azorult | 8c9e2676a1a4fb3c147b277ed5366e0697361f734fe63c668ab3625bc35a870c

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BookletCreator.v1.4.keygen.by.orion.exe
Size

16.4MB
MD5

6142633864870e6797ad77499f596f5d
SHA1

87b9b85c6871449a92dfc0882c8d1ecec48c579a
SHA256

8c9e2676a1a4fb3c147b277ed5366e0697361f734fe63c668ab3625bc35a870c
SHA512

610cb8306d76260968bcb24e6bbd4dc557b0f2921d2ae07722d47a2e0f3a6887cfd99aa59caccf409fd3ba8261831046f36c10661b50ea502c0d1ec1db49fbfd
SSDEEP

393216:nDYcRsuBbPVVk8cJcDQ/9AveVU/75hYzynSD/JvxQMngO:n0cRsu7m8+PluZ/VCWg3QUh

Score

10^/10

azorult nymaim raccoon redline socelars vidar 681eba47078319b9f76eff3159c0ff86 915 vinmat discovery evasion infostealer persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

redline

Botnet

Vinmat

15.235.171.56:30730

Attributes

auth_value
699eda832e48220d3d26a9458dee1daa

Extracted

Family

socelars

https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/

Extracted

Family

raccoon

Botnet

681eba47078319b9f76eff3159c0ff86

http://94.131.97.33/

http://45.67.229.149/

rc4.plain

Extracted

Family

vidar

Version

54.6

Botnet

915

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
915

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 1768 rundll32.exe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1768	rundll32.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5032-204-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Executes dropped EXE 18 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-6.exekeygen-step-4.exekey.exeLicense Keys.exeLicense Keys.exeOriginal Build.exeF1D7.tmp.exeOriginal Build.exemp3studios_91.exeSetup.exev0357Q97.exefODLT42n.exeNewfile2.exepopara.exepb1119.exe

pid	process
348	keygen-pr.exe
212	keygen-step-1.exe
1536	keygen-step-5.exe
4136	keygen-step-6.exe
1800	keygen-step-4.exe
3812	key.exe
5044	License Keys.exe
4076	License Keys.exe
4416	Original Build.exe
1164	F1D7.tmp.exe
5032	Original Build.exe
3636	mp3studios_91.exe
4968	Setup.exe
4376	v0357Q97.exe
4136	fODLT42n.exe
460	Newfile2.exe
5080	popara.exe
4744	pb1119.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4136-260-0x0000000000B10000-0x0000000001DB5000-memory.dmp	upx
behavioral2/memory/4136-292-0x0000000000B10000-0x0000000001DB5000-memory.dmp	upx
behavioral2/memory/4136-318-0x0000000000B10000-0x0000000001DB5000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4744-300-0x0000000140000000-0x000000014060C000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keygen-step-5.exekeygen-step-4.exeLicense Keys.exeOriginal Build.exepopara.exeBookletCreator.v1.4.keygen.by.orion.exekeygen-pr.exekeygen-step-6.exeF1D7.tmp.exeSetup.exeNewfile2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-step-5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	License Keys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Original Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	popara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	BookletCreator.v1.4.keygen.by.orion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-pr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-step-6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	F1D7.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Newfile2.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeSetup.exeNewfile2.exe

pid process

2536 rundll32.exe
2980 rundll32.exe
1444 rundll32.exe
1444 rundll32.exe
4968 Setup.exe
4968 Setup.exe
4968 Setup.exe
460 Newfile2.exe
460 Newfile2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exev0357Q97.exe

pid process

4968 Setup.exe
4376 v0357Q97.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Original Build.exe

description pid process target process

PID 4416 set thread context of 5032 4416 Original Build.exe Original Build.exe

pid	process
2536	rundll32.exe
2980	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
4968	Setup.exe
4968	Setup.exe
4968	Setup.exe
460	Newfile2.exe
460	Newfile2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

pid	process
4968	Setup.exe
4376	v0357Q97.exe

description	pid	process	target process
PID 4416 set thread context of 5032	4416	Original Build.exe	Original Build.exe

Drops file in Program Files directory 12 IoCs

Processes:

mp3studios_91.exesetup.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\41b3b0fa-f9c1-45df-b94e-68f75d9f9420.tmp	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_91.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220925091258.pma	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2040	2980	WerFault.exe	rundll32.exe
2968	4376	WerFault.exe	v0357Q97.exe
3420	460	WerFault.exe	Newfile2.exe
1972	5080	WerFault.exe	popara.exe
4688	5080	WerFault.exe	popara.exe
2664	5080	WerFault.exe	popara.exe
2072	5080	WerFault.exe	popara.exe
1304	5080	WerFault.exe	popara.exe
528	5080	WerFault.exe	popara.exe
1456	5080	WerFault.exe	popara.exe
4256	5080	WerFault.exe	popara.exe
1048	5080	WerFault.exe	popara.exe
2836	5080	WerFault.exe	popara.exe
4328	4744	WerFault.exe	pb1119.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Newfile2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Newfile2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Newfile2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3652 schtasks.exe
4172 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

