neshta | 595eb49460b7eb4f393af28a335dcaf98317faad04a92e49e9eceaa1f7379f40

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-02-2025 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ATRTool_2.0.exe
Size

2.1MB
MD5

3ae9004eaa14b935532ca38e56c364e0
SHA1

022afbf6dc5577509e031f30fe570169710f056b
SHA256

595eb49460b7eb4f393af28a335dcaf98317faad04a92e49e9eceaa1f7379f40
SHA512

694c8403c53f40eeec2efef61f98cdbd76c1c187d3abcff550cd67aa8f96f375b81260a655d842be2cc9bc519281d97cafa790ea3524aa5ad48d3c298609aba8
SSDEEP

49152:dnsHyjtk2MYC5GDgHyjtk2MYC5GD/qnUiBqnUUpQln:dnsmtk2aVmtk2aApOn

Score

10^/10

neshta xred backdoor discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 15 IoCs

pid	Process
2016	._cache_ATRTool_2.0.exe
1212	Synaptics.exe
2412	._cache_ATRTool_2.0.exe
2692	._cache_._cache_ATRTool_2.0.exe
2556	svchost.com
2940	._cache_Synaptics.exe
648	Synaptics.exe
2380	svchost.com
1720	_CACHE~2.EXE
1184	_CACHE~3.EXE
2072	._cache__CACHE~3.EXE
1132	svchost.com
704	_CACHE~4.EXE
496	Synaptics.exe
1192	Process not Found

