neshta | d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Size

892KB
MD5

e501c275814bfcb58fe845c38227d5c5
SHA1

e2dd36fd738326611cc8d80462451beb842b2d93
SHA256

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0
SHA512

435829c2248659e855cef6aca52061fb33c568f73b3668fcb87bcc33cc86f5c442a3e9ef7f840c3f54d813bf8c8b8c80c4139ae134a71245e269f186b550786a
SSDEEP

12288:WpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9djS0TMS9:OJ39LyjbJkQFMhmC+6GD9d7n9

Score

10^/10

neshta xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.141.26.232:6666

Mutex

mbuYWmhQxC0l7ybb

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	family_xworm
behavioral1/memory/744-84-0x0000000000430000-0x0000000000450000-memory.dmp	family_xworm
behavioral1/memory/2980-142-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xworm
behavioral1/memory/2204-392-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xworm
behavioral1/memory/2204-520-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xworm
behavioral1/memory/2204-541-0x0000000000400000-0x00000000004DB000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3724 powershell.exe
3988 powershell.exe
4440 powershell.exe
3480 powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synaptics.exe._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exed5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exed5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Drops startup file 2 IoCs

Processes:

._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Executes dropped EXE 8 IoCs

Processes:

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exeSynaptics.exe._cache_Synaptics.exesvchost.comsvchost.comsvchost.comsvchost.com

pid	process
2980	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
2204	Synaptics.exe
3820	._cache_Synaptics.exe
4964	svchost.com
2792	svchost.com
4228	svchost.com
772	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com

flow	ioc
29	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.comsvchost.comsvchost.comd5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exed5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exeSynaptics.exe._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

pid	process
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
3988	powershell.exe
3988	powershell.exe
4440	powershell.exe
4440	powershell.exe
3480	powershell.exe
3480	powershell.exe
3988	powershell.exe
3480	powershell.exe
4440	powershell.exe
744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe._cache_Synaptics.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Token: SeDebugPrivilege	3820	._cache_Synaptics.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

pid process

744 ._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

pid	process
744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

description	pid	process	target process
PID 3064 wrote to memory of 2980	3064	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
PID 3064 wrote to memory of 2980	3064	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
PID 3064 wrote to memory of 2980	3064	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
PID 2980 wrote to memory of 744	2980	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
PID 2980 wrote to memory of 744	2980	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
PID 2980 wrote to memory of 2204	2980	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	Synaptics.exe
PID 2980 wrote to memory of 2204	2980	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	Synaptics.exe
PID 2980 wrote to memory of 2204	2980	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	Synaptics.exe
PID 2204 wrote to memory of 3820	2204	Synaptics.exe	._cache_Synaptics.exe
PID 2204 wrote to memory of 3820	2204	Synaptics.exe	._cache_Synaptics.exe
PID 744 wrote to memory of 4964	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 4964	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 4964	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 4964 wrote to memory of 3724	4964	svchost.com	powershell.exe
PID 4964 wrote to memory of 3724	4964	svchost.com	powershell.exe
PID 4964 wrote to memory of 3724	4964	svchost.com	powershell.exe
PID 744 wrote to memory of 2792	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 2792	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 2792	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 2792 wrote to memory of 3988	2792	svchost.com	powershell.exe
PID 2792 wrote to memory of 3988	2792	svchost.com	powershell.exe
PID 2792 wrote to memory of 3988	2792	svchost.com	powershell.exe
PID 744 wrote to memory of 4228	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 4228	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 4228	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 4228 wrote to memory of 4440	4228	svchost.com	powershell.exe
PID 4228 wrote to memory of 4440	4228	svchost.com	powershell.exe
PID 4228 wrote to memory of 4440	4228	svchost.com	powershell.exe
PID 744 wrote to memory of 772	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 772	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 744 wrote to memory of 772	744	._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe	svchost.com
PID 772 wrote to memory of 3480	772	svchost.com	powershell.exe
PID 772 wrote to memory of 3480	772	svchost.com	powershell.exe
PID 772 wrote to memory of 3480	772	svchost.com	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
"C:\Users\Admin\AppData\Local\Temp\d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\3582-490\d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe'
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe'
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
328KB

