fabookie | a0497dde6d202b7dfe6d1b6b6a0493560bc3fc16a085b46097662aac3a44bd38

Analysis

max time kernel
90s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installerexe.exe
Size

9.1MB
MD5

93e23e5bed552c0500856641d19729a8
SHA1

7e14cdf808dcd21d766a4054935c87c89c037445
SHA256

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
SHA512

3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff
SSDEEP

196608:PBXWySxHnUIYfGp0N6k7jn3R655p0aRnk6bAEzV1d:pXc6rf6Q3ipdnkqAEzVf

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

privateloader

http://45.133.1.182/proxies.txt

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp

https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

gcleaner

194.145.227.161

Signatures

Detect Fabookie payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files.exe	family_fabookie
C:\Users\Admin\AppData\Local\Temp\Files.exe	family_fabookie
C:\Users\Admin\AppData\Local\Temp\Files.exe	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1964-276-0x0000000000320000-0x00000000008CC000-memory.dmp	family_ffdroider
behavioral3/memory/1964-324-0x0000000000320000-0x00000000008CC000-memory.dmp	family_ffdroider
behavioral3/memory/1964-858-0x0000000000320000-0x00000000008CC000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2808-280-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/2808-289-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/2808-294-0x00000000039D0000-0x00000000042EE000-memory.dmp	family_glupteba
behavioral3/memory/2808-339-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/2808-511-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/2808-546-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/912-609-0x0000000003970000-0x000000000428E000-memory.dmp	family_glupteba
behavioral3/memory/912-629-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/912-862-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/912-873-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/1440-876-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral3/memory/1440-888-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

File.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	File.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	File.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3212 232 rUNdlL32.eXe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	232	rUNdlL32.eXe

Socelars payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/5104-539-0x0000000001F80000-0x0000000001FB0000-memory.dmp	family_onlylogger
behavioral3/memory/5104-540-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4624 netsh.exe

pid	process
4624	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

installerexe.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	installerexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 13 IoCs

Processes:

md9_1sjm.exeFoxSBrowser.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFile.exepub2.exeFiles.exeDetails.exeFolder.exeGraphics.execsrss.exe

pid	process
1964	md9_1sjm.exe
4480	FoxSBrowser.exe
3520	Folder.exe
2808	Graphics.exe
3792	Updbdate.exe
396	Install.exe
1192	File.exe
4300	pub2.exe
3328	Files.exe
5104	Details.exe
2252	Folder.exe
912	Graphics.exe
1440	csrss.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4544 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4544	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgedWater = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

96 ipinfo.io
97 ipinfo.io
41 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Graphics.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Graphics.exe
Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

flow	ioc
96	ipinfo.io
97	ipinfo.io
41	ip-api.com

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Graphics.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2792	4544	WerFault.exe	rundll32.exe
1428	5104	WerFault.exe	Details.exe
3876	5104	WerFault.exe	Details.exe
3704	5104	WerFault.exe	Details.exe
1652	5104	WerFault.exe	Details.exe
944	5104	WerFault.exe	Details.exe
1160	5104	WerFault.exe	Details.exe
1464	5104	WerFault.exe	Details.exe
3868	5104	WerFault.exe	Details.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4004 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3876 taskkill.exe

pid	process
4004	schtasks.exe

pid	process
3876	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

md9_1sjm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	md9_1sjm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	md9_1sjm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exe

pid	process
4300	pub2.exe
4300	pub2.exe
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3160
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4300 pub2.exe

