azorult | 8c9e2676a1a4fb3c147b277ed5366e0697361f734fe63c668ab3625bc35a870c

Analysis

max time kernel
99s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BookletCreator.v1.4.keygen.by.orion.exe
Size

16.4MB
MD5

6142633864870e6797ad77499f596f5d
SHA1

87b9b85c6871449a92dfc0882c8d1ecec48c579a
SHA256

8c9e2676a1a4fb3c147b277ed5366e0697361f734fe63c668ab3625bc35a870c
SHA512

610cb8306d76260968bcb24e6bbd4dc557b0f2921d2ae07722d47a2e0f3a6887cfd99aa59caccf409fd3ba8261831046f36c10661b50ea502c0d1ec1db49fbfd
SSDEEP

393216:nDYcRsuBbPVVk8cJcDQ/9AveVU/75hYzynSD/JvxQMngO:n0cRsu7m8+PluZ/VCWg3QUh

Score

10^/10

azorult nymaim pony raccoon redline socelars vidar 681eba47078319b9f76eff3159c0ff86 915 vinmat collection discovery evasion infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

pony

http://www.oldhorse.info

Extracted

Family

redline

Botnet

Vinmat

15.235.171.56:30730

Attributes

auth_value
699eda832e48220d3d26a9458dee1daa

Extracted

Family

socelars

https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/

Extracted

Family

raccoon

Botnet

681eba47078319b9f76eff3159c0ff86

http://94.131.97.33/

http://45.67.229.149/

rc4.plain

Extracted

Family

vidar

Version

54.6

Botnet

915

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
915

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1316 3836 rundll32.exe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	3836	rundll32.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-221-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Executes dropped EXE 19 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-6.exekeygen-step-4.exekey.exeLicense Keys.exekey.exe46EC.tmp.exeLicense Keys.exeOriginal Build.exeOriginal Build.exemp3studios_91.exeSetup.exe7d8sUAKp.exeS4wHNT5w.exeNewfile2.exepopara.exepb1119.exe

pid	process
3464	keygen-pr.exe
3816	keygen-step-1.exe
4464	keygen-step-5.exe
476	keygen-step-6.exe
1416	keygen-step-4.exe
1776	key.exe
4472	License Keys.exe
3508	key.exe
4448	46EC.tmp.exe
2168	License Keys.exe
3104	Original Build.exe
4752	Original Build.exe
1664	mp3studios_91.exe
4900	Setup.exe
5536	7d8sUAKp.exe
5824	S4wHNT5w.exe
5844	Newfile2.exe
2664	popara.exe
5524	pb1119.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5824-278-0x0000000000140000-0x00000000013E5000-memory.dmp	upx
behavioral2/memory/5824-309-0x0000000000140000-0x00000000013E5000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BookletCreator.v1.4.keygen.by.orion.exekeygen-pr.exekeygen-step-4.exekeygen-step-6.exeLicense Keys.exeSetup.exeNewfile2.exekeygen-step-5.exekeygen-step-1.exeOriginal Build.exe46EC.tmp.exepopara.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	BookletCreator.v1.4.keygen.by.orion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-pr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	License Keys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Newfile2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Original Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	46EC.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	popara.exe

Loads dropped DLL 14 IoCs

Processes:

keygen-step-1.exerundll32.exerundll32.exerundll32.exeSetup.exeNewfile2.exe

pid	process
3816	keygen-step-1.exe
3816	keygen-step-1.exe
3816	keygen-step-1.exe
3816	keygen-step-1.exe
2712	rundll32.exe
2712	rundll32.exe
5028	rundll32.exe
5012	rundll32.exe
5012	rundll32.exe
4900	Setup.exe
4900	Setup.exe
4900	Setup.exe
5844	Newfile2.exe
5844	Newfile2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	key.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

keygen-step-1.exekey.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	keygen-step-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	keygen-step-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	keygen-step-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe7d8sUAKp.exe

pid process

4900 Setup.exe
5536 7d8sUAKp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

pid	process
4900	Setup.exe
5536	7d8sUAKp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

key.exeOriginal Build.exe

description	pid	process	target process
PID 1776 set thread context of 3508	1776	key.exe	key.exe
PID 3104 set thread context of 4752	3104	Original Build.exe	Original Build.exe

Drops file in Program Files directory 10 IoCs

Processes:

mp3studios_91.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4488	5028	WerFault.exe	rundll32.exe
5784	5536	WerFault.exe	7d8sUAKp.exe
6104	5844	WerFault.exe	Newfile2.exe
3116	2664	WerFault.exe	popara.exe
4800	2664	WerFault.exe	popara.exe
4116	2664	WerFault.exe	popara.exe
5296	2664	WerFault.exe	popara.exe
5044	2664	WerFault.exe	popara.exe
5368	2664	WerFault.exe	popara.exe
440	2664	WerFault.exe	popara.exe
5460	2664	WerFault.exe	popara.exe
5580	2664	WerFault.exe	popara.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keygen-step-1.exeNewfile2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	keygen-step-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	keygen-step-1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Newfile2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Newfile2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5572 schtasks.exe
5692 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4616 timeout.exe
1924 timeout.exe
5144 timeout.exe

pid	process
5572	schtasks.exe
5692	schtasks.exe

pid	process
4616	timeout.exe
1924	timeout.exe
5144	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

