vipkeylogger | hxxps://drive[.]google[.]com/drive/folders/1yQcPmp8g-vnjU4Bk6fzClWjuU8qZ88J1?usp=sharing

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1yQcPmp8g-vnjU4Bk6fzClWjuU8qZ88J1?usp=sharing

Score

10^/10

vipkeylogger discovery execution keylogger persistence privilege_escalation stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.pymetal.net
Port:
587
Username:
[email protected]
Password:
21hnosgomezrecambios2021
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4568	powershell.exe
2528	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	7zFM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WIpGif4IRrFfamQ.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 9 IoCs

pid	Process
2116	7z2408-x64.exe
4568	7zFM.exe
4992	7zG.exe
3888	7zFM.exe
1460	WIpGif4IRrFfamQ.exe
4928	WIpGif4IRrFfamQ.exe
4180	WIpGif4IRrFfamQ.exe
1332	WIpGif4IRrFfamQ.exe
2352	WIpGif4IRrFfamQ.exe

Loads dropped DLL 3 IoCs

pid	Process
4992	7zG.exe
3544	Process not Found
3888	7zFM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
182	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2352	1460	WIpGif4IRrFfamQ.exe	158

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIpGif4IRrFfamQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIpGif4IRrFfamQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIpGif4IRrFfamQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724384344350841"	chrome.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
1460	WIpGif4IRrFfamQ.exe
1460	WIpGif4IRrFfamQ.exe
4568	powershell.exe
2528	powershell.exe
2528	powershell.exe
4568	powershell.exe
1460	WIpGif4IRrFfamQ.exe
1460	WIpGif4IRrFfamQ.exe
1460	WIpGif4IRrFfamQ.exe
1460	WIpGif4IRrFfamQ.exe
1460	WIpGif4IRrFfamQ.exe
2352	WIpGif4IRrFfamQ.exe
2352	WIpGif4IRrFfamQ.exe
3888	7zFM.exe
3888	7zFM.exe
2528	powershell.exe
4568	powershell.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4568	7zFM.exe
3888	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
4992	7zG.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe
3888	7zFM.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
2116	7z2408-x64.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
1932	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe
2880	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4120	2332	chrome.exe	84
PID 2332 wrote to memory of 4120	2332	chrome.exe	84
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 3056	2332	chrome.exe	86
PID 2332 wrote to memory of 1652	2332	chrome.exe	87
PID 2332 wrote to memory of 1652	2332	chrome.exe	87
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88
PID 2332 wrote to memory of 1052	2332	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/1yQcPmp8g-vnjU4Bk6fzClWjuU8qZ88J1?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff5599cc40,0x7fff5599cc4c,0x7fff5599cc58
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4672,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4412,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5200,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5504,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5652,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5668,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5032,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5144,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3300 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5176,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4032,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=208,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5784,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:3536
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3128,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5152,i,411309689233538750,14845759064874267147,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4568
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18930:98:7zEvent28974 -ad -saa -- "C:\Users\Admin\Downloads\Fra septiembre CGM"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Fra septiembre CGM.7z"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3888
- C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AcEnrS.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5D7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe"
    3⤵
    - Executes dropped EXE
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe"
    3⤵
    - Executes dropped EXE
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\7zO03F82189\WIpGif4IRrFfamQ.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO03F82189\WIpGif4IRrFfamQ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
12dc5223e0708e0a82f2f0a50f48e59b

SHA1
f222ac3bacaa83cca98d8fb7242922b3007d882d

SHA256
bc15a1a621833f43081dca6e18bc16ef9ea7d0d54de0f7749e0c402c38095efe

SHA512
ee5ab695015d22d42cf4635abe768facc65214e8b68cd6f391873db350d460a11a0010bdd4db30d67df22065c7fcc036a858e5c55277c2e566fa117b3fde92a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
41KB

MD5
abda4d3a17526328b95aad4cfbf82980

SHA1
f0e1d7c57c6504d2712cec813bc6fd92446ec9e8

SHA256
ee22a58fa0825364628a7618894bcacb1df5a6a775cafcfb6dea146e56a7a476

SHA512
91769a876df0aea973129c758d9a36b319a9285374c95ea1b16e9712f9aa65a1be5acf996c8f53d8cae5faf68e4e5829cd379f523055f8bcfaa0deae0d729170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
666KB