pid	process
3160

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

Install.exeFoxSBrowser.exetaskkill.execmd.exeGraphics.exeGraphics.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	396	Install.exe
Token: SeAssignPrimaryTokenPrivilege	396	Install.exe
Token: SeLockMemoryPrivilege	396	Install.exe
Token: SeIncreaseQuotaPrivilege	396	Install.exe
Token: SeMachineAccountPrivilege	396	Install.exe
Token: SeTcbPrivilege	396	Install.exe
Token: SeSecurityPrivilege	396	Install.exe
Token: SeTakeOwnershipPrivilege	396	Install.exe
Token: SeLoadDriverPrivilege	396	Install.exe
Token: SeSystemProfilePrivilege	396	Install.exe
Token: SeSystemtimePrivilege	396	Install.exe
Token: SeProfSingleProcessPrivilege	396	Install.exe
Token: SeIncBasePriorityPrivilege	396	Install.exe
Token: SeCreatePagefilePrivilege	396	Install.exe
Token: SeCreatePermanentPrivilege	396	Install.exe
Token: SeBackupPrivilege	396	Install.exe
Token: SeRestorePrivilege	396	Install.exe
Token: SeShutdownPrivilege	396	Install.exe
Token: SeDebugPrivilege	396	Install.exe
Token: SeAuditPrivilege	396	Install.exe
Token: SeSystemEnvironmentPrivilege	396	Install.exe
Token: SeChangeNotifyPrivilege	396	Install.exe
Token: SeRemoteShutdownPrivilege	396	Install.exe
Token: SeUndockPrivilege	396	Install.exe
Token: SeSyncAgentPrivilege	396	Install.exe
Token: SeEnableDelegationPrivilege	396	Install.exe
Token: SeManageVolumePrivilege	396	Install.exe
Token: SeImpersonatePrivilege	396	Install.exe
Token: SeCreateGlobalPrivilege	396	Install.exe
Token: 31	396	Install.exe
Token: 32	396	Install.exe
Token: 33	396	Install.exe
Token: 34	396	Install.exe
Token: 35	396	Install.exe
Token: SeDebugPrivilege	4480	FoxSBrowser.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeManageVolumePrivilege	1964	cmd.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeManageVolumePrivilege	1964	cmd.exe
Token: SeDebugPrivilege	2808	Graphics.exe
Token: SeImpersonatePrivilege	2808	Graphics.exe
Token: SeManageVolumePrivilege	1964	cmd.exe
Token: SeManageVolumePrivilege	1964	cmd.exe
Token: SeSystemEnvironmentPrivilege	912	Graphics.exe
Token: SeManageVolumePrivilege	1964	cmd.exe
Token: SeShutdownPrivilege	3160
Token: SeCreatePagefilePrivilege	3160
Token: SeSystemEnvironmentPrivilege	1440	csrss.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

installerexe.exeFolder.exeInstall.execmd.exerUNdlL32.eXeGraphics.execmd.exe

description	pid	process	target process
PID 224 wrote to memory of 1964	224	installerexe.exe	md9_1sjm.exe
PID 224 wrote to memory of 1964	224	installerexe.exe	md9_1sjm.exe
PID 224 wrote to memory of 1964	224	installerexe.exe	md9_1sjm.exe
PID 224 wrote to memory of 4480	224	installerexe.exe	FoxSBrowser.exe
PID 224 wrote to memory of 4480	224	installerexe.exe	FoxSBrowser.exe
PID 224 wrote to memory of 3520	224	installerexe.exe	Folder.exe
PID 224 wrote to memory of 3520	224	installerexe.exe	Folder.exe
PID 224 wrote to memory of 3520	224	installerexe.exe	Folder.exe
PID 224 wrote to memory of 2808	224	installerexe.exe	Graphics.exe
PID 224 wrote to memory of 2808	224	installerexe.exe	Graphics.exe
PID 224 wrote to memory of 2808	224	installerexe.exe	Graphics.exe
PID 224 wrote to memory of 3792	224	installerexe.exe	Updbdate.exe
PID 224 wrote to memory of 3792	224	installerexe.exe	Updbdate.exe
PID 224 wrote to memory of 3792	224	installerexe.exe	Updbdate.exe
PID 224 wrote to memory of 396	224	installerexe.exe	Install.exe
PID 224 wrote to memory of 396	224	installerexe.exe	Install.exe
PID 224 wrote to memory of 396	224	installerexe.exe	Install.exe
PID 224 wrote to memory of 1192	224	installerexe.exe	File.exe
PID 224 wrote to memory of 1192	224	installerexe.exe	File.exe
PID 224 wrote to memory of 1192	224	installerexe.exe	File.exe
PID 224 wrote to memory of 4300	224	installerexe.exe	pub2.exe
PID 224 wrote to memory of 4300	224	installerexe.exe	pub2.exe
PID 224 wrote to memory of 4300	224	installerexe.exe	pub2.exe
PID 224 wrote to memory of 3328	224	installerexe.exe	Files.exe
PID 224 wrote to memory of 3328	224	installerexe.exe	Files.exe
PID 224 wrote to memory of 5104	224	installerexe.exe	Details.exe
PID 224 wrote to memory of 5104	224	installerexe.exe	Details.exe
PID 224 wrote to memory of 5104	224	installerexe.exe	Details.exe
PID 3520 wrote to memory of 2252	3520	Folder.exe	Folder.exe
PID 3520 wrote to memory of 2252	3520	Folder.exe	Folder.exe
PID 3520 wrote to memory of 2252	3520	Folder.exe	Folder.exe
PID 396 wrote to memory of 3572	396	Install.exe	cmd.exe
PID 396 wrote to memory of 3572	396	Install.exe	cmd.exe
PID 396 wrote to memory of 3572	396	Install.exe	cmd.exe
PID 3572 wrote to memory of 3876	3572	cmd.exe	taskkill.exe
PID 3572 wrote to memory of 3876	3572	cmd.exe	taskkill.exe
PID 3572 wrote to memory of 3876	3572	cmd.exe	taskkill.exe
PID 3212 wrote to memory of 4544	3212	rUNdlL32.eXe	rundll32.exe
PID 3212 wrote to memory of 4544	3212	rUNdlL32.eXe	rundll32.exe
PID 3212 wrote to memory of 4544	3212	rUNdlL32.eXe	rundll32.exe
PID 912 wrote to memory of 1964	912	Graphics.exe	cmd.exe
PID 912 wrote to memory of 1964	912	Graphics.exe	cmd.exe
PID 1964 wrote to memory of 4624	1964	cmd.exe	netsh.exe
PID 1964 wrote to memory of 4624	1964	cmd.exe	netsh.exe
PID 912 wrote to memory of 1440	912	Graphics.exe	csrss.exe
PID 912 wrote to memory of 1440	912	Graphics.exe	csrss.exe
PID 912 wrote to memory of 1440	912	Graphics.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\installerexe.exe
"C:\Users\Admin\AppData\Local\Temp\installerexe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1964

