amadey | 1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
Size

454KB
MD5

37d198ad751d31a71acc9cb28ed0c64e
SHA1

8eb519b7a6df66d84c566605da9a0946717a921d
SHA256

1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA512

60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
SSDEEP

12288:QeeeeVeeeeeegeeKVe3zJQX7MHv+xY2DxDdeeeeVeeeeeegeeKVZ3zY:QeeeeVeeeeeegeeKVe3zJ7QdeeeeVeeq

Score

10^/10

amadey cryptbot lumma redline zharkbot 1176f2 @cloudytteam botnet credential_access discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

65.21.18.51:45580

Extracted

Family

cryptbot

thizx13vt.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Extracted

Family

lumma

https://complainnykso.shop/api

https://preachstrwnwjw.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral2/files/0x0007000000023506-236.dat	zharkcore

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234e0-120.dat	family_redline
behavioral2/memory/5048-128-0x0000000000010000-0x0000000000062000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1924 created 3448	1924	Intake.pif	56
PID 1924 created 3448	1924	Intake.pif	56

ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	contorax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	exbuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	BowExpert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	JUmer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url	cmd.exe

Executes dropped EXE 21 IoCs

pid	Process
2412	contorax.exe
1684	winmsbt.exe
4648	3546345.exe
4244	crypteda.exe
548	4xPvWM8Q3j.exe
5048	n5vDEeJUpb.exe
1376	exbuild.exe
3716	Hkbsse.exe
4660	BowExpert.exe
3028	kitty.exe
1924	Intake.pif
4692	acentric.exe
876	vlst.exe
1668	Hkbsse.exe
2420	freedom.exe
4488	RegAsm.exe
3436	appgate15.exe
2212	JLumma.exe
4132	JUmer.exe
3484	Hkbsse.exe
4440	service123.exe

Loads dropped DLL 1 IoCs

pid	Process
4440	service123.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe\" /update"	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\""	winmsbt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update"	acentric.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
42	pastebin.com
41	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
97	ipinfo.io
98	ipinfo.io
93	api64.ipify.org
94	api64.ipify.org

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2724	tasklist.exe
1932	tasklist.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3384 set thread context of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 4244 set thread context of 636	4244	crypteda.exe	101
PID 4692 set thread context of 4152	4692	acentric.exe	133
PID 3436 set thread context of 4268	3436	appgate15.exe	138
PID 2212 set thread context of 4704	2212	JLumma.exe	140

