47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

Resubmissions

25/04/2023, 15:04

230425-sfwdtacg8x 1

25/04/2023, 14:56

25/04/2023, 14:53

25/04/2023, 14:49

25/04/2023, 14:42

Analysis

max time kernel
118s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/04/2023, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoEscape.zip
Size

616KB
MD5

ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA1

9431227836440c78f12bfb2cb3247d59f4d4640b
SHA256

47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA512

6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
SSDEEP

12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	4880	WerFault.exe	108

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73ADA18A-E388-11ED-8E3B-F6CDEFCD3E96} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7382FEB9-E388-11ED-8E3B-F6CDEFCD3E96} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a702c863227b745aefca3d2bb9571e800000000020000000000106600000001000020000000e3372e4b54a74afa34924c1041412d0267028c6ec4ac5662c7eb08352c712e20000000000e8000000002000020000000d9efed270857680913cbe6cedbc543e8fd35d5f6b5c4fcbefa180ead198369ee200000003ee2a4495c05be04a9ad795c1cf05fc8b7456cbfbeba72471d2f67541d669dae40000000cb80b3d6d8ae97b412ff9f222bac8767ee1969785e73b90fc3f7894bce835f921180067077f8616ab7c815c9f7c74016437f76404b6c7210660b792e647a51e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e7c2389577d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4384	vlc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3512	mspaint.exe
3512	mspaint.exe
2112	mspaint.exe
2112	mspaint.exe
2824	mspaint.exe
2824	mspaint.exe
4256	mspaint.exe
4256	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4384	vlc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2924	mshta.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
2952	iexplore.exe
2952	iexplore.exe
3924	iexplore.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe
4384	vlc.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2924	mshta.exe
2924	mshta.exe
2924	mshta.exe
4384	vlc.exe
3512	mspaint.exe
2112	mspaint.exe
2824	mspaint.exe
4256	mspaint.exe
2952	iexplore.exe
2952	iexplore.exe
2952	iexplore.exe
2952	iexplore.exe
3924	iexplore.exe
3924	iexplore.exe
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE
3368	IEXPLORE.EXE
3368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 4080	2952	iexplore.exe	100
PID 2952 wrote to memory of 4080	2952	iexplore.exe	100
PID 2952 wrote to memory of 4080	2952	iexplore.exe	100
PID 3924 wrote to memory of 3368	3924	iexplore.exe	104
PID 3924 wrote to memory of 3368	3924	iexplore.exe	104
PID 3924 wrote to memory of 3368	3924	iexplore.exe	104

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoEscape.zip
1⤵
PID:4116

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4120

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4132

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4500

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4616

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4660

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:3704

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:3760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitLimit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:2360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:3340

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:3160

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:5116

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:648

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:1148

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:1804

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:824

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:4648

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:3912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:5108

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearCompare.3gpp"
1⤵
PID:5008

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResetMove.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResetMove.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResetMove.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResetMove.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ClearUnprotect.mhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ClearUnprotect.mhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3924 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ClearUnprotect.mhtml
1⤵
- Modifies Internet Explorer settings
PID:3412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DsSvc
1⤵
- Drops file in System32 directory
PID:168

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
PID:4880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4880 -s 1380
  2⤵
  - Program crash
  PID:4956

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:664

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:4988

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:4024

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc2cdb9758,0x7ffc2cdb9768,0x7ffc2cdb9778
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1840,i,3501647881784164399,15139250830607786570,131072 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1840,i,3501647881784164399,15139250830607786570,131072 /prefetch:2
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1840,i,3501647881784164399,15139250830607786570,131072 /prefetch:8
  2⤵
  PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1840,i,3501647881784164399,15139250830607786570,131072 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1840,i,3501647881784164399,15139250830607786570,131072 /prefetch:1
  2⤵
  PID:5476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.0.748216406\2139682044" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1632 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {347929b6-be32-4c29-9049-4096a843fdcc} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 1748 1c264509158 gpu
  2⤵
  PID:5616
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.1.1991400554\849291488" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a81d73bd-4a59-4d69-9be3-86c5383b198a} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 2104 1c2630ee858 socket
  2⤵
  PID:5764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.2.1430510423\1007029754" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2816 -prefsLen 20974 -prefMapSize 232645 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f424d673-b8c7-4446-ba61-bcd5355c1508} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 2812 1c267129a58 tab
  2⤵
  PID:6024
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.3.1869563605\1668442606" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5144204-c524-4793-bbb4-c469fa5ed4d0} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 3508 1c257c5b258 tab
  2⤵
  PID:5160
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.4.1745531423\520721772" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ad79529-dfe7-4ec6-be8c-ff70e68c5f75} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4400 1c268efa258 tab
  2⤵
  PID:5372
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.7.1184296309\349503398" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2820ff4a-d445-46b4-af96-b624f9684cf6} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 5124 1c268efd858 tab
  2⤵
  PID:6348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.6.100469661\469864346" -childID 5 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f042dc9-3381-421b-a737-0ae2d10a1463} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 5024 1c26727d258 tab
  2⤵
  PID:6340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.5.2098744758\1029987374" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adb6f3a8-22f4-47d6-93e8-240284e63bfe} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4840 1c26727c658 tab
  2⤵
  PID:6332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
570B

