fabookie | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Analysis

max time kernel
210s
max time network
214s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

4.0MB
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
SSDEEP

98304:yptnr0G0JYxx0zDo1bUGOrl1zfyl3zaW8+c:yLnr0L2xKObNAg5c

Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader smokeloader socelars vidar 706 aspackv2 backdoor dropper loader spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

privateloader

http://37.0.10.244/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

gcleaner

194.145.227.161

Extracted

Family

vidar

Version

40.7

Botnet

706

https://petrenko96.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ab0a-72.dat	family_fabookie
behavioral2/files/0x000600000001ab0a-87.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ab09-71.dat	family_socelars
behavioral2/files/0x000600000001ab09-90.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/2344-173-0x00000000006B0000-0x00000000006F8000-memory.dmp	family_onlylogger
behavioral2/memory/2344-181-0x0000000000400000-0x0000000000466000-memory.dmp	family_onlylogger
behavioral2/memory/2344-487-0x0000000000400000-0x0000000000466000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/4292-175-0x00000000009C0000-0x0000000000A94000-memory.dmp	family_vidar
behavioral2/memory/4292-184-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral2/memory/4292-471-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000001aafd-49.dat	aspack_v212_v242
behavioral2/files/0x000700000001ab00-46.dat	aspack_v212_v242

Executes dropped EXE 15 IoCs

pid	Process
4728	setup_installer.exe
2692	setup_install.exe
3468	Sun1908b94df837b3158.exe
4596	Sun1917b8fb5f09db8.exe
4188	Sun1905815e51282417.exe
2344	Sun19de8ff4b6aefeb8.exe
3152	Sun193fda712d9f1.exe
1076	Sun191101c1aaa.exe
4772	Sun195a1614ec24e6a.exe
4960	Sun19262b9e49ad.exe
4292	Sun19eb40faaaa9.exe
2380	WerFault.exe
3180	Sun1966fb31dd5a07.exe
964	Sun198361825f4.exe
540	Sun1966fb31dd5a07.tmp

Loads dropped DLL 7 IoCs

pid	Process
2692	setup_install.exe
2692	setup_install.exe
2692	setup_install.exe
2692	setup_install.exe
2692	setup_install.exe
2692	setup_install.exe
540	Sun1966fb31dd5a07.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
27	iplogger.org
40	iplogger.org
62	pastebin.com
63	pastebin.com
22	iplogger.org
26	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2932	2692	WerFault.exe	73
4160	4772	WerFault.exe	82
5080	4292	WerFault.exe	92
4148	2344	WerFault.exe	84
2380	2344	WerFault.exe	84
4936	2344	WerFault.exe	84
4664	2344	WerFault.exe	84
4604	2344	WerFault.exe	84
3332	2344	WerFault.exe	84
3432	2344	WerFault.exe	84
5036	2344	WerFault.exe	84
2520	2344	WerFault.exe	84
4744	2344	WerFault.exe	84