Loads dropped DLL 44 IoCs

pid	Process
2440	ATRTool_2.0.exe
2440	ATRTool_2.0.exe
2440	ATRTool_2.0.exe
2440	ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2412	._cache_ATRTool_2.0.exe
2412	._cache_ATRTool_2.0.exe
2412	._cache_ATRTool_2.0.exe
1212	Synaptics.exe
1212	Synaptics.exe
1212	Synaptics.exe
2412	._cache_ATRTool_2.0.exe
648	Synaptics.exe
2556	svchost.com
2380	svchost.com
2380	svchost.com
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1132	svchost.com
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
2692	._cache_._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
1192	Process not Found
2016	._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2692	._cache_._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
2692	._cache_._cache_ATRTool_2.0.exe
2016	._cache_ATRTool_2.0.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_ATRTool_2.0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ATRTool_2.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_ATRTool_2.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~3.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	._cache_ATRTool_2.0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	._cache_._cache_ATRTool_2.0.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~3.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~3.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_ATRTool_2.0.exe
File opened for modification	C:\Windows\svchost.com	._cache_._cache_ATRTool_2.0.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ATRTool_2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ATRTool_2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_ATRTool_2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ATRTool_2.0.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_ATRTool_2.0.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2028	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE
1184	_CACHE~3.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE
Token: SeSystemProfilePrivilege	1184	_CACHE~3.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	EXCEL.EXE
272	EXCEL.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2016	2440	ATRTool_2.0.exe	28
PID 2440 wrote to memory of 2016	2440	ATRTool_2.0.exe	28
PID 2440 wrote to memory of 2016	2440	ATRTool_2.0.exe	28
PID 2440 wrote to memory of 2016	2440	ATRTool_2.0.exe	28
PID 2440 wrote to memory of 1212	2440	ATRTool_2.0.exe	29
PID 2440 wrote to memory of 1212	2440	ATRTool_2.0.exe	29
PID 2440 wrote to memory of 1212	2440	ATRTool_2.0.exe	29
PID 2440 wrote to memory of 1212	2440	ATRTool_2.0.exe	29
PID 2016 wrote to memory of 2412	2016	._cache_ATRTool_2.0.exe	30
PID 2016 wrote to memory of 2412	2016	._cache_ATRTool_2.0.exe	30
PID 2016 wrote to memory of 2412	2016	._cache_ATRTool_2.0.exe	30
PID 2016 wrote to memory of 2412	2016	._cache_ATRTool_2.0.exe	30
PID 2412 wrote to memory of 2692	2412	._cache_ATRTool_2.0.exe	31
PID 2412 wrote to memory of 2692	2412	._cache_ATRTool_2.0.exe	31
PID 2412 wrote to memory of 2692	2412	._cache_ATRTool_2.0.exe	31
PID 2412 wrote to memory of 2692	2412	._cache_ATRTool_2.0.exe	31
PID 2692 wrote to memory of 2556	2692	._cache_._cache_ATRTool_2.0.exe	32
PID 2692 wrote to memory of 2556	2692	._cache_._cache_ATRTool_2.0.exe	32
PID 2692 wrote to memory of 2556	2692	._cache_._cache_ATRTool_2.0.exe	32
PID 2692 wrote to memory of 2556	2692	._cache_._cache_ATRTool_2.0.exe	32
PID 1212 wrote to memory of 2940	1212	Synaptics.exe	33
PID 1212 wrote to memory of 2940	1212	Synaptics.exe	33
PID 1212 wrote to memory of 2940	1212	Synaptics.exe	33
PID 1212 wrote to memory of 2940	1212	Synaptics.exe	33
PID 2412 wrote to memory of 648	2412	._cache_ATRTool_2.0.exe	34
PID 2412 wrote to memory of 648	2412	._cache_ATRTool_2.0.exe	34
PID 2412 wrote to memory of 648	2412	._cache_ATRTool_2.0.exe	34
PID 2412 wrote to memory of 648	2412	._cache_ATRTool_2.0.exe	34
PID 2940 wrote to memory of 2380	2940	._cache_Synaptics.exe	35
PID 2940 wrote to memory of 2380	2940	._cache_Synaptics.exe	35
PID 2940 wrote to memory of 2380	2940	._cache_Synaptics.exe	35
PID 2940 wrote to memory of 2380	2940	._cache_Synaptics.exe	35
PID 2556 wrote to memory of 1720	2556	svchost.com	36
PID 2556 wrote to memory of 1720	2556	svchost.com	36
PID 2556 wrote to memory of 1720	2556	svchost.com	36
PID 2556 wrote to memory of 1720	2556	svchost.com	36
PID 2380 wrote to memory of 1184	2380	svchost.com	38
PID 2380 wrote to memory of 1184	2380	svchost.com	38
PID 2380 wrote to memory of 1184	2380	svchost.com	38
PID 2380 wrote to memory of 1184	2380	svchost.com	38
PID 1184 wrote to memory of 2072	1184	_CACHE~3.EXE	39
PID 1184 wrote to memory of 2072	1184	_CACHE~3.EXE	39
PID 1184 wrote to memory of 2072	1184	_CACHE~3.EXE	39
PID 1184 wrote to memory of 2072	1184	_CACHE~3.EXE	39
PID 2072 wrote to memory of 1132	2072	._cache__CACHE~3.EXE	40
PID 2072 wrote to memory of 1132	2072	._cache__CACHE~3.EXE	40
PID 2072 wrote to memory of 1132	2072	._cache__CACHE~3.EXE	40
PID 2072 wrote to memory of 1132	2072	._cache__CACHE~3.EXE	40
PID 1132 wrote to memory of 704	1132	svchost.com	41
PID 1132 wrote to memory of 704	1132	svchost.com	41
PID 1132 wrote to memory of 704	1132	svchost.com	41
PID 1132 wrote to memory of 704	1132	svchost.com	41
PID 1184 wrote to memory of 496	1184	_CACHE~3.EXE	42
PID 1184 wrote to memory of 496	1184	_CACHE~3.EXE	42
PID 1184 wrote to memory of 496	1184	_CACHE~3.EXE	42
PID 1184 wrote to memory of 496	1184	_CACHE~3.EXE	42

C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        6⤵
        Executes dropped EXE
        
        PID:1720
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:648
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        8⤵
        Executes dropped EXE
        
        PID:704
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:496

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\ProgramData\Synaptics\RCX933B.tmp

Filesize
1.1MB

MD5
339353be0495c2d16d52c0c7a5f4b334

SHA1
8d96c4996ff665c34e9dc15d88213d4ee8be7d15

SHA256
223a7b688141eaee7d34e703bbbc1f9ed4126689b7bb109ae8fc7df001dc3063

SHA512
b88719dd715b0795f0c936b3c9bdff72e2af5e63f904fd71c3e68b361b41d7219448c90658dcf46c26a249583a7ffbff60a051bba8c6fe8342243998711c05f0

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.1MB

MD5
3ae9004eaa14b935532ca38e56c364e0

SHA1
022afbf6dc5577509e031f30fe570169710f056b

SHA256
595eb49460b7eb4f393af28a335dcaf98317faad04a92e49e9eceaa1f7379f40

SHA512
694c8403c53f40eeec2efef61f98cdbd76c1c187d3abcff550cd67aa8f96f375b81260a655d842be2cc9bc519281d97cafa790ea3524aa5ad48d3c298609aba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe