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	exbuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	3028	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Intake.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3546345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kitty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JLumma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n5vDEeJUpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appgate15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BowExpert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JUmer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acentric.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4xPvWM8Q3j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	freedom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	freedom.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	freedom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JUmer.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	freedom.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	freedom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JUmer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	n5vDEeJUpb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	n5vDEeJUpb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3332	schtasks.exe
4024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
548	4xPvWM8Q3j.exe
5048	n5vDEeJUpb.exe
5048	n5vDEeJUpb.exe
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
5048	n5vDEeJUpb.exe
5048	n5vDEeJUpb.exe
5048	n5vDEeJUpb.exe
5048	n5vDEeJUpb.exe
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
876	vlst.exe
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
4488	RegAsm.exe
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
Token: SeDebugPrivilege	2412	contorax.exe
Token: SeDebugPrivilege	1684	winmsbt.exe
Token: SeDebugPrivilege	548	4xPvWM8Q3j.exe
Token: SeBackupPrivilege	548	4xPvWM8Q3j.exe
Token: SeSecurityPrivilege	548	4xPvWM8Q3j.exe
Token: SeSecurityPrivilege	548	4xPvWM8Q3j.exe
Token: SeSecurityPrivilege	548	4xPvWM8Q3j.exe
Token: SeSecurityPrivilege	548	4xPvWM8Q3j.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	5048	n5vDEeJUpb.exe
Token: SeDebugPrivilege	876	vlst.exe
Token: SeBackupPrivilege	876	vlst.exe
Token: SeSecurityPrivilege	876	vlst.exe
Token: SeSecurityPrivilege	876	vlst.exe
Token: SeSecurityPrivilege	876	vlst.exe
Token: SeSecurityPrivilege	876	vlst.exe
Token: SeDebugPrivilege	4692	acentric.exe
Token: SeDebugPrivilege	4488	RegAsm.exe
Token: SeBackupPrivilege	4488	RegAsm.exe
Token: SeSecurityPrivilege	4488	RegAsm.exe
Token: SeSecurityPrivilege	4488	RegAsm.exe
Token: SeSecurityPrivilege	4488	RegAsm.exe
Token: SeSecurityPrivilege	4488	RegAsm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2412	contorax.exe
1684	winmsbt.exe
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1684	winmsbt.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2412	contorax.exe
1684	winmsbt.exe
1924	Intake.pif
1924	Intake.pif
1924	Intake.pif
1684	winmsbt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 3380	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	91
PID 3384 wrote to memory of 3380	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	91
PID 3384 wrote to memory of 3380	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	91
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 3384 wrote to memory of 2116	3384	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	92
PID 2116 wrote to memory of 2412	2116	Explorer.exe	97
PID 2116 wrote to memory of 2412	2116	Explorer.exe	97
PID 2412 wrote to memory of 1684	2412	contorax.exe	98
PID 2412 wrote to memory of 1684	2412	contorax.exe	98
PID 2116 wrote to memory of 4648	2116	Explorer.exe	99
PID 2116 wrote to memory of 4648	2116	Explorer.exe	99
PID 2116 wrote to memory of 4648	2116	Explorer.exe	99
PID 2116 wrote to memory of 4244	2116	Explorer.exe	100
PID 2116 wrote to memory of 4244	2116	Explorer.exe	100
PID 2116 wrote to memory of 4244	2116	Explorer.exe	100
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 4244 wrote to memory of 636	4244	crypteda.exe	101
PID 636 wrote to memory of 548	636	RegAsm.exe	102
PID 636 wrote to memory of 548	636	RegAsm.exe	102
PID 636 wrote to memory of 548	636	RegAsm.exe	102
PID 636 wrote to memory of 5048	636	RegAsm.exe	104
PID 636 wrote to memory of 5048	636	RegAsm.exe	104
PID 636 wrote to memory of 5048	636	RegAsm.exe	104
PID 2116 wrote to memory of 1376	2116	Explorer.exe	105
PID 2116 wrote to memory of 1376	2116	Explorer.exe	105
PID 2116 wrote to memory of 1376	2116	Explorer.exe	105
PID 1376 wrote to memory of 3716	1376	exbuild.exe	107
PID 1376 wrote to memory of 3716	1376	exbuild.exe	107
PID 1376 wrote to memory of 3716	1376	exbuild.exe	107
PID 2116 wrote to memory of 4660	2116	Explorer.exe	108
PID 2116 wrote to memory of 4660	2116	Explorer.exe	108
PID 2116 wrote to memory of 4660	2116	Explorer.exe	108
PID 4660 wrote to memory of 2716	4660	BowExpert.exe	109
PID 4660 wrote to memory of 2716	4660	BowExpert.exe	109
PID 4660 wrote to memory of 2716	4660	BowExpert.exe	109
PID 2716 wrote to memory of 2724	2716	cmd.exe	111
PID 2716 wrote to memory of 2724	2716	cmd.exe	111
PID 2716 wrote to memory of 2724	2716	cmd.exe	111
PID 2716 wrote to memory of 4360	2716	cmd.exe	112
PID 2716 wrote to memory of 4360	2716	cmd.exe	112
PID 2716 wrote to memory of 4360	2716	cmd.exe	112
PID 2716 wrote to memory of 1932	2716	cmd.exe	113
PID 2716 wrote to memory of 1932	2716	cmd.exe	113
PID 2716 wrote to memory of 1932	2716	cmd.exe	113
PID 2716 wrote to memory of 4596	2716	cmd.exe	114
PID 2716 wrote to memory of 4596	2716	cmd.exe	114
PID 2716 wrote to memory of 4596	2716	cmd.exe	114
PID 2116 wrote to memory of 3028	2116	Explorer.exe	115

