512
f22da67101fa2649ad4b6b53ded60963b815cf2493fb73ac356c0cdf3197289a1e07fa71a51fff6a9355415b66339536938c3fccef684278d43364bbad33d4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e8ac9787849db28b0375fa06c2d209b7

SHA1
28b6b01d89da0e0c4b677b63da949147be7aa578

SHA256
2c4dcc41d309cea9bdeb3214f6bae94f6053f26a7dc0c6abd4fb24ff23e74069

SHA512
34e0025f8a91f780b50d8d6c72dbb75dd3b24e97aff52856b9fc50747c77b0408f4419ca33388b5585ec1e9593754d51cc97c5ac7fbcb94759ea60672a2a4310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
7f5850c8d34a0880c4a8bfee416b5949

SHA1
83e29fba588b43321abe6aa6d3ba249e13823d59

SHA256
88e4cae337dd18c8b390bfdb481776e8ee1e467c6db9259acaf430cc423edf4b

SHA512
29fbb2f626a0819eeea4022f50be929315f8f8943689d9827fa2f9675a2d26b94d405dc916a95b2aed63f6ef3e716360dece65b2c0bbbfebacb0e53592657b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3ae149e444f0f836daeda9bd0a4c03f0

SHA1
d2b66b82635484e0720f746de6841449fb115765

SHA256
d907aaa6219287d89435fc183de387ceb62640761331cf87a318dce7003bc671

SHA512
4b06366a4f6d932a29100d01d881d9fc2c06f2da56d29f542d5001327e34cc839d7303d9c03381494edf5b7e68cde2ce9bb8668be47faf05438333f7f11cffa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rndhhcsw.2zt.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
95KB

MD5
9d4dcac910a0acdfbf2abc62d26ba9c2

SHA1
5b8ff8cce6bf6147a2b69672cbe62d90fbb0e9b8

SHA256
3898b7e87d779005405350a02ee5a8df61e37fc793914e56a27948478791bf19

SHA512
36fe82fdcb466cb32355491a858fb1ed8a4c0a313f11d3ff2221f4ed5866fa3befbf33fffe02e338766601ca2be449812c366601d973197ebcd80d0b66cc3281

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF1.tmp
Filesize
425KB

MD5
a7b443591e244193c7b16f3abfdd0912

SHA1
65ca6c40403553c5a83c9a466c88eee97427ecbf

SHA256
2d980bf14ed387f4c055d17fdbf4df2860a96bc6157b374c439a2ee1925b2ebf

SHA512
392f4565d00e84d402f4d473214594611e2c105e3c4ad12aa966de0c4be80127b75e8723596477b0f7aae2ff9752787ba8bb1397006d019ab1035644efb4a59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF2.tmp
Filesize
323KB

MD5
08625c0d1b098bdbea864fdbf6ee6680

SHA1
981997af683ff198a43e125f7cc4e19c4ddbdd56

SHA256
650c83f053e2cbd88c3b34193cdffca453b26eb4ea2a992d8e7f0a19d605ff1d

SHA512
137a95deeb986ea9c047473ed1aa313bd7f0d8e364bc1566a46c1ff73b6bdfba3d4f2bb7ff2f48d79cb5a8163382466fda3d3801404461c6d70e093f92088890

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF3.tmp
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF4.tmp
Filesize
544KB

MD5
9a2a07c3769f388e37ad02205559f26b

SHA1
44db154d9acf4e8ea852212a28ef525beffccfc3

SHA256
83194b08e80404d79e9d1c5c969d63da85cdd6dd2777770ee2aa450f88d412e8

SHA512
4487dccbe6dbd090be1d8fd3ff2bd25d94e18d2528680d2337f1a36afecf0998c7dc03598b45e18c5b73b2746879450312924e964697fdfcbdc5f66ee8d9dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF5.tmp
Filesize
442KB

MD5
b61872512fbc4077a7814ad1bde3a687

SHA1
6f866936ea887118c8f9c60665c00a0f0f6e4241

SHA256
9a8ffba4319b17449c6eede01484ab752d28311720d0153460f75812e28f1320

SHA512
8e4903df25abf1f129d61da778c23abdeb1873582c93b7b822145cf0f634d75cb5bbf032a6d2261dbc8f2db8cd89f6dff3a2bb53f10c3c78c0dcf171ac1e7247