Filesize
294KB

MD5
2099910ba6417aaf84a759d4982e90e6

SHA1
eced7b6852bd70e50ca8570132d3ed9062ee63de

SHA256
6ea0f0bd75c37b5217a25f56d31821735feded4b6ad6141fdcce84a7e91c8e89

SHA512
a2c7da5bf383b3e382af35caa20a04799f21c28a2e2e5456761f9e58d87e0b5630b3a574fd80dadba477857a7d5f361d21b42d46dda91476170bd36252ed881b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe

Filesize
1.0MB

MD5
b8e1007adcef7c323538cf075aa95637

SHA1
048ff934f2d1c655108cfab62816528589d0d7e7

SHA256
0243b35b9e8a53cfc75fb60ec9121f4097d40fe3f9bbefb967c36af189993051

SHA512
7f673738cb448cdd15faae14fb14a7b02ad32faa9d916a07d712a7c12f254d00e285cf39a31247cecf9badd8e6512e3bac9398509178e2c048da9f433a97da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

Filesize
253KB

MD5
ddf79e9c69388e228e42d9f93e179cd6

SHA1
e70fed04ff2d63a2026162e7e8888a9ec195832e

SHA256
33598c2ce7ba425ee7c95120313821562b20ce4016a3ecd5f312e7a4ee6576ad

SHA512
0433cd6a69ad69b580424d45ac2e681e682177089d8613e2cdebe5cb493790b52db2460bd204bdfb7d2ae8b5b3dc48c98f7b867cc184ee7231c06422b25b4661

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrSqlnhn.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgcCVWnC.xlsm

Filesize
22KB

MD5
77be3415c50378277dc4ea4b0c78a537

SHA1
6912a4e796b9108bfd9e6daee86571b6868d1f6c

SHA256
cf20cc21b84fedfa66c240e4e2b8db9bcb9ab02d84315775adfafb9bc575fa03

SHA512
4e9083c3c77f881dbfa088425657369cf347d42eded4358e01cb707ff899a12a8b86ba334a8ff27bc67654db41682de59e218bc5ff376e7b601b99668effe0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgcCVWnC.xlsm

Filesize
23KB

MD5
dc7cb63fc4c574b4228be8ce5e96e092

SHA1
32fabe7ba412e80c939e26a35858fe91e77046ea

SHA256
182f6e9a54761ba20f10c828bb4a61ba931b9da9ae92ee1b3ae82fffa2747271

SHA512
7a734ad1d1f6b82ba6b05462114226afb3843ea0d8539a11d6baa369cc50baa9d280f2e6877df486553cd04b2fe6c26dfe362a58a2b742a06eeaa51fde01160f

Download Submit
C:\Users\Admin\Documents\~$BlockJoin.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
b42f2603883dadf133cee3ae5d767bb2

SHA1
dc4161551044405353e870b029afff27c8030e22

SHA256
998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28

SHA512
a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
8e4bd9619c227ef2bc20a2cb2aa55e7b

SHA1
a6214b7678b83c4db74b210625b4812300df3a74

SHA256
84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9

SHA512
12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
f3db8ffdeb781e898aa20bc2d30f3408

SHA1
a11e57d1cc90c30db396fc4f219c7f43989c2538

SHA256
b7bda66c52f7ec1c8a97823a9fa9abb7c88f93e4382472c7e57976bd2296d08c

SHA512
d25a36baaa5fe52cf9438831733d071879eb9f360e440a5444f283b79cbd514bdd6f8f606fbaf1406f06fa879ec48d59dd97088d74a94c22aabe2f2e8e9b35bb

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe

Filesize
1.1MB

MD5
9d48229dc6695fd4d13ad58ae8b7d8dd

SHA1
7c967634d6bf5e41e4d07d456aa41c46321cb20d

SHA256
e26fa69daafcc345413c0610a03a1c0daa82303cbf3bc49fe259a0beb1232927

SHA512
72dda935f5ebf1669f02397399c2d1a3af7ee01cd965a582610d2a0a1a7d81ae6eaa963b54f9d1801f76d629a50d4104ef53f66ad0fcd9961cb294b0759f1e44

Download Submit
memory/496-326-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-339-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-338-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-336-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-335-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-343-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-340-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/496-329-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/648-139-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/704-165-0x00000000000E0000-0x0000000000122000-memory.dmp

Filesize
264KB

Download
memory/704-271-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1132-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1184-167-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1212-138-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1720-341-0x00000000010F0000-0x00000000010FA000-memory.dmp

Filesize
40KB

Download
memory/1720-160-0x0000000001120000-0x0000000001162000-memory.dmp

Filesize
264KB

Download
memory/2016-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2028-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2072-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-89-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2440-41-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2440-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2556-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2692-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2692-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2692-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2940-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download