388 timeout.exe
4456 timeout.exe

pid	process
3652	schtasks.exe
4172	schtasks.exe

pid	process
388	timeout.exe
4456	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2044 taskkill.exe
4168 taskkill.exe
4080 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 37 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2044	taskkill.exe
4168	taskkill.exe
4080	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

description	flow	ioc
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

keygen-step-6.exepowershell.exechrome.exechrome.exeSetup.exeOriginal Build.exechrome.exechrome.exeNewfile2.exechrome.exemsedge.exepowershell.exemsedge.exechrome.exeidentity_helper.exechrome.exe

pid	process
4136	keygen-step-6.exe
4136	keygen-step-6.exe
2248	powershell.exe
2248	powershell.exe
1252	chrome.exe
1252	chrome.exe
1876	chrome.exe
1876	chrome.exe
4968	Setup.exe
4968	Setup.exe
5032	Original Build.exe
5032	Original Build.exe
4892	chrome.exe
4892	chrome.exe
5032	Original Build.exe
1492	chrome.exe
1492	chrome.exe
460	Newfile2.exe
460	Newfile2.exe
1324	chrome.exe
1324	chrome.exe
1304	msedge.exe
1304	msedge.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
4040	msedge.exe
4040	msedge.exe
4036	chrome.exe
4036	chrome.exe
5520	identity_helper.exe
5520	identity_helper.exe
5680	chrome.exe
5680	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exemsedge.exe

pid process

1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
1876 chrome.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

F1D7.tmp.exepowershell.exeOriginal Build.exemp3studios_91.exetaskkill.exeOriginal Build.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1164	F1D7.tmp.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4416	Original Build.exe
Token: SeCreateTokenPrivilege	3636	mp3studios_91.exe
Token: SeAssignPrimaryTokenPrivilege	3636	mp3studios_91.exe
Token: SeLockMemoryPrivilege	3636	mp3studios_91.exe
Token: SeIncreaseQuotaPrivilege	3636	mp3studios_91.exe
Token: SeMachineAccountPrivilege	3636	mp3studios_91.exe
Token: SeTcbPrivilege	3636	mp3studios_91.exe
Token: SeSecurityPrivilege	3636	mp3studios_91.exe
Token: SeTakeOwnershipPrivilege	3636	mp3studios_91.exe
Token: SeLoadDriverPrivilege	3636	mp3studios_91.exe
Token: SeSystemProfilePrivilege	3636	mp3studios_91.exe
Token: SeSystemtimePrivilege	3636	mp3studios_91.exe
Token: SeProfSingleProcessPrivilege	3636	mp3studios_91.exe
Token: SeIncBasePriorityPrivilege	3636	mp3studios_91.exe
Token: SeCreatePagefilePrivilege	3636	mp3studios_91.exe
Token: SeCreatePermanentPrivilege	3636	mp3studios_91.exe
Token: SeBackupPrivilege	3636	mp3studios_91.exe
Token: SeRestorePrivilege	3636	mp3studios_91.exe
Token: SeShutdownPrivilege	3636	mp3studios_91.exe
Token: SeDebugPrivilege	3636	mp3studios_91.exe
Token: SeAuditPrivilege	3636	mp3studios_91.exe
Token: SeSystemEnvironmentPrivilege	3636	mp3studios_91.exe
Token: SeChangeNotifyPrivilege	3636	mp3studios_91.exe
Token: SeRemoteShutdownPrivilege	3636	mp3studios_91.exe
Token: SeUndockPrivilege	3636	mp3studios_91.exe
Token: SeSyncAgentPrivilege	3636	mp3studios_91.exe
Token: SeEnableDelegationPrivilege	3636	mp3studios_91.exe
Token: SeManageVolumePrivilege	3636	mp3studios_91.exe
Token: SeImpersonatePrivilege	3636	mp3studios_91.exe
Token: SeCreateGlobalPrivilege	3636	mp3studios_91.exe
Token: 31	3636	mp3studios_91.exe
Token: 32	3636	mp3studios_91.exe
Token: 33	3636	mp3studios_91.exe
Token: 34	3636	mp3studios_91.exe
Token: 35	3636	mp3studios_91.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	5032	Original Build.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	4528	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