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2516	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	powershell.exe
2544	powershell.exe
3468	Sun1908b94df837b3158.exe
3468	Sun1908b94df837b3158.exe
2544	powershell.exe
2544	powershell.exe
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found
2976	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2344	Sun19de8ff4b6aefeb8.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3468	Sun1908b94df837b3158.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4960	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	4960	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	4960	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	4960	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	4960	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	4960	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	4960	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	4960	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	4960	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	4960	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	4960	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	4960	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	4960	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	4960	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	4960	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	4960	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	4960	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	4960	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	4960	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	4960	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	4960	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	4960	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	4960	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	4960	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	4960	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	4960	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	4960	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	4960	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	4960	Sun19262b9e49ad.exe
Token: 31	4960	Sun19262b9e49ad.exe
Token: 32	4960	Sun19262b9e49ad.exe
Token: 33	4960	Sun19262b9e49ad.exe
Token: 34	4960	Sun19262b9e49ad.exe
Token: 35	4960	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	1076	Sun191101c1aaa.exe
Token: SeDebugPrivilege	4772	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	2380	WerFault.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	964	Sun198361825f4.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found
Token: SeShutdownPrivilege	2976	Process not Found
Token: SeCreatePagefilePrivilege	2976	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4728	3320	setup_x86_x64_install.exe	72
PID 3320 wrote to memory of 4728	3320	setup_x86_x64_install.exe	72
PID 3320 wrote to memory of 4728	3320	setup_x86_x64_install.exe	72
PID 4728 wrote to memory of 2692	4728	setup_installer.exe	73
PID 4728 wrote to memory of 2692	4728	setup_installer.exe	73
PID 4728 wrote to memory of 2692	4728	setup_installer.exe	73
PID 2692 wrote to memory of 924	2692	setup_install.exe	103
PID 2692 wrote to memory of 924	2692	setup_install.exe	103
PID 2692 wrote to memory of 924	2692	setup_install.exe	103
PID 2692 wrote to memory of 4676	2692	setup_install.exe	102
PID 2692 wrote to memory of 4676	2692	setup_install.exe	102
PID 2692 wrote to memory of 4676	2692	setup_install.exe	102
PID 2692 wrote to memory of 4296	2692	setup_install.exe	101
PID 2692 wrote to memory of 4296	2692	setup_install.exe	101
PID 2692 wrote to memory of 4296	2692	setup_install.exe	101
PID 2692 wrote to memory of 3232	2692	setup_install.exe	100
PID 2692 wrote to memory of 3232	2692	setup_install.exe	100
PID 2692 wrote to memory of 3232	2692	setup_install.exe	100
PID 2692 wrote to memory of 4424	2692	setup_install.exe	99
PID 2692 wrote to memory of 4424	2692	setup_install.exe	99
PID 2692 wrote to memory of 4424	2692	setup_install.exe	99
PID 2692 wrote to memory of 3880	2692	setup_install.exe	98
PID 2692 wrote to memory of 3880	2692	setup_install.exe	98
PID 2692 wrote to memory of 3880	2692	setup_install.exe	98
PID 2692 wrote to memory of 4140	2692	setup_install.exe	97
PID 2692 wrote to memory of 4140	2692	setup_install.exe	97
PID 2692 wrote to memory of 4140	2692	setup_install.exe	97
PID 2692 wrote to memory of 2952	2692	setup_install.exe	96
PID 2692 wrote to memory of 2952	2692	setup_install.exe	96
PID 2692 wrote to memory of 2952	2692	setup_install.exe	96
PID 2692 wrote to memory of 3720	2692	setup_install.exe	95
PID 2692 wrote to memory of 3720	2692	setup_install.exe	95
PID 2692 wrote to memory of 3720	2692	setup_install.exe	95
PID 2692 wrote to memory of 4404	2692	setup_install.exe	94
PID 2692 wrote to memory of 4404	2692	setup_install.exe	94
PID 2692 wrote to memory of 4404	2692	setup_install.exe	94
PID 2692 wrote to memory of 4448	2692	setup_install.exe	93
PID 2692 wrote to memory of 4448	2692	setup_install.exe	93
PID 2692 wrote to memory of 4448	2692	setup_install.exe	93
PID 2692 wrote to memory of 4164	2692	setup_install.exe	88
PID 2692 wrote to memory of 4164	2692	setup_install.exe	88
PID 2692 wrote to memory of 4164	2692	setup_install.exe	88
PID 2692 wrote to memory of 4884	2692	setup_install.exe	87
PID 2692 wrote to memory of 4884	2692	setup_install.exe	87
PID 2692 wrote to memory of 4884	2692	setup_install.exe	87
PID 3880 wrote to memory of 3468	3880	cmd.exe	79
PID 3880 wrote to memory of 3468	3880	cmd.exe	79
PID 3880 wrote to memory of 3468	3880	cmd.exe	79
PID 924 wrote to memory of 2544	924	cmd.exe	78
PID 924 wrote to memory of 2544	924	cmd.exe	78
PID 924 wrote to memory of 2544	924	cmd.exe	78
PID 4676 wrote to memory of 4596	4676	cmd.exe	86
PID 4676 wrote to memory of 4596	4676	cmd.exe	86
PID 4676 wrote to memory of 4596	4676	cmd.exe	86
PID 4448 wrote to memory of 4188	4448	cmd.exe	85
PID 4448 wrote to memory of 4188	4448	cmd.exe	85
PID 4448 wrote to memory of 4188	4448	cmd.exe	85
PID 4140 wrote to memory of 2344	4140	cmd.exe	84
PID 4140 wrote to memory of 2344	4140	cmd.exe	84
PID 4140 wrote to memory of 2344	4140	cmd.exe	84
PID 3232 wrote to memory of 3152	3232	cmd.exe	80
PID 3232 wrote to memory of 3152	3232	cmd.exe	80
PID 2952 wrote to memory of 1076	2952	cmd.exe	83
PID 2952 wrote to memory of 1076	2952	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 584
      4⤵
      Program crash
      PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1966fb31dd5a07.exe
        