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF6.tmp
Filesize
799KB

MD5
8c910c193e4f7c4164e8c8e5af790b9f

SHA1
285ec454c833a8589d190972de4e8f6493c81c9c

SHA256
e065dc8e6102ba9060dff3f7e72d0429e45589d56d428cef634f0e7177bba16c

SHA512
5530b219312614bdca66e7a9abef902900f3cb7abe76f6be7bc599727865c306545a032c9dbfe550a17e4df8d3ce4b6072cc5c23193d1d4b98b05cb62962488a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E06.tmp
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E07.tmp
Filesize
731KB

MD5
023de87d4e7fa2f83145bece4771fbb8

SHA1
213d833207153e290572dbcd58064b92532dd3f7

SHA256
3687d8eff902ea5b6883e6767be0f70343acdd2d7eabd4b836285457f9c6a159

SHA512
3376a9e12871d392209e2525e19e3db63a14d10b2abfc5707d4ceff282cbca75ea4361b118392b4b30ee6d0f2fdef8f6b5ae4b2e9c97c1603b1ab5ff8f319e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E08.tmp
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E09.tmp
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E0A.tmp
Filesize
510KB

MD5
9bd3cc7e5eaa64a931b0881b9f7635f9

SHA1
3f545b1b3c4b5c2117701ef4fffe86b5c87bcf67

SHA256
ba5bfd7239afd83386d76b20d727b08e3e2309edc7ccbd5ff6773657b72777ef

SHA512
9f7cde4af5fc765c8af6be40b182f2474f64e31b6a8ad06ddf9a02377c7af64fc92a94891856f66f3e32a2b6802ed52162b1ce8d803f1a4776a0c3c1869e456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E0B.tmp
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D82.tmp
Filesize
327KB

MD5
2b7ea3716345175c2b01c66345867eff

SHA1
15abc914d23de1c5a0c59fff36fce1f4e504124c

SHA256
f835efdf6103d3efafba7975a849c017832b3d4ae90f4b5b2d45051b9902dc6b

SHA512
da910690f5d3e6e03dd13121aaf79fa965f0a67cc9fb3ac950dd217726d4f899ac10522eedfbe051e2ee4653f6956a3dadf70d769a6abe21f5eb556f7a82d476

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE5E.tmp
Filesize
1KB

MD5
b90a6bc07a91862d3fce96663cc5f805

SHA1
90cda6388d84f899d8281401ef5554f03184e9b4

SHA256
b24b6a6186e5d401fbebb765fefa936d080db5880a970aa47804038be02ca794

SHA512
085e48144298bbaa4f26243128b9fd00bf508b8dfe7c363ec834615e8a55c4ecbadffbc6f59a49cc533087e666812514e6abbf15cc42e63473209ec8f9a469a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE71E.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE734.tmp
Filesize
92KB

MD5
cae9079afcb4c379869afa5d34181d8a

SHA1
188e2435c533dd9633f5fcc09f245ddc1a78db2c

SHA256
2be0a96da90da69fbc34b8e7747e89ce57dfc4fb58ed6c79e0fc21cb7c6791b7

SHA512
ff7d863ebd1090219f07eaf2ac493f20b6ed11606e7f2c19536d764e730a8bb426fff26dc3890f0503c12329ea4a6c5d8812a0d1b69c19a29fbb8cb8366bd4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE750.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/344-779-0x0000000009270000-0x0000000009315000-memory.dmp

Filesize
660KB

Download
memory/344-774-0x000000006EC60000-0x000000006ECAB000-memory.dmp

Filesize
300KB

Download
memory/344-754-0x0000000007840000-0x0000000007B90000-memory.dmp

Filesize
3.3MB

Download
memory/756-1616-0x000000000A170000-0x000000000A4C0000-memory.dmp

Filesize
3.3MB

Download
memory/756-1625-0x000000000BD30000-0x000000000BDD5000-memory.dmp

Filesize
660KB

Download
memory/756-1615-0x0000000009720000-0x000000000976A000-memory.dmp

Filesize
296KB

Download
memory/756-1614-0x00000000095C0000-0x00000000095E2000-memory.dmp

Filesize
136KB

Download
memory/756-1613-0x000000000A7F0000-0x000000000AE68000-memory.dmp

Filesize
6.5MB

Download
memory/756-1612-0x0000000008CB0000-0x0000000008CCA000-memory.dmp

Filesize
104KB

Download
memory/756-1611-0x00000000088E0000-0x00000000088EE000-memory.dmp

Filesize
56KB

Download
memory/756-1610-0x00000000086D0000-0x00000000086EE000-memory.dmp

Filesize
120KB

Download
memory/756-50-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-1391-0x000000006EC60000-0x000000006ECAB000-memory.dmp

