neshta | 8a07690ab92973d54e970c0e2ca59e2dc6b25558c5d055ea7f095237cb6119e1

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
Size

887KB
MD5

6866eee9cb71f0f645d6f2272d96c760
SHA1

b21e9aafefe4075105c57fbe29ffd0a265aed363
SHA256

8a07690ab92973d54e970c0e2ca59e2dc6b25558c5d055ea7f095237cb6119e1
SHA512

9c7137d87ac57936b03e330da8492b09fa4b52e7ac1d54812054ce22a41a6eef23da8e2c005b9ac33b8a1924a7fc2e72c8bd11c5f225309fbbff7384df90cd04
SSDEEP

24576:RBtolXsxkvJu9WAF+QCJifGz9g0AksafgEHEjE7:VoFAF+zJifGzi0AksQHq

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x00060000000186b7-38.dat	family_neshta
behavioral1/memory/2776-41-0x00000000005B0000-0x00000000005F8000-memory.dmp	family_neshta
behavioral1/memory/1668-47-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1668-219-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1420-494-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1668-582-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1420-619-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7d8-698.dat	family_neshta
behavioral1/files/0x000100000000f7dd-701.dat	family_neshta
behavioral1/files/0x000100000000f77b-704.dat	family_neshta
behavioral1/files/0x000100000000f7cf-711.dat	family_neshta
behavioral1/files/0x000100000000f7eb-714.dat	family_neshta
behavioral1/files/0x000100000000f708-729.dat	family_neshta
behavioral1/files/0x000100000000f832-732.dat	family_neshta
behavioral1/files/0x000100000000f833-735.dat	family_neshta
behavioral1/files/0x000100000000f877-738.dat	family_neshta
behavioral1/files/0x00010000000114c5-747.dat	family_neshta
behavioral1/files/0x0001000000010b92-750.dat	family_neshta
behavioral1/files/0x000100000001039f-753.dat	family_neshta
behavioral1/files/0x0001000000010c10-760.dat	family_neshta
behavioral1/files/0x00010000000117fc-763.dat	family_neshta
behavioral1/files/0x00010000000118e3-772.dat	family_neshta
behavioral1/files/0x0001000000011876-769.dat	family_neshta
behavioral1/files/0x0001000000010f2f-766.dat	family_neshta
behavioral1/files/0x00010000000118ea-775.dat	family_neshta
behavioral1/files/0x0001000000011a18-778.dat	family_neshta
behavioral1/files/0x0001000000010417-789.dat	family_neshta
behavioral1/files/0x0001000000011b57-792.dat	family_neshta
behavioral1/files/0x00010000000108f7-797.dat	family_neshta
behavioral1/memory/1668-800-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/files/0x0003000000012140-801.dat	family_neshta
behavioral1/files/0x000300000001213f-816.dat	family_neshta
behavioral1/files/0x0003000000012142-813.dat	family_neshta
behavioral1/files/0x0003000000012181-819.dat	family_neshta
behavioral1/files/0x0003000000012180-810.dat	family_neshta
behavioral1/files/0x000300000001213d-807.dat	family_neshta
behavioral1/files/0x0003000000012141-804.dat	family_neshta
behavioral1/files/0x000300000001217e-824.dat	family_neshta
behavioral1/memory/1420-827-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/files/0x000100000001069a-833.dat	family_neshta
behavioral1/files/0x0002000000010923-840.dat	family_neshta
behavioral1/files/0x000200000001180f-843.dat	family_neshta
behavioral1/files/0x0001000000011448-849.dat	family_neshta
behavioral1/files/0x0001000000010b0b-846.dat	family_neshta
behavioral1/files/0x0002000000010c91-856.dat	family_neshta
behavioral1/files/0x00010000000115cb-1033.dat	family_neshta
behavioral1/files/0x0001000000011607-1039.dat	family_neshta
behavioral1/files/0x00010000000115f9-1036.dat	family_neshta
behavioral1/memory/1668-1162-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1420-1163-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/files/0x00050000000055df-1193.dat	family_neshta
behavioral1/files/0x0003000000005ab7-1196.dat	family_neshta
behavioral1/files/0x000300000000e6f5-1199.dat	family_neshta
behavioral1/files/0x000400000000572c-1202.dat	family_neshta
behavioral1/files/0x000d0000000056d7-1205.dat	family_neshta
behavioral1/files/0x000b00000000598c-1208.dat	family_neshta
behavioral1/memory/1668-1217-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1420-1218-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1668-1220-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1420-1221-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1420-1228-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1668-1232-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1668-1234-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta
behavioral1/memory/1668-1250-0x0000000000400000-0x0000000000448000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000186bb-52.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
2892	dxdiubst.exe
2784	~586D.tmp
2840	icsuocom.exe
1668	~5A02.tmp.exe
1420	~5A02.tmp.exe