v0357Q97.exe

pid process

4376 v0357Q97.exe

pid	process
4376	v0357Q97.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BookletCreator.v1.4.keygen.by.orion.execmd.exekeygen-step-5.exekeygen-pr.execontrol.exekeygen-step-4.exekey.exeLicense Keys.exekeygen-step-6.exerundll32.exeOriginal Build.exeF1D7.tmp.execmd.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 4112 wrote to memory of 1304	4112	BookletCreator.v1.4.keygen.by.orion.exe	cmd.exe
PID 4112 wrote to memory of 1304	4112	BookletCreator.v1.4.keygen.by.orion.exe	cmd.exe
PID 4112 wrote to memory of 1304	4112	BookletCreator.v1.4.keygen.by.orion.exe	cmd.exe
PID 1304 wrote to memory of 348	1304	cmd.exe	keygen-pr.exe
PID 1304 wrote to memory of 348	1304	cmd.exe	keygen-pr.exe
PID 1304 wrote to memory of 348	1304	cmd.exe	keygen-pr.exe
PID 1304 wrote to memory of 212	1304	cmd.exe	keygen-step-1.exe
PID 1304 wrote to memory of 212	1304	cmd.exe	keygen-step-1.exe
PID 1304 wrote to memory of 212	1304	cmd.exe	keygen-step-1.exe
PID 1304 wrote to memory of 1536	1304	cmd.exe	keygen-step-5.exe
PID 1304 wrote to memory of 1536	1304	cmd.exe	keygen-step-5.exe
PID 1304 wrote to memory of 1536	1304	cmd.exe	keygen-step-5.exe
PID 1304 wrote to memory of 4136	1304	cmd.exe	keygen-step-6.exe
PID 1304 wrote to memory of 4136	1304	cmd.exe	keygen-step-6.exe
PID 1304 wrote to memory of 4136	1304	cmd.exe	keygen-step-6.exe
PID 1304 wrote to memory of 1800	1304	cmd.exe	keygen-step-4.exe
PID 1304 wrote to memory of 1800	1304	cmd.exe	keygen-step-4.exe
PID 1304 wrote to memory of 1800	1304	cmd.exe	keygen-step-4.exe
PID 1536 wrote to memory of 2656	1536	keygen-step-5.exe	control.exe
PID 1536 wrote to memory of 2656	1536	keygen-step-5.exe	control.exe
PID 1536 wrote to memory of 2656	1536	keygen-step-5.exe	control.exe
PID 348 wrote to memory of 3812	348	keygen-pr.exe	key.exe
PID 348 wrote to memory of 3812	348	keygen-pr.exe	key.exe
PID 348 wrote to memory of 3812	348	keygen-pr.exe	key.exe
PID 2656 wrote to memory of 2536	2656	control.exe	rundll32.exe
PID 2656 wrote to memory of 2536	2656	control.exe	rundll32.exe
PID 2656 wrote to memory of 2536	2656	control.exe	rundll32.exe
PID 1800 wrote to memory of 5044	1800	keygen-step-4.exe	License Keys.exe
PID 1800 wrote to memory of 5044	1800	keygen-step-4.exe	License Keys.exe
PID 1800 wrote to memory of 5044	1800	keygen-step-4.exe	License Keys.exe
PID 3812 wrote to memory of 3076	3812	key.exe	key.exe
PID 3812 wrote to memory of 3076	3812	key.exe	key.exe
PID 3812 wrote to memory of 3076	3812	key.exe	key.exe
PID 5044 wrote to memory of 4076	5044	License Keys.exe	License Keys.exe
PID 5044 wrote to memory of 4076	5044	License Keys.exe	License Keys.exe
PID 5044 wrote to memory of 4076	5044	License Keys.exe	License Keys.exe
PID 1800 wrote to memory of 4416	1800	keygen-step-4.exe	Original Build.exe
PID 1800 wrote to memory of 4416	1800	keygen-step-4.exe	Original Build.exe
PID 1800 wrote to memory of 4416	1800	keygen-step-4.exe	Original Build.exe
PID 4136 wrote to memory of 1164	4136	keygen-step-6.exe	F1D7.tmp.exe
PID 4136 wrote to memory of 1164	4136	keygen-step-6.exe	F1D7.tmp.exe
PID 4136 wrote to memory of 1164	4136	keygen-step-6.exe	F1D7.tmp.exe
PID 1152 wrote to memory of 2980	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2980	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2980	1152	rundll32.exe	rundll32.exe
PID 4416 wrote to memory of 2248	4416	Original Build.exe	powershell.exe
PID 4416 wrote to memory of 2248	4416	Original Build.exe	powershell.exe
PID 4416 wrote to memory of 2248	4416	Original Build.exe	powershell.exe
PID 1164 wrote to memory of 4880	1164	F1D7.tmp.exe	cmd.exe
PID 1164 wrote to memory of 4880	1164	F1D7.tmp.exe	cmd.exe
PID 1164 wrote to memory of 4880	1164	F1D7.tmp.exe	cmd.exe
PID 4880 wrote to memory of 388	4880	cmd.exe	timeout.exe
PID 4880 wrote to memory of 388	4880	cmd.exe	timeout.exe
PID 4880 wrote to memory of 388	4880	cmd.exe	timeout.exe
PID 2536 wrote to memory of 2212	2536	rundll32.exe	RunDll32.exe
PID 2536 wrote to memory of 2212	2536	rundll32.exe	RunDll32.exe
PID 2212 wrote to memory of 1444	2212	RunDll32.exe	rundll32.exe
PID 2212 wrote to memory of 1444	2212	RunDll32.exe	rundll32.exe
PID 2212 wrote to memory of 1444	2212	RunDll32.exe	rundll32.exe
PID 4416 wrote to memory of 5032	4416	Original Build.exe	Original Build.exe
PID 4416 wrote to memory of 5032	4416	Original Build.exe	Original Build.exe
PID 4416 wrote to memory of 5032	4416	Original Build.exe	Original Build.exe
PID 4416 wrote to memory of 5032	4416	Original Build.exe	Original Build.exe
PID 4416 wrote to memory of 5032	4416	Original Build.exe	Original Build.exe