        Sun1966fb31dd5a07.exe
        5⤵
        Executes dropped EXE
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\is-BAJ7B.tmp\Sun1966fb31dd5a07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BAJ7B.tmp\Sun1966fb31dd5a07.tmp" /SL5="$80116,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1966fb31dd5a07.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1908b94df837b3158.exe
Sun1908b94df837b3158.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3468

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun193fda712d9f1.exe
Sun193fda712d9f1.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19262b9e49ad.exe
Sun19262b9e49ad.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun195a1614ec24e6a.exe
Sun195a1614ec24e6a.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1680
  2⤵
  - Program crash
  PID:4160

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun191101c1aaa.exe
Sun191101c1aaa.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19de8ff4b6aefeb8.exe
Sun19de8ff4b6aefeb8.exe /mixone
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 656
  2⤵
  - Program crash
  PID:4148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 672
  2⤵
  - Executes dropped EXE
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 772
  2⤵
  - Program crash
  PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 820
  2⤵
  - Program crash
  PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 840
  2⤵
  - Program crash
  PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 900
  2⤵
  - Program crash
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1140
  2⤵
  - Program crash
  PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1296
  2⤵
  - Program crash
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1332
  2⤵
  - Program crash
  PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 660
  2⤵
  - Program crash
  PID:4744

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1905815e51282417.exe
Sun1905815e51282417.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1917b8fb5f09db8.exe
Sun1917b8fb5f09db8.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun198361825f4.exe
Sun198361825f4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19e4ade31b2a.exe
Sun19e4ade31b2a.exe
1⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19eb40faaaa9.exe
Sun19eb40faaaa9.exe
1⤵
- Executes dropped EXE
PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 932
  2⤵
  - Program crash
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Module_Art\Sun198361825f4.exe_Url_rxkxkwpguqcj1ozvmguw0z0y0jpzs2r4\1.2.1.0\gfqysifs.newcfg

Filesize
1KB

MD5
d71a12b7aa02592b03878877eb133425

SHA1
899c5404464c3efed66534207d0245e0cf050488

SHA256
b44c3fa39198be28e0e723fd458eae31a5f05041926917fe11e2b265aa0cbee4

SHA512
ae0733fe01b479f4ad291ac1180ae9f9b5833fa072001c40728d9f26d4aa9e94ec0239432df16cad35c2675b41d58c6e599fbd0dbc1354d297ab8bca30cd4441

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\Sun198361825f4.exe_Url_rxkxkwpguqcj1ozvmguw0z0y0jpzs2r4\1.2.1.0\user.config

Filesize
842B

MD5
1b02b89ab3872d00c6a46cb4a7048dc9

SHA1
0840aefbbe40a00d7290d32ce8243de3cf98339e

SHA256
ac8517efbed88850a40943fbd667d9a06f6a156f0031109f59b4ca821aa22fd4

SHA512
0eeee6c2cf1eaa11d561ba17ed65caf97e069b5ccbf7420c3ae4bf88859f1273034a600da91620411b12cd3241dcfabdc8d4ddd58218f2781254ac6ccf1fa419