Loads dropped DLL 13 IoCs

pid	Process
2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
2892	dxdiubst.exe
2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
1668	~5A02.tmp.exe
1420	~5A02.tmp.exe
1420	~5A02.tmp.exe
1420	~5A02.tmp.exe
1420	~5A02.tmp.exe
1420	~5A02.tmp.exe
1420	~5A02.tmp.exe
1420	~5A02.tmp.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	~5A02.tmp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	~5A02.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\AtBrtreq = "C:\\Users\\Admin\\AppData\\Roaming\\forfkmgr\\dxdiubst.exe"	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	~5A02.tmp.exe
File opened (read-only)	\??\V:	~5A02.tmp.exe
File opened (read-only)	\??\Y:	~5A02.tmp.exe
File opened (read-only)	\??\Z:	~5A02.tmp.exe
File opened (read-only)	\??\J:	~5A02.tmp.exe
File opened (read-only)	\??\Q:	~5A02.tmp.exe
File opened (read-only)	\??\M:	~5A02.tmp.exe
File opened (read-only)	\??\N:	~5A02.tmp.exe
File opened (read-only)	\??\R:	~5A02.tmp.exe
File opened (read-only)	\??\X:	~5A02.tmp.exe
File opened (read-only)	\??\H:	~5A02.tmp.exe
File opened (read-only)	\??\K:	~5A02.tmp.exe
File opened (read-only)	\??\P:	~5A02.tmp.exe
File opened (read-only)	\??\S:	~5A02.tmp.exe
File opened (read-only)	\??\G:	~5A02.tmp.exe
File opened (read-only)	\??\I:	~5A02.tmp.exe
File opened (read-only)	\??\O:	~5A02.tmp.exe
File opened (read-only)	\??\T:	~5A02.tmp.exe
File opened (read-only)	\??\W:	~5A02.tmp.exe
File opened (read-only)	\??\E:	~5A02.tmp.exe
File opened (read-only)	\??\L:	~5A02.tmp.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\icsuocom.exe	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
File created	C:\Windows\SysWOW64\runouce.exe	~5A02.tmp.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	~5A02.tmp.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	~5A02.tmp.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	~5A02.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	~5A02.tmp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	~5A02.tmp.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	~5A02.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	~5A02.tmp.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	~5A02.tmp.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	~5A02.tmp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	~5A02.tmp.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	~5A02.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\readme.eml	~5A02.tmp.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	~5A02.tmp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	~5A02.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiubst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsuocom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~5A02.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~5A02.tmp.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	~5A02.tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	dxdiubst.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE
2840	icsuocom.exe
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	dxdiubst.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1420	~5A02.tmp.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2892	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	30
PID 2776 wrote to memory of 2892	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	30
PID 2776 wrote to memory of 2892	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	30
PID 2776 wrote to memory of 2892	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	30
PID 2892 wrote to memory of 2784	2892	dxdiubst.exe	31
PID 2892 wrote to memory of 2784	2892	dxdiubst.exe	31
PID 2892 wrote to memory of 2784	2892	dxdiubst.exe	31
PID 2892 wrote to memory of 2784	2892	dxdiubst.exe	31
PID 2784 wrote to memory of 1212	2784	~586D.tmp	21
PID 2776 wrote to memory of 1668	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	33
PID 2776 wrote to memory of 1668	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	33
PID 2776 wrote to memory of 1668	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	33
PID 2776 wrote to memory of 1668	2776	JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe	33
PID 1668 wrote to memory of 1420	1668	~5A02.tmp.exe	34
PID 1668 wrote to memory of 1420	1668	~5A02.tmp.exe	34
PID 1668 wrote to memory of 1420	1668	~5A02.tmp.exe	34
PID 1668 wrote to memory of 1420	1668	~5A02.tmp.exe	34
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21
PID 1668 wrote to memory of 1212	1668	~5A02.tmp.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1212
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6866eee9cb71f0f645d6f2272d96c760.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Roaming\forfkmgr\dxdiubst.exe
    "C:\Users\Admin\AppData\Roaming\forfkmgr"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\~586D.tmp
      1212 249352 2892 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2784
- - C:\Users\Admin\AppData\Local\Temp\~5A02.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\~5A02.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\~5A02.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\~5A02.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1420

C:\Windows\SysWOW64\icsuocom.exe
C:\Windows\SysWOW64\icsuocom.exe -s
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
825KB

MD5
2d36e7077528678439032d89317289b7

SHA1
b25f2cf0f670f04db2646fd45480816850686205

SHA256
c746fd5102e42b99e41a2f4034ffafd0d55535263640aeb31b03eda94cd1c566

SHA512
b5f114ab04f962757098ad5eb935eca14d66773b5a4cc79b7f94fe4ffa976abf2b66d534d4eb0668aa9a46543a5f5caeb55f001ff2e4727a07838b112dfa1f69

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
513KB

MD5
8ac495f924156f6bd2f2ac511579e971

SHA1
92b8560f5896b6d870881fc3a5394f448f8b0e7c

SHA256
b32fe5b1a0f366a214c4f9184f10e10fc02033c057d6de02a84a15ee5e489597

SHA512
e25e058eabff1ce215711bd9660885b80b3b42056001847c770c914f2fefb2763c8402a792f2f293ad9584cca2ef6adae6e5597ab06ed2973e044b43b0eff3ca