636 taskkill.exe
6124 taskkill.exe
5628 taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 37 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
636	taskkill.exe
6124	taskkill.exe
5628	taskkill.exe

description	flow	ioc
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

keygen-step-6.exekeygen-step-1.exepowershell.exekey.exechrome.exechrome.exeSetup.exeOriginal Build.exechrome.exechrome.exeNewfile2.exe

pid	process
476	keygen-step-6.exe
476	keygen-step-6.exe
3816	keygen-step-1.exe
3816	keygen-step-1.exe
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
1776	key.exe
1776	key.exe
4884	chrome.exe
4884	chrome.exe
4876	chrome.exe
4876	chrome.exe
4900	Setup.exe
4900	Setup.exe
4752	Original Build.exe
4752	Original Build.exe
4752	Original Build.exe
5268	chrome.exe
5268	chrome.exe
5392	chrome.exe
5392	chrome.exe
5844	Newfile2.exe
5844	Newfile2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4876 chrome.exe
4876 chrome.exe
4876 chrome.exe
4876 chrome.exe
4876 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

46EC.tmp.exepowershell.exekey.exeOriginal Build.exemp3studios_91.exe

description	pid	process
Token: SeDebugPrivilege	4448	46EC.tmp.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeImpersonatePrivilege	1776	key.exe
Token: SeTcbPrivilege	1776	key.exe
Token: SeChangeNotifyPrivilege	1776	key.exe
Token: SeCreateTokenPrivilege	1776	key.exe
Token: SeBackupPrivilege	1776	key.exe
Token: SeRestorePrivilege	1776	key.exe
Token: SeIncreaseQuotaPrivilege	1776	key.exe
Token: SeAssignPrimaryTokenPrivilege	1776	key.exe
Token: SeImpersonatePrivilege	1776	key.exe
Token: SeTcbPrivilege	1776	key.exe
Token: SeChangeNotifyPrivilege	1776	key.exe
Token: SeCreateTokenPrivilege	1776	key.exe
Token: SeBackupPrivilege	1776	key.exe
Token: SeRestorePrivilege	1776	key.exe
Token: SeIncreaseQuotaPrivilege	1776	key.exe
Token: SeAssignPrimaryTokenPrivilege	1776	key.exe
Token: SeImpersonatePrivilege	1776	key.exe
Token: SeTcbPrivilege	1776	key.exe
Token: SeChangeNotifyPrivilege	1776	key.exe
Token: SeCreateTokenPrivilege	1776	key.exe
Token: SeBackupPrivilege	1776	key.exe
Token: SeRestorePrivilege	1776	key.exe
Token: SeIncreaseQuotaPrivilege	1776	key.exe
Token: SeAssignPrimaryTokenPrivilege	1776	key.exe
Token: SeImpersonatePrivilege	1776	key.exe
Token: SeTcbPrivilege	1776	key.exe
Token: SeChangeNotifyPrivilege	1776	key.exe
Token: SeCreateTokenPrivilege	1776	key.exe
Token: SeBackupPrivilege	1776	key.exe
Token: SeRestorePrivilege	1776	key.exe
Token: SeIncreaseQuotaPrivilege	1776	key.exe
Token: SeAssignPrimaryTokenPrivilege	1776	key.exe
Token: SeImpersonatePrivilege	1776	key.exe
Token: SeTcbPrivilege	1776	key.exe
Token: SeChangeNotifyPrivilege	1776	key.exe
Token: SeCreateTokenPrivilege	1776	key.exe
Token: SeBackupPrivilege	1776	key.exe
Token: SeRestorePrivilege	1776	key.exe
Token: SeIncreaseQuotaPrivilege	1776	key.exe
Token: SeAssignPrimaryTokenPrivilege	1776	key.exe
Token: SeImpersonatePrivilege	1776	key.exe
Token: SeTcbPrivilege	1776	key.exe
Token: SeChangeNotifyPrivilege	1776	key.exe
Token: SeCreateTokenPrivilege	1776	key.exe
Token: SeBackupPrivilege	1776	key.exe
Token: SeRestorePrivilege	1776	key.exe
Token: SeIncreaseQuotaPrivilege	1776	key.exe
Token: SeAssignPrimaryTokenPrivilege	1776	key.exe
Token: SeDebugPrivilege	3104	Original Build.exe
Token: SeCreateTokenPrivilege	1664	mp3studios_91.exe
Token: SeAssignPrimaryTokenPrivilege	1664	mp3studios_91.exe
Token: SeLockMemoryPrivilege	1664	mp3studios_91.exe
Token: SeIncreaseQuotaPrivilege	1664	mp3studios_91.exe
Token: SeMachineAccountPrivilege	1664	mp3studios_91.exe
Token: SeTcbPrivilege	1664	mp3studios_91.exe
Token: SeSecurityPrivilege	1664	mp3studios_91.exe
Token: SeTakeOwnershipPrivilege	1664	mp3studios_91.exe
Token: SeLoadDriverPrivilege	1664	mp3studios_91.exe
Token: SeSystemProfilePrivilege	1664	mp3studios_91.exe
Token: SeSystemtimePrivilege	1664	mp3studios_91.exe
Token: SeProfSingleProcessPrivilege	1664	mp3studios_91.exe
Token: SeIncBasePriorityPrivilege	1664	mp3studios_91.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7d8sUAKp.exe