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\Explorer.exe
    "C:\Windows\SysWOW64\Explorer.exe"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\Explorer.exe
    "C:\Windows\SysWOW64\Explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
      "C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
        
        "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
      "C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Users\Admin\AppData\Roaming\4xPvWM8Q3j.exe
        
        "C:\Users\Admin\AppData\Roaming\4xPvWM8Q3j.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
      - C:\Users\Admin\AppData\Roaming\n5vDEeJUpb.exe
        
        "C:\Users\Admin\AppData\Roaming\n5vDEeJUpb.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe
      "C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
      - C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
      "C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 684126
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "VegetablesIndividualBindingGba" Ever
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif
        
        Intake.pif C
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
        7⤵
        
        PID:1124
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
      "C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 488
        5⤵
        Program crash
        
        PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe
      "C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4692
    - - C:\Windows\SysWOW64\Explorer.exe
        
        "C:\Windows\SysWOW64\Explorer.exe"
        5⤵
        
        PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe
      "C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
  - - C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe
      "C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe
      "C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3436
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3332
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3028 -ip 3028
1⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe

Filesize
23.1MB

MD5
8094be340c539b9ac0d2af7ea4c3120c

SHA1
8d7e93d2ea05a156eefde875bcfaaceaae09b0e6

SHA256
71b814a0a6c6d9cd59504a14918e29f59d2b77d981dca01d22a97f098c89c782

SHA512
395029ace96b8c0c2d926ac5c2295b625ba93e91d27fd92b6605660c3c555c618df79db01c61ff28e29c05532554b6aac9361e103134cea794e9443439cd460d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe

Filesize
6.4MB

MD5
dc46c12181890e3705f40d55b09f8d1d

SHA1
b03e12c75fd92ee2ce5ca911b2af07e8db2616ae

SHA256
c85bffc34feb81361875f120fc673b9758c44dc333b25544ae9f7984b8cdf46b

SHA512
a4a26c9efdf21ca7ffd204bbe02af0f6940399ce8c9d6e650f5c793a2be3c75ff55bbbb3d5eac9563c0fd56490ececdd0774b863265eb248e478da9be99b0647

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe

Filesize
102KB

MD5
771b8e84ba4f0215298d9dadfe5a10bf

SHA1
0f5e4c440cd2e7b7d97723424ba9c56339036151

SHA256
3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0

SHA512
2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe

Filesize
2.7MB

MD5
fd2defc436fc7960d6501a01c91d893e

SHA1
5faa092857c3c892eab49e7c0e5ac12d50bce506

SHA256
ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945

SHA512
9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe

Filesize
1.1MB

MD5
8e74497aff3b9d2ddb7e7f819dfc69ba

SHA1
1d18154c206083ead2d30995ce2847cbeb6cdbc1

SHA256
d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

SHA512
9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000226001\fikbbm0902845.exe

Filesize
17B

MD5
c965aa525ae4cfbc3b45c6b7e9271a59

SHA1
3a84d4c1c9277173b530263107af4caf1f61213f

SHA256
50ea6c698e72e13b8132b66bbca9479b7f4815ebb2f8adb3ca1cfec79523107e

SHA512
bfddf9f5cb766b20f564b6a94048d1779431794b02cbd0993f4f3554b46b1a4e17bd3def58200da665fd991d1480b22992181ef543413d8013a19889484c3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe