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\Sun198361825f4.exe_Url_rxkxkwpguqcj1ozvmguw0z0y0jpzs2r4\1.2.1.0\vc5ro1ed.newcfg

Filesize
964B

MD5
8e18625cd36f0075da4bf0ce8fac8204

SHA1
0df80ad1c5ea9bddcb5cfcf2c60c6fb3db903216

SHA256
35799f5570b76aa51478e74ea9d1c42b39be157c3953a2b44047dd3ed2e629b1

SHA512
74d8be6cddfc1c13acb30c18752d93ef8d57348b8b29220914ecb126ae8459318dd150b2f51299870119bdb6483f35417baa988c688f0f621512c5a47e227c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1905815e51282417.exe

Filesize
20KB

MD5
1aecd083bbec326d90698a79f73749d7

SHA1
1ea884d725caec27aac2b3c0baccfd0c380a414e

SHA256
d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31

SHA512
c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1908b94df837b3158.exe

Filesize
244KB

MD5
26c211413dfd432a9ce28c19a67910a1

SHA1
dbf2173faa9e35bb9c710e289a247786248fe9e8

SHA256
e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b

SHA512
4c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun191101c1aaa.exe

Filesize
8KB

MD5
ae0bb0ef615f4606fbe1f050b6f08ca3

SHA1
f69b6d6496d8941ef53bca7c3578ad616cf5a4b1

SHA256
03d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745

SHA512
ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1917b8fb5f09db8.exe

Filesize
529KB

MD5
8a40bac445ecb19f7cb8995b5ae9390b

SHA1
2a8a36c14a0206acf54150331cc178af1af06d9c

SHA256
5da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8

SHA512
60678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1917b8fb5f09db8.exe

Filesize
369KB

MD5
ec599d1430570ba28af86416bc6164e7

SHA1
f5e75ffd66c3db00a425467a3a42846a752962b3

SHA256
54c73fe1a17232710c53ea96f9cbdca1de4b5d6a62b65e7b66e83c28f80ab59a

SHA512
6a66ea6b2f4275629a467c83399eb02f4236a534cdc80145f31a8e3341b7f7d718b7506a3bd41b926d4f58815d4b8e0f751895dc15fb5348159f8d540643e7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19262b9e49ad.exe

Filesize
496KB

MD5
f692c254c865bbe1e9eb2cc676ed8dec

SHA1
203eed15b00cc24178dd02e99ddacf73610a0557

SHA256
8515a09e81e2518b4e61fad24173d978667a1e6344d35206a64964b89389cf12

SHA512
31a50da027eea09447564638522b67e62756567c8d3cf1f4fb4961ac226b5e45c93ea6a79934ca077d572fc6556d899db49431f3c0673c6ac8d2a1766dcb0e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19262b9e49ad.exe

Filesize
64KB

MD5
694d0401459e5f89d804698ec3bde983

SHA1
640c2e8788bf073f503548fcb1b9edf790c387d2

SHA256
f72619dbaa740edfd7edee7fe42befa19d9554cef198ff86b62cd6bffe94468f

SHA512
ba203fdb8900107ab8fad044a585feef0db2806059126b8824283525ca391070c76f9f5b347acaba3a89d4b1b825d06c8669889d57bd1767486baaf5c727572d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun193fda712d9f1.exe

Filesize
804KB

MD5
f28c78899f8ded54dbe421cb77eaf480

SHA1
370f43688d23670a208b7c6a69919a40c1dabe23

SHA256
90fe8093c9ba0949e08fcbdc709706f3e4a1edfa8333bc0b2992ace1225ddd45

SHA512
d628c3f5a28d050adc92a14808aebc1ba12897c0baadf604283d6725fc42e67585fa70613c7b0b6fff84ee465540df756f012d6dbd3fb6ea5570004a5a465b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun193fda712d9f1.exe