C:\Users\Admin\AppData\Local\Temp\BookletCreator.v1.4.keygen.by.orion.exe
"C:\Users\Admin\AppData\Local\Temp\BookletCreator.v1.4.keygen.by.orion.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:212

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\PBP0JqU.9Z
4⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PBP0JqU.9Z
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PBP0JqU.9Z
6⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PBP0JqU.9Z
7⤵
- Loads dropped DLL
PID:1444

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
keygen-step-6.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Roaming\F1D7.tmp.exe
"C:\Users\Admin\AppData\Roaming\F1D7.tmp.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 2 && del "C:\Users\Admin\AppData\Roaming\F1D7.tmp.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:388

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe" -h
5⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:3984

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdf284f50,0x7fffdf284f60,0x7fffdf284f70
6⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
6⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
6⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
6⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
6⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
6⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
6⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
6⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
6⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
6⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:8
6⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
6⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
6⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
6⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
6⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2676 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
6⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=976 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,10610303950694398969,15540655135192823006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
6⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Users\Admin\AppData\Roaming\v0357Q97.exe
"C:\Users\Admin\AppData\Roaming\v0357Q97.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
6⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
6⤵
PID:4852

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
6⤵
- Creates scheduled task(s)
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 484
6⤵
- Program crash
PID:2968

C:\Users\Admin\AppData\Roaming\fODLT42n.exe
"C:\Users\Admin\AppData\Roaming\fODLT42n.exe"
5⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Newfile2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Newfile2.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" ¸bPár/c taskkill /im Newfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Newfile2.exe" & del C:\PrograData\*.dll & exit
5⤵
PID:2244

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Newfile2.exe /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1900
5⤵
- Program crash
PID:3420

C:\Users\Admin\AppData\Local\Temp\RarSFX2\popara.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\popara.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 456
5⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 772
5⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 764
5⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 844
5⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 860
5⤵
- Program crash
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 848
5⤵
- Program crash
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 764
5⤵
- Program crash
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1176
5⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1220
5⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "popara.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX2\popara.exe" & exit
5⤵
PID:948

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "popara.exe" /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 496
5⤵
- Program crash
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Iw9B
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe05346f8,0x7fffe0534708,0x7fffe0534718
5⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
5⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
5⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
5⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
5⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 /prefetch:8
5⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5496 /prefetch:8
5⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
5⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
5⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
5⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff62e5c5460,0x7ff62e5c5470,0x7ff62e5c5480
6⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18239083164347849544,10815485337732044864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5520

C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe"
4⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4744 -s 428
5⤵
- Program crash
PID:4328

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 604
3⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2980 -ip 2980
1⤵
PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4376 -ip 4376
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 460 -ip 460
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5080 -ip 5080
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5080 -ip 5080
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5080 -ip 5080
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5080 -ip 5080
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5080 -ip 5080
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5080 -ip 5080
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5080 -ip 5080
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5080 -ip 5080
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5080 -ip 5080
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5080 -ip 5080
1⤵
PID:4336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4744 -ip 4744
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
Filesize
20KB

MD5
34bcfa70a23d671ea14a08efa7f04c85

SHA1
ececbb3577c5e7906391c78f1973e5fd79dbeab0

SHA256
29b6a3449cf5860cfbf745179b061ef2aff70646c08c5bf93d00444cf1ab2cf1

SHA512
164d6b3b5f92e890292622cd0836dba6d0e058650c6a0960bb65e79d69745c3bbb1a849b4eda7b333f9c9185d3cd1ce838cd100e3285655a6b80d1346f716285

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
fa5df4794d98252154922e3251d0cc28

SHA1
7d35baaf49db704ef495d5567b713e281ab6855b

SHA256
3f0f3cdbdb228cb1b5b9c17e6b9b5f1d567d20a2919d919d6bba343c6c012c6f

SHA512
ed03691441fbf4e763f833d063461cebc873dc7162eeec7dc3c7d557d48e221f73818da90a47a302ba95a5c1a9a83513c1ac4cac19bfbcf4268b88afdca69361