Filesize
1.3MB

MD5
db2a12edc73769f2f2b6b01545afe2c3

SHA1
73dc44fb0753296f51b851299f468031ceb77b54

SHA256
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42

SHA512
dadf36bc9c5d88c28b9064892cc263c912ce668435b71802df756c0a4e680f8407011d36498a2511dda7165aea866c0ae794f9ec8fbcc42c7da1661399316ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe

Filesize
319KB

MD5
0ec1f7cc17b6402cd2df150e0e5e92ca

SHA1
8405b9bf28accb6f1907fbe28d2536da4fba9fc9

SHA256
4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

SHA512
7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe

Filesize
454KB

MD5
37d198ad751d31a71acc9cb28ed0c64e

SHA1
8eb519b7a6df66d84c566605da9a0946717a921d

SHA256
1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

SHA512
60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe

Filesize
538KB

MD5
1b2583d84dca4708d7a0309cf1087a89

SHA1
cae0d1e16db95b9269b96c06caa66fa3dab99f48

SHA256
e0d9f3b8d36e9b4a44bc093b47ba3ba80cabd7e08b3f1a64dec7e3a2c5421bac

SHA512
a51b8ed6a6cf403b4b19fc7e9f22d5f60265b16cdf24a7033bc0ee0da8c31861caa212dc5fb3bf17e28842fc28a263564076ad4e9905afd483763859bafd4493

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe

Filesize
3.5MB

MD5
d6b80519cb7c625d200d2899c345c8c6

SHA1
5bdc488ee5c3139260fad6957fedfd9167427011

SHA256
9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca

SHA512
12376e5d59cb61bc4de1678e08dd8a452d837eb2dd1102cfca718f12614d858b97c72fbedf2f5f978a26152251a58b07347cbb42fd8ade4b533f5192bcc74e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe

Filesize
4.3MB

MD5
d27f0f74b4381fb585068b4afdb81afc

SHA1
59d8efea4a87a203f6941efef0700edd95e2e38c

SHA256
aa66c3988f3631925873757ae73ac5630508a43e2eebe6c0502a4d3194de8e41

SHA512
5070e522c922636b36cced63719558b52249faec5289e68174d03295c4630f200c3db7757c7f96b84200944cd13ee396d0ae733d33aaba9c861c05610938425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\453224882060

Filesize
79KB

MD5
62bbc14a5f6272a078723a0d963d31d7

SHA1
9acfad53a05edf6f7206dcce887eb3fc20b0dc32

SHA256
e863f5ee679b67297bd4b3c62dc81ef98d9c3631a8d28944ae780d1672c16f2d

SHA512
c1d44f29564417f93b91fe986069ed1567a362ef110770c34aac9a18e767564252a96454fcf043becd11167118f2858f212b46f62aa96fa4247853f883d777ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\684126\C

Filesize
764KB

MD5
0687024f2f53ac5521c7906f3fe520aa

SHA1
ed39dd96a9817591b49f918e2681746880fab7f3

SHA256
112bd1117039e48f288baf93af0f32425e8c713d286c035c9e17e8fb1c109dc1

SHA512
617e34ea0d74de0ddda1eae4a164b512b5e9f0495a3fb37a179d54d660ce3e9e300f0b7963abbbe8d4eef597253c7f98acea5bae0a08c0c6d3abb0f455541fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defend

Filesize
72KB

MD5
3ffe3c3fb21a5ed46a9978d2b5947b6d

SHA1
819162aff48f808f9f3b5e3ef4d0c796aa9db8e7

SHA256
7653a8cf9ba473a69bb709bf79e5fa9a9c6241a4b1e3322f2dddb687757be597

SHA512
9bd9e6c0eea5f5c1a8ca9bf73462ec5ebf40d6d1288cfdd9771fc8aca1483532fb32ae7db78bb1a097a402446e5bd2bdb74a569bd22d629044a1cf6c75da48d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Done