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
152KB

MD5
991e600c6c3e046ecf653939fae3f8b0

SHA1
37c8da359e8c99830a20032ba5dfbb09f275eba2

SHA256
b22b91c4b7ce361607e985bdfc132148500d0bbeafeb489b888e4dd842a76b98

SHA512
2ea1c4e0f124c2f94b74071fabb5a62586b61adff0d70450f994f61fab3c8c7f80fbf3ccc750036425baa72ff7e60f9a96babd48b6380d84e8a2d22f05a27f1d

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
d5cf6410057d5169370754a954914258

SHA1
69c6c4e3d51defc8cab1e96683b2677c0ddd0566

SHA256
22c00d8c0e23bc84a7de7b0af69c6f75312482865c9175ccdc15d5b5586adce9

SHA512
30f4d71a5f90b88a08ff0400a223ffd8fa81be1ecacd9918e782a2352b939eaa24d05aaadf391e8be2510c9c30a4b5b6e2ab0e3499e173727a13f126776432ee

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

Filesize
292KB

MD5
05bb2cc6bd41fdb885069cde765a70f9

SHA1
d1597d0488456e3d9795026ce11079dd89e592a7

SHA256
042390ed0c65da67a357bac55da640e280c121dad2c8240f22249398b8723a8a

SHA512
241059306c6bf4e5a39a97eb651267015abe579ed2ce49163159b48b7ef213fb1428888de6678b19823640fd32dd0ef479b11dfedbf6ab1635fbd449c283ddab

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe

Filesize
320KB

MD5
80ec9cfb494fa5a269a0df238b31c878

SHA1
b2bfced7e3bcb83ecec44d3900d2f2d196a4d880

SHA256
6afdb3dc0afc19015e5867c35210e91fb85520c835866faf07ef5c6d5bae0acf

SHA512
f96879c5442f4131d75ba75daa7e32274e0e6c191507d687e118daddb2e3bb2784335a65b790e59b5d5b5d28added3bf6b1eccd6b1349c1a0ccaeff48574eb26

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Filesize
388KB

MD5
c8b731a8cf4fb4a3341444026301ccd3

SHA1
067bd26fe18dc944e759d4c46980acfd7134acb2

SHA256
f078272f65b9f91d5e93fcb49c65aa14b63e96633996dc5464b3ca1b70321b3a

SHA512
c6675437298688dd7fed066355af400c172fd00e164ab70126e4714bc0cea1e1a4aa7f9fa9bb19a2914f59d9ff008c5a57bac6117599f58c87a68683b29c9c11

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe

Filesize
576KB

MD5
549b90176ec2268d53b9f92d166036a6

SHA1
bc5e3da1113142caa2a5b86e2d3d0012bbd8cb9c

SHA256
4015e94cd11f92ca408c7adf028d200617caf35c928a68df73634b8ac4d58098

SHA512
64826728069eee1c51b7293ccd3f9ecedc61868f6824ac8850c391bbb54139acfde93a2bfc6d7fd29fcfb63c090e524e74ee6a05556eb823f2d22fcf99f18661

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe

Filesize
144KB

MD5
0d3f9cf348278cca35334648c86d491e

SHA1
f7c75de012a3bf0a5796e6f26d43a6ae164dbf3e

SHA256
c67869f4c2bfc4c423722720a86394933231bd5508aaa96e935d82471ad71217

SHA512
dfffd8b46f038de7c630f374ce71c22f84574f3884983666b7dab38ffa78313a6bb791d001e0eaf1072e6d303c748ce6fa0c18a2e79c85beb54728fc46f6aa05

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe

Filesize
380KB

MD5
1ab0d3aae1c0df5a4e9eedd2bb903273

SHA1
c8708b2df016ae1b551e3948d2b8900b31ab9a6f

SHA256
41a6dff5bed64ebf07a9f08d9ae339cd4b165ee3f6f1212b19a657408714f6d8

SHA512
40e44e3e2fb1922da7fb3f8d0f1f8cd5fdd71b381f2f7deefb338abd662e9b70919dadd66e5dc73982a54900c9c93b33520ae95dfcb0eea3ac0a866fdaf5a21f

Download Submit
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

Filesize
106KB

MD5
16a809d0d8953432670cae2cf58232a1

SHA1
283d02f040583aded8712b0e85d7268c660d1b1b

SHA256
fbbf1a63d19702718b08a0789f933e5533ec7637c8401293242c8ada6f710d4d

SHA512
84d3c5187d64f6402ec1405fbafd270dc8c92c60c39e1832f28527efa46bce7e82d75bbf84fdc3e3948e0bc3cf4873eb6c3d39c0e11134d700ba328813103b32