Filesize
1.2MB

MD5
ac6315382d1fd10d2746cfcc59d05da2

SHA1
ccbb9a3e3beda8171fc24afd6b459472a8db2607

SHA256
42ba0abb37cd263627fc0c280090fa564b54d8eca6b5e730bcaf6c6b1fd7d2db

SHA512
425cbfd93041d027ddad0cc0e570f1749a21d66356e0b44b479586cb62305a97bf8090363746e48b6ce2e2ef8e542f55471a7158a184a0cc3557578ec2055eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun195a1614ec24e6a.exe

Filesize
16KB

MD5
9b7319450f0633337955342ae97fa060

SHA1
4cc5b5dfc5a4cf357158aedcab93ce4cc5bff350

SHA256
c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085

SHA512
e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun1966fb31dd5a07.exe

Filesize
503KB

MD5
29158d5c6096b12a039400f7ae1eaf0e

SHA1
940043fa68cc971b0aa74d4e0833130dad1abc16

SHA256
36cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a

SHA512
366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun198361825f4.exe

Filesize
801KB

MD5
715adc3e400995ffa6ecbe95acbe4f2f

SHA1
e15ec077124e12ebe81f3ffb4854054e4fd81456

SHA256
04a4473b92ad516a4736470f501af92151d76f2f0b8f4152a27de652dbaf783a

SHA512
13b5aa683cf93d8c2c835d9670a24afa0e2de0ab1079785299c3e58a6fd2f9de31eee7468d1c1b07c4eb97387864db9d977ccd622558d134cfa8f8ceff361b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun198361825f4.exe

Filesize
833KB

MD5
b5e6b9b29735d99b8009463b4ea5a176

SHA1
bcf780367341bb2b51b9586a7abaf9cdf27f19ab

SHA256
2c4e3b2da9a0c9b827058e3ef9367005550f8433f4aa9dc55b8516532eb71e2b

SHA512
54b1415b7b53ea67944433863b3b9955cebe8f94af17debd809277313485101e63213922b8e78e5c42d4b868a64d264a9b8ce26643b1a710c87bdb74dbd522f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19de8ff4b6aefeb8.exe

Filesize
341KB

MD5
a59fcaa97312717fb21d7b2c06bca07d

SHA1
4eaa829db16fb78f9a276da83c13c080de4827c0

SHA256
ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0

SHA512
4a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19e4ade31b2a.exe

Filesize
50KB

MD5
9535f08bd5920f84ac344f8884fe155d

SHA1
05acf56d12840558ebc17a138d4390dad7a96d5a

SHA256
bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e

SHA512
2dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19e4ade31b2a.exe

Filesize
1KB

MD5
993aaf3dd8dbfbff3b76cfdbd0a3221f

SHA1
e7a10e0559ffa0518d76b0fb2760c238800ca7e0

SHA256
06c3d6808b65c368c62da73b752ceee260bcec787f2084c0034388d42a4a7168

SHA512
880aa9d966a0de95d40f8eaddf44d2067c54161b55d5c25b0877dfb495a6f7d1c01e4b57413c23abbcd9e0928059c6b35b368aec758b6e6a7310c96aa9a5de9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19eb40faaaa9.exe

Filesize
405KB

MD5
f2b5b69d04d9d829a44864fd35c8928f

SHA1
1e4d4eddf5cc11eb91f212165b35ab6c39d3661b

SHA256
9df160858c7216dfc8de54cf5c8703d1e5d035c5b4e6248e33c5889eb7a6afcd

SHA512
0edcf1d1e5fb508a3387b64594e03fc8da291539f1f9d1f4a1e1dc5c6ddb2e982d38c44eea0e29ece535e4c13e0759ca759212f428237a5ccf27784ad371eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\Sun19eb40faaaa9.exe