MD5
a13ce859ac80c8d3b26a61a765ab6fc9

SHA1
35b200880eeea2ff3758ea8eb63b299cdf2fc19c

SHA256
b774b34bb4e9aeb33bdfaaee232aaf17ebf666aa642056eac78c11d4ea43937d

SHA512
4fd400fec3cd0d32dc34b1a2c58e74c41e0c7a85aec291c03782a04ce573334bafdfe9774a6e9e656aa45fef6b9cb83d9c3b6cb8612ccfa123a0e985a5fae04a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
225ed43a082f3301a41799634a89669e

SHA1
5330d041ecc70b5114307276d548dc5b5444052c

SHA256
50a1f5411c7ecbc98f865a4e47010b498979dddea2e14bb49e2ee334ad477394

SHA512
c1c82433fbf7dd629bfb5b990d4bdc5b980d2b6f10ab37a33fe6e0c5a9e30bb92c1d97b488cf8a517553af5350a5c9e51892c05e95ea7e7789b7727da04921b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f1dec3830abcf2325a30e922f1189d1e

SHA1
803ca645d7ec2d2cd60bee66c6cd4e911afda395

SHA256
23e9441cf3394064dccd6c3f043823cd9a2c5cbe60ef15f7e26150008d30123b

SHA512
81ed24eae8d459426c55b644f340e851a6b21f8a388251013a9a03048f523a09ebd172449bd40fae481dbca015956c9c51f0af7ffca5f5b7967e543487e2238f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
cb71072cf7d563529f783a2a16fe431d

SHA1
5935345e86d6a0d4bed3519cf435fb204f21d46e

SHA256
21383515b3128585b318468ea891ba0021211913a543286f5561946952d938be

SHA512
39d094a015b3ae21fb59aeae9204e06ad9cda831af7553ada25e25a6c55ab3fef805574b04f3c707eae4bac1226c539874a991fb9dfcc739480f1bb036436e3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
30d695cf06bf20d9608545cc584957dc

SHA1
5bff5b56724c0f04a023d547a48387d811ea95d7

SHA256
3a2cac5306671d5e19e5293cbc2585114db8a350a378c3fa65c89288ca0b210e

SHA512
fe11e58c84485d92b5c4dd9c8b42cb78fc2b372bf21ccd81e7362d1c40957f893067f2e926b83e075bd90e818a1c96ade7f96c9b921e91bb075c5c956ed57410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2d719b8abff1039b13c9665fa1c9e37b

SHA1
a5f09c415bc6edde33a3e0c934d56fedcb12a7f9

SHA256
d871b45023e2be2828f5eaddec98f1ff0a29b8fc40e5ade5e1faed42eb073ab5

SHA512
39ff06d53da774e155c4f7dc9303e70a88ab96195740e11394964fa714a9457f66362cd84d879c7a541777d981dae07434679d1bb1c0976b1d068e05bc9f31c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eb75e4f2654227bb01e70245aba7fb9f

SHA1
f0dda0d4b291748e873327e7339497b194a6aaa5

SHA256
3c45150375a1b5347de83b88920b9f72f5cf6cae759cb7731fb154c18644d4ab

SHA512
15c12c3550ffbdbe67e0ebd03ab7cf838ee3ad3ca466a386724b2316b14df04c8aa7d13fe7bc510db7f5d86b88516dcc9d566b05b54e195d222179f30c0c5635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
961fb124abc2ef5502200cf885f5515d

SHA1
b235016a06d0e4fbd2bc7f9c45b9d0ad6f8e1935

SHA256
c85107eb27e508f79672d05e370f4357a07bf4c3a19626b37aa387c26f6fa703

SHA512
721ad9daa7050d22bcafd3dda1a99df743523820b02e8eca03b2803c77b1eff2da5b9ca0f89ff9e189e0a473664c7795138296f5195047e8469cc3860cc2f65d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf1b669767b4eeded7f60deba7b6f124