MD5
114445130d5e083c42830d9adbf5d748

SHA1
48a62ec52b835918cc19a2df9c624a7a0d6b85e1

SHA256
a5f47d59b8d08fc85ee411ec2e1015fedda08fd4a6cae2bf7b3bb1a7db2ccb5e

SHA512
45eb73fd4e12ed70c386c733b2bc04296fb1a16be04b4cd45260c70d0e4b6cf3a87dc223ce2319d94b79c513ba19d0816bae428c466076c1de906429aaa78748

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
Filesize
5.7MB

MD5
3e4c1ecf89d19b8484e386008bb37a25

SHA1
a9a92b63645928e8a92dc395713d3c5b921026b7

SHA256
1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22

SHA512
473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
Filesize
175KB

MD5
3da833f022988fbc093129595cc8591c

SHA1
fdde5a7fb7a60169d2967ff88c6aba8273f12e36

SHA256
1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66

SHA512
1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Filesize
9.4MB

MD5
124147ede15f97b47224628152110ce2

SHA1
4530fee9b1199777693073414b82420a7c88a042

SHA256
3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd

SHA512
f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
4ab023aa6def7b300dec4fc7ef55dbe7

SHA1
aa30491eb799fa5bdf79691f8fe5e087467463f1

SHA256
8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673

SHA512
000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
Filesize
386KB

MD5
2e989da204d9c4c3e375a32edf4d16e7

SHA1
e8a0bf8b4ae4f26e2af5c1748de6055ba4308129

SHA256
cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec

SHA512
3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
Filesize
147KB

MD5
dc6f9d4b474492fd2c6bb0d6219b9877

SHA1
85f5550b7e51ecbf361aaba35b26d62ed4a3f907

SHA256
686bec325444e43232fb20e96365bb1f1eb7c47a4e4ce246fc900d3a9784d436

SHA512
1e9c2dfeada91e69ee91cd398145e4044bd5788a628b89441c8c6ff4067ba0a399124197fd31dad26ccb76a4d866ad99918ba8e1549983be967d31b933ad9780

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
454KB

MD5
961c73fd70b543a6a3c816649e5f8fce

SHA1
8dbdc7daeb83110638d192f65f6d014169e0a79b

SHA256
f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103

SHA512
e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
Filesize
1.2MB

MD5
e115eb174536d5fbcf5164232c89c25d

SHA1
5879354de61734962d39d13316d1fe028389cc16

SHA256
57329b38314923c17e9dd9e153e894708389dd597fcb1438d5291c7627238653

SHA512
69696a2e842e0557a57ec4d12c31d5afde0cdfb80d6028ad8d9b0b59d558ad6eaf043c9da0d31c43b16b4f12894dcea69db9366772c49c758773e6c35a9fb0c5

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Filesize
558KB

MD5
8fd90c66d00e8ebd57228ceabe7988c0

SHA1
8fce22981b6594cc389fe489c762f7aa2e8321e1

SHA256
b729a1d144500514f8d4a2e6ba9839f1f60b27476ba2a5cbe7d60fd020c5bc47

SHA512
985cfc92636a84cc986dc0b17beba5ccf66d1553ccf24ecb150e2feea8c59f8ecc6f670219032b323692f1061e5e6f824577c7111667f12450c1969fceaa19ea

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
5b3ca6016c929f137ff0c9dd2f8b8e8c

SHA1
d948cc3594aa54aefd44530e065cc5b6e16ca5cf

SHA256
a2861567f8f4f350e330224b15808af1a6041a00aedeada49b574537c9fb4fc5

SHA512
8bcee0c7f4ff1bb3a7c3aaa4e68ce8cd837f83ec0ec327fe4f8388fae2fdec040bf3c7b6d112abfa8480b6928d2a331b4f155178916a4e4a2b9b6951e30f8774