pid process

5536 7d8sUAKp.exe

pid	process
5536	7d8sUAKp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BookletCreator.v1.4.keygen.by.orion.execmd.exekeygen-step-5.exekeygen-pr.execontrol.exekeygen-step-4.exekey.exekeygen-step-6.exekeygen-step-1.exeLicense Keys.execmd.exerundll32.exeOriginal Build.exe

description	pid	process	target process
PID 1916 wrote to memory of 1944	1916	BookletCreator.v1.4.keygen.by.orion.exe	cmd.exe
PID 1916 wrote to memory of 1944	1916	BookletCreator.v1.4.keygen.by.orion.exe	cmd.exe
PID 1916 wrote to memory of 1944	1916	BookletCreator.v1.4.keygen.by.orion.exe	cmd.exe
PID 1944 wrote to memory of 3464	1944	cmd.exe	keygen-pr.exe
PID 1944 wrote to memory of 3464	1944	cmd.exe	keygen-pr.exe
PID 1944 wrote to memory of 3464	1944	cmd.exe	keygen-pr.exe
PID 1944 wrote to memory of 3816	1944	cmd.exe	keygen-step-1.exe
PID 1944 wrote to memory of 3816	1944	cmd.exe	keygen-step-1.exe
PID 1944 wrote to memory of 3816	1944	cmd.exe	keygen-step-1.exe
PID 1944 wrote to memory of 4464	1944	cmd.exe	keygen-step-5.exe
PID 1944 wrote to memory of 4464	1944	cmd.exe	keygen-step-5.exe
PID 1944 wrote to memory of 4464	1944	cmd.exe	keygen-step-5.exe
PID 1944 wrote to memory of 476	1944	cmd.exe	keygen-step-6.exe
PID 1944 wrote to memory of 476	1944	cmd.exe	keygen-step-6.exe
PID 1944 wrote to memory of 476	1944	cmd.exe	keygen-step-6.exe
PID 1944 wrote to memory of 1416	1944	cmd.exe	keygen-step-4.exe
PID 1944 wrote to memory of 1416	1944	cmd.exe	keygen-step-4.exe
PID 1944 wrote to memory of 1416	1944	cmd.exe	keygen-step-4.exe
PID 4464 wrote to memory of 4424	4464	keygen-step-5.exe	control.exe
PID 4464 wrote to memory of 4424	4464	keygen-step-5.exe	control.exe
PID 4464 wrote to memory of 4424	4464	keygen-step-5.exe	control.exe
PID 3464 wrote to memory of 1776	3464	keygen-pr.exe	key.exe
PID 3464 wrote to memory of 1776	3464	keygen-pr.exe	key.exe
PID 3464 wrote to memory of 1776	3464	keygen-pr.exe	key.exe
PID 4424 wrote to memory of 2712	4424	control.exe	rundll32.exe
PID 4424 wrote to memory of 2712	4424	control.exe	rundll32.exe
PID 4424 wrote to memory of 2712	4424	control.exe	rundll32.exe
PID 1416 wrote to memory of 4472	1416	keygen-step-4.exe	License Keys.exe
PID 1416 wrote to memory of 4472	1416	keygen-step-4.exe	License Keys.exe
PID 1416 wrote to memory of 4472	1416	keygen-step-4.exe	License Keys.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 1776 wrote to memory of 3508	1776	key.exe	key.exe
PID 476 wrote to memory of 4448	476	keygen-step-6.exe	46EC.tmp.exe
PID 476 wrote to memory of 4448	476	keygen-step-6.exe	46EC.tmp.exe
PID 476 wrote to memory of 4448	476	keygen-step-6.exe	46EC.tmp.exe
PID 3816 wrote to memory of 3908	3816	keygen-step-1.exe	cmd.exe
PID 3816 wrote to memory of 3908	3816	keygen-step-1.exe	cmd.exe
PID 3816 wrote to memory of 3908	3816	keygen-step-1.exe	cmd.exe
PID 4472 wrote to memory of 2168	4472	License Keys.exe	License Keys.exe
PID 4472 wrote to memory of 2168	4472	License Keys.exe	License Keys.exe
PID 4472 wrote to memory of 2168	4472	License Keys.exe	License Keys.exe
PID 1416 wrote to memory of 3104	1416	keygen-step-4.exe	Original Build.exe
PID 1416 wrote to memory of 3104	1416	keygen-step-4.exe	Original Build.exe
PID 1416 wrote to memory of 3104	1416	keygen-step-4.exe	Original Build.exe
PID 3908 wrote to memory of 4616	3908	cmd.exe	timeout.exe
PID 3908 wrote to memory of 4616	3908	cmd.exe	timeout.exe
PID 3908 wrote to memory of 4616	3908	cmd.exe	timeout.exe
PID 1316 wrote to memory of 5028	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 5028	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 5028	1316	rundll32.exe	rundll32.exe
PID 3104 wrote to memory of 5016	3104	Original Build.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

