fabookie | 048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514

Analysis

max time kernel
17s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe
Size

7.1MB
MD5

ba081b0e14f236799ac98b4704b299d2
SHA1

b4a15a7359431171610ef629be5c5e9f18c9c6db
SHA256

048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514
SHA512

c9eeb160323f467ab0727708c1110735bb5aae2c6c4fd7e1ae6c2dea1e2d175ebcfdb1b602e90983ebaeee723070fa4947c2c898711bdfaa6ca744eeba4d1bc5
SSDEEP

196608:x9nqZY7+ydwDEyrghwssarM1NDfvCAmoxUVQvk:x9nqg+2QEkgyss/N7aKsWk

Score

10^/10

fabookie gcleaner lgoogloader redline smokeloader socelars pub3 agilenet backdoor downloader infostealer loader spyware stealer trojan vmprotect

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Extracted

Family

gcleaner

37.0.8.39

31.210.20.149

212.192.241.16

203.159.80.49

Attributes

url_path
/software.php

/software.php

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2404-81-0x0000000140000000-0x000000014067D000-memory.dmp	family_fabookie

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4108-74-0x0000000000A30000-0x0000000000A3E000-memory.dmp	family_lgoogloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bad771e8f_923347.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae4d2a9c_cc09b024e.exe	family_socelars

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe

Executes dropped EXE 12 IoCs

Processes:

setup_install.exe62a4bae02cdda_a09bb3e.exe62a4badb7af85_623761ba41.exe62a4bae89fe45_b5ccf628.execmd.exe62a4badf31e77_62aa4e13bb.exe62a4badcb43a3_a6c0e514.exe62a4bae4d2a9c_cc09b024e.exe62a4bae1cd5ec_f0e751fd26.exe62a4bae2a134b_4fa915d.exe62a4bade488e6_dadba0.exe62a4bae132fe9_b10406e779.tmp

pid	process
4180	setup_install.exe
3648	62a4bae02cdda_a09bb3e.exe
4468	62a4badb7af85_623761ba41.exe
4132	62a4bae89fe45_b5ccf628.exe
4464	cmd.exe
3192	62a4badf31e77_62aa4e13bb.exe
3672	62a4badcb43a3_a6c0e514.exe
4328	62a4bae4d2a9c_cc09b024e.exe
4108	62a4bae1cd5ec_f0e751fd26.exe
4732	62a4bae2a134b_4fa915d.exe
2404	62a4bade488e6_dadba0.exe
2288	62a4bae132fe9_b10406e779.tmp

Loads dropped DLL 1 IoCs

Processes:

setup_install.exe

pid process

4180 setup_install.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bad771e8f_923347.exe	agile_net

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bade488e6_dadba0.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bade488e6_dadba0.exe	vmprotect
behavioral2/memory/2404-81-0x0000000140000000-0x000000014067D000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
35	ip-api.com

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2472	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe
1056	3648	WerFault.exe	62a4bae02cdda_a09bb3e.exe
2992	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe
2132	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe
5064	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe
3052	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe
1960	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe
4756	3672	WerFault.exe	62a4badcb43a3_a6c0e514.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4972 taskkill.exe
3636 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3376 PING.EXE