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe

Filesize
137KB

MD5
e3ae0d31c4775be8642e00765f35fd4b

SHA1
02e18cd3f5e32cd33f69ac950eacb0e10242eb5b

SHA256
759e33613e697329a7e9dd24b0eda6e55ca9d54fd45d4ac24f2833d8e7db6fb0

SHA512
5642be33cdaa83d1d172ac78e0b1be2f8c8a97f96242b09ac52e86f3d5079311d2b6c5d27531b6267a883994577815f154667b2ef81950d46fe46a42ef3fb9d1

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

Filesize
2.4MB

MD5
996ce17e40a09adc899bedec28ce4144

SHA1
b005ef735cc785a5c63b4c16bcb39e9c929b2150

SHA256
062ccbfa5761d4f283263c25000f0df7158d3bbbe7602bb9242a8fabf194b060

SHA512
5c95522d99c5ee0d7e4b38f6300b75891e14e30b66905266425509a3c4efe5dd13fef228138957833577bdc84faf28ee173019da248a663157661ccd016f38bd

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE

Filesize
865KB

MD5
f3bb9e9be8b261da8ac649cf85d7999b

SHA1
ccdcc903bfcc2222e959a4eec25865276e22f255

SHA256
8040d9907991d8f65b1ea80c8cbf70e9b42949cc488062ebd8d288dc0a318327

SHA512
3560145d3da76e6c8cfa8dcc24ccf64ba51ba4a8521718bfcec8adebc4cb967903993ce5e906bee96053c66e40e97454e4fd51e49210bb51547ed8ac790e1790

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE

Filesize
554KB

MD5
7a423d69c2c0c96866c302348d6cdfc3

SHA1
af842a10c76615ae141398d9738eb22eab746b21

SHA256
e70867362d87123976682afbaaa11ab2a4daca009d04d8104b81ede11c3be5d9

SHA512
d81bbef4df6fcc80d887cbe7eea6e57f1bf16604832fcfdb7b35398e400cdf0f9e27d1fbdd5ecdcbad7999c0ad6868c8ca453967dd6bca6bdf0645756e832d62

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Filesize
577KB

MD5
db645a60335425b29cdcde06751f2473

SHA1
235e86539e7708bf1d29797bf61da802625e7213

SHA256
7e820be592a7705748f264fbc433652f2905ac4f75bc3645f3d8657f3f3ffaf1

SHA512
42e4fe6b668a868a034157360e769d9bfe9d415e396271e791d8fe0d3d5006c8e17d17d1da0bfca81fe97c457da8fbfd8eca8da3e28a344fa9df3e73daed7954

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE

Filesize
164KB

MD5
b91fc8e7f335199da289fea94558575e

SHA1
04d451ba52a5639eeaab3b4e4d6ad1ff82d921fb

SHA256
8e937ae24ba66925c4d5baf87d0a94a519de7add4465bd5739cd86dc1c33f7f3

SHA512
af97258e7d02d79c05069562decdfd81bfda001af03fa9851d0a7b6e07db697b9c2ea03fb14b9ccb019f5832950c94682fb425da80780d548420fb84ffde8333

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE

Filesize
236KB

MD5
780b59141a04b9aa8670ac9d7dc3d0b1

SHA1
2d6a370f2079d3950e9dfcedf0599f14fe0fa9c6

SHA256
a5d49eb3be247c6a3d61baca068e6277cfe212036305efa8fb36f447592c6f21

SHA512
def2cdd80a3d00b19c891d90a76a93e60d7ca068bbce4be777e2fd4ccf051a6b0a94c5f30867af4cd1a82154399c8cec1ca4010ebe6b108faba538661569450a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE

Filesize
509KB

MD5
e38c298c9efa724a2129514fff0815b7

SHA1
c21e19cb7618d403386e08fa20b8966b6f6349d3

SHA256
cea19bc4d28260b65569ca6a73465565a261b945b44262df31ae83b610ca49d1

SHA512
84cf2fb58f397ac6b47868f7bb8552194e97db80112c47e7a211b25a956030fe9701df224950eb3ccd9dc6de11319991ab2afd27f4dae723df51a0cf8b085930

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE

Filesize
160KB

MD5
19baa21117a56516fcbc174b84845493

SHA1
d61ddec617f6b2db134dd5a38e9fce5cd0648967

SHA256
7df586d1b88eb007a7e8bddf67792ecb3770b65b23a81ad7fb9c43c58c0ba8f7

SHA512
cace731da1fedebb62eb41c7d26b1b2a58f5a3131097ce326b90e7d1cffd8a356a3fbebf624acde0a47fc3fa8c243443e677856b6c7827c6f7e95b8ceb3c2e4c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

Filesize
212KB

MD5
204af7c6304453501c9534dbcab5bad0

SHA1
2f7a987e8a85e6d0ec567950ccd7a974c97d519e

SHA256
2a52736b360ed8e80b064c0918a3872b1c3ed3c3eacc4535229aacde70d6c6aa

SHA512
3192696e6220f7d68ddc22c07548b1b95c124d1ae0c569c3f4fadb20b85c299a39313bf7fb7b053854e55aa2f7df80f6ce64926d0ecb5a7339220e61460b2d58