MD5
f70901057a9594a3f457bcd631c54dc4

SHA1
7d0dee9bb29323f864d58e5879cf13048b052b32

SHA256
476406d95a16ee2cbd1b1680cc70599d88d0c45ad2753d6d0bdc009d0dddada6

SHA512
598947976573dd7615a0890877b93e69dcdfe03935e0a6dfd063bb350156e6108c72925927df4ca58c8f7ee1f2b9ca0f2a10d6e118d994a47788eb56ea8bb92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8bea3c46a140d29dfb4844a9eb163f18

SHA1
05730bedb948b1a72ba595f27087e48dbb20593e

SHA256
c2ce0d4a749300873a65503339eca1fdc4b7a3bf4395c7b834745257e11f8d6b

SHA512
823d2a4969d6d9e3b392b6b3d45b0d2d1357d46ba99dfc32ecfa1e920d3ae5a0b83295f416831f746b7f4402b62e6c87c03d352ec7dff12a2a8845afb62062f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
b4b9449645ebb1093717384f097130b2

SHA1
70b76831c96cafe9582ed1952118f49804a0e759

SHA256
6a8274fd2c23958f71b3fbccec2fff10d913e61e34c5276eb68b23fd92e9b9c5

SHA512
17df44e1e37ea75368195fcc926860e54d3ec63aa5b3a5cca944f1d55cede69cfaf54afad2996a459d919e8798ac1964880ac466152e9830a9d9facc11ef9942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7382FEB9-E388-11ED-8E3B-F6CDEFCD3E96}.dat

Filesize
5KB

MD5
dd354dd1f0d2c2c845758fe9b702eab5

SHA1
2d23ce05bf25d1f7b5738ed243a6cd15395ce485

SHA256
302426c0647982036b480ceb7ee8644b7d7eee000508aca7d4d3194344605740

SHA512
e3f1d7119e0a99a4c807a4eb0c9137f4efd67bdcc5825d87358d08b83c312f328f239c00febcb8579fbfac2b3202a1e7ef938d8d4696f981187616a60c6ff814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{D8B7F12A-B14E-11ED-8E34-7A8F0EDDD75F}.dat

Filesize
7KB

MD5
dabb557ad92b2dbb80e86a374b0ec42b

SHA1
6e970bfda3752e15db60ed61214ce80189e373a2

SHA256
8612661160436d5ebdcf997a63035d7190c80ccc6025fb889d6768f4a29b8e20

SHA512
f487282fac41a75a9936d9d7b30a288df297c96019e7f4aa58010fe95e8cd424769bde6673ed7aa63e799ac0e7a93600feceb5d4ab986bbcb3053bc63f147fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{79B9A234-E388-11ED-8E3B-F6CDEFCD3E96}.dat

Filesize
4KB

MD5
652d0827e422fd854bc295d097477649

SHA1
a9c403836c3608bab8ef3f3da05ad5810d1a5aab

SHA256
02eab12649a08672ed39b33ed8be349ab551f2355bd7d55fe3c81636de1db43c

SHA512
6e12056f18e951b48f93cb31fee781a6da3020ec74c9cee0f3efca6a1b625a36bf8d989d4d83fd94d67d63fc1a8fa8bac0eabd82b0e4db1eaa3b680ffb40bff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PC8JD7GN\wbk241E.tmp

Filesize
840KB

MD5
51c0c9b2ae209ced55f848ae35247266

SHA1
7d5dd067abd772a5e8e003846b24b7df6f45903e

SHA256
d06c53df1a971bf9977e73153062d6c09e58fb838412029cd4f4b1a441adccaa

SHA512
f39323b8cd2faa81d9450dcccf8b7ebcb346e4d826122362dfccdd001c4c152a1083f13c20a040e1d95255f512c69d54c554dc79f12ca4aab963a5323ff9a579

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp

Filesize
153KB

MD5
ba077093016d0574bc8ee25062e846f7

SHA1
462ac3c246d130626442a4d982b7eb890f8173e7

SHA256
54ec3041a85b14fcca5b2706d101c6f010031a952ec71c56540c05ef50a3edab

SHA512
831d81b29e08627d714b223bb67571a655d88e07d07ab953f73f850d347996837d91b489fabbd1f03debf81af01729cb9dd7c412c0b6671187499aa299bfe0c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
233B

