gcleaner | bf04933d506d9325ceecaa263a5ae72bf90a53030cf52f71b30aee05a9462124

Analysis

max time kernel
90s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
Size

4.7MB
MD5

93f7cfd3c022ed464cdcc4a13d8f48b3
SHA1

05e9c0722bae43249cfe1b9597325a47c00da1f1
SHA256

5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684
SHA512

c3b44c420ec8d28bd6df4451cdd6203cfe71cc515a8e56e4df8062ab451fbb6dfc5ed7681fad91d3f20309e0832468ac7eda0ac15d9cda9774320dc7c09b8727
SSDEEP

98304:xICvLUBsgYqbmtzs03GefVRgLECXbvgbLujlnCY:xVLUCgYqEBfrx8LALuZl

Score

10^/10

gcleaner nullmixer onlylogger privateloader redline socelars vidar 916 media0421 newjust aspackv2 discovery dropper execution infostealer loader spyware stealer

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

http://www.hhgenice.top/

Extracted

Family

redline

Botnet

media0421

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

newjust

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

gcleaner

gcl-gb.biz

Extracted

Family

vidar

Version

47.8

Botnet

916

https://mas.to/@romashkin

Attributes

profile_id
916

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-271-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2416-269-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2416-268-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2416-265-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2416-263-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2200-289-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2200-287-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2200-286-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2200-283-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2200-281-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu129b58b9b0f.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

OnlyLogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-292-0x0000000000400000-0x000000000058E000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1896-291-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2952 powershell.exe
1556 powershell.exe

pid	process
2952	powershell.exe
1556	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS41993C86\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\libstdc++-6.dll	aspack_v212_v242

Executes dropped EXE 26 IoCs

Processes:

setup_install.exeThu1208bf6d0f486a794.exeThu1280b59af22cd9c.exeThu129669806cdca3927.exeThu12e1241a094d.exeThu121140b64ce4c46ce.exeThu127981c26d54a.exeThu12da0e0583ec.exeThu12ef9d4918019024.exeThu12d029f46c2744e2.exeThu120f58b49aa7.exeThu128f00bf1210e.exeThu12f6511464c36.exeThu12a38e31c39b.exeThu1248a0986c9.exeThu1208bf6d0f486a794.exeThu129b58b9b0f.exeThu12d029f46c2744e2.exeThu12ef9d4918019024.tmpThu12e1241a094d.tmpThu12ef9d4918019024.exeThu12ef9d4918019024.tmpI6IQptFNP9WP.eXEThu12a38e31c39b.exeThu1248a0986c9.exeThu1248a0986c9.exe

pid	process
1920	setup_install.exe
2728	Thu1208bf6d0f486a794.exe
2260	Thu1280b59af22cd9c.exe
1608	Thu129669806cdca3927.exe
1668	Thu12e1241a094d.exe
1896	Thu121140b64ce4c46ce.exe
1624	Thu127981c26d54a.exe
2420	Thu12da0e0583ec.exe
1456	Thu12ef9d4918019024.exe
2760	Thu12d029f46c2744e2.exe
2872	Thu120f58b49aa7.exe
2076	Thu128f00bf1210e.exe
1948	Thu12f6511464c36.exe
2940	Thu12a38e31c39b.exe
3052	Thu1248a0986c9.exe
2096	Thu1208bf6d0f486a794.exe
3048	Thu129b58b9b0f.exe
1304	Thu12d029f46c2744e2.exe
1748	Thu12ef9d4918019024.tmp
1264	Thu12e1241a094d.tmp
1436	Thu12ef9d4918019024.exe
2456	Thu12ef9d4918019024.tmp
2832	I6IQptFNP9WP.eXE
2416	Thu12a38e31c39b.exe
948	Thu1248a0986c9.exe
2200	Thu1248a0986c9.exe

Loads dropped DLL 64 IoCs

Processes:

5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exeThu1208bf6d0f486a794.exeThu1280b59af22cd9c.execmd.exeThu12e1241a094d.execmd.exeThu121140b64ce4c46ce.exeThu12da0e0583ec.exeThu12ef9d4918019024.execmd.exeThu129669806cdca3927.execmd.execmd.exeThu120f58b49aa7.execmd.exeThu12f6511464c36.exeThu128f00bf1210e.execmd.execmd.exeThu12a38e31c39b.exeThu1248a0986c9.exeThu129b58b9b0f.exeThu12ef9d4918019024.tmpThu12e1241a094d.tmp

pid	process
2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
1920	setup_install.exe
1920	setup_install.exe
1920	setup_install.exe
1920	setup_install.exe
1920	setup_install.exe
1920	setup_install.exe
1920	setup_install.exe
1920	setup_install.exe
2568	cmd.exe
2768	cmd.exe
2524	cmd.exe
2724	cmd.exe
2568	cmd.exe
2596	cmd.exe
2724	cmd.exe
2492	cmd.exe
2728	Thu1208bf6d0f486a794.exe
2728	Thu1208bf6d0f486a794.exe
2260	Thu1280b59af22cd9c.exe
2260	Thu1280b59af22cd9c.exe
2688	cmd.exe
1668	Thu12e1241a094d.exe
1668	Thu12e1241a094d.exe
2108	cmd.exe
2108	cmd.exe
1896	Thu121140b64ce4c46ce.exe
1896	Thu121140b64ce4c46ce.exe
2420	Thu12da0e0583ec.exe
2420	Thu12da0e0583ec.exe
1456	Thu12ef9d4918019024.exe
1456	Thu12ef9d4918019024.exe
2636	cmd.exe
1608	Thu129669806cdca3927.exe
1608	Thu129669806cdca3927.exe
1704	cmd.exe
3068	cmd.exe
2872	Thu120f58b49aa7.exe
2872	Thu120f58b49aa7.exe
2068	cmd.exe
2068	cmd.exe
1948	Thu12f6511464c36.exe
1948	Thu12f6511464c36.exe
2076	Thu128f00bf1210e.exe
2076	Thu128f00bf1210e.exe
2692	cmd.exe
2692	cmd.exe
2572	cmd.exe
2572	cmd.exe
2940	Thu12a38e31c39b.exe
2940	Thu12a38e31c39b.exe
3052	Thu1248a0986c9.exe
3052	Thu1248a0986c9.exe
2728	Thu1208bf6d0f486a794.exe
3048	Thu129b58b9b0f.exe
3048	Thu129b58b9b0f.exe
1456	Thu12ef9d4918019024.exe
1668	Thu12e1241a094d.exe
1748	Thu12ef9d4918019024.tmp
1748	Thu12ef9d4918019024.tmp
1264	Thu12e1241a094d.tmp
1264	Thu12e1241a094d.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

28 iplogger.org
29 iplogger.org
40 pastebin.com
42 pastebin.com
43 pastebin.com
52 iplogger.org
62 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
28	iplogger.org
29	iplogger.org
40	pastebin.com
42	pastebin.com
43	pastebin.com
52	iplogger.org
62	iplogger.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

Thu12a38e31c39b.exeThu1248a0986c9.exe

description	pid	process	target process
PID 2940 set thread context of 2416	2940	Thu12a38e31c39b.exe	Thu12a38e31c39b.exe
PID 3052 set thread context of 2200	3052	Thu1248a0986c9.exe	Thu1248a0986c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1376 1896 WerFault.exe Thu121140b64ce4c46ce.exe

pid	pid_target	process	target process
1376	1896	WerFault.exe	Thu121140b64ce4c46ce.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setup_install.execmd.execmd.execmd.exeThu1248a0986c9.exeThu12ef9d4918019024.tmpThu1208bf6d0f486a794.exeI6IQptFNP9WP.eXEmshta.exeThu129b58b9b0f.execmd.execmd.exeThu12e1241a094d.exemshta.exeThu1248a0986c9.exeThu129669806cdca3927.exeThu12f6511464c36.exetaskkill.execmd.exe5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.execmd.execmd.execmd.exepowershell.execmd.execmd.exeregsvr32.exetaskkill.execmd.execmd.exeThu12da0e0583ec.exeThu120f58b49aa7.execmd.exeThu1280b59af22cd9c.exeThu12e1241a094d.tmpThu121140b64ce4c46ce.execmd.exeThu1208bf6d0f486a794.exeThu12a38e31c39b.exepowershell.exeThu12a38e31c39b.execmd.exeThu128f00bf1210e.execmd.exemshta.execmd.exeThu12ef9d4918019024.execmd.exeThu12ef9d4918019024.execmd.execmd.execmd.exeThu12ef9d4918019024.tmpcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu1248a0986c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12ef9d4918019024.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu1208bf6d0f486a794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	I6IQptFNP9WP.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu129b58b9b0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12e1241a094d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu1248a0986c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu129669806cdca3927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12f6511464c36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12da0e0583ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu120f58b49aa7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu1280b59af22cd9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12e1241a094d.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu121140b64ce4c46ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu1208bf6d0f486a794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12a38e31c39b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12a38e31c39b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu128f00bf1210e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12ef9d4918019024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12ef9d4918019024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu12ef9d4918019024.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2316 taskkill.exe
2376 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2952 powershell.exe
1556 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Thu12ef9d4918019024.tmp