keygen-step-1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	keygen-step-1.exe

outlook_win_path 1 IoCs

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

C:\Users\Admin\AppData\Local\Temp\BookletCreator.v1.4.keygen.by.orion.exe
"C:\Users\Admin\AppData\Local\Temp\BookletCreator.v1.4.keygen.by.orion.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1776

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
5⤵
- Delays execution with timeout.exe
PID:4616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\PBP0JqU.9Z
4⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PBP0JqU.9Z
5⤵
- Loads dropped DLL
PID:2712

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PBP0JqU.9Z
6⤵
PID:2664

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PBP0JqU.9Z
7⤵
- Loads dropped DLL
PID:5012

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
keygen-step-6.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:476

C:\Users\Admin\AppData\Roaming\46EC.tmp.exe
"C:\Users\Admin\AppData\Roaming\46EC.tmp.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 2 && del "C:\Users\Admin\AppData\Roaming\46EC.tmp.exe"
5⤵
PID:4268

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:1924

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe" -h
5⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4900

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa52f64f50,0x7ffa52f64f60,0x7ffa52f64f70
6⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1708 /prefetch:2
6⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1756 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
6⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
6⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
6⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1684 /prefetch:1
6⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
6⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
6⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
6⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
6⤵
PID:5124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:8
6⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:8
6⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
6⤵
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
6⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1700,12086474493690030641,14908688921809745419,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
6⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Users\Admin\AppData\Roaming\7d8sUAKp.exe
"C:\Users\Admin\AppData\Roaming\7d8sUAKp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
6⤵
- Creates scheduled task(s)
PID:5572

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
6⤵
PID:5636

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
6⤵
- Creates scheduled task(s)
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 716
6⤵
- Program crash
PID:5784

C:\Users\Admin\AppData\Roaming\S4wHNT5w.exe
"C:\Users\Admin\AppData\Roaming\S4wHNT5w.exe"
5⤵
- Executes dropped EXE
PID:5824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
6⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Newfile2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Newfile2.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @/c taskkill /im Newfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Newfile2.exe" & del C:\PrograData\*.dll & exit
5⤵
PID:6040

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Newfile2.exe /f
6⤵
- Kills process with taskkill
PID:6124

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1884
5⤵
- Program crash
PID:6104

C:\Users\Admin\AppData\Local\Temp\RarSFX2\popara.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\popara.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 456
5⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 772
5⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 760
5⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 800
5⤵
- Program crash
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 784
5⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 984
5⤵
- Program crash
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1004
5⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1360
5⤵
- Program crash
PID:5460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "popara.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX2\popara.exe" & exit
5⤵
PID:860

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "popara.exe" /f
6⤵
- Kills process with taskkill
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 492
5⤵
- Program crash
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Iw9B
4⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa540646f8,0x7ffa54064708,0x7ffa54064718
5⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe"
4⤵
- Executes dropped EXE
PID:5524

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 600
3⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028
1⤵
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5536 -ip 5536
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5844 -ip 5844
1⤵
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2664 -ip 2664
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2664 -ip 2664
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2664 -ip 2664
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2664 -ip 2664
1⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2664 -ip 2664
1⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2664 -ip 2664
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2664 -ip 2664
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2664 -ip 2664
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2664 -ip 2664
1⤵
PID:5492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
Filesize
20KB

MD5
95531a9082389fb64be311fbe711dba0

SHA1
dcccce21f730777a902e51cedcd1e107de64c1a0

SHA256
bf57ab046f270aa4b81f1c5456ca509c506c9bf67744b867704c5a70a92ba489

SHA512
e35bac03cb1ce695fcc24f0f29a9e6828fc0844fb2655a6ed028f635f5d9d402e38f887829cde4f237952f7f6edd92f45870cbecbe5826aac394515445d3528b