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
47ae0ae49744b65067e103b7f8d9e417

SHA1
66c02f3f4c7f8e47a14c0e7f8d69e87f1ff731ba

SHA256
c82bd563837140b24f2178304b0d19535ade3a73a5f5f637f88ad0d8f0ce94b3

SHA512
7c2f32fd07d756879f19d1b96937882f06a99a4037ad594245bd307973a1729ffd095734fb0a419475038f10d8b1520f5da86371f6c7faf279e9f246a6a4fd13

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
121KB

MD5
6b27dd3f7c6898e7d1bcff73d6e29858

SHA1
55102c244643d43aeaf625145c6475e78dfbe9de

SHA256
53e47df12f0ce2005f4a2a773d194c9431b325b64c205dfa4cfba45c973b65f3

SHA512
52b7a596b07935f15f008c2de38c5dfd85df18b49e5083e363b90fb321d4f1bf588627dcbe94fa6434c460243b254c5ca1dbcf2c956e49baa92e13e104500f2f

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
Filesize
325KB

MD5
6bfee9994e60258fc9c42f6599bbc110

SHA1
c1c326f6834be1b1fb9dffb75688f3c9284ad1c0

SHA256
4e79e28d0a362fa3b0b057847ae30c224afbb6cae23077cf127c23785b9a189c

SHA512
d720f889654a2e19b578d0fde957e2d34ad46bbf2093c0fc15fc4876dca8ce40a150369b33ad9f1f0398bfaacd57e563d7bea686416e00c04bba5b12b3776674

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize
325KB

MD5
75ece15186fc9f27fefd1cee4366972b

SHA1
1f802d238abc99fe2fc339321fdcfd13dc61b254

SHA256
3f1b5509c9867b8e66af694a2be75cd865e347bd14f10bdd6444e72d1a965c7b

SHA512
e7db6591207d060dc9039df8e3e03957094bd309316dd5ffa501be32ff989b19cebd5b16b4f1255212ce7ec592f913709097c9348e8812562819bdc1a88111a7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
067bcef4af8743e2d02a814f9dbffb17

SHA1
778704a150e6909a22c2968a7e7b89bff7d8db28

SHA256
9792b6949b5ec59be72d3c9e5793f80f079b2276b0c195e8c9cd80b092026f7c

SHA512
645c62ef1d8851256e06c6a85d342022425c945ac286cb32eb358ccbca6eb9f81cac26ec1863db370594e4a31171a0e79a101d26ce78eb4f5c5d595dde678845

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
Filesize
155KB

MD5
6e2056a06a20c59fa9bfdef3490accf0

SHA1
4f84138c0c61e1c37e7c0b316c77b48a6401c3e1

SHA256
3ec70e2e58fc40e7031e37af2ea1f0ed1202d9608b91b29d5cef568a8900d387

SHA512
191a9a19d2eee3af36571177109a394a5f0582fc5c763c38b4490253c7f58329bb391981bf1702dda672e5a6b908585ddb92cf4ece71c082311b1e096430bd3d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
94a6f89a6391389a41d4ab2f660ccbad

SHA1
61a95366a8fee5c11120f25d5d2f5202f4a550da

SHA256
da4ac3ca15fae5fa60717bf9a20e113d4108c7be883be4fe39d9e1fa91059325

SHA512
cf27c8767ebedb492a4f3eff73ac2884cde945eadc1c75ea20df5e981770423b0b5a7b76083c8d0499469d33f83d61c2c5608ff0b618d1fd420cf9e3163ad39d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
Filesize
155KB

MD5
156aa268fa5236c9f16110863dc383d1

SHA1
4d1a29a4a5b74716cb9a4a0c945aee511ef3cbf5

SHA256
0537d77d6e447a2ec34321c61828e9f3690a9b846995b6da5de6729692f7a31f

SHA512
2c7f5d2465f483a0cdfc01bc3962c6a31f46b04c91f3db6164e3a24504c76dba035fbbd0a6b0c959af505872395c77f9db614df2cf898850a3663ec97b2e06ad