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe

Filesize
545KB

MD5
00e339665885419021101f6a9e7ffa1d

SHA1
44fe6b2878b3ad29ccd502f6cfb785b471313f6a

SHA256
66b0ba0467eec0e1fcc30db9dd977afa1aa9d25d77a523467a21ec9cd7945ee2

SHA512
e531c281d06051f6c0594693d9bd733eb92a0d979ce7a5ba565081bd22ac6abef5251d7be1165435986317ccfb66486ba846a91fa5f68e6b50a6e871997ab9f0

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe

Filesize
1.1MB

MD5
e4f7c424d932ba0f0a626a5ea100610c

SHA1
72d420567e56a5bd59013831a67abe6cf1503025

SHA256
9f42584cfe599b8d181a69c4f0a8cf0ffc5261a2b080fa85553ae5f72a170d17

SHA512
5971df3930c6809c203bdebf9318377248baa8e54219221da96273bb2387a50e3a1ec02a2e8297ae2aac41e3efcd32ee76fc9b09f7efc6a97aafee7dcde59366

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
192KB

MD5
ee0b97d4e9186d51321643a97003c994

SHA1
c6e5879b21dd007a47e57ef0ebb3163ca079a902

SHA256
a436564d3d59bac5c5a107aaf7d51ccab48435259c02d181e6c72a398a0cf9e2

SHA512
e800efa4bf44e207b3ff02f888df3a332647c0c9d7a6d5516aea739049582b75ff5f7c3504018960d681ecf9a6ab9edf4114d258dcc88fdc7c24eec0c4d56a00

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe

Filesize
1.2MB

MD5
a428cf5560c8f19b1d7182ed6e4d0704

SHA1
79a8f41bda252c272ad6c446ef5655edf059ec6e

SHA256
9c0ec0cea79964463dcad3568daf505d9f3c44584db598589e31fba06e41becf

SHA512
856f454f58344f4206b685a7c69e0317faad8a467d4a11c1a4177fa6b19a8d412870da0d4c05f217d4e14fead2865391d4ad47ff03be15e28d2343e9591a3b11

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
132KB

MD5
03264c7372082f60d25ff740ec28121a

SHA1
9f582331430af686e4d77487a6177a21346002d0

SHA256
5bca7a6da02e4591e8ea4c4ad617af8596fc72ca90fb305a5343f1b451f5689d

SHA512
166b7f7c5a0719e9a1630def7e9a3f652dec2f5806d92549f732085d31af6d962f13bdd3f7f379e74e93aa3a45fb87f7ef16ace3f86a6fd22872b1dc41a4a786

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

Filesize
349KB

MD5
03ecabe6782c23305c4361ac75b46414

SHA1
73049b79b25e98821ebe87b50456a531d5a67a95

SHA256
149dd36600168f9453c7996c94a64b4ad672c8518f4d6a33fb9610b3324abb60

SHA512
53b046681dba26d26e2f971afe9d0537946dae334dc0f5600d4784b6115702b671b708cf4110b3991dc8475c4dada49aa286c2969d3b09f7b28b86050d1a2234

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

Filesize
445KB

MD5
63b8b52b0ab2dcafb8ca981b3c78e24a

SHA1
56ae89ddb4f4b5d5aeb781e6121d63e11e5bd4ae

SHA256
9415c7bdf78d4429635f72e16df21df0e8bebdd8c12d1091e0882e69e4e10065

SHA512
ff4dfef4306bc9249b4b0bfb2da934db98fe8f4e802bf09e936080064ea87d67fa729be4e0ebac35fefcaf8efad752ba218780911336d6bf408982e4f020336d

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

Filesize
214KB

MD5
d90a91cf4cac027567cc15672c141ea7

SHA1
39585362787f54dec16077f3a2e8953426fafcee

SHA256
f09b5dd2ec97f6a320935445810b388ceeb8cbe7151b99fa91ac53868ae9dec6

SHA512
688101378ed0e955afe1916f504aeaf2435f602fd0909e1c4214a43c248c83a4a1161b519414756eac54ebb6210bbbab4b8d00635fba3b9fd2d5c1353f1617ca

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

Filesize
161KB

MD5
9b7d58ea73ebee75ee095226c30c7f57

SHA1
2cba42f662ef7397a1690c98c355e3b7cc7658a4

SHA256
896043868237b5a9827c23ca6aa6c42b8bcc7cc916d65db6a54d70525991b889

SHA512
35ca62f2bd2a405f5e0001b32595241ae8b1ddcbf3902212d6c55e8ac3d5643501b829ed15c8a2ef17c73f74b1c27bf3a83c6767ae02aed11abd4cb508fb5d0f

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

Filesize
237KB

MD5
9b5eda1b7b3b493f44386aa33f71a70a

SHA1
5c4170c142ca4088aeae1f21a62ca249c35ca35c

SHA256
e5677b5b24af506910c8d4b6d8c590a01b4a2cb974c34479334f292e390c7d9d

SHA512
eac5925baff120ce8aaca429257a646c6649044e489ab3da872db43425c71ca797902889d47b67799db931fb891a80c19b5492aa076b8f531f6d91eb38c992d9