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
87c6f7a12400e4d26086b4edcde0cf38

SHA1
55b84af207dbf774694363edd28d64e2012c1018

SHA256
e91547635729afce24b069a3c00a1868f62d01e3127e6b45adeef9fb0e7d5283

SHA512
dfc26d6a0ca2ad2d6c035a8dcef4949039196a94702f519b6fd46315b34bf836d1f1db11d68aa6298cee814ad7c8fb6e606592cbec8731a6eb8e480ee5b25418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
94KB

MD5
ac8079ee0d1a33b89989326f90fb7724

SHA1
1cf13528f9a6134cbf3028e73b95c92686e7c55f

SHA256
a57270262c7980da53d45c625a1f9d090a8ab767ad5231c8b4bbf48fb8c0cfd5

SHA512
29c022e2992701f88ef5c657feae6e367d2e2899e515cf231ada906a18685ea9ce24bad6de8d0114992eae26ea24227ea5f39cbdf665151935ab2a39d9c060bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Original Build.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBP0JqU.9Z
Filesize
1.9MB

MD5
133413526cb30b573d09414deea531bf

SHA1
4af5b5ede4f3c26393efa72a60c2ddc787ffbad4

SHA256
c799d7bd02ffd4d0bc7a3bfb3d911f4b5aa524ea597b90d5cc5312d3cb59c6f8

SHA512
4916952cf420d31d2371d2c2241f26cdedb114a0552ef33dffce27c3fda057c10d84d4bc8b6b2301ac47f4c58dfe2d1733fc51ac5260008fa641718447038acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
Filesize
112KB

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
Filesize
112KB

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
Filesize
12.7MB

MD5
4d60874cca2a655f1a33419bfe216dc4

SHA1
a9ff587d4a490040965bc8dff687586c95021ca4

SHA256
aabd51e5b60ec9e73695700361872fbb2cfb1337b358df54784a10a89cf54a8a

SHA512
0af118ae919eea2894bf2c760f5f722a258fa7944e5719026a5b39405303208bc040d5690efa782de0dd0306cefcd79f04bd6b5572af1269949e635ebba0195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
Filesize
12.7MB

MD5
4d60874cca2a655f1a33419bfe216dc4

SHA1
a9ff587d4a490040965bc8dff687586c95021ca4

SHA256
aabd51e5b60ec9e73695700361872fbb2cfb1337b358df54784a10a89cf54a8a

SHA512
0af118ae919eea2894bf2c760f5f722a258fa7944e5719026a5b39405303208bc040d5690efa782de0dd0306cefcd79f04bd6b5572af1269949e635ebba0195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
Filesize
2.0MB

MD5
9bbe6ce3a25922ab74e126b56596b4fb

SHA1
8dd4b0d3e05bfcde1d1a47ec8a9d42f785094631

SHA256
a78c4a5d1371eba669e95facbccfb70a0e6da88154cf02324c1767f53752d063

SHA512
fae2e5a43504d385eb9b846ed62db040635133c7caeb8edc4263325075a269a9d0fb081c38839da9f1ad0a0d95634ce52d970d94b32a68e67cd95e73ef9fc6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
Filesize
2.0MB

MD5
9bbe6ce3a25922ab74e126b56596b4fb

SHA1
8dd4b0d3e05bfcde1d1a47ec8a9d42f785094631

SHA256
a78c4a5d1371eba669e95facbccfb70a0e6da88154cf02324c1767f53752d063

SHA512
fae2e5a43504d385eb9b846ed62db040635133c7caeb8edc4263325075a269a9d0fb081c38839da9f1ad0a0d95634ce52d970d94b32a68e67cd95e73ef9fc6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
Filesize
80KB

MD5
0ccff32c225f062f028e7a0bc2707799

SHA1
aa410d93fa92488877c419110a54b3170bc04923

SHA256
b96f30418380b7ef39e66146a4eb3a68d114c0823e0511c9097be46c1effe62d

SHA512
6e91b74367e17f769b8671122fcfb8035f3b6c55c3328e4c791f8d67881cf71699ce85c427dfc25b7929d5fc76409f74c02eb554d286d54bf09e51ff8dc0ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
Filesize
80KB

MD5
0ccff32c225f062f028e7a0bc2707799

SHA1
aa410d93fa92488877c419110a54b3170bc04923

SHA256
b96f30418380b7ef39e66146a4eb3a68d114c0823e0511c9097be46c1effe62d

SHA512
6e91b74367e17f769b8671122fcfb8035f3b6c55c3328e4c791f8d67881cf71699ce85c427dfc25b7929d5fc76409f74c02eb554d286d54bf09e51ff8dc0ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
Filesize
149B