C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
"C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4300

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3792

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4624

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4004

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
PID:3328

C:\Users\Admin\AppData\Local\Temp\Details.exe
"C:\Users\Admin\AppData\Local\Temp\Details.exe"
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 452
3⤵
- Program crash
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 620
3⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 656
3⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 776
3⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 804
3⤵
- Program crash
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1016
3⤵
- Program crash
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1028
3⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1324
3⤵
- Program crash
PID:3868

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 600
3⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4544 -ip 4544
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5104 -ip 5104
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5104 -ip 5104
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5104 -ip 5104
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5104 -ip 5104
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5104 -ip 5104
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5104 -ip 5104
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5104 -ip 5104
1⤵
PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5104 -ip 5104
1⤵
PID:952

C:\Users\Admin\AppData\Roaming\tavausv
C:\Users\Admin\AppData\Roaming\tavausv
1⤵
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d
Filesize
14.0MB

MD5
be05c3d1b4f0f4f14400067c498576d7

SHA1
bbe5c647c70209b448c8cdc1bbbf6b6cbb76db62

SHA256
ba6ee2d5fc9f3861bf264a9dc87b81e0b4229f1ef116b7eff903282042924022

SHA512
256ecbb4ffa6cd91348db8762726897d3a7f707be8b19a03242f4206796c5eb5baf963d7c00ed5589c1bd0ee2fb47067a7cd0e20e31959f95d2d615ff7f5d3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW
Filesize
61KB

MD5
958b8f47e39f9e2ccda143fe9e70ef51

SHA1
f107545da1948b64ad919089ff0eb99ca6ddf35b

SHA256
a8dc2399a9f44d0545746fdcd55ff53b0192a80cb445cca6deb40c15a72f8764

SHA512
322f395a00299c5c0f33fcf43d085f55e2baf104e6342c92d7ea47f009d32d73dbc3d7fd6449c64fc076f32f266a5feecd184d980c7f86c1db7a162c386ec24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
282d9ecda3ab430d78e00e3a211f8da1

SHA1
c7a2ffac29d689f64714cdd5fc1de386990387d1

SHA256
d613ad6c3f9ac801262a610467ef53536d31d88e8b1f3e111bba38a238635896

SHA512
d4b9c150c322f4f612723d9d30106534ee8b8c1f79664353f41346447b9f0516b7bc6d8b23a05d32badf664fe2becba983ffbea16098227f57eac4a612d60b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
0245ee78058b73ee525c728839148d00