Filesize
64KB

MD5
b407018f02e0db440aa17c662e816d54

SHA1
2acb262cab06b9dfaabd7f84e9b1cb658b5e6e7e

SHA256
71cade7de4c64b85797246fd961c1b1e931141fc3b779b547f319f6692ea817d

SHA512
a535c9edf74b20147ec556d395e5620474d6cb23529758f5652155950551079ab1dc64df70a0f2b50ce648e97e78c0bcbda9a65c22a1a88d471fa36e83f0232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\setup_install.exe

Filesize
1.4MB

MD5
52e06c2c8a4c4156ace4989940e0b18a

SHA1
7d41b0d0ed492112d3e2d31a2c882c6c3c171a1c

SHA256
ffda2216c053739dc3ae8110ec075791cd15737b3bfe29894f183dc0b3ce37c4

SHA512
15985565cd1388201a91648566c17e08fae2ca97f61ed087c62b46ede6638237509f42ac06c2d0c9e06e03c094e0a20984d4b8c835865c8b5ef580cb09f096b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8720D1F7\setup_install.exe

Filesize
257KB

MD5
d669d0b413b99e56afb861a9b78470c3

SHA1
2842f6bf69ade1747b67e8f8df1dc858fe8cea32

SHA256
c0044d0807b6397ae44be08b4893ae6669288dc93cebb5ca36d843e4098cb492

SHA512
7f87e5a4783aea86118d38cbd4cb6f06526e8af1b2d3ccaa0fb60660985346960b8d6769e2f73bce0404e3a59034c484878e1596b4f44cedce508c1c5c80cea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcbemhzi.x5s.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BAJ7B.tmp\Sun1966fb31dd5a07.tmp

Filesize
318KB

MD5
e8b792b4dd154d31864a9f78c60078fe

SHA1
64861cacbe64541c84c51fed885ce5c3458e434d

SHA256
399a8696cea286a012b1da679c5f4ec0c57f8000fdb99dd5ca25a7ccd9b73dee

SHA512
f47afd624e896d383544a2b6a43e8856b3407bd0c7402510f2d12737bd93940f16acd7205835958bff5ca97c1e5a37bcd238fa0ee548ecd1e6500319d74b8455

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.8MB

MD5
fe74c7723f3da88a5c5543617ee93b89

SHA1
0f06191166ec8fbe7c1a9a2f25c07fa9af28021b

SHA256
e6eaa132da9292ebd0b184310faa5651765f567beea7d59c00b876f11cc09afc

SHA512
a371b81952ab84d1e1afe447bc83e7ccbef7f0170bf00da7d40d4cf1c131b42941404ff7d7147e78b219c7e8b85e5091e6b239dcc760da54977555f7d46f2443

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.3MB

MD5
625be36a97b61c272c0da1ebfcb7adad

SHA1
a3b089be914fbd0e7a3fd98a6ba801bc5a4e1918

SHA256
28f4f5cdfd7b7a4a63edb93830226b961e74b71083187d5289fc998dcaf4b222

SHA512
d47e31e59de31413e9b7594915fee6c624a8f27061bfcc8a83ff3740dbab6f3951b1078f6e6de51ceed030424c991dc079f475b942ac2e6414b40ac764a76240

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8720D1F7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8720D1F7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\is-7RQMQ.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/540-180-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/540-134-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/964-115-0x00007FFA5E740000-0x00007FFA5F12C000-memory.dmp

Filesize
9.9MB

Download
memory/964-106-0x000001DBDB200000-0x000001DBDB210000-memory.dmp

Filesize
64KB

Download
memory/964-489-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/964-486-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/964-151-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/964-488-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/964-100-0x000001DBDAD00000-0x000001DBDAE88000-memory.dmp

Filesize
1.5MB

Download
memory/964-128-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/964-484-0x00007FFA5E740000-0x00007FFA5F12C000-memory.dmp

Filesize
9.9MB

Download
memory/964-127-0x000001DBF7870000-0x000001DBF78F4000-memory.dmp

Filesize
528KB

Download
memory/964-152-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/964-137-0x000001DBF53B0000-0x000001DBF53C0000-memory.dmp