Filesize
71KB

MD5
6313731000c458f93f3b38f8efe8f473

SHA1
80465192259472d99df58ae9b855fb39a417057d

SHA256
515c0187913f0a9a8a29474ab4254c708b7313c7d51336298ac12309da2c5762

SHA512
9392eb0a8d2e0f40cdf1680836446df5ebf593946c08d70bdb847aee282c340284f101447474b029ee19267cd7d35a67036e1c601e4396a7f3d77602c2f0d193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dow

Filesize
58KB

MD5
8b6ffbdec787d05144222945ed6f1630

SHA1
5b78f2acf88b3fefdd6f83dceb7fab9f1e2f6e7f

SHA256
1556d87508fc4ff200a5ae230b2dedba08e928c874a8f4598e4b683c245112d5

SHA512
4143f7aa5cdf8bf1282901a01b85933c382c52c1761c47e140838d3657fb3312e732f4e1f75a2eb9e222b2bb7255f0bd704f3508ecda2b2580597886186a3c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drop

Filesize
84KB

MD5
04e73383049289673593df5a29973bad

SHA1
97902e070c1a530994cae694220795d1a28036b0

SHA256
98aa216d527304e5c3d0b912141b382fab019c266b39ca6a0fa7d370f5cb863a

SHA512
0892ec2917d1b9538576fa44bfb04bcfee4772f88109b365866ca15953eb2552158cc4ffc1c7345236143b00aeb4abd0b573e21cb89cd2e97732a30fe98e18fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ever

Filesize
434B

MD5
d0771024e040eec0492c72f99f1a9da3

SHA1
9b0c8a089917fb62620772fbf905f2131a6e3263

SHA256
5cbda1c4b5d68d0591eb5d0c82f05c4af6a971ab1e01111b7a456dd8fe5d928e

SHA512
e3ee538586972969ee2652e63719e7221ad96ba21fc9de757cbdd5188f2074ee19a80b7da1364f9d047ab377c676285c8734383abad8c04e5485826442345a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Haiti

Filesize
53KB

MD5
a3bd90672827ff4663266fecb6984494

SHA1
47b92e0b39385192b21ef35e10420708bff5880f

SHA256
1597abdd2a12a699b8430e6e0ba2f5929902055255f3498ddea3b7bb7846219a

SHA512
5183a5ce6920eb8b737c22ef1331e49d40687aea4e8842261d56d629da833bf66083baa0e3492c20bc19146c1d6e194584a47913ce099e551c996c072c64bf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Judy

Filesize
79KB

MD5
0042de6ea5da496e284a3a7c45d1f224

SHA1
e449e78b4f6b0879dc49ce81cbc522aef069f2a9

SHA256
41c6a8aa311fc5a358144a730b1afa20f46ceeea2ffc725944257261a98afb7a

SHA512
82d9a17f4483474c31e7f74fc046bd109941811a29c348b8823cb32e13cd972a1960259466f923e1c6c07eb9c9493d79ca9f54417ddb5b34fdbf098ce6f3da18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luck

Filesize
11KB

MD5
2dc7d0c0f159951f61bf3a13b09248fa

SHA1
096befa4fb246d61bce5143c841a4557ef2db783

SHA256
be3789def126bae2c4aab1f575cd5a0672ad622f6ebbafa1531a8b88b144beec

SHA512
bea4558dc80e80d1c7933472d2661a9a1759ea0f5ef86a6ebf48a5a828472cb6a22b2fbbe760c97a204530e03c9bd6700c64e0f66c6d12c52acaad0d95e9f38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manufacturers

Filesize
72KB

MD5
754a9dae2397213100854741cf7db47d

SHA1
c1dbda2ae60b34ca976f7930855ab55ebaac6c24

SHA256
485cba993ae39c80b87167c2694c3078811838101caaf7b968a2b5f6a0390b7b

SHA512
ff9a1578733fbeb1179a6fb08145cd663009cd9d35f3ce28fed836bd4a44cdde96ebd15fd63b030f61c8d389e224430dbc63ffd2b1c09b73bc5f726b83b5ecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nevertheless