SHA1
9ce283b50bde4772786bd300d0141ffc3e4cf6cd

SHA256
f9ccc8d3a95d22df364f30a532ecb0e88672aa47787ef390be1d221f4cba3258

SHA512
7e4223bf512365d4faa5cb7281c3c749b5e463ff1cb630a4b09cc3858f255c99f8a1b186c63149c79240f526bba327ca133d71894954a2aa6746a85f3a0b8fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
bd306227114bb60a0275e1f9cd107d16

SHA1
b5470f2d57a7591e2e75f3223bcf8eec9af1dd61

SHA256
e316ecd14387137e0e4dae54d93587515b50b3377c748324bd0bf77110a9ab7e

SHA512
f55a75a7f2ca17d7e520ccbcf4c26bfdeaf8a7acfb6aa460c1224a329946cdad1a5c563f11b333cb280bd2ea21a6ec08c6c16cdee03109e47afbfac5d4998e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
bd306227114bb60a0275e1f9cd107d16

SHA1
b5470f2d57a7591e2e75f3223bcf8eec9af1dd61

SHA256
e316ecd14387137e0e4dae54d93587515b50b3377c748324bd0bf77110a9ab7e

SHA512
f55a75a7f2ca17d7e520ccbcf4c26bfdeaf8a7acfb6aa460c1224a329946cdad1a5c563f11b333cb280bd2ea21a6ec08c6c16cdee03109e47afbfac5d4998e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
6899836bb79bb443f745a53d5a75d721

SHA1
c855182a8cde4a6dc07776b3415f6c527af9faa2

SHA256
974f1b846cbeb5139259adea83270b24f893b6650a7dec0d919e71984ed1013c

SHA512
528268b0d7592ca63d266ad582e2cd03f0788697fb8d5cb5eaa83c522db0d490bc0a12927b95ab7afb3ffd3ff03c2e48a49095dd86519ed0199cd000a4a27930

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
b285ef3c885242f16bdef35ee45df195

SHA1
dbf86b8126761e4d5d2bd99a5acb46acb6ec822d

SHA256
522ce94833409f6632cd4cd781d11d526a16969563c63c241240499de05e2fb2

SHA512
df65380d810c416f6efa3d86ba4c9e5b93fa249acc71f7f38f4090a3153b0e5bb2e040c692e94ef4cb473ec89922868322c330e52463c5462f7d8011d509aa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
c9d9903b59ebd46b3d38754527badccb

SHA1
16173184256a3f2849e3263ccf8bbe833bea8c03

SHA256
75b9e1fbcad56f753cb09ba258a0418b574fcb16b71cc34e5af43c86621708b2

SHA512
6d276798f80f789c9eec47294ae4618b64488ca64fdb87a605687fdca608a8ac69f2b2c91648f1ab4592464e6bd64b7848dd8ce3890f6ec8c7a010135859d736

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
ea8bd439b7957e3f38f0577f4408a88c

SHA1
1d27c8a1ba094f290ee8917a3483017a461562ee

SHA256
ed0de15581132dda88a06f94673638a74265a11f8ff37d52f33aa051b48999cf

SHA512
508384e6ee645fd9e16e51363c337c792408d0233b41fd4842dbdc88f7514c2356e5eb25d38ea56858636bafa0f3604845f44d5cc40b6bfcd7a16bd7689b0a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
1d2862225fd1a79b3697e1301f98e230

SHA1
7f010b2057842c2549cea9d6d86dfc1084bcf842

SHA256
5b12ddd2275142412ea6f68c5800cfc6b04ebb6c8cae95f6337a2333344c61c2

SHA512
bbd1b30c1eb37d8eb1dc38d7e6d8abb8af192f0fd5ac5dde74683aed6b563eca1cc1f37b5e7121ff1ffe7f5f9bd6a21ca69940cb055eb461eff936f17c706f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
5fa79cb756a72e998d8b468e5cf3b043

SHA1
dcde3149eb1f548846fa823f99a48f8a6277d106

SHA256
b85ffc40bb3020fa83d58a76a10666c0194e6c0cf15658d3f1cbaf97b9b24beb

SHA512
ea6d04fba9ac722adbc11bf46c3d6495f6a6007f53b90b3d86d28b788606deb7fb9cc2c1a6a56aac48093ed01d0da3638fdf07d943d7a4eca3f2e3af3f374dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
2fd7f676915e43831bbb2bffd5089193