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
271KB

MD5
4c77f763cc21c9b2ab2c61e35167362e

SHA1
af563240a49d3a68ffb4651a6b779e5fe5cf808e

SHA256
ca57cc1d4d3c05a139e353b6510d6791b9ac858c81f2c6202f2a8eba0e8b8d0e

SHA512
27fa4ffdb2fc2a91293ea1097fcee87ce7428a14056076a48b1daf40cc3f67f588ab2c6be26f78b52fda0efcf3852220713fe98243ce10a87c47ebc9ff1c2433

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe

Filesize
161KB

MD5
c33c6f80066b6acaade01130a4d82c54

SHA1
350c4815a858ad5bcacbdb06c6b143b00c408224

SHA256
8a1986f3e7e47775478888406c1b327ff92fc6d92e5d4044f80571b80cc1fa0b

SHA512
4891070dcfb5efb9c8e4b761b4c9d08ca984c2948c467c4860fb8a80f5ca0dbd815e734eb0021e4f8d8da5db05049c39b82210b91b2e50b68a8a80aba7e49d30

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Filesize
214KB

MD5
b8d6a7757925b376b8c36aa0a164cf48

SHA1
587e15ab3695fdf32f56fcd3f9fd4ba45a4e8c8f

SHA256
612e6000ca94104f55a37986b8e8fe6d1478b094ded281b4d7144035f6aaf281

SHA512
6135a05052159574db11ccc7358e319809288669970ec72c1227939084408caafea7bf908986f98e5c9c671e9e3acbd9808df6b05f6f0bdc8b667bca9234cede

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE

Filesize
91KB

MD5
120b8a5dcb111954aae91356b59612f2

SHA1
470f684ea55d0720c7459f64a8498a9700210bfa

SHA256
45366afca20e230499df96a2227f53ece5912eb1ef26b7b3c955cce20cad7ad2

SHA512
48e0d60d6a756e3aa2f27bde6e6f6af87bc39abf102e37ae3cef322ffe6e82f17c7674d4898e230696cb750b049d0833dd0c200a39ea03a2aedf95118eed2319

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE

Filesize
1.4MB

MD5
21fdb5b3237161309f3c9c00bfadf6ff

SHA1
d7f92ef68ddda431606bee808b3cf2fd837f7960

SHA256
9b1139798135e174bccd882f50ea0b6fb10d7321a12b7d682080775cba8b1609

SHA512
3a178dece56c914b6cfceaced8c5fb81ad702d40760ab01c8f944acfac44e05c4735e33230695be6487d5683e8a3d1f9a006fbb5ba3da826429fb7cbe021dab3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
136KB

MD5
df31cd9fb22a7295ac891c3babf909bd

SHA1
65eab9e138b57c24fa0b8a28909f6beb7030fc80

SHA256
83ace84e1a45dbedd4080cc98419bc90ae78526a9616f0b86d0989e3a3b41f4c

SHA512
e91e732648f5569dda125f1dc383fd3fb403db8e794a1d673b4ff602832889b1b8dbb838d03ca582add7e5365250ce60166b675a312882404b8e083cf6943200

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE

Filesize
253KB

MD5
19ad84d13c4a338e28616442950c0e64

SHA1
0ae4ec06b34ac4c65ff7c44b1bff46a1f3dacb5b

SHA256
11e8e2daa708941ba6448bc5a7db0583004f250166fc88f6b40de82b72dc576d

SHA512
74fce59703487f856d4465eae8a0ba9d2f3c029c55fb71a582185b4b8b09c27db8425edcbabd3e7e5f89a9f4eaf21992e7f74842a60a52c3b9be3c037da58a5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE

Filesize
194KB

MD5
7e82f79de62cbced5fff3818ae041e14

SHA1
78c1748abe210304df67703a51dd25783a90a2a3

SHA256
8b1bd9d6d316ea3d4c487d3aa15c906aa7a3f6425bf32463a656cb8f792078a5

SHA512
ca7c02182226c4bc4627ef2aa5a60801b63e42b36ec9c09de92f684bd8a6f98a667ec25e6fdfd1289894806d65a770153eb8daa1327ae5d80dcf4cfa5fe72653

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE

Filesize
4.1MB

MD5
8aaceff4c568151c64622d087bc477a6

SHA1
546cef9cc8d3cc727b30515625e2cb2531ee29f3

SHA256
1035ee296f733f815567e289a5fc96336446228b51924d708f654d4f3ddabe36

SHA512
7701d5fade197531febf594c7dae72abd7c027538c4fc643e9c7f6b14acd9f5d19b6f9be0247b7302002943cde83e4d4459292d3a66dcb8c37aeef428e88c74d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE

Filesize
968KB

MD5
7a6b5c726624a443c686a3ac3a42e56e

SHA1
248cb273a2aa50769ab1a8b5b45f964d02a64a46

SHA256
a31ef9b9318357c27ba8989805ac0a63af31348679e6835ea8f7ce1c0b073363

SHA512
7dbeffcf9f1629b31febc245526b651f427a8ce137cc091f07a9e0be857215517ef80e2cec94115a1df0cf9a9ed401e3ce807fef2b4b257e3a8517a0940e68fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe