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
Filesize
265KB

MD5
f38304be865a9f773dcac807b42684a4

SHA1
5dfb3d4424b20bec9a93cac785c4d6b65ec847d9

SHA256
0cd50ff5ddf00cdcf95370e5f169038293b1f4783380f88d2ce12e14eb73eafd

SHA512
ec81d5b8859937281e0018ba9ee9874e1de59f1f413440b5a3115662154c71546433efacf7e51d71c2893f81ebb41cd2268134849b07625e9861ba1d370ed3a0

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
Filesize
342KB

MD5
0cde1fa887c8ea745774ce63ba6be5b8

SHA1
299de942f1b3318eece2fa1c3c094ff75c5ee034

SHA256
725df16261e3b528efb8b4d96313d1e98fabe575843bab72eb54eed6fa453079

SHA512
c4baaa6767c0ac6a8271634bcec7e19714dbf21bad2abce23e86165189809efbbd25cf9360c581ed8cc7765c154d0248bde36fbda1bd6b49bb4a6eb6e018d98f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
e9228ebf8b765c170034519a798bc2a3

SHA1
a28837f4aca4e86450ed38557f5f9dd4bec7eee0

SHA256
6a7e5d2f0c486637a27014308bb90944b571b3b1b09d70d37cfbfbc56ff575c9

SHA512
3139cf9ff431a5091512919718da45e86517c63511d90f1643897369d95af0bddaadb00a51bc3da82ebab6c76616d3ee9d3ee7f9f29e98802bf0b28737102423

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
207KB

MD5
137088e3f14337e7dd22e79ad53bf6bd

SHA1
fa12820a19d300a11e839457c4db2c4f9b19a93b

SHA256
d10e2f064a6beac6affab5cb5e7105961f5671f73dc22e2ab4a0a23dd91e0e21

SHA512
52056afdc54c16f8db18ea10769d44a98df8a2974edf9d0abf6e7677dd4b5505183d5d472142ec8998ce69da3471df940f424383a572d23ccfee11105dd33646

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE
Filesize
139KB

MD5
d870e8d0f543c4443f6d0030c21534c9

SHA1
567aafcc65a8e573ec1bb569de001340162c90a4

SHA256
79303b97cb84d63a92d5ee1480df9e797f6905ef2d1981bb3a4f0ab68ee84172

SHA512
7a4fa35dea6c4509f5da5ac76ce0f7f6420eec553e09dbe374afc7beda05fa5ed99a4d21ae4fa64cf2ce27c1d496e6fa2b7b063b351323bda752847b986ca327

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE
Filesize
139KB

MD5
e450cdcce865d737a30e4cab46101df6

SHA1
e8a1a9ce49b5f07d4deff36600056b44225fedad

SHA256
78f19e42f6e81890a14efa22ed4c7d4d49c6680741f0072228c6827166124e22

SHA512
aaf3e86172d8256ce0962e127ec2ed3da79bf7b869a76e4f9bdc5bc9867fb820e2a3e5b73b84bdc4e7118d32f9f57ffdda9c75b0f524e72c191fd2ccabe3c96c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE
Filesize
242KB

MD5
7c529d5c3fd4f9a4dba4365fd16c0c0b

SHA1
cb8813ffdf693b50e48a476b1e4361db08882131

SHA256
8aa5c3030e310e9fbfe38dbee646ea0d023f656df6fddde8fab8726d1ef5b2e9

SHA512
d23b2a3b60af573611659494caf3989f0b902eec601979e5e594b4c4f7f6b00764cc2a00d7dfc86a8f4a09657350cfca6192a8da23c445e9fbe4ed85520c4abc