SHA1
768f689276d50ba34bfbd360a8ed1fa741439e5d

SHA256
150382e6a879a2bd73b317819154b47860cf4f4634986ad323e5e429a4ed7ffb

SHA512
ba43eae95adaeb675cdce48aac645e2d01fe7f857cf05f29e7d4e0b15082c8977544b3c7d1db364dd4d738e6db4883663ccd156d2ff784a34364e30f0d0f8c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
0cbb6122b29bc7b9d0d1225b561f3bd8

SHA1
fa10adb22ea33c453d1b6f0a0c64f9a8a5da4859

SHA256
97908b5ccbdb76cd6fa2b3fc8bc801479055b5a563b4499eefad268f73b01284

SHA512
c6c50e2053b71cc6b9e6d2d77ed7271dc400ab4e794291ae887ca20463f908c4a80c45a1509bf4bddd2f2b9d6dad3cd2b2982dd4ae0092fc0c1517bc4db6220d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
0cbb6122b29bc7b9d0d1225b561f3bd8

SHA1
fa10adb22ea33c453d1b6f0a0c64f9a8a5da4859

SHA256
97908b5ccbdb76cd6fa2b3fc8bc801479055b5a563b4499eefad268f73b01284

SHA512
c6c50e2053b71cc6b9e6d2d77ed7271dc400ab4e794291ae887ca20463f908c4a80c45a1509bf4bddd2f2b9d6dad3cd2b2982dd4ae0092fc0c1517bc4db6220d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
df0f72d189fd3e129f56622b69ac972c

SHA1
ff6a5ade183b8861b340a8f5b809ffa6a6c9ba5c

SHA256
edc4a6754c21cf0515b32ee069e2ee0ecf49bda454aa9fdfe8ea94c94e868062

SHA512
541448fd7739f3049443b1adb41db9b68cf0db910c8c83d4a177c668397c5b9726c01172be5615575c362dd97d2b233dc6dc5cdbe154b7f96dc171ce8bde7f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
4bc5541085e73be5a2188312ec9d1f78

SHA1
f9488a2dbc2fc4763ee00061c5ac928ae8ae50cf

SHA256
27e05c6e68df9114f9b0b3ba0dbe799f6c2e7a366b6ee69431e59c4d37fb353c

SHA512
3b25711420b41ba33453b126d9ab5b1813172730329f82120f135ee54c57b349d0e9d5b90cc45a4ab24d036709b67aeef74a78b912b0a305a888796f7b8f3aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
669a7c5e5bb3005df03375a973d47b9d

SHA1
16415f740e0861a543a1c9cc3ac0eccb0549e762

SHA256
b3c01501ad44318e1c2f50599aecd31c765071e34e32fb67aa533aab3ab8c623

SHA512
24e183e431d7441b3811ca7ec6d1b0f6a17e7d31f0e2b5a6de65420f49f2eddefd6ff3bf16d4bbe3cb3595e238ddab83d3b8c0591790c9712b0837cb2ee23e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
544cb86def89251c970cd04ebc4c44b1

SHA1
993de5fcb442abf70ae9a329056e4d5ed826af09

SHA256
231b5ef12a97b3b1adb70d2f50fe106abb03c18ddffd45a452bb3a1711e8b29f

SHA512
727c1d7e168d8f553623683c4078e52707420d8e216fd8ef8fe50d2f4268e8890917dd088c2e1ef9f78fe3759ddb5301c005132c9a282e09d0a5a20961c1d00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
894b01838ffab062156570421fde4375

SHA1
e7ea2df60c504c9b403443de5eb9332ee133d8a7

SHA256
265255698a18894f1d666d4a56d15d1dacd9ba7c2ecef44f19209fac8eb39a20

SHA512
12479573d8f3fd7950d927a592db985d7d791a1db837b38bc3c577ce437e040dfd78c88749959231bba085f0cd3d20e311493db537fe00eb5c0389d954f4e4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
61bb1f9adbfc5682a531c0f003af138e