Filesize
611KB

MD5
49f816c0ba2caf8c1c78bc2e26a48495

SHA1
e9d6ff39196eae10fa6056d97768101df6af6f59

SHA256
1fb51069842522b196a26a112eb83973a6e477b5b6ea3c4faeb7134ef927fce2

SHA512
a416efc265edfa173378ae41bbd9a5bd694947571697d900410b9b4c87fb60bbe0a715ca3097eb4a01a451bdc59733a45cc46ffd1cc97e250b55758bfab01241

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE

Filesize
1.7MB

MD5
c39e90221d068c77d834d95aa756b28b

SHA1
541120a1852ee03887fd35cd4e4d02fa40e8d122

SHA256
419d73e10d9c9b5895185f2beffa77cc2a6f195f85e637bd3d33506778303a74

SHA512
a40e52ae27dcd0ba9cd7f622548c8d8832929d1c3b84227311754ff4ac942be6bc85431cf41d5fd5af142091a131b7478441508ac7fda88999f8f6fae3303cf8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
ebe5363aa01b80636363fcbb43789370

SHA1
712f5d281d2272f0ec6597009956d5237e8088d7

SHA256
94d6a714411a7bd1c4a4680526eeaa01f7a697f5e4fd1339fb4dbc1a941c443d

SHA512
e9a22adf7ab7431661a670d54108ef07bd4a274fc073f4786b1b1b5e32db2122960aeaa54382212aab6e1aa876675b7f909f996e43f78f49b10004d48c071369

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
492KB

MD5
d7102b199cbb81ccf76213bd12a10c92

SHA1
2083f42abe85b45239e7277407742c4f3863c2ed

SHA256
b702ced8ad28bdbf5c7aa47895d18e2945cc09bc403e47241d62314067c50d7a

SHA512
86cdc16e8734a41087091ff034685dca86ba3a76077d62e4ddbb5456477baf9fc4f8126536021cec5ff8c74b9e65a4dbdfe44c98862fcf293403458f4fe42460

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
680KB

MD5
6cafeb9bbd94a5fa3aa9ba0e48129b73

SHA1
056b78caee265129b8b24302186e932e3e3a88f5

SHA256
ea521becd189820f01bc9b255d9889bed426ffcae2a3312910d43b461c4d7fa5

SHA512
7f060349f1d33768801b83b689b48a5102436692ef31aa8f4ac5b150f2d41bc6eae65ab6dbbef16099168756ccae85d090ac3cc15376b22a3416d1b6a4b466b1

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
681KB

MD5
e9bb3469e2be426c4127fe1edfdcade1

SHA1
5295ae16cb03071f5e83d4bf63b02438819c2a24

SHA256
75d768bd70fa5756c248e5ab83664f80a1e959218ebcb018d8736c1af79b3fb8

SHA512
999a1ce3fdb4740f8bddef2b80f448fa06c4787af29589600cd3b37683d09142f9a03c6e898114df26f9dd6c9a9282e17a857998f8a4feaa188cc595e3a6cba9

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
502KB

MD5
01bdc0a88837463d4bb52e931148f256

SHA1
0f35f3c9963e865c92f9ff2f10d40ede40516f74

SHA256
961968f3c98282e1596469fff01b169f31fe13f1398cb35d069fea8905acc8be

SHA512
148a2382d43ccdf7792104a689f6f45922038bb7e93e153c2626421194abb0ea40ad43bca1e2e1855ab755b8692d04f51729296afda4d255cf1b8cabe359243d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
491KB

MD5
ddf2c1827c2986cec76e51955a1f7afe

SHA1
6c1e12292f14bab4657c8b916908f8cd652ecb8c

SHA256
faac096083c43f11f961b13cf85c23c78eef95113c998f1c43ba6d86815db10e

SHA512
58fd7d28224fad13cb1cba6c8e287ba96e868a9375d3e3f05aad2d04a5d90cbc9035048497c5e6fbce66f10fd5c4bdc457171d92ece61ac8894d70cb4995e659

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
502KB

MD5
8ebf88d105f7c3704315f6b8f8a543ab

SHA1
123ca70e23afa8656ccfc7d320ff8b8427c3a4e3

SHA256
6ebfca20985243e778e89143e62abcc0e6b4424ef120fdcc6eed32376ae0687c

SHA512
eafd11717098f293c51458f41f20646aa37809a95930cd17c4fde32639c6d7311bb44cf94656af96af8fd2c24d065fbc2f0b79272e1a728ef448f3edd2352f86

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
613e217a5f834f707980f2cd3e6f5c9a

SHA1
c161884afb39cad61fd1fab8bdc04e4231281bb8

SHA256
9499df4896f16eca4b8409e8dc8eab1b00fbd81680b5f244e28fe68e104f57fb

SHA512
c5bc45f78d0ff95182192b02b8493e1e6e56899a0e23cb103f87f084d3eb4d217aec63999e28ad62368678484dc033f1c34c86cb486e8ec3146946c4927337f7