Filesize
300KB

Download
memory/2120-1373-0x0000000007A90000-0x0000000007DE0000-memory.dmp

Filesize
3.3MB

Download
memory/2328-37-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/2328-757-0x0000000006B50000-0x000000000707C000-memory.dmp

Filesize
5.2MB

Download
memory/2328-46-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/2328-35-0x00000000007B0000-0x00000000007CE000-memory.dmp

Filesize
120KB

Download
memory/2328-1001-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

Filesize
120KB

Download
memory/2328-756-0x0000000006450000-0x0000000006612000-memory.dmp

Filesize
1.8MB

Download
memory/2328-36-0x0000000005560000-0x0000000005B66000-memory.dmp

Filesize
6.0MB

Download
memory/2328-52-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/2668-1090-0x0000000008F20000-0x0000000008FC5000-memory.dmp

Filesize
660KB

Download
memory/2668-1085-0x000000006EC60000-0x000000006ECAB000-memory.dmp

Filesize
300KB

Download
memory/3696-153-0x000000006EC60000-0x000000006ECAB000-memory.dmp

Filesize
300KB

Download
memory/4420-5-0x0000000073AB0000-0x000000007419E000-memory.dmp

Filesize
6.9MB

Download
memory/4420-8-0x00000000076B0000-0x000000000770A000-memory.dmp

Filesize
360KB

Download
memory/4420-7-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/4420-6-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/4420-53-0x0000000073AB0000-0x000000007419E000-memory.dmp

Filesize
6.9MB

Download
memory/4420-4-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/4420-3-0x00000000049E0000-0x0000000004A72000-memory.dmp

Filesize
584KB

Download
memory/4420-2-0x0000000004E40000-0x000000000533E000-memory.dmp

Filesize
5.0MB

Download
memory/4420-9-0x0000000009E20000-0x0000000009EBC000-memory.dmp

Filesize
624KB

Download
memory/4420-0-0x0000000073ABE000-0x0000000073ABF000-memory.dmp

Filesize
4KB

Download
memory/4420-1-0x0000000000110000-0x0000000000198000-memory.dmp

Filesize
544KB

Download
memory/4672-70-0x0000000008CE0000-0x0000000008CFE000-memory.dmp

Filesize
120KB

Download
memory/4672-15-0x0000000006DC0000-0x00000000073E8000-memory.dmp

Filesize
6.2MB

Download
memory/4672-69-0x000000006EC60000-0x000000006ECAB000-memory.dmp

Filesize
300KB

Download
memory/4672-28-0x00000000075D0000-0x00000000075EC000-memory.dmp

Filesize
112KB

Download
memory/4672-30-0x0000000007BD0000-0x0000000007C1B000-memory.dmp

Filesize
300KB

Download
memory/4672-20-0x0000000007880000-0x0000000007BD0000-memory.dmp

Filesize
3.3MB

Download
memory/4672-17-0x0000000007460000-0x00000000074C6000-memory.dmp

Filesize
408KB

Download
memory/4672-18-0x0000000007540000-0x00000000075A6000-memory.dmp

Filesize
408KB

Download
memory/4672-19-0x0000000073AB0000-0x000000007419E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-16-0x0000000006D90000-0x0000000006DB2000-memory.dmp

Filesize
136KB

Download
memory/4672-14-0x0000000073AB0000-0x000000007419E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-31-0x0000000007E70000-0x0000000007EE6000-memory.dmp

Filesize
472KB

Download
memory/4672-13-0x0000000073AB0000-0x000000007419E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-12-0x0000000000F00000-0x0000000000F36000-memory.dmp

Filesize
216KB

Download
memory/4672-483-0x00000000091B0000-0x00000000091B8000-memory.dmp

Filesize
32KB

Download
memory/4672-68-0x0000000008F20000-0x0000000008F53000-memory.dmp

Filesize
204KB

Download
memory/4672-77-0x0000000009050000-0x00000000090F5000-memory.dmp

Filesize
660KB

Download
memory/4672-80-0x0000000009270000-0x0000000009304000-memory.dmp

Filesize
592KB

Download
memory/4672-458-0x00000000091D0000-0x00000000091EA000-memory.dmp

Filesize
104KB

Download
memory/4672-515-0x0000000073AB0000-0x000000007419E000-memory.dmp

Filesize
6.9MB

Download
memory/5088-518-0x00000000084B0000-0x0000000008800000-memory.dmp

Filesize
3.3MB

Download
memory/5088-536-0x000000006EC60000-0x000000006ECAB000-memory.dmp

Filesize
300KB

Download
memory/5088-541-0x0000000009ED0000-0x0000000009F75000-memory.dmp

Filesize
660KB

Download