MD5
601bb2b0a5d8b03895d13b6461fab11d

SHA1
29e815e3252c5be49f9b57b1ec9c479b523000ce

SHA256
f9be5d8f88ddf4e50a05b23fce2d6af154e427b636fdd90ca0822654acdc851c

SHA512
95acdd98dc84ea03951b5827233d30b750226846d1883548911f31e182bc6def3ec397732a6b0730db24312aefe8f8892689c3666b3db3d8f20b127e76430e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
Filesize
3.8MB

MD5
33e89dd6df83a3c745b5a90acef2abd3

SHA1
eaa10a67188d3c7ce35e3de6436eeba13cd1bca9

SHA256
d97eb538f83f7b2477c197acf5bf01344fbe65034608bb8c9b29061f2c111985

SHA512
7fbf0705337adcf08207b20d80e905a64418eca8c1bb5e3be85e21491b79033e1924a4971a103e9a87d2d3636f1980c809a0edbf8692626aa37f0f6a24c3ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
Filesize
3.8MB

MD5
33e89dd6df83a3c745b5a90acef2abd3

SHA1
eaa10a67188d3c7ce35e3de6436eeba13cd1bca9

SHA256
d97eb538f83f7b2477c197acf5bf01344fbe65034608bb8c9b29061f2c111985

SHA512
7fbf0705337adcf08207b20d80e905a64418eca8c1bb5e3be85e21491b79033e1924a4971a103e9a87d2d3636f1980c809a0edbf8692626aa37f0f6a24c3ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Original Build.exe
Filesize
3.8MB

MD5
33e89dd6df83a3c745b5a90acef2abd3

SHA1
eaa10a67188d3c7ce35e3de6436eeba13cd1bca9

SHA256
d97eb538f83f7b2477c197acf5bf01344fbe65034608bb8c9b29061f2c111985

SHA512
7fbf0705337adcf08207b20d80e905a64418eca8c1bb5e3be85e21491b79033e1924a4971a103e9a87d2d3636f1980c809a0edbf8692626aa37f0f6a24c3ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
Filesize
4.5MB

MD5
44fe2e4147976979d23f751b52a31490

SHA1
58fec1897a27c7fa4d401f2363ef4c2aebb47cc5

SHA256
34a4a22df4b0adc0662b7127e4a010d7cb416eaca7eff32aaf939ce914ca5846

SHA512
5902e7b84617525441bf28effda4b4c769bc81032b0ba2ce23a642b86f511e099cef4ca4f2bf65592c58e06289f86c05c2d356a226cc96197cda7c443354833c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
Filesize
4.5MB

MD5
44fe2e4147976979d23f751b52a31490

SHA1
58fec1897a27c7fa4d401f2363ef4c2aebb47cc5

SHA256
34a4a22df4b0adc0662b7127e4a010d7cb416eaca7eff32aaf939ce914ca5846

SHA512
5902e7b84617525441bf28effda4b4c769bc81032b0ba2ce23a642b86f511e099cef4ca4f2bf65592c58e06289f86c05c2d356a226cc96197cda7c443354833c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
Filesize
1.4MB

MD5
e1878272005721f797853d631a650ca7

SHA1
88a00367f162b7d4b06e7e9f338524f7eabf7b0c

SHA256
6bf88af8c896852e110034492e7e0799afd09f29eb92fa858d64e93c0856506a

SHA512
08c23e21c56b8103e5d56f286e841200ab85d808bc114bfa938e7d761e7053eef631946efa7d821480d35c0955bc477460bbde0b0b247304371e1ae89f30d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
Filesize
1.4MB

MD5
e1878272005721f797853d631a650ca7

SHA1
88a00367f162b7d4b06e7e9f338524f7eabf7b0c

SHA256
6bf88af8c896852e110034492e7e0799afd09f29eb92fa858d64e93c0856506a

SHA512
08c23e21c56b8103e5d56f286e841200ab85d808bc114bfa938e7d761e7053eef631946efa7d821480d35c0955bc477460bbde0b0b247304371e1ae89f30d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
48abebba7675785b5973b17b0765b88d

SHA1
780fe8bbdfa6de3bc6215bea213153e4a9b9874b

SHA256
18dfc5eb22ec12374b59d1fee26a8e67a89403e828891f2c6eff295160b12a6b

SHA512
b5b4e7ab4ea7a30039c566643b3a616f06cf055ac621aab081d4a6ef70b88ac64851e4c17b6206665e913227a4c09003c7fd8529dfdd8939fd501ae11d340a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
60KB