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
70e92adbc85df47ebd1fcb7e62c99940

SHA1
e2c25b31a7e7d08813fdb57b37bb84110a1dc41b

SHA256
ca4e4676159a8684d96e82464b72fdfc5fd21ca0d5682dd6bc781189f96fee42

SHA512
f289a5ce5f1e8d2c3fcc0cd49cabf565d264e0ba5ebe8dd8d0e7b8dd83ff06c3936c4535eeb999dc8bfd25f244ab0b18f42d9ce6dda23daed91914847362bb2c

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b067659845981d9a6ad922d70e77ff3a

SHA1
81315a2eb2d7a58f14bf6877eaa636d7171bb393

SHA256
93a2bc2294ca863df94d35a62ab28c3d2725c72e38324da126d73c0abe6bb749

SHA512
e339832f8347d12bd863de8b7c0ecb9e172613fb443ceb46098d2269826d57e58190b61aaa6113503bacbfb7c9fd117b97e7f1918674238c4732426b226cac5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
181KB

MD5
98ebfafef1db31beed3a90a95c484398

SHA1
ef8668b1507cc8eaf71244400d2bff271db6946c

SHA256
4135e68f335c6419dd876d3ef11c8ad3d131d9c93af2914aac5ef20fe38a4c1d

SHA512
f1123b25c1fb21230ac8e7411185b4393fe0c9af1c5dc9aa77767b3d27055908b38774dbe00a433be7782c13c013c1af15c315b40bda66b3da4614e2fd273dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Original Build.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\57AD0CBD\mozglue.dll
Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\57AD0CBD\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\57AD0CBD\nss3.dll
Filesize
1.2MB

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
C:\Users\Admin\AppData\Local\Temp\57AD0CBD\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
Filesize
112KB

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
Filesize
112KB

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
Filesize
12.7MB

MD5
4d60874cca2a655f1a33419bfe216dc4

SHA1
a9ff587d4a490040965bc8dff687586c95021ca4

SHA256
aabd51e5b60ec9e73695700361872fbb2cfb1337b358df54784a10a89cf54a8a

SHA512
0af118ae919eea2894bf2c760f5f722a258fa7944e5719026a5b39405303208bc040d5690efa782de0dd0306cefcd79f04bd6b5572af1269949e635ebba0195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
Filesize
12.7MB

MD5
4d60874cca2a655f1a33419bfe216dc4

SHA1
a9ff587d4a490040965bc8dff687586c95021ca4

SHA256
aabd51e5b60ec9e73695700361872fbb2cfb1337b358df54784a10a89cf54a8a

SHA512
0af118ae919eea2894bf2c760f5f722a258fa7944e5719026a5b39405303208bc040d5690efa782de0dd0306cefcd79f04bd6b5572af1269949e635ebba0195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
Filesize
2.0MB

MD5
9bbe6ce3a25922ab74e126b56596b4fb

SHA1
8dd4b0d3e05bfcde1d1a47ec8a9d42f785094631

SHA256
a78c4a5d1371eba669e95facbccfb70a0e6da88154cf02324c1767f53752d063

SHA512
fae2e5a43504d385eb9b846ed62db040635133c7caeb8edc4263325075a269a9d0fb081c38839da9f1ad0a0d95634ce52d970d94b32a68e67cd95e73ef9fc6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
Filesize
2.0MB

MD5
9bbe6ce3a25922ab74e126b56596b4fb

SHA1
8dd4b0d3e05bfcde1d1a47ec8a9d42f785094631

SHA256
a78c4a5d1371eba669e95facbccfb70a0e6da88154cf02324c1767f53752d063

SHA512
fae2e5a43504d385eb9b846ed62db040635133c7caeb8edc4263325075a269a9d0fb081c38839da9f1ad0a0d95634ce52d970d94b32a68e67cd95e73ef9fc6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
Filesize
80KB

MD5
0ccff32c225f062f028e7a0bc2707799

SHA1
aa410d93fa92488877c419110a54b3170bc04923

SHA256
b96f30418380b7ef39e66146a4eb3a68d114c0823e0511c9097be46c1effe62d

SHA512
6e91b74367e17f769b8671122fcfb8035f3b6c55c3328e4c791f8d67881cf71699ce85c427dfc25b7929d5fc76409f74c02eb554d286d54bf09e51ff8dc0ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
Filesize
80KB

MD5
0ccff32c225f062f028e7a0bc2707799

SHA1
aa410d93fa92488877c419110a54b3170bc04923

SHA256
b96f30418380b7ef39e66146a4eb3a68d114c0823e0511c9097be46c1effe62d

SHA512
6e91b74367e17f769b8671122fcfb8035f3b6c55c3328e4c791f8d67881cf71699ce85c427dfc25b7929d5fc76409f74c02eb554d286d54bf09e51ff8dc0ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
Filesize
149B