pid	process
4972	taskkill.exe
3636	taskkill.exe

pid	process
3376	PING.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

62a4bae4d2a9c_cc09b024e.exe

description	pid	process
Token: SeCreateTokenPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeAssignPrimaryTokenPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeLockMemoryPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeIncreaseQuotaPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeMachineAccountPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeTcbPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeSecurityPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeTakeOwnershipPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeLoadDriverPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeSystemProfilePrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeSystemtimePrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeProfSingleProcessPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeIncBasePriorityPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeCreatePagefilePrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeCreatePermanentPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeBackupPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeRestorePrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeShutdownPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeDebugPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeAuditPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeSystemEnvironmentPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeChangeNotifyPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeRemoteShutdownPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeUndockPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeSyncAgentPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeEnableDelegationPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeManageVolumePrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeImpersonatePrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: SeCreateGlobalPrivilege	4328	62a4bae4d2a9c_cc09b024e.exe
Token: 31	4328	62a4bae4d2a9c_cc09b024e.exe
Token: 32	4328	62a4bae4d2a9c_cc09b024e.exe
Token: 33	4328	62a4bae4d2a9c_cc09b024e.exe
Token: 34	4328	62a4bae4d2a9c_cc09b024e.exe
Token: 35	4328	62a4bae4d2a9c_cc09b024e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 4180	1736	048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe	setup_install.exe
PID 1736 wrote to memory of 4180	1736	048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe	setup_install.exe
PID 1736 wrote to memory of 4180	1736	048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe	setup_install.exe
PID 4180 wrote to memory of 4300	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4300	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4300	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1756	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1756	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1756	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 5032	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 5032	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 5032	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 2296	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 2296	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 2296	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 440	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 440	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 440	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4284	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4284	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4284	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 2248	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 2248	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 2248	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 3524	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 3524	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 3524	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 3304	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 3304	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 3304	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4984	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4984	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4984	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 896	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 896	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 896	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1212	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1212	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1212	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 432	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 432	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 432	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 436	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 436	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 436	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4324	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4324	4180	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 4324	4180	setup_install.exe	cmd.exe
PID 4984 wrote to memory of 3648	4984	cmd.exe	62a4bae02cdda_a09bb3e.exe
PID 4984 wrote to memory of 3648	4984	cmd.exe	62a4bae02cdda_a09bb3e.exe
PID 4984 wrote to memory of 3648	4984	cmd.exe	62a4bae02cdda_a09bb3e.exe
PID 4284 wrote to memory of 4468	4284	cmd.exe	62a4badb7af85_623761ba41.exe
PID 4284 wrote to memory of 4468	4284	cmd.exe	62a4badb7af85_623761ba41.exe
PID 4284 wrote to memory of 4468	4284	cmd.exe	62a4badb7af85_623761ba41.exe
PID 4324 wrote to memory of 4132	4324	cmd.exe	62a4bae89fe45_b5ccf628.exe
PID 4324 wrote to memory of 4132	4324	cmd.exe	62a4bae89fe45_b5ccf628.exe
PID 4324 wrote to memory of 4132	4324	cmd.exe	62a4bae89fe45_b5ccf628.exe
PID 896 wrote to memory of 4464	896	cmd.exe	62a4bae132fe9_b10406e779.exe
PID 896 wrote to memory of 4464	896	cmd.exe	62a4bae132fe9_b10406e779.exe
PID 896 wrote to memory of 4464	896	cmd.exe	62a4bae132fe9_b10406e779.exe
PID 3304 wrote to memory of 3192	3304	cmd.exe	62a4badf31e77_62aa4e13bb.exe
PID 3304 wrote to memory of 3192	3304	cmd.exe	62a4badf31e77_62aa4e13bb.exe
PID 3304 wrote to memory of 3192	3304	cmd.exe	62a4badf31e77_62aa4e13bb.exe
PID 2248 wrote to memory of 3672	2248	cmd.exe	62a4badcb43a3_a6c0e514.exe

C:\Users\Admin\AppData\Local\Temp\048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe
"C:\Users\Admin\AppData\Local\Temp\048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad771e8f_923347.exe
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad6b95e3_be16fe.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad8262f6_79a499f590.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad9333c8_8e10071d.exe
    3⤵
    PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4badb7af85_623761ba41.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badb7af85_623761ba41.exe
      62a4badb7af85_623761ba41.exe
      4⤵
      Executes dropped EXE
      PID:4468
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\B_L8H0.cPL",
        5⤵
        
        PID:4352
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\B_L8H0.cPL",
        6⤵
        
        PID:3640
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\B_L8H0.cPL",
        7⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\B_L8H0.cPL",
        8⤵
        
        PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae89fe45_b5ccf628.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae4d2a9c_cc09b024e.exe
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae2a134b_4fa915d.exe
    3⤵
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae1cd5ec_f0e751fd26.exe
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae132fe9_b10406e779.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae02cdda_a09bb3e.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4badf31e77_62aa4e13bb.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bade488e6_dadba0.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4badcb43a3_a6c0e514.exe /mixtwo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae02cdda_a09bb3e.exe
62a4bae02cdda_a09bb3e.exe
1⤵
- Executes dropped EXE
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "62a4bae02cdda_a09bb3e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae02cdda_a09bb3e.exe" & exit
  2⤵
  - Executes dropped EXE
  PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "62a4bae02cdda_a09bb3e.exe" /f
    3⤵
    - Kills process with taskkill
    PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1508
  2⤵
  - Program crash
  PID:1056

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae89fe45_b5ccf628.exe
62a4bae89fe45_b5ccf628.exe
1⤵
- Executes dropped EXE
PID:4132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae89fe45_b5ccf628.exe" >> NUL
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3376