SHA1
97ff869ef95ecca35c0eee3ff48a7c99c772917c

SHA256
cfc45708af12d55e3716fc7c0ecd6f3b243433ee8f5b3beaf063a73c6906fa9c

SHA512
69f941694ca111c589b1186f1d4364effac55d140cd7374d14d18123cbf5085dbb6cfc92ae092280a369f8aee9a7c5662c0c0f96107aade863ff65a2c9224d8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f8e6c7943819c20bf8e518ae339e89ce

SHA1
cb581735c2d3f94db1295a989e80fa5d6a103ed2

SHA256
33c5837dd7f44d9bc227ff978dff57e0033da338381b7a4affc7d3e67dbb440a

SHA512
f6d63e9a2d2d9b2743e1a6a29c758616f2312464c41d59e2c35a39cdb087e58e7d209b971046dcfcf49372e7bda9ac0bf0b4333c39c86859c3af79cea04e7692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fa9dd379f3f29e66bf3fc5729aa4c089

SHA1
0193494e6048eb7093dec827b1fe87287a537e28

SHA256
089138efa679fa9145d16d3c700e0a1824eb452ba41686b151772e77537e0ca1

SHA512
4600bb3b47ce3ba95125e3d608de4d44312be98ed733677f2b2a62b51f8a8d14244bf91530ebe8c94592aacb6ae6b4626d04a069ac05190533da0198773619a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
40f0f3ba8a55146ebf2bcaf7b3f67331

SHA1
7308db2aed6807681f2b1bde9c107a9501dbce1b

SHA256
bd46ab1a0053dd2c2c7deb8e61079dde23281ee9fe6dac2a9196e496e9d4cf65

SHA512
aa0e1117f14fc133dbf31f8d5080d03dc6411f5f32491fd33c66e770c974b91de7a91375ed21b7c49715c75be7132ac413fa83ebfaa937bd50e11034312c493e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
612807a257a2ceeeec6195201ea620cc

SHA1
f65e949d6622f5db764c2b47e04a22eb0d79de2c

SHA256
0b20faa9d4ac81d072aa395fb80a62aed9f2db6b1b133d2fd9950512505705f8

SHA512
9958f4bdc17a7c8640b4ba7cbb5205088f1c98807671a7072494140947ba2c1b26b90924192ca91681a910cac2d63ff2e1a26dee12293431157d27edb170981d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
51710068e1b0f079d51f1e8f9a259c5b

SHA1
2cbef4078d6d5876366fa8071e06139cff286e03

SHA256
864e6d78131905c8dac525c614578065d9cbe65ca66aba98af022e398ea6667a

SHA512
c6b26cb0dbd24f2e32fda9304222161a5316e74b158d0a8ae9343c3958450df0b5fb49850c701b9f2a9e66897e07afdb690c5420e6dfbb45f760dc7e823ad36f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5aca1eb1d3ba6df7e4bc7d436d6f63e5

SHA1
7e6ca10eb39c6459923e350c215a3f6784bc1ba5

SHA256
8500f8be6f45f685598af4a018277230267486af571140ce8f906bd34459c0cc

SHA512
960f6a0d44db209816bf4fb59dd66b43106e3beca24bc3cd1b84798272edfe3a2e7c88dcdfc571c721ea06357e27f5a9eb61f6f6da7d62f070387d2868b9822d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e615c6406da9ae188686e0c1a3f4fde

SHA1
14914e7cb8c99d8c6b836a71b36ee8603ff9c164

SHA256
a054539b86bee95bdeeb051487eaea558fce733cb62d4f6c088dd7a25644d3c1

SHA512
b9a755e95b02fab35f49746dd4a779483a0dda1c39a9c20378309a23c13440d295b7a4e81cda6c422fcf0cab24a70587b6b70e82f14d13399d5943a69436b9f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
60b4eb08899e037679feee2cd98bf535