SHA1
e3e1f88423f3def5e3852ccb8c5b9aa4a29e31ba

SHA256
106081ee6be3505d9757fdc39ddbb546614be45b5ea1bea89feb8f392ec2950e

SHA512
1f63e36066dd61df985afdeb1a9e98f96c43f99d8d33a5abe8dea92503a3c4112a5c072f4b9641134da50afe53b0bc738bfa8e2f2646852030d61c23394396bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
da7d1fc7f8336d9ecf202c12584d75be

SHA1
dd3ab7bceb793d403b2eff250f28f028c14a27bd

SHA256
8d36046370d30d395a6f08bdde7435141df4edf73cdd92a65bc3314e621a9cdf

SHA512
8b6d35dda0f46aaad7cab295343a481927cad7b13ede229788428260dacbce5a751707695ff1514cdbbfd4a36dfbc2aa693ecc78f072c3ccf79aa1613dc64c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
e27ded863b90087c16b53a00144f7c50

SHA1
bcca3543acc8ba7aeb47d9879c875f67d6cd5637

SHA256
c6da8aab1d69be2a53708d3f6965b3d4aa2e894ca95e2512285f444488a2dedb

SHA512
b21073f2edc4921c1d4966018a3e88511f2e8271723ad80a313e270e7118ca102d65cef13776a87d6a33701d53b42a83ce3aca6f6e75ce9762195a9f9e8a51a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
d59425ca99e0c1106aa98fe115119f94

SHA1
e4bb77e8aa1a87fcd867810e887c15dc0e5e48c9

SHA256
f1668f4c578d8732727a6014485afe319745e5a39e6083019c27cc87790b368d

SHA512
f70551aeb02dd1cf03058b5f740449702de7330581412fb065cfc616209b89e076317aa607a3c103f6d7e91152410b37a4ea05665fff9d93a47cc3381a48e6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
0501fc586bb9fee800186eefe713d19d

SHA1
fe6662285ee16a92b266365e5cb71c6acf3e765c

SHA256
30ef813b42b01833fcbd61bc5314d94424445b05096f19e1ad9aa39205474a5e

SHA512
a56377219db80692deecbf5b8c915b2dcdc8071db20dbe669f7e2c6574318ad68a119c45d28009efd4ffb1e2bfedf9ccdbdcf92250b13ce8436876a30ebd0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
70cd696ecb03b00a8422eed33cb9be07

SHA1
064b5870d723c11316f2dfded7cdd7016a6441ea

SHA256
33010b7c52a2e4ac6442c2b9d5173db01f466866e66be87506a0736408fd4775

SHA512
6c679b1630e6a448d9e9ad78c06b4ed93bc52fb0fda331ce908a9cab1b1cb474165cb602a753d3b205011e8115bee45c26aa936e0939f9385cf39ca375d28fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm
Filesize
16KB

MD5
86f39f410eee2d13eed0ffde0fa88f68

SHA1
a278cefeef0858468e36080c586b215129dbf8cc

SHA256
626845c27155c2366635135d9170ef5b1a6c987af18478ebb019959b3fff714e

SHA512
c3e99f0724e28c1c74c5976fd006416de6a2b05044583da2cfb1c64aaa12ce092337e1a0df54b5a63c8200048eccc5465519113dfd56494b5d8d2e0b3adbdb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Roaming\tavausv
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Roaming\tavausv
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
memory/912-606-0x0000000003520000-0x0000000003968000-memory.dmp

Filesize
4.3MB

Download
memory/912-609-0x0000000003970000-0x000000000428E000-memory.dmp

Filesize
9.1MB

Download
memory/912-629-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/912-859-0x0000000003520000-0x0000000003968000-memory.dmp

Filesize
4.3MB

Download
memory/912-862-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/912-873-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/1192-630-0x0000000003AE0000-0x0000000003D34000-memory.dmp

Filesize
2.3MB

Download
memory/1192-681-0x0000000003AE0000-0x0000000003D34000-memory.dmp

Filesize
2.3MB

Download
memory/1440-875-0x0000000003A00000-0x0000000003F00000-memory.dmp

Filesize
5.0MB

Download
memory/1440-876-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/1440-881-0x0000000003A00000-0x0000000003F00000-memory.dmp

Filesize
5.0MB

Download
memory/1440-888-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/1964-321-0x0000000005490000-0x0000000005498000-memory.dmp

Filesize
32KB

Download
memory/1964-300-0x0000000000990000-0x0000000000993000-memory.dmp

Filesize
12KB

Download
memory/1964-370-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/1964-349-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/1964-372-0x0000000005200000-0x0000000005208000-memory.dmp