Filesize
872KB

MD5
e813b80d164d4952b66c8ea5536349cd

SHA1
8907d822bd69009a8ab7586f26bc5fb2392d0ef1

SHA256
0611030533326de6bf61941f4a87deb1f310874ddfc32daed2e2f4c22acb1d70

SHA512
3b97a8476074e47999a892a663168a19ab4a17c75ee1629a95cdd507533a256f8fee5cc7308e6e755b4d90425dd3145f8c08f0e1d5de5534a1e805c61fcbb4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qualified

Filesize
68KB

MD5
5ca401680e665e82b5a935f525e843f5

SHA1
01bf1fc5da64b1cdef2388a542669161dc33852d

SHA256
9c9acaa1e7f8fce40369324a265c9b7d17022b7ee5802896d0985eb9b09fd098

SHA512
29e259058ca187d56a49835eea888b29d065cba8958d3bc619a339860e0405dcbeb7f82fe1aa56381224ee27eebbe451b539fe153a1dd26fe43405497b898f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runner

Filesize
64KB

MD5
c17552522a54e508d07c008d72b87321

SHA1
be1f9beb4800793dbef0ab8431ca25286ede7bd2

SHA256
8d58e294dea1c83234048d48694d64ab1766a16128d69699fdea62c2d5e0b722

SHA512
5d38a368819e6c7d9def4c162bc221ff52dab77376bab01be3f524da006de58ec5b4c977edbedf60b880fa73f2da408c7d21ecf9f32bb0a03a636ad3a35e21be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6220.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wesley

Filesize
59KB

MD5
d44cf7a22a55b3a4f00cb0487077a976

SHA1
3cc2ffe8a71ccace6c960fbb96f59f5ef1923d3b

SHA256
5e6343866115cab6a45deae3d997108d9d38a29c2f5411664d545c5d036aa725

SHA512
c976f59400a25336c76aff9d40e81063e55ea999036599e1d1a082178bfaea0ed91f6b5f301a9a8b2d79bd0040948172a9b2d3eb9118b40eec1e402e60331373

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wire

Filesize
84KB

MD5
b471046a9262afd7e3d2f92ca6491166

SHA1
e84925e58952c869227880e426afb8cd9c07b7a9

SHA256
578039840a13f711610a0048d723bcf64d1bf5844da53d0c3959a6deec7cfca6

SHA512
ac321081300e1aefe7706c66348733f3750e59938ef4e80a5bce1aebe076bdf1267cceef43cf1fa1b03a7bf07255c462fc3eec83ad32b93d914f4299ae53f9fe

Download Submit
C:\Users\Admin\AppData\Roaming\4xPvWM8Q3j.exe

Filesize
544KB

MD5
88367533c12315805c059e688e7cdfe9

SHA1
64a107adcbac381c10bd9c5271c2087b7aa369ec

SHA256
c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

SHA512
7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

Download Submit
C:\Users\Admin\AppData\Roaming\n5vDEeJUpb.exe

Filesize
304KB

MD5
30f46f4476cdc27691c7fdad1c255037

SHA1
b53415af5d01f8500881c06867a49a5825172e36

SHA256
3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

SHA512
271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

Download Submit
memory/548-188-0x000000000A5E0000-0x000000000AB0C000-memory.dmp

Filesize
5.2MB

Download
memory/548-186-0x0000000008BD0000-0x0000000008C36000-memory.dmp

Filesize
408KB

Download
memory/548-187-0x0000000009EE0000-0x000000000A0A2000-memory.dmp

Filesize
1.8MB

Download
memory/548-130-0x00000000009B0000-0x0000000000A3E000-memory.dmp

Filesize
568KB

Download
memory/636-102-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/636-105-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/636-125-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/636-100-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/636-104-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/876-325-0x000000001F630000-0x000000001FB58000-memory.dmp