SHA1
df95b5477ef06436727234eb6d613afe93f366ea

SHA256
c688c4033598d5a329075e4253ff52fbe0cc236f79e62d0e6973ccd56d43b888

SHA512
5b083b1ddf48757b9b5627c3f5fff20e6a73dcc9985f1b9404051726a67cdbe693c2e773b58eb71e6333143f1bb108968ade24377f52181a87333ff2de263292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eabc208b61628c7449732a504cbb84cf

SHA1
0c828241efea06fa41f8e3d42e66ddda14c3e560

SHA256
2167dc3bd981aab9731a59c82299443fbcdff478cddd2204f6482457d66aeb90

SHA512
e60bfbf09544e9940ac10f399bfa3d2c8bb869fb337fd762cf2c7f8c726c43b48e7348b384f2b71b50d30e17ca8b374cb7a273859c2d05ac835e61b16ac61028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aba3798eb1643a459a2516a302646465

SHA1
362588cb1bc41d2f1cd33197f2fbca466f9b849c

SHA256
ffd28a6e5944003b025a9c6867ee982f9233fe38b20121fc4fc8c267e1948cf3

SHA512
bdc75aa6074ab391dd5470a0acb4081d304c0e0f57cc09fb975feffc07433bae1e278ec301f8395c62a62cf47a62b718ddb51633a48261c0477de74251c2e447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
112KB

MD5
d0cee812b85cf1a3fdef530b048251dd

SHA1
e956d5013c22466aebea3dcb2d601e0d650aac53

SHA256
631b18b6e63d516bf1efbdc587ae271ca9827a9024629aff45409dc38d5bd8a2

SHA512
fb40a1af6949cb1058558f6cca301b639ef5ad4998f3fab86576505fc2f19b79b875bf28fc49742cacdb9deff83dff8ecfa28f5c92534e4c0bffe69231191a18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
113KB

MD5
50bb311f4818e1469bc37dd691a1f7b3

SHA1
d619ac35ede1ef7e611abac13ef4ac4da7b5d7af

SHA256
eae32c3d5191c09e3ea0ecff2c13b4555dc6360dfeb385b0563b7feff5006bca

SHA512
e8bcf0c2631a9d9dc90d683ce31edf5b9b3b399bb91e21adb33c535eed4129dbdbc84e6aa3a26a2ad02bacb17252bbf9ebd49d9f5c2340815606c42ebeba05a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
112KB

MD5
6f7aa3a47d4536764b62fe4d7aa4929b

SHA1
7d9e0b949a22ac89520105f5407d1cfbd0882850

SHA256
1080856b889d0bfd2a7af4ccbb2e8eeec39f958774c7a93cd0e53846841a49d5

SHA512
2963b439661866b607d8d9932cccf29dc1d9b7761fed027a1b3a9415236309efabce656d6574ea0a92cd541820b96c92c299b6a886fedef4c2a56a88d7434a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
bc29b0f6ce9f03313a91223ad0edfa1a

SHA1
d08f1523e99e7b54fea29d5bf0ada2f0766f9ec1

SHA256
b2d000d2e2e2e00541ca106f2502163cd185c9f56abd3f7846c97cd72f66a94f

SHA512
86a898000380be247b3265bb099873ad880f0f31bfd9d2a6b7ae38c9f3aec34e5dfe86cb8ac23d69579f8335a791ad2380fafe601d23da57d6dc1002e90b9671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
113KB

MD5
3ea14dd29395f019bfe1ed3d8a4aa075

SHA1
5d3a370f70f203d0bcae50a5315eb25df47d9c28

SHA256
bb475266c8468e9afb3c435b9c93010c82cd19b8d2e0c769ac3ec563cdf2d167

SHA512
b5c2df507c5425241fcaf1559f9e103ba4bc6560e3eb86eb8ad2c183837277333e583406f817d0c903241a8aa46ae6131b53f2bcc99e1b1aa37e41b5f2010525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ebaec3de8b12ee80379f1541800be3d2

SHA1
cc443a8ea01e684b593014dcb8e487bf9e60ba18

SHA256
928f3f75ad0ac00a070b2b82722589808a243ae6b952a472374fd1e196a0e95b

SHA512
fb401016b6e383292bb1e15bccf0c4d40bb04893003feeb5c2eeb32a316ad3b0ba0bc0a3b6a1d93a1a38f72dd5d9974aab241499ab27cadbd64e4b787aa896af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO03F13AA9\WIpGif4IRrFfamQ.exe