Filesize
32KB

Download
memory/1964-170-0x0000000000320000-0x00000000008CC000-memory.dmp

Filesize
5.7MB

Download
memory/1964-411-0x0000000004EA0000-0x0000000004EA8000-memory.dmp

Filesize
32KB

Download
memory/1964-412-0x0000000004EC0000-0x0000000004EC8000-memory.dmp

Filesize
32KB

Download
memory/1964-346-0x0000000005200000-0x0000000005208000-memory.dmp

Filesize
32KB

Download
memory/1964-420-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/1964-324-0x0000000000320000-0x00000000008CC000-memory.dmp

Filesize
5.7MB

Download
memory/1964-337-0x0000000004FE0000-0x0000000004FE8000-memory.dmp

Filesize
32KB

Download
memory/1964-323-0x0000000005200000-0x0000000005208000-memory.dmp

Filesize
32KB

Download
memory/1964-322-0x0000000005390000-0x0000000005398000-memory.dmp

Filesize
32KB

Download
memory/1964-174-0x0000000000990000-0x0000000000993000-memory.dmp

Filesize
12KB

Download
memory/1964-320-0x00000000051F0000-0x00000000051F8000-memory.dmp

Filesize
32KB

Download
memory/1964-858-0x0000000000320000-0x00000000008CC000-memory.dmp

Filesize
5.7MB

Download
memory/1964-319-0x00000000051D0000-0x00000000051D8000-memory.dmp

Filesize
32KB

Download
memory/1964-276-0x0000000000320000-0x00000000008CC000-memory.dmp

Filesize
5.7MB

Download
memory/1964-362-0x0000000004FE0000-0x0000000004FE8000-memory.dmp

Filesize
32KB

Download
memory/1964-306-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/1964-314-0x0000000004FE0000-0x0000000004FE8000-memory.dmp

Filesize
32KB

Download
memory/1964-313-0x0000000004FC0000-0x0000000004FC8000-memory.dmp

Filesize
32KB

Download
memory/1964-316-0x0000000005080000-0x0000000005088000-memory.dmp

Filesize
32KB

Download
memory/2808-289-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/2808-339-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/2808-546-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/2808-537-0x0000000003590000-0x00000000039CC000-memory.dmp

Filesize
4.2MB

Download
memory/2808-511-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/2808-279-0x0000000003590000-0x00000000039CC000-memory.dmp

Filesize
4.2MB

Download
memory/2808-280-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/2808-294-0x00000000039D0000-0x00000000042EE000-memory.dmp

Filesize
9.1MB

Download
memory/3160-281-0x0000000002910000-0x0000000002925000-memory.dmp

Filesize
84KB

Download
memory/3792-535-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-542-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/3792-290-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/3792-292-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-544-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-482-0x00000000724B0000-0x0000000072C60000-memory.dmp

Filesize
7.7MB

Download
memory/3792-536-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-291-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-268-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3792-270-0x0000000007950000-0x0000000007F68000-memory.dmp

Filesize
6.1MB

Download
memory/3792-277-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-278-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3792-275-0x00000000724B0000-0x0000000072C60000-memory.dmp

Filesize
7.7MB

Download
memory/3792-274-0x0000000007330000-0x000000000736C000-memory.dmp

Filesize
240KB

Download
memory/3792-273-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/3792-271-0x0000000007200000-0x0000000007212000-memory.dmp

Filesize
72KB

Download
memory/3792-269-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/3792-272-0x0000000007220000-0x000000000732A000-memory.dmp

Filesize
1.0MB

Download
memory/4300-257-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

Filesize
36KB

Download
memory/4300-267-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/4300-255-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/4300-283-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/4480-252-0x00007FF8054D0000-0x00007FF805F91000-memory.dmp

Filesize
10.8MB

Download
memory/4480-193-0x00000000008A0000-0x00000000008CE000-memory.dmp

Filesize
184KB

Download
memory/4480-224-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4480-215-0x00007FF8054D0000-0x00007FF805F91000-memory.dmp

Filesize
10.8MB

Download
memory/5104-540-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5104-539-0x0000000001F80000-0x0000000001FB0000-memory.dmp

Filesize
192KB

Download
memory/5104-538-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/5104-648-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download