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badf31e77_62aa4e13bb.exe
62a4badf31e77_62aa4e13bb.exe
1⤵
- Executes dropped EXE
PID:3192
- C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badf31e77_62aa4e13bb.exe
  62a4badf31e77_62aa4e13bb.exe
  2⤵
  PID:2964

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae1cd5ec_f0e751fd26.exe
62a4bae1cd5ec_f0e751fd26.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bade488e6_dadba0.exe
62a4bade488e6_dadba0.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae2a134b_4fa915d.exe
62a4bae2a134b_4fa915d.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badcb43a3_a6c0e514.exe
62a4badcb43a3_a6c0e514.exe /mixtwo
1⤵
- Executes dropped EXE
PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 472
  2⤵
  - Program crash
  PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 776
  2⤵
  - Program crash
  PID:2992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 784
  2⤵
  - Program crash
  PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 828
  2⤵
  - Program crash
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 836
  2⤵
  - Program crash
  PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 992
  2⤵
  - Program crash
  PID:1960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1028
  2⤵
  - Program crash
  PID:4756

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae4d2a9c_cc09b024e.exe
62a4bae4d2a9c_cc09b024e.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe70b9758,0x7ffbe70b9768,0x7ffbe70b9778
    3⤵
    PID:3976

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae132fe9_b10406e779.exe
62a4bae132fe9_b10406e779.exe
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\is-VJDCR.tmp\62a4bae132fe9_b10406e779.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VJDCR.tmp\62a4bae132fe9_b10406e779.tmp" /SL5="$30210,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae132fe9_b10406e779.exe"
  2⤵
  - Executes dropped EXE
  PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3672 -ip 3672
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3648 -ip 3648
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3672 -ip 3672
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3672 -ip 3672
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3672 -ip 3672
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3672 -ip 3672
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3672 -ip 3672
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3672 -ip 3672
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bad6b95e3_be16fe.exe

Filesize
157KB

MD5
3f1b557fe9b21d6f6e1930732bddbca5

SHA1
89ea657b120fccda8ca35ffc13c14010210c3878

SHA256
c8aca33eb3be35e343d86533c1f8c828231ef520efd2378dd2f09945544d9e54

SHA512
a598fab8a79213c0981c27916da406ad081724ecaed5f47bb13cdc2882f2543116fd1b05537fd5f856242c780d948e620944a1003e54a7711ee12e1b1bfa7fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bad771e8f_923347.exe

Filesize
242KB

MD5
2db62b3e5088b61ead161e0482b2f6f2

SHA1
a13b707e24ae6269631ce1099263cbc793f4b2a1

SHA256
c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3

SHA512
9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bad8262f6_79a499f590.exe

Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bad9333c8_8e10071d.exe

Filesize
196KB

MD5
10f718551ce15ce0c355b32669b51d2f

SHA1
9df3e355231d2f4ff80f0201d1ae05ea151142eb

SHA256
74328b4664781c7c6d58bf597a0be968f198fbb199bd0c3425ff575a3f52d688

SHA512
19c9ce8541cb500652aab74d555c8be43594dd423a49e59284b129fe0e9d670c23a274942841444429a25082970486c13c95f254278fdf2a25a26e1bff831ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badb7af85_623761ba41.exe

Filesize
1.7MB

MD5
687970ee527c342266c4d3ba85eb31fe

SHA1
df65ac38c3ad39d703f8af7e62750420bfca597a

SHA256
55a3d8c8e10550fcf0cb0a04282661333791d9646b0bc47db3cec8a82fd96f6a

SHA512
5d89e9636d320a749c2462a32d891e64ce531fb8033d085ca52ea8007ab08ee1e248a370ee1433e9dcc4216d0d8aafad4c2d5de28079235688eae632772bd2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badcb43a3_a6c0e514.exe

Filesize
311KB

MD5
34ff1645f6865dee9a1ef114759ca48f

SHA1
7461a01ce24ba2e907cb28b21e0653b5392687d5

SHA256
909b86bc2ab0bbb6860422827a3827f7bd0b56efe17c077fd0709bce1d43aec7

SHA512
6b62cd81a7be8480739a4edb4551a32df167ca167120072bc6f5dc19a587e197d1ff0ffe3e5b68c2d7a32ea6956b867556580b5e28411d658edccdb178fea3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bade488e6_dadba0.exe