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE
Filesize
298KB

MD5
c60eb8f7c3df316b12ae7e04189cc9be

SHA1
4250de4d4ea8b5d7c651f442ed589fcafdf3c78f

SHA256
c0e53970d4fc3ea6ca016cfc23a9693f5184053270c59a61240df71811775372

SHA512
a51259a047ca5dc01567235ffd61ef73c1de530a2645bbf45a083f0d8f2c18d081928be9f4074dbdeccbac58997779ec75cd5973c0c87b704f07522240ef97f1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE
Filesize
253KB

MD5
371fe80bdde71019c270f38d4c36639b

SHA1
e818b457524b2a95d294adacce0d543bdc7b80c6

SHA256
a06bd428a4f8e14c959e055483860519a21b5d61c7c3d0d3a363eade34a29951

SHA512
66322d6b282bc9838f11a5f0e3b9118fd0f4032265d54a5a2c39462cb515c757cadb7f9524d4b6f3ef46c070c5754cccfedb474208513beffef8909bbe3445ae

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE
Filesize
220KB

MD5
eee817016431278bd858e5c321767f7b

SHA1
6dd600c4fb9d3e24d1cebc6956ce8102f9d58e74

SHA256
a7eb193768af5d871ce180824e956dc327ba61b0b6db57f2bf3e615c910720ba

SHA512
480f8868b1c18640206892cd6b56b89db812d55cbaeab956f592f1918ab8cc944aead1ccc7c153dda94580415be90b0f463fe803a97eeb4fc3760e99d7e57c15

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE
Filesize
1.6MB

MD5
d7849bec6f678677aac607fe0957e9f6

SHA1
609608db7274d689b0de22a2b9a2cf18e672d425

SHA256
46f3f3592fe48e9e5f57c3c46d803a9f1d53e263c866942a1bfd9bdb730937d7

SHA512
655bd22ce061d27e32e583ec3a4b12402cd45af7b8e0ef44f621f0f4ece3c40142eb867b83d4c538947a5c7a7405e2638299615971ae9c62643db756cf739767

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
Filesize
1.6MB

MD5
ae390fa093b459a84c27b6c266888a7e

SHA1
ad88709a7f286fc7d65559e9aee3812be6baf4b2

SHA256
738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd

SHA512
096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
Filesize
1.1MB

MD5
24eeb998cb16869438b95642d49ac3dd

SHA1
b45aa87f45250aa3482c29b24fa4aa3d57ae4c71

SHA256
a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0

SHA512
2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
Filesize
3.6MB

MD5
69e1e0de795a8bf8c4884cb98203b1f4

SHA1
a17f2ba68776596e2d1593781289c7007a805675

SHA256
2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb

SHA512
353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
Filesize
1.6MB

MD5
af9aba6ab24cba804abba88d1626b2b9

SHA1
6a387c9ec2c06178476f8439a5a3d9149c480a9a

SHA256
e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90

SHA512
9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
Filesize
2.8MB

MD5
032ee4d65b62d87cf809438556d30429

SHA1
34458fcefe3c67f19c3d2c94389fc99e54e74801

SHA256
0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b

SHA512
6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Filesize
106KB

MD5
76fcf5160f19a49da44978548cf3fa1e

SHA1
aa2c21f652e98b834fe6e2d43657df89379b0b4d

SHA256
9a64b5728eef4de86778fbca03c84a64923ec9b901ca8b16277fc691f3567666

SHA512
e0707f660cf989a4b8b07e4017d6272b9cf83585a9f9f1ee9b381f7261972b98d9203f8dab04ddc9d9eb357dd4887ecd8abd86ed7f8abde97d24b4186205dd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Filesize
851KB

MD5
0298a5df4bd22b716b51e1eec63fddab

SHA1
3d2b46097abf97b220af7f22eeb6fa3d5d2fb8cb

SHA256
8f678796641d5e6293f902303f67f17914b359f863c3fbdccb13d865e8361857

SHA512
a1352e33bd27deb8898e634cf6f94ebdcba8bb481fb3364dbd568c0a9c604916b7ba482aae4afac5d777504437443f70260b66e73525d3a59aaecb8c16b9bf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suyiqxmr.y02.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
67b9bccec6f43c62ca8629a55f6d1fa8