MD5
4d11bd6f3172584b3fda0e9efcaf0ddb

SHA1
0581c7f087f6538a1b6d4f05d928c1df24236944

SHA256
73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930

SHA512
6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
60KB

MD5
4d11bd6f3172584b3fda0e9efcaf0ddb

SHA1
0581c7f087f6538a1b6d4f05d928c1df24236944

SHA256
73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930

SHA512
6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04

Download Submit
C:\Users\Admin\AppData\Roaming\F1D7.tmp.exe
Filesize
223KB

MD5
ce79df6cf31e074162eed2c856db279b

SHA1
e3b0f86b587b31ee5403fc5a0260fda2e9f0748d

SHA256
dd6bd89becfe1b396e0e535482c9c0ed777ec0f6ef1dd417377e39eb7e33264d

SHA512
f1896f55a9f4bc5f044a601f895810bef78c12a63512b059f6924ada8ee4d78fef0ed8cb67ad470860aac0afce2606d3ab258ccccd432ca1743d08935cd78108

Download Submit
C:\Users\Admin\AppData\Roaming\F1D7.tmp.exe
Filesize
223KB

MD5
ce79df6cf31e074162eed2c856db279b

SHA1
e3b0f86b587b31ee5403fc5a0260fda2e9f0748d

SHA256
dd6bd89becfe1b396e0e535482c9c0ed777ec0f6ef1dd417377e39eb7e33264d

SHA512
f1896f55a9f4bc5f044a601f895810bef78c12a63512b059f6924ada8ee4d78fef0ed8cb67ad470860aac0afce2606d3ab258ccccd432ca1743d08935cd78108

Download Submit
\??\pipe\crashpad_1876_SAWADWZJILXBHRTV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-136-0x0000000000000000-mapping.dmp

Download
memory/348-134-0x0000000000000000-mapping.dmp

Download
memory/388-190-0x0000000000000000-mapping.dmp

Download
memory/460-287-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/460-261-0x0000000000000000-mapping.dmp

Download
memory/460-286-0x000000000065B000-0x0000000000684000-memory.dmp

Filesize
164KB

Download
memory/460-265-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/460-264-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/460-263-0x00000000020F0000-0x0000000002137000-memory.dmp

Filesize
284KB

Download
memory/460-262-0x000000000065B000-0x0000000000684000-memory.dmp

Filesize
164KB

Download
memory/948-293-0x0000000000000000-mapping.dmp

Download
memory/1164-171-0x00000000053A0000-0x00000000053F0000-memory.dmp

Filesize
320KB

Download
memory/1164-168-0x0000000000000000-mapping.dmp

Download
memory/1164-174-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download
memory/1164-173-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/1164-172-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/1304-306-0x0000000000000000-mapping.dmp

Download
memory/1304-132-0x0000000000000000-mapping.dmp

Download
memory/1444-215-0x0000000003230000-0x00000000032E2000-memory.dmp

Filesize
712KB

Download
memory/1444-218-0x0000000003020000-0x000000000315C000-memory.dmp

Filesize
1.2MB

Download
memory/1444-201-0x0000000003020000-0x000000000315C000-memory.dmp

Filesize
1.2MB

Download
memory/1444-200-0x0000000002D60000-0x0000000002EE0000-memory.dmp

Filesize
1.5MB

Download
memory/1444-210-0x0000000003160000-0x0000000003228000-memory.dmp

Filesize
800KB

Download
memory/1444-196-0x0000000000000000-mapping.dmp

Download
memory/1444-199-0x0000000002850000-0x0000000002A46000-memory.dmp

Filesize
2.0MB

Download
memory/1536-139-0x0000000000000000-mapping.dmp

Download
memory/1800-146-0x0000000000000000-mapping.dmp

Download
memory/1900-317-0x0000000000000000-mapping.dmp

Download
memory/2044-222-0x0000000000000000-mapping.dmp

Download
memory/2212-195-0x0000000000000000-mapping.dmp

Download
memory/2244-283-0x0000000000000000-mapping.dmp

Download
memory/2248-184-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/2248-187-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

Filesize
104KB

Download
memory/2248-180-0x0000000000000000-mapping.dmp

Download
memory/2248-181-0x0000000003290000-0x00000000032C6000-memory.dmp

Filesize
216KB

Download
memory/2248-182-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/2248-183-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/2248-185-0x00000000080B0000-0x000000000872A000-memory.dmp