Filesize
3.7MB

MD5
e77f09a338e643ee05ad09e367eedf73

SHA1
6777cd291ece93e16aa95c3e60b63d46b1b142bd

SHA256
f32c3414f14e0b4c08183af08702736a2ed18c99101d5ee1bc5bc5e8ee3c8982

SHA512
53f59267e4bfe862e51edb0fd7d356485a7349e7ccd6439c6c88bda921a67909a36efd1690d06fe3c30c8a4433d5c4c1a34c30b928cb29ec45b08045ef4f5747

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bade488e6_dadba0.exe

Filesize
1.6MB

MD5
d50c95222b6d811d6a4cdae1651e0d04

SHA1
2f51c38e36398ded6c88a7766f8a0071304b6322

SHA256
e3c1d7adc77036ac7144fbde502e07ef97b26e7cebe3b4d3cac9757bb7da6a7d

SHA512
b0af8fb78feb77f57bf4b8fd217171099f1f0f56924018edf89371216e874db050e8b8143bee4a9aefe2e24ff5dc34e12f5bb83e3e1682f5eee465fb97f0ccfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4badf31e77_62aa4e13bb.exe

Filesize
196KB

MD5
92f5ca1832c018a5761f26e061f701d0

SHA1
f566a7544b02fe7dc64792bf65db81639f804b7e

SHA256
a39354bba664f79e28ec6792cea228188420d7a30b140a47506783b237d3a572

SHA512
2f4bce853e50f2a883fa97be81fb31c79fee6216378f02b504ca4316b4b9e51bfd4d582a760b9f72ed945e58281d4db5a4126dca7b7dcd3d0c016ac45e4f0799

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae02cdda_a09bb3e.exe

Filesize
268KB

MD5
20dc2240fc07dcc1b82c274cdd809d33

SHA1
10741d21ffaaff7cf2ba4464ee7298072a2394a9

SHA256
8ee483e0317d795b650f75861c0145707da9e0c2a73cc97760aea32d74209e5f

SHA512
efd1d9b7891b365916c5c600df07f6993eda62179d2c179d1d82438b30e54d6590c17d60328a04d16e40d829b31d44383760a1c6df3892f9bcc35f26a3ee905c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae132fe9_b10406e779.exe

Filesize
752KB

MD5
e57b3f11829f7f85d0e482043f8a6bd4

SHA1
5a7e389a273d75c845f754039d3faa15e0aac501

SHA256
7195edba387ee58556e027f17bc09f4b43db205ab89485e90863af84f2252517

SHA512
b9f977908b23559d57076a019117324c684d9f47542532fdcd0bb49b17e7079a117faa800c1cd2a019becc980f4553f4c8ae83a36658a96d0cbe8f2241f68de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae1cd5ec_f0e751fd26.exe

Filesize
212KB

MD5
8595eb1a87c49b9b940b46524e1fdf87

SHA1
59622f56b46c724876fce597df797512b6b3d12d

SHA256
77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

SHA512
cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae2a134b_4fa915d.exe

Filesize
235KB

MD5
64ecfe6ca54439c864efaac021d35cf0

SHA1
92e8c181feaf8babc4db771ca33093177a67dc02

SHA256
6b0c5adaaca511a026245c67a45e18ebe0f208a33b35ea5dff14776c4e2aded4

SHA512
e1bc103efe3b6ba3722b63781dd0476ed6c036014f870b1913dac6fe86c13933d2dc8930f42782e6aae5119d21f3ec0bef886de026945ada006e228054bd2b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae4d2a9c_cc09b024e.exe

Filesize
1.4MB

MD5
c8cc1b2dc76454583c3968d96af6d095

SHA1
bcd0ca7a524dbf55345baa6a0622acee27136eac

SHA256
03bc61c86383045ec0d07802596d98ec5b869144fb9f41330332058d340183f3

SHA512
c7c99a9f4d953373710f4cc3b80b3f8d36eee86491755437ec2a9648df08a804fc03b4ca769cb5df3751643f1c6c44b0907e73ff1947869dfcf9598368d9f883

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\62a4bae89fe45_b5ccf628.exe

Filesize
78KB

MD5
b735af19c1782c4fbeb037fca859b8fa

SHA1
171da3e442bd4aa2336dc197eecca615c89b07cb

SHA256
6515d15d618b349a68bc2456f3a9eecc6b0b64aaac9d662c1b3f702ffba3c054

SHA512
96c3c31a08952150e74f5ee16acf51495f06d309dfd58bf6ac8a7cb1aff0dbc027901c7bb60d4b4d3246610e13d624b342041c3ead85fc713f5ed3e702f31183