Filesize
751KB

MD5
102c9ce1c659517c4ea924c2044305b7

SHA1
942b0a7e2077eca38b9b6ff16d89722cbbbf7002

SHA256
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310

SHA512
eca6ed6a871e9fbee67feb73534bff544f052d6b3e1058a68b4602f159f089193f0f576384e6cd49373d50200d71bb4aeadd151c0fb81a77a6246849af2f39f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ue1kysur.yxe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5D7.tmp

Filesize
1KB

MD5
3b3e9793fcb248d508e7163d0ac94353

SHA1
cbbfb3b5fddd9bb751a4cda1bd01651ca89373e5

SHA256
057d14b883a0968e625fe76984e772ba71ed901705da27e7e9a0fc89840791f6

SHA512
63bdd0088afb503caba99afb80c6c01c79abe006944072911bf4d4de2f5676caa4a54ab3f446243c3c1d52c20844b151a79db6e0dfa21df121a5926f3e1513de

Download Submit
C:\Users\Admin\Downloads\Fra septiembre CGM.7z

Filesize
666KB

MD5
0ba5910c520728a8fc90249239066e01

SHA1
64d8098867a77dc1e324907b2d1a2df4a3d3440a

SHA256
1e26c0ba410059f7944e036c8f8d0f55131d34d6f34da99f7215b078021550a1

SHA512
38f76a980ecb17e509f87ec6ac2022e76928251d1733d9d21f5b21238fb5f1244fa9a5b9612253652d087112e7576860eb0b816aa63fc0435a35e03211d6e1dd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 576122.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
memory/1460-637-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/1460-639-0x0000000005420000-0x000000000543E000-memory.dmp

Filesize
120KB

Download
memory/1460-635-0x0000000000550000-0x0000000000612000-memory.dmp

Filesize
776KB

Download
memory/1460-636-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/1460-678-0x00000000029F0000-0x0000000002A7C000-memory.dmp

Filesize
560KB

Download
memory/1460-638-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/1460-679-0x000000000BCD0000-0x000000000BD6C000-memory.dmp

Filesize
624KB

Download
memory/2352-694-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2528-743-0x0000000007E50000-0x0000000007E61000-memory.dmp

Filesize
68KB

Download
memory/2528-745-0x0000000007E90000-0x0000000007EA4000-memory.dmp

Filesize
80KB

Download
memory/2528-746-0x0000000007F90000-0x0000000007FAA000-memory.dmp

Filesize
104KB

Download
memory/2528-714-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/2528-715-0x0000000006E80000-0x0000000006ECC000-memory.dmp

Filesize
304KB

Download
memory/2528-717-0x00000000700A0000-0x00000000700EC000-memory.dmp

Filesize
304KB

Download
memory/2528-708-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/2528-744-0x0000000007E80000-0x0000000007E8E000-memory.dmp

Filesize
56KB

Download
memory/2528-716-0x00000000078F0000-0x0000000007922000-memory.dmp

Filesize
200KB

Download
memory/2528-738-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/2528-740-0x0000000007C50000-0x0000000007C6A000-memory.dmp

Filesize
104KB

Download
memory/4568-739-0x0000000007830000-0x0000000007EAA000-memory.dmp

Filesize
6.5MB

Download
memory/4568-741-0x0000000007260000-0x000000000726A000-memory.dmp

Filesize
40KB

Download
memory/4568-742-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/4568-689-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4568-718-0x00000000700A0000-0x00000000700EC000-memory.dmp

Filesize
304KB

Download
memory/4568-733-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/4568-688-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/4568-747-0x0000000007510000-0x0000000007518000-memory.dmp

Filesize
32KB

Download
memory/4568-687-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/4568-685-0x00000000050F0000-0x0000000005718000-memory.dmp

Filesize
6.2MB

Download
memory/4568-684-0x00000000025F0000-0x0000000002626000-memory.dmp

Filesize
216KB

Download