MD5
601bb2b0a5d8b03895d13b6461fab11d

SHA1
29e815e3252c5be49f9b57b1ec9c479b523000ce

SHA256
f9be5d8f88ddf4e50a05b23fce2d6af154e427b636fdd90ca0822654acdc851c

SHA512
95acdd98dc84ea03951b5827233d30b750226846d1883548911f31e182bc6def3ec397732a6b0730db24312aefe8f8892689c3666b3db3d8f20b127e76430e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat
Filesize
503B

MD5
a88b396be9e427b5f2bc08e523d80797

SHA1
34512b0d4f9741f72eefe9dfdf6b89d75797fa81

SHA256
331645fc1800ae2597b47bb397bbe00f5854c7589f5ad0563be45190416fffd0

SHA512
78398616d91d8c6f39633cd77b874c004ffb6ada437ee36af8ba383162a80fe28eea4ddb5dab737bb943a408d11018f44cd254a138b0d8e798f9724f48c0d35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
Filesize
3.8MB

MD5
33e89dd6df83a3c745b5a90acef2abd3

SHA1
eaa10a67188d3c7ce35e3de6436eeba13cd1bca9

SHA256
d97eb538f83f7b2477c197acf5bf01344fbe65034608bb8c9b29061f2c111985

SHA512
7fbf0705337adcf08207b20d80e905a64418eca8c1bb5e3be85e21491b79033e1924a4971a103e9a87d2d3636f1980c809a0edbf8692626aa37f0f6a24c3ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
Filesize
3.8MB

MD5
33e89dd6df83a3c745b5a90acef2abd3

SHA1
eaa10a67188d3c7ce35e3de6436eeba13cd1bca9

SHA256
d97eb538f83f7b2477c197acf5bf01344fbe65034608bb8c9b29061f2c111985

SHA512
7fbf0705337adcf08207b20d80e905a64418eca8c1bb5e3be85e21491b79033e1924a4971a103e9a87d2d3636f1980c809a0edbf8692626aa37f0f6a24c3ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
Filesize
3.8MB

MD5
33e89dd6df83a3c745b5a90acef2abd3

SHA1
eaa10a67188d3c7ce35e3de6436eeba13cd1bca9

SHA256
d97eb538f83f7b2477c197acf5bf01344fbe65034608bb8c9b29061f2c111985

SHA512
7fbf0705337adcf08207b20d80e905a64418eca8c1bb5e3be85e21491b79033e1924a4971a103e9a87d2d3636f1980c809a0edbf8692626aa37f0f6a24c3ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
Filesize
4.5MB

MD5
44fe2e4147976979d23f751b52a31490

SHA1
58fec1897a27c7fa4d401f2363ef4c2aebb47cc5

SHA256
34a4a22df4b0adc0662b7127e4a010d7cb416eaca7eff32aaf939ce914ca5846

SHA512
5902e7b84617525441bf28effda4b4c769bc81032b0ba2ce23a642b86f511e099cef4ca4f2bf65592c58e06289f86c05c2d356a226cc96197cda7c443354833c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
Filesize
4.5MB

MD5
44fe2e4147976979d23f751b52a31490

SHA1
58fec1897a27c7fa4d401f2363ef4c2aebb47cc5

SHA256
34a4a22df4b0adc0662b7127e4a010d7cb416eaca7eff32aaf939ce914ca5846

SHA512
5902e7b84617525441bf28effda4b4c769bc81032b0ba2ce23a642b86f511e099cef4ca4f2bf65592c58e06289f86c05c2d356a226cc96197cda7c443354833c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
Filesize
1.4MB

MD5
e1878272005721f797853d631a650ca7

SHA1
88a00367f162b7d4b06e7e9f338524f7eabf7b0c

SHA256
6bf88af8c896852e110034492e7e0799afd09f29eb92fa858d64e93c0856506a

SHA512
08c23e21c56b8103e5d56f286e841200ab85d808bc114bfa938e7d761e7053eef631946efa7d821480d35c0955bc477460bbde0b0b247304371e1ae89f30d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
Filesize
1.4MB

MD5
e1878272005721f797853d631a650ca7

SHA1
88a00367f162b7d4b06e7e9f338524f7eabf7b0c

SHA256
6bf88af8c896852e110034492e7e0799afd09f29eb92fa858d64e93c0856506a

SHA512
08c23e21c56b8103e5d56f286e841200ab85d808bc114bfa938e7d761e7053eef631946efa7d821480d35c0955bc477460bbde0b0b247304371e1ae89f30d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
48abebba7675785b5973b17b0765b88d

SHA1
780fe8bbdfa6de3bc6215bea213153e4a9b9874b

SHA256
18dfc5eb22ec12374b59d1fee26a8e67a89403e828891f2c6eff295160b12a6b

SHA512
b5b4e7ab4ea7a30039c566643b3a616f06cf055ac621aab081d4a6ef70b88ac64851e4c17b6206665e913227a4c09003c7fd8529dfdd8939fd501ae11d340a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
60KB