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C617FE7\setup_install.exe

Filesize
2.1MB

MD5
57ce0037afbf6d9c2b519127df0d6e68

SHA1
739e874190d9f5e3427a107bf89fa06014f49600

SHA256
22a5982c64b0f2fbbfadfc2dfe2387fbbbcc7985552aac146b74ae9e49fbdb5c

SHA512
fe34fa37e890f69118838e697e4ff128e338fb14dfe827a98ca1cee4c7d98fe2432c86620c300b6fd2a7af15fe2e1df02f7ecc48536ab41f42e2cfe3d98a87b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B_L8H0.cPL

Filesize
3.9MB

MD5
0ed7fe4ca70ac151a11445cb77bbb5cf

SHA1
bfb4ab9b7460654e46c133be0d587e2584d1f9d5

SHA256
d8bd6d930b254f8b84c43e4c3915f413c229c26e0c398ba7364f1702bbe1322d

SHA512
86326ab2949094e0fe8e118d3fa41a45a44dda9a67269ab499ba850560a60b1565d888470958304be48f76c14fe8bdfa45fd59bfb0ca9ba39e9fbcd7c468e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\B_L8H0.cpl

Filesize
20.7MB

MD5
3f9c30756ba82c14686ea1fc7f032435

SHA1
832fcbc20ccdae1aac02382d6237020f70d32a9a

SHA256
add996c9f5afd1b74a20738a8a49ee05fd58b7d3ffe9fd220cb068dc4adeac71

SHA512
537c8843efd149b541af0682fe7c0c6988b43cdfa13a660b4bb289b1260d08c09dd7c41b46621f678cdaf503672472ecac890a906b8d239d7f066c81f1f3bd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B_L8H0.cpl

Filesize
3.3MB

MD5
0510a88cc615a61ea43f4ea0f070f1fd

SHA1
bd5888ceb155935001268b0b59dc1ed1c5d88704

SHA256
abd74056dca6060bf32d17063a44c7dd8a9ebafe20e1355824a054932f0a5ab9

SHA512
3c83c6a8b48a48ac4ba3b13782354782496dd96bf0691099baa505f9615d8ca30beac9607991ec316d2ff77168b2be815465931107e45eb61b6a24316dad6d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B_L8H0.cpl

Filesize
3.1MB

MD5
3ade46f543b02ad59c8effd8b087b050

SHA1
8308573c1f9f0f0df4cf95977e485f5733425f84

SHA256
71b62b1a2b9fb27889ade79fab5fc16022465372df8f9fb8538fc5e2a7a22197

SHA512
7d3361f2c6101f398f9dc54009c62dbf39ed171cffb16d54c6827ccd8f3aa5c716e4bf4002fd9b308150572a00ff54b94573a52fdd1e2f2792ac2bcb62718d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\B_L8H0.cpl

Filesize
896KB

MD5
42bbc2440846425aff01af4305c18835

SHA1
c67535ff548df0d5b1e9ad64084a9d3c15095127

SHA256
c89ba9111159a3bb70f9a2cf3efd2dbdbeb5b5c91b5d64018129f79e53de7cb7

SHA512
fbf4965789f41220cd939f0bd9d51bb95b3e5700e644a9bd64ea3e4a5839ab7bfa7285fd490b4e7a5519cc71f584c64974b3b07bf5a14b53050989161403919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B_L8H0.cpl

Filesize
128KB

MD5
d267baf9f9f68cab700fe9d6cab553c5

SHA1
cb6fd48189367664c5eeed45b1b05c6d0d36dd58

SHA256
c483bf8d55ecaf7542aff72696cbafd2db3cdb2431081d2f4b877964acde1444

SHA512
2878a629be607a0476f86dffafb12ebb4153df1d95d74cd01ffe5887be05a5232c5d18fa4f50944215f35e7ebdd9ab4f1fefecfe748e28bc6a816ff5e7ec1757

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xulsyp2t.y05.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK8R.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJDCR.tmp\62a4bae132fe9_b10406e779.tmp

Filesize
1.0MB

MD5
a5ea5f8ae934ab6efe216fc1e4d1b6dc

SHA1
cb52a9e2aa2aa0e6e82fa44879055003a91207d7

SHA256
be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e

SHA512
f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJDCR.tmp\62a4bae132fe9_b10406e779.tmp