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
c8504c55568361d0666f5106ce70f94a

SHA1
ca45c6e3734fb6b657859a6d14c3f91f358f1a22

SHA256
7d8cef5a63a7a0fcc40300c8b6b9f3c3308e18d8cc3d7198179fc9ceadd5078d

SHA512
404cdcf8a09f54a39b6819fda11e555acb1a8b117bfa509d515bacbbff8e811a7348f9564f2b5ab937a8930071e0e5e83c3794a007a50dc383704599ef19f523

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\ajl5E08.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\~586D.tmp

Filesize
8KB

MD5
aac3165ece2959f39ff98334618d10d9

SHA1
020a191bfdc70c1fbd3bf74cd7479258bd197f51

SHA256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

SHA512
9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Download Submit
\Users\Admin\AppData\Local\Temp\~5A02.tmp.exe

Filesize
1.1MB

MD5
2a552a0bb277dc4adc5f24873b825f0e

SHA1
54121dd4e6280fc9084e83cf7405dd32a1f9c629

SHA256
0ada262345e4a4d82f7c2e3a612a16ac67628e4f8acd5d6d9ccc2ec49a2afb53

SHA512
8b077cd7543b3cd1f7c2fa78bf0fd02c392da2c4c78e590db12b0f7c4348ba75a6c2b3fe27fae38d273c8a3a4ecca6ac9e8426be287199abad6da12aec8c66dc

Download Submit
\Users\Admin\AppData\Roaming\forfkmgr\dxdiubst.exe

Filesize
243KB

MD5
664a1310b4ed8e56b0137bb15177624f

SHA1
02be9437f54bc4e9da20e624fcf3f962cad4f320

SHA256
96f295e61f86aa6626cfe77e0ab4ea44fb4653a838bb128c2181c809eb88e2f1

SHA512
d562db9894ff19aa97bd5deb3b383eb5367a559ccdc22969a4abad35331ca1f1460e5067293f56fc601e256e411b38585964351ae48cab6cc42d0449b8e7363c

Download Submit
memory/1212-58-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1212-17-0x0000000002A70000-0x0000000002ABC000-memory.dmp

Filesize
304KB

Download
memory/1212-27-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/1212-28-0x0000000002AD0000-0x0000000002ADD000-memory.dmp

Filesize
52KB

Download
memory/1212-60-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1212-18-0x0000000002A70000-0x0000000002ABC000-memory.dmp

Filesize
304KB

Download
memory/1212-21-0x0000000002A70000-0x0000000002ABC000-memory.dmp

Filesize
304KB

Download
memory/1420-620-0x0000000000450000-0x00000000004C3000-memory.dmp

Filesize
460KB

Download
memory/1420-623-0x000000002DFC0000-0x000000002E04A000-memory.dmp

Filesize
552KB

Download
memory/1420-1228-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-1221-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-494-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-1218-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-55-0x0000000000450000-0x00000000004C3000-memory.dmp

Filesize
460KB

Download
memory/1420-1229-0x0000000000450000-0x00000000004C3000-memory.dmp

Filesize
460KB

Download
memory/1420-1163-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-98-0x000000002D990000-0x000000002DA7E000-memory.dmp

Filesize
952KB

Download
memory/1420-95-0x000000002D2E0000-0x000000002D3FC000-memory.dmp

Filesize
1.1MB

Download
memory/1420-827-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-621-0x000000002D840000-0x000000002D86A000-memory.dmp

Filesize
168KB

Download
memory/1420-622-0x000000002D2E0000-0x000000002D3FC000-memory.dmp

Filesize
1.1MB

Download
memory/1420-96-0x000000002DFC0000-0x000000002E04A000-memory.dmp

Filesize
552KB

Download
memory/1420-89-0x000000002D840000-0x000000002D86A000-memory.dmp

Filesize
168KB

Download
memory/1420-619-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-1217-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-1250-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-1234-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-1232-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-1162-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-800-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-582-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1668-1220-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2776-97-0x00000000005B0000-0x00000000005F8000-memory.dmp

Filesize
288KB

Download
memory/2776-40-0x00000000004C0000-0x00000000005A7000-memory.dmp

Filesize
924KB

Download
memory/2776-41-0x00000000005B0000-0x00000000005F8000-memory.dmp

Filesize
288KB

Download
memory/2776-0-0x00000000004C0000-0x00000000005A7000-memory.dmp

Filesize
924KB

Download
memory/2840-34-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/2840-35-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2840-83-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2840-32-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2840-31-0x00000000000E0000-0x0000000000126000-memory.dmp

Filesize
280KB

Download
memory/2840-66-0x00000000000E0000-0x0000000000126000-memory.dmp

Filesize
280KB

Download
memory/2892-13-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2892-12-0x00000000000E0000-0x0000000000126000-memory.dmp

Filesize
280KB

Download