SHA1
1bc4f8f4b4eada84f92c9e23caf8dff5d8aecbe8

SHA256
9598808eba13997d4ab2a1f99d701767e041007b508292956ca9ccb59205cfd0

SHA512
149d73ee6a5bb3f2bb4ce1d8923b2c02ffe94323d5ee24824e5c0ac692dc4ff6d598721b8bf1f14ed8183cb269bc24b81add74669fb55abb29bd9d340636ac91

Download Submit
C:\Windows\directx.sys
Filesize
59B

MD5
9e06cbaea528ed37c8d88cb88a27a9ff

SHA1
8c6863473edbbe39d692ede22a57d09076bd40e1

SHA256
fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36

SHA512
b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
0a69c2eb3bf7fdc922d6cee63b45ff71

SHA1
557dc36d04443945e1bf5c68d81ad1435f2ea74a

SHA256
da47f0a133b32c0dc0c0b9a42ec4af3ff6db7c4f94ee7690e03b6ec6f69ce2da

SHA512
a68249aa5c582ff5f69488f6fb9b15a28623b6596340c5d14c50b7a145e5b705855e6781058f27df302ba0f9bffc240c8cfc544ada901e52591025955c9bd92e

Download Submit
memory/744-391-0x0000000002520000-0x0000000002536000-memory.dmp

Filesize
88KB

Download
memory/744-290-0x00007FFF7D640000-0x00007FFF7E101000-memory.dmp

Filesize
10.8MB

Download
memory/744-409-0x00007FFF7D640000-0x00007FFF7E101000-memory.dmp

Filesize
10.8MB

Download
memory/744-84-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/744-83-0x00007FFF7D643000-0x00007FFF7D645000-memory.dmp

Filesize
8KB

Download
memory/744-389-0x000000001B780000-0x000000001B882000-memory.dmp

Filesize
1.0MB

Download
memory/772-435-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-520-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2204-541-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2204-392-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2792-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-13-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2980-142-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3064-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-510-0x0000000007170000-0x0000000007184000-memory.dmp

Filesize
80KB

Download
memory/3480-509-0x0000000007140000-0x0000000007151000-memory.dmp

Filesize
68KB

Download
memory/3480-489-0x000000006F1A0000-0x000000006F1EC000-memory.dmp

Filesize
304KB

Download
memory/3724-370-0x00000000065D0000-0x000000000661C000-memory.dmp

Filesize
304KB

Download
memory/3724-383-0x00000000071F0000-0x0000000007293000-memory.dmp

Filesize
652KB

Download
memory/3724-371-0x0000000006560000-0x0000000006592000-memory.dmp

Filesize
200KB

Download
memory/3724-393-0x0000000007550000-0x000000000755E000-memory.dmp

Filesize
56KB

Download
memory/3724-394-0x0000000007560000-0x0000000007574000-memory.dmp

Filesize
80KB

Download
memory/3724-395-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/3724-396-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/3724-369-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/3724-382-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/3724-315-0x00000000052F0000-0x0000000005918000-memory.dmp

Filesize
6.2MB

Download
memory/3724-390-0x0000000007520000-0x0000000007531000-memory.dmp

Filesize
68KB

Download
memory/3724-346-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3724-384-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/3724-324-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/3724-387-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/3724-385-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/3724-323-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/3724-322-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/3724-386-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/3724-314-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/3724-372-0x000000006F1D0000-0x000000006F21C000-memory.dmp

Filesize
304KB

Download
memory/3988-473-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/3988-449-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-478-0x000000006F1A0000-0x000000006F1EC000-memory.dmp

Filesize
304KB

Download
memory/3988-488-0x00000000074B0000-0x0000000007553000-memory.dmp

Filesize
652KB

Download
memory/4228-429-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4440-499-0x000000006F1A0000-0x000000006F1EC000-memory.dmp

Filesize
304KB

Download
memory/4964-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download