Filesize
64KB

Download
memory/1076-126-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/1076-96-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/1076-113-0x00007FFA5E740000-0x00007FFA5F12C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-477-0x00007FFA5E740000-0x00007FFA5F12C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-485-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/2344-179-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/2344-487-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2344-181-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2344-173-0x00000000006B0000-0x00000000006F8000-memory.dmp

Filesize
288KB

Download
memory/2380-99-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/2380-190-0x00007FFA5E740000-0x00007FFA5F12C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-131-0x000000001ACF0000-0x000000001AD00000-memory.dmp

Filesize
64KB

Download
memory/2380-108-0x00007FFA5E740000-0x00007FFA5F12C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-110-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/2544-217-0x0000000009500000-0x0000000009533000-memory.dmp

Filesize
204KB

Download
memory/2544-185-0x0000000007A50000-0x0000000007A6C000-memory.dmp

Filesize
112KB

Download
memory/2544-133-0x0000000006D90000-0x0000000006DA0000-memory.dmp

Filesize
64KB

Download
memory/2544-470-0x00000000719D0000-0x00000000720BE000-memory.dmp

Filesize
6.9MB

Download
memory/2544-129-0x0000000006D90000-0x0000000006DA0000-memory.dmp

Filesize
64KB

Download
memory/2544-125-0x00000000719D0000-0x00000000720BE000-memory.dmp

Filesize
6.9MB

Download
memory/2544-442-0x0000000008620000-0x0000000008628000-memory.dmp

Filesize
32KB

Download
memory/2544-114-0x00000000073D0000-0x00000000079F8000-memory.dmp

Filesize
6.2MB

Download
memory/2544-111-0x0000000006C70000-0x0000000006CA6000-memory.dmp

Filesize
216KB

Download
memory/2544-138-0x0000000007360000-0x0000000007382000-memory.dmp

Filesize
136KB

Download
memory/2544-437-0x0000000008640000-0x000000000865A000-memory.dmp

Filesize
104KB

Download
memory/2544-167-0x0000000007C50000-0x0000000007CB6000-memory.dmp

Filesize
408KB

Download
memory/2544-169-0x0000000007A70000-0x0000000007AD6000-memory.dmp

Filesize
408KB

Download
memory/2544-243-0x0000000009810000-0x00000000098A4000-memory.dmp

Filesize
592KB

Download
memory/2544-240-0x0000000006D90000-0x0000000006DA0000-memory.dmp

Filesize
64KB

Download
memory/2544-171-0x0000000007CC0000-0x0000000008010000-memory.dmp

Filesize
3.3MB

Download
memory/2544-221-0x0000000070090000-0x00000000700DB000-memory.dmp

Filesize
300KB

Download
memory/2544-233-0x0000000009630000-0x00000000096D5000-memory.dmp

Filesize
660KB

Download
memory/2544-229-0x000000007ECA0000-0x000000007ECB0000-memory.dmp

Filesize
64KB

Download
memory/2544-225-0x00000000092C0000-0x00000000092DE000-memory.dmp

Filesize
120KB

Download
memory/2544-189-0x00000000083C0000-0x0000000008436000-memory.dmp

Filesize
472KB

Download
memory/2544-188-0x00000000082D0000-0x000000000831B000-memory.dmp

Filesize
300KB

Download
memory/2692-216-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2692-481-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2692-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2692-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2692-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2692-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2692-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2692-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2692-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2692-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2692-62-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2692-227-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2692-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2692-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2692-222-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2692-483-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2692-220-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2692-219-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2692-482-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2692-480-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2692-479-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2692-478-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2692-218-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2692-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2976-239-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/3180-95-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3180-132-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3180-183-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3468-241-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3468-172-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3468-170-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/3468-168-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4292-174-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/4292-175-0x00000000009C0000-0x0000000000A94000-memory.dmp

Filesize
848KB

Download
memory/4292-471-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4292-184-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4772-107-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/4772-476-0x00000000719D0000-0x00000000720BE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-102-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/4772-120-0x00000000719D0000-0x00000000720BE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-130-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download