MD5
5da507db92d87b01990822cbd727a6da

SHA1
9c673898108aa7f664e444ca1710f7c29745202f

SHA256
8587ae4906be19bb8a3e1360e0d77867569931c04a38a8a1fd0098e3f8fbe860

SHA512
3f7256175799eb5f16e610b9a7b3bf08376db6b1f1f8771d9838dfc271a3ee0be5f2f26a0ab9ac4cc00e8d7e1e4e31d89b7c34aba9f1ee07ab56d2dfb4badfc0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF23E51CC2C83A8F5.TMP

Filesize
16KB

MD5
d3ba5a3f19c79d6842686e7da9849be2

SHA1
6e53eb1c691a1e643fff7946ae90428952508d41

SHA256
353552e6a09fd1b79817d5d23bb47f91a7c95214d22352f67d2e6b6bfeb5e87c

SHA512
c2f47639c726e7fe3fd19ee4e730a82da9f78f34837a5d08341bd455e0d1706e28161f578cf435e9fd0ad835a7109112749057d6691616df6347769abbc3f2f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js

Filesize
6KB

MD5
cdb5a91b7898f75f98e448e80b41dba6

SHA1
c749651f98e32a2320d2e52fd467fd6217660535

SHA256
ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc

SHA512
b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d5e30c895d997b0f0f3205b5d7ab8c23

SHA1
a2ad81f3c70b6bc2176dbe8c7a2867e279050ef0

SHA256
89e3256d54c73190893656362c9b5f53ee26b7c3b24efc73bb53b4a9f9596361

SHA512
b83304f9a40b6cc0ba6c3da45858cbd38975ab1086115714024f18ad690cfbebe97fbd6906f8f34e2edff0136579b87fbfa3a162533fbd134d697a60b279f7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore.jsonlz4

Filesize
891B

MD5
7e6e6428155688fb90cddcbda2e5e177

SHA1
8cb814aa45e7cdd17b7fecc257877f44d64b7de8

SHA256
e014acc4cda4200a2d1394ed1579f68117da0f97e381b75b76cd28a644e11773

SHA512
9fd4e28a201f8c3e584b18a16dd664733f1bb37d409e5da10295a24ea365e240e5fbb765e17aeea8b1445e9d636fa1be4c0bacc086ea43b039877d742ceb6c62

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
79B

MD5
982c1093b710bebbde366839140e19f3

SHA1
f04d549c965d06e02dc523fae7e108d65246233b

SHA256
08c8b4b12924aa340f07bfa5fbda189b31f79acabbe4a2ce066b07097989d22e

SHA512
981f97b45e4cfbc38cacc83d4bc3ab21140152a8f4a9a9a7990c22f6dc960491c998ac2d74e1faca86bd1d0756e1a17d4ec4ff0b4438adc144bb32729e9d1bb9

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
79B

MD5
982c1093b710bebbde366839140e19f3

SHA1
f04d549c965d06e02dc523fae7e108d65246233b

SHA256
08c8b4b12924aa340f07bfa5fbda189b31f79acabbe4a2ce066b07097989d22e

SHA512
981f97b45e4cfbc38cacc83d4bc3ab21140152a8f4a9a9a7990c22f6dc960491c998ac2d74e1faca86bd1d0756e1a17d4ec4ff0b4438adc144bb32729e9d1bb9

Download Submit
memory/648-159-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/648-151-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/648-162-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/648-157-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/648-154-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/648-161-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/824-178-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/824-170-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/824-173-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/824-175-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/824-177-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/824-176-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/1148-194-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/1148-192-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/1148-190-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/1148-187-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/1148-196-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/1148-184-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/1804-179-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/1804-180-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/1804-183-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/1804-182-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/1804-185-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/1804-188-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/3160-133-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/3160-132-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/3160-131-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/3160-130-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/3160-134-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/3160-129-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/3340-123-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/3340-128-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/3340-124-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/3340-125-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/3340-126-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/3340-127-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/3912-160-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/3912-153-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/3912-165-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/3912-155-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/3912-156-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/3912-158-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/4648-171-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/4648-163-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/4648-174-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/4648-168-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/4648-167-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/4648-166-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/5008-189-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/5008-191-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/5008-193-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/5008-195-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/5108-140-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download
memory/5108-152-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/5108-150-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/5108-149-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/5108-142-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/5108-143-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/5116-138-0x00007FFC47EA0000-0x00007FFC47EB8000-memory.dmp

Filesize
96KB

Download
memory/5116-136-0x00007FFC47EC0000-0x00007FFC47EF4000-memory.dmp

Filesize
208KB

Download
memory/5116-141-0x00007FFC44A20000-0x00007FFC44A31000-memory.dmp

Filesize
68KB

Download
memory/5116-139-0x00007FFC44BB0000-0x00007FFC44BC7000-memory.dmp

Filesize
92KB

Download
memory/5116-137-0x00007FFC44360000-0x00007FFC44614000-memory.dmp

Filesize
2.7MB

Download
memory/5116-135-0x00007FF606E30000-0x00007FF606F28000-memory.dmp

Filesize
992KB

Download