Filesize
704KB

MD5
abdd01dc2f28360843c116a6ce30705d

SHA1
8736a6e599873766fbc07cc384d65744b8b87464

SHA256
21e6e26b333daf1fc05c2ff3e53e8be5798634b0a99327bb53bdb8c37994214a

SHA512
4281eafe9ae02db80790c417f6ae7cda880e08a3ecb712f4882f04f8cd9808bb7d39004ed0e2e1e3e73e9d131032ade4b59e3739737ff5e02d44d667dcf5958e

Download Submit
memory/2288-88-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2288-111-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2404-81-0x0000000140000000-0x000000014067D000-memory.dmp

Filesize
6.5MB

Download
memory/2964-189-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2964-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2964-212-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3192-193-0x00000000006BE000-0x00000000006C7000-memory.dmp

Filesize
36KB

Download
memory/3192-195-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/3316-240-0x000000002F730000-0x000000002F7EE000-memory.dmp

Filesize
760KB

Download
memory/3316-233-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/3316-237-0x000000002DFA0000-0x000000002E043000-memory.dmp

Filesize
652KB

Download
memory/3316-225-0x000000002F5B0000-0x000000002F670000-memory.dmp

Filesize
768KB

Download
memory/3316-230-0x000000002DFA0000-0x000000002E043000-memory.dmp

Filesize
652KB

Download
memory/3316-227-0x000000002DED0000-0x000000002DF87000-memory.dmp

Filesize
732KB

Download
memory/3316-234-0x000000002DFA0000-0x000000002E043000-memory.dmp

Filesize
652KB

Download
memory/3316-221-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/3316-226-0x000000002F730000-0x000000002F7EE000-memory.dmp

Filesize
760KB

Download
memory/3316-224-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/3588-209-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/3640-141-0x000000002E9F0000-0x000000002EAAE000-memory.dmp

Filesize
760KB

Download
memory/3640-218-0x000000002D340000-0x000000002D3E3000-memory.dmp

Filesize
652KB

Download
memory/3640-206-0x000000002D280000-0x000000002D337000-memory.dmp

Filesize
732KB

Download
memory/3640-140-0x000000002E870000-0x000000002E930000-memory.dmp

Filesize
768KB

Download
memory/3640-164-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/3640-136-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3640-244-0x000000002E9F0000-0x000000002EAAE000-memory.dmp

Filesize
760KB

Download
memory/3640-124-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/3640-214-0x000000002D340000-0x000000002D3E3000-memory.dmp

Filesize
652KB

Download
memory/3640-217-0x000000002D340000-0x000000002D3E3000-memory.dmp

Filesize
652KB

Download
memory/3648-194-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/3648-197-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/3648-208-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/3648-196-0x0000000002270000-0x000000000229A000-memory.dmp

Filesize
168KB

Download
memory/3672-186-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3672-222-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3672-192-0x00000000022B0000-0x00000000022EF000-memory.dmp

Filesize
252KB

Download
memory/3672-190-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/4108-71-0x0000000000A10000-0x0000000000A19000-memory.dmp

Filesize
36KB

Download
memory/4108-74-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/4180-45-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4180-61-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4180-60-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4464-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4464-76-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4464-112-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4540-145-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/4540-201-0x0000000007880000-0x0000000007894000-memory.dmp

Filesize
80KB

Download
memory/4540-202-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/4540-203-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/4540-207-0x0000000072BE0000-0x0000000073390000-memory.dmp

Filesize
7.7MB

Download
memory/4540-200-0x0000000007870000-0x000000000787E000-memory.dmp

Filesize
56KB

Download
memory/4540-199-0x0000000072BE0000-0x0000000073390000-memory.dmp

Filesize
7.7MB

Download
memory/4540-183-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/4540-182-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/4540-181-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/4540-180-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/4540-179-0x0000000007C70000-0x00000000082EA000-memory.dmp

Filesize
6.5MB

Download
memory/4540-178-0x00000000072E0000-0x0000000007383000-memory.dmp

Filesize
652KB

Download
memory/4540-177-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/4540-167-0x000000006E200000-0x000000006E24C000-memory.dmp

Filesize
304KB

Download
memory/4540-166-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/4540-165-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4540-146-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/4540-135-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/4540-127-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4540-123-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4540-119-0x0000000005B80000-0x0000000005BA2000-memory.dmp

Filesize
136KB

Download
memory/4540-98-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/4540-97-0x0000000004D40000-0x0000000004D76000-memory.dmp

Filesize
216KB

Download
memory/4540-96-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4540-84-0x0000000072BE0000-0x0000000073390000-memory.dmp

Filesize
7.7MB

Download