Filesize
5.2MB

Download
memory/876-324-0x000000001EF30000-0x000000001F0F2000-memory.dmp

Filesize
1.8MB

Download
memory/876-323-0x000000001DFD0000-0x000000001DFEE000-memory.dmp

Filesize
120KB

Download
memory/876-322-0x000000001E610000-0x000000001E686000-memory.dmp

Filesize
472KB

Download
memory/876-321-0x000000001DFF0000-0x000000001E02C000-memory.dmp

Filesize
240KB

Download
memory/876-320-0x000000001DF90000-0x000000001DFA2000-memory.dmp

Filesize
72KB

Download
memory/876-319-0x000000001E080000-0x000000001E18A000-memory.dmp

Filesize
1.0MB

Download
memory/876-318-0x0000000000150000-0x00000000001DC000-memory.dmp

Filesize
560KB

Download
memory/2116-292-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-396-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-387-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-347-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-96-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-208-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-214-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-340-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-240-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-246-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-76-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-69-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-283-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-316-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-167-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-30-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-160-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-20-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-306-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2412-42-0x00007FFB43973000-0x00007FFB43975000-memory.dmp

Filesize
8KB

Download
memory/2412-43-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

Filesize
128KB

Download
memory/2412-44-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download
memory/2420-352-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-349-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-375-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-373-0x0000000000400000-0x0000000000799000-memory.dmp

Filesize
3.6MB

Download
memory/2420-354-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-357-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-356-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-355-0x0000000002930000-0x0000000002E55000-memory.dmp

Filesize
5.1MB

Download
memory/2420-351-0x000000006E600000-0x000000006E69D000-memory.dmp

Filesize
628KB

Download
memory/2420-350-0x0000000063280000-0x00000000634BE000-memory.dmp

Filesize
2.2MB

Download
memory/3384-21-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3384-8-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3384-3-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/3384-5-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3384-1-0x00000000000F0000-0x0000000000168000-memory.dmp

Filesize
480KB

Download
memory/3384-7-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/3384-4-0x0000000004C00000-0x0000000004C0A000-memory.dmp

Filesize
40KB

Download
memory/3384-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/3384-6-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/3384-2-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/3436-402-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/3436-401-0x0000000004E50000-0x0000000005176000-memory.dmp

Filesize
3.1MB

Download
memory/3436-400-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download
memory/3436-399-0x00000000000C0000-0x000000000051C000-memory.dmp

Filesize
4.4MB

Download
memory/4152-331-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4244-98-0x00000000008A0000-0x00000000009B2000-memory.dmp

Filesize
1.1MB

Download
memory/4268-407-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4268-405-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4268-403-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/4488-370-0x0000000000B00000-0x0000000000B8C000-memory.dmp

Filesize
560KB

Download
memory/4488-374-0x00000000083E0000-0x000000000842C000-memory.dmp

Filesize
304KB

Download
memory/4648-189-0x0000000000400000-0x0000000000C61000-memory.dmp

Filesize
8.4MB

Download
memory/4704-434-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5048-173-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/5048-199-0x00000000065A0000-0x00000000065F0000-memory.dmp

Filesize
320KB

Download
memory/5048-147-0x0000000005550000-0x00000000055C6000-memory.dmp

Filesize
472KB

Download
memory/5048-148-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/5048-151-0x00000000065F0000-0x0000000006C08000-memory.dmp

Filesize
6.1MB

Download
memory/5048-165-0x0000000006140000-0x000000000624A000-memory.dmp

Filesize
1.0MB

Download
memory/5048-170-0x0000000006080000-0x0000000006092000-memory.dmp

Filesize
72KB

Download
memory/5048-171-0x00000000060E0000-0x000000000611C000-memory.dmp

Filesize
240KB

Download
memory/5048-128-0x0000000000010000-0x0000000000062000-memory.dmp

Filesize
328KB

Download