Filesize
6.5MB

Download
memory/2536-191-0x0000000003480000-0x0000000003548000-memory.dmp

Filesize
800KB

Download
memory/2536-154-0x0000000000000000-mapping.dmp

Download
memory/2536-202-0x0000000003330000-0x000000000346C000-memory.dmp

Filesize
1.2MB

Download
memory/2536-188-0x0000000003330000-0x000000000346C000-memory.dmp

Filesize
1.2MB

Download
memory/2536-186-0x0000000003070000-0x00000000031F0000-memory.dmp

Filesize
1.5MB

Download
memory/2536-192-0x0000000003560000-0x0000000003612000-memory.dmp

Filesize
712KB

Download
memory/2656-149-0x0000000000000000-mapping.dmp

Download
memory/2968-308-0x0000000000000000-mapping.dmp

Download
memory/2980-176-0x0000000000000000-mapping.dmp

Download
memory/3016-299-0x0000000000000000-mapping.dmp

Download
memory/3076-159-0x0000000000000000-mapping.dmp

Download
memory/3444-322-0x0000000000000000-mapping.dmp

Download
memory/3636-207-0x0000000000000000-mapping.dmp

Download
memory/3652-253-0x0000000000000000-mapping.dmp

Download
memory/3812-150-0x0000000000000000-mapping.dmp

Download
memory/3812-161-0x0000000002C80000-0x0000000002E1C000-memory.dmp

Filesize
1.6MB

Download
memory/3984-221-0x0000000000000000-mapping.dmp

Download
memory/4040-297-0x0000000000000000-mapping.dmp

Download
memory/4076-162-0x0000000000000000-mapping.dmp

Download
memory/4080-294-0x0000000000000000-mapping.dmp

Download
memory/4136-143-0x0000000000000000-mapping.dmp

Download
memory/4136-292-0x0000000000B10000-0x0000000001DB5000-memory.dmp

Filesize
18.6MB

Download
memory/4136-318-0x0000000000B10000-0x0000000001DB5000-memory.dmp

Filesize
18.6MB

Download
memory/4136-260-0x0000000000B10000-0x0000000001DB5000-memory.dmp

Filesize
18.6MB

Download
memory/4136-258-0x0000000000000000-mapping.dmp

Download
memory/4168-284-0x0000000000000000-mapping.dmp

Download
memory/4172-255-0x0000000000000000-mapping.dmp

Download
memory/4356-314-0x0000000000000000-mapping.dmp

Download
memory/4376-256-0x0000000000480000-0x0000000000DDC000-memory.dmp

Filesize
9.4MB

Download
memory/4376-257-0x000000007F170000-0x000000007F541000-memory.dmp

Filesize
3.8MB

Download
memory/4376-252-0x0000000000000000-mapping.dmp

Download
memory/4416-179-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/4416-167-0x0000000000280000-0x000000000065C000-memory.dmp

Filesize
3.9MB

Download
memory/4416-164-0x0000000000000000-mapping.dmp

Download
memory/4456-285-0x0000000000000000-mapping.dmp

Download
memory/4528-309-0x0000000000000000-mapping.dmp

Download
memory/4528-316-0x00007FFFDB0C0000-0x00007FFFDBB81000-memory.dmp

Filesize
10.8MB

Download
memory/4528-328-0x00007FFFDB0C0000-0x00007FFFDBB81000-memory.dmp

Filesize
10.8MB

Download
memory/4528-310-0x000001B45E720000-0x000001B45E742000-memory.dmp

Filesize
136KB

Download
memory/4612-324-0x0000000000000000-mapping.dmp

Download
memory/4684-312-0x0000000000000000-mapping.dmp

Download
memory/4700-320-0x0000000000000000-mapping.dmp

Download
memory/4744-300-0x0000000140000000-0x000000014060C000-memory.dmp

Filesize
6.0MB

Download
memory/4744-298-0x0000000000000000-mapping.dmp

Download
memory/4800-305-0x0000000000000000-mapping.dmp

Download
memory/4852-254-0x0000000000000000-mapping.dmp

Download
memory/4880-189-0x0000000000000000-mapping.dmp

Download
memory/4968-250-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/4968-229-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4968-244-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/4968-232-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4968-235-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4968-243-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4968-245-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/4968-259-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/4968-223-0x0000000000000000-mapping.dmp

Download
memory/4968-251-0x0000000000400000-0x0000000000D94000-memory.dmp

Filesize
9.6MB

Download
memory/5032-213-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/5032-203-0x0000000000000000-mapping.dmp

Download
memory/5032-242-0x00000000076B0000-0x0000000007BDC000-memory.dmp

Filesize
5.2MB

Download
memory/5032-214-0x0000000005730000-0x000000000576C000-memory.dmp

Filesize
240KB

Download
memory/5032-212-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/5032-226-0x0000000006700000-0x0000000006776000-memory.dmp

Filesize
472KB

Download
memory/5032-204-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5032-236-0x0000000006FB0000-0x0000000007172000-memory.dmp

Filesize
1.8MB

Download
memory/5032-211-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/5044-157-0x0000000000000000-mapping.dmp

Download
memory/5080-289-0x000000000086B000-0x0000000000892000-memory.dmp

Filesize
156KB

Download
memory/5080-290-0x00000000021F0000-0x0000000002231000-memory.dmp

Filesize
260KB

Download
memory/5080-288-0x0000000000000000-mapping.dmp

Download
memory/5080-291-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/5080-295-0x000000000086B000-0x0000000000892000-memory.dmp

Filesize
156KB

Download
memory/5080-296-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/5228-325-0x0000000000000000-mapping.dmp

Download
memory/5292-326-0x0000000000000000-mapping.dmp

Download
memory/5520-327-0x0000000000000000-mapping.dmp

Download