MD5
4d11bd6f3172584b3fda0e9efcaf0ddb

SHA1
0581c7f087f6538a1b6d4f05d928c1df24236944

SHA256
73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930

SHA512
6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
60KB

MD5
4d11bd6f3172584b3fda0e9efcaf0ddb

SHA1
0581c7f087f6538a1b6d4f05d928c1df24236944

SHA256
73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930

SHA512
6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

Download Submit
C:\Users\Admin\AppData\Roaming\46EC.tmp.exe
Filesize
223KB

MD5
ce79df6cf31e074162eed2c856db279b

SHA1
e3b0f86b587b31ee5403fc5a0260fda2e9f0748d

SHA256
dd6bd89becfe1b396e0e535482c9c0ed777ec0f6ef1dd417377e39eb7e33264d

SHA512
f1896f55a9f4bc5f044a601f895810bef78c12a63512b059f6924ada8ee4d78fef0ed8cb67ad470860aac0afce2606d3ab258ccccd432ca1743d08935cd78108

Download Submit
C:\Users\Admin\AppData\Roaming\46EC.tmp.exe
Filesize
223KB

MD5
ce79df6cf31e074162eed2c856db279b

SHA1
e3b0f86b587b31ee5403fc5a0260fda2e9f0748d

SHA256
dd6bd89becfe1b396e0e535482c9c0ed777ec0f6ef1dd417377e39eb7e33264d

SHA512
f1896f55a9f4bc5f044a601f895810bef78c12a63512b059f6924ada8ee4d78fef0ed8cb67ad470860aac0afce2606d3ab258ccccd432ca1743d08935cd78108

Download Submit
\??\pipe\crashpad_4876_JUDABZWSIVENJFAJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/476-142-0x0000000000000000-mapping.dmp

Download
memory/636-234-0x0000000000000000-mapping.dmp

Download
memory/860-310-0x0000000000000000-mapping.dmp

Download
memory/1416-146-0x0000000000000000-mapping.dmp

Download
memory/1664-224-0x0000000000000000-mapping.dmp

Download
memory/1776-166-0x0000000002A90000-0x0000000002C2C000-memory.dmp

Filesize
1.6MB

Download
memory/1776-154-0x0000000000000000-mapping.dmp

Download
memory/1776-206-0x00000000033F0000-0x00000000034DF000-memory.dmp

Filesize
956KB

Download
memory/1776-205-0x0000000002A90000-0x0000000002C2C000-memory.dmp

Filesize
1.6MB

Download
memory/1776-204-0x0000000000D70000-0x0000000000D8B000-memory.dmp

Filesize
108KB

Download
memory/1776-203-0x00000000033F0000-0x00000000034DF000-memory.dmp

Filesize
956KB

Download
memory/1924-208-0x0000000000000000-mapping.dmp

Download
memory/1944-132-0x0000000000000000-mapping.dmp

Download
memory/2168-177-0x0000000000000000-mapping.dmp

Download
memory/2664-312-0x00000000006CB000-0x00000000006F2000-memory.dmp

Filesize
156KB

Download
memory/2664-215-0x0000000000000000-mapping.dmp

Download
memory/2664-313-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2664-305-0x0000000000000000-mapping.dmp

Download
memory/2664-308-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2664-306-0x00000000006CB000-0x00000000006F2000-memory.dmp

Filesize
156KB

Download
memory/2664-307-0x0000000000650000-0x0000000000691000-memory.dmp

Filesize
260KB

Download
memory/2712-212-0x00000000031C0000-0x0000000003272000-memory.dmp

Filesize
712KB

Download
memory/2712-211-0x00000000030E0000-0x00000000031A8000-memory.dmp

Filesize
800KB

Download
memory/2712-158-0x0000000000000000-mapping.dmp

Download
memory/2712-209-0x0000000002CD0000-0x0000000002E50000-memory.dmp

Filesize
1.5MB

Download
memory/2712-210-0x0000000002F90000-0x00000000030CC000-memory.dmp

Filesize
1.2MB

Download
memory/2712-235-0x0000000002F90000-0x00000000030CC000-memory.dmp

Filesize
1.2MB

Download
memory/2712-164-0x0000000002830000-0x0000000002A26000-memory.dmp

Filesize
2.0MB

Download
memory/3104-180-0x0000000000000000-mapping.dmp

Download
memory/3104-193-0x00000000050C0000-0x00000000050E2000-memory.dmp

Filesize
136KB

Download
memory/3104-185-0x0000000000300000-0x00000000006DC000-memory.dmp

Filesize
3.9MB

Download
memory/3464-134-0x0000000000000000-mapping.dmp

Download
memory/3508-168-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3508-175-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3508-184-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3508-173-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3508-201-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3508-167-0x0000000000000000-mapping.dmp

Download
memory/3816-137-0x0000000000000000-mapping.dmp

Download
memory/3908-174-0x0000000000000000-mapping.dmp

Download
memory/4268-207-0x0000000000000000-mapping.dmp

Download
memory/4424-149-0x0000000000000000-mapping.dmp

Download
memory/4448-188-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4448-187-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/4448-181-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/4448-169-0x0000000000000000-mapping.dmp

Download
memory/4448-178-0x0000000004B90000-0x0000000004BE0000-memory.dmp

Filesize
320KB

Download
memory/4464-140-0x0000000000000000-mapping.dmp

Download
memory/4472-159-0x0000000000000000-mapping.dmp

Download
memory/4616-186-0x0000000000000000-mapping.dmp

Download
memory/4752-220-0x0000000000000000-mapping.dmp

Download
memory/4752-266-0x0000000009430000-0x00000000095F2000-memory.dmp

Filesize
1.8MB

Download
memory/4752-228-0x0000000005BD0000-0x0000000005CDA000-memory.dmp

Filesize
1.0MB

Download
memory/4752-221-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4752-229-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/4752-227-0x0000000006090000-0x00000000066A8000-memory.dmp

Filesize
6.1MB

Download
memory/4752-267-0x0000000009B30000-0x000000000A05C000-memory.dmp

Filesize
5.2MB

Download
memory/4752-256-0x00000000084F0000-0x0000000008566000-memory.dmp

Filesize
472KB

Download
memory/4752-230-0x0000000005B70000-0x0000000005BAC000-memory.dmp

Filesize
240KB

Download
memory/4900-276-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4900-233-0x0000000000000000-mapping.dmp

Download
memory/4900-252-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4900-253-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4900-254-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4900-255-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4900-268-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4900-246-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4900-236-0x0000000000000000-mapping.dmp

Download
memory/4900-265-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4900-245-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/5012-216-0x0000000000000000-mapping.dmp

Download
memory/5012-260-0x0000000003040000-0x00000000030F2000-memory.dmp

Filesize
712KB

Download
memory/5012-259-0x0000000002F70000-0x0000000003038000-memory.dmp

Filesize
800KB

Download
memory/5012-258-0x0000000002E30000-0x0000000002F6C000-memory.dmp

Filesize
1.2MB

Download
memory/5012-257-0x0000000002B70000-0x0000000002CF0000-memory.dmp

Filesize
1.5MB

Download
memory/5012-219-0x00000000027C0000-0x00000000029B6000-memory.dmp

Filesize
2.0MB

Download
memory/5016-194-0x0000000000000000-mapping.dmp

Download
memory/5016-195-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/5016-196-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/5016-200-0x0000000006310000-0x000000000632A000-memory.dmp

Filesize
104KB

Download
memory/5016-197-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/5016-198-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/5016-199-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/5028-190-0x0000000000000000-mapping.dmp

Download
memory/5144-302-0x0000000000000000-mapping.dmp

Download
memory/5508-316-0x0000000000000000-mapping.dmp

Download
memory/5524-317-0x0000000000000000-mapping.dmp

Download
memory/5536-273-0x000000007F8B0000-0x000000007FC81000-memory.dmp

Filesize
3.8MB

Download
memory/5536-274-0x0000000000DD0000-0x000000000172C000-memory.dmp

Filesize
9.4MB

Download
memory/5536-269-0x0000000000000000-mapping.dmp

Download
memory/5536-272-0x0000000000DD0000-0x000000000172C000-memory.dmp

Filesize
9.4MB

Download
memory/5572-270-0x0000000000000000-mapping.dmp

Download
memory/5628-311-0x0000000000000000-mapping.dmp

Download
memory/5636-271-0x0000000000000000-mapping.dmp

Download
memory/5652-314-0x0000000000000000-mapping.dmp

Download
memory/5712-315-0x0000000000000000-mapping.dmp

Download
memory/5824-275-0x0000000000000000-mapping.dmp

Download
memory/5824-309-0x0000000000140000-0x00000000013E5000-memory.dmp

Filesize
18.6MB

Download
memory/5824-278-0x0000000000140000-0x00000000013E5000-memory.dmp

Filesize
18.6MB

Download
memory/5844-277-0x0000000000000000-mapping.dmp

Download
memory/5844-281-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/5844-279-0x000000000088B000-0x00000000008B4000-memory.dmp

Filesize
164KB

Download
memory/5844-304-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/5844-303-0x000000000088B000-0x00000000008B4000-memory.dmp

Filesize
164KB

Download
memory/5844-280-0x0000000002210000-0x0000000002257000-memory.dmp

Filesize
284KB

Download
memory/5844-282-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/6040-300-0x0000000000000000-mapping.dmp

Download
memory/6124-301-0x0000000000000000-mapping.dmp

Download