pid process

2456 Thu12ef9d4918019024.tmp

pid	process
2316	taskkill.exe
2376	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2952	powershell.exe
1556	powershell.exe

pid	process
2456	Thu12ef9d4918019024.tmp

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Thu127981c26d54a.exeThu129b58b9b0f.exepowershell.exepowershell.exetaskkill.exeThu1280b59af22cd9c.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1624	Thu127981c26d54a.exe
Token: SeCreateTokenPrivilege	3048	Thu129b58b9b0f.exe
Token: SeAssignPrimaryTokenPrivilege	3048	Thu129b58b9b0f.exe
Token: SeLockMemoryPrivilege	3048	Thu129b58b9b0f.exe
Token: SeIncreaseQuotaPrivilege	3048	Thu129b58b9b0f.exe
Token: SeMachineAccountPrivilege	3048	Thu129b58b9b0f.exe
Token: SeTcbPrivilege	3048	Thu129b58b9b0f.exe
Token: SeSecurityPrivilege	3048	Thu129b58b9b0f.exe
Token: SeTakeOwnershipPrivilege	3048	Thu129b58b9b0f.exe
Token: SeLoadDriverPrivilege	3048	Thu129b58b9b0f.exe
Token: SeSystemProfilePrivilege	3048	Thu129b58b9b0f.exe
Token: SeSystemtimePrivilege	3048	Thu129b58b9b0f.exe
Token: SeProfSingleProcessPrivilege	3048	Thu129b58b9b0f.exe
Token: SeIncBasePriorityPrivilege	3048	Thu129b58b9b0f.exe
Token: SeCreatePagefilePrivilege	3048	Thu129b58b9b0f.exe
Token: SeCreatePermanentPrivilege	3048	Thu129b58b9b0f.exe
Token: SeBackupPrivilege	3048	Thu129b58b9b0f.exe
Token: SeRestorePrivilege	3048	Thu129b58b9b0f.exe
Token: SeShutdownPrivilege	3048	Thu129b58b9b0f.exe
Token: SeDebugPrivilege	3048	Thu129b58b9b0f.exe
Token: SeAuditPrivilege	3048	Thu129b58b9b0f.exe
Token: SeSystemEnvironmentPrivilege	3048	Thu129b58b9b0f.exe
Token: SeChangeNotifyPrivilege	3048	Thu129b58b9b0f.exe
Token: SeRemoteShutdownPrivilege	3048	Thu129b58b9b0f.exe
Token: SeUndockPrivilege	3048	Thu129b58b9b0f.exe
Token: SeSyncAgentPrivilege	3048	Thu129b58b9b0f.exe
Token: SeEnableDelegationPrivilege	3048	Thu129b58b9b0f.exe
Token: SeManageVolumePrivilege	3048	Thu129b58b9b0f.exe
Token: SeImpersonatePrivilege	3048	Thu129b58b9b0f.exe
Token: SeCreateGlobalPrivilege	3048	Thu129b58b9b0f.exe
Token: 31	3048	Thu129b58b9b0f.exe
Token: 32	3048	Thu129b58b9b0f.exe
Token: 33	3048	Thu129b58b9b0f.exe
Token: 34	3048	Thu129b58b9b0f.exe
Token: 35	3048	Thu129b58b9b0f.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2260	Thu1280b59af22cd9c.exe
Token: SeDebugPrivilege	2376	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exesetup_install.execmd.exe

description	pid	process	target process
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 2324 wrote to memory of 1920	2324	5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe	setup_install.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2780	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2708	1920	setup_install.exe	cmd.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 2952	2780	cmd.exe	powershell.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2724	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2108	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2688	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2636	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2768	1920	setup_install.exe	cmd.exe
PID 1920 wrote to memory of 2524	1920	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe
"C:\Users\Admin\AppData\Local\Temp\5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\7zS41993C86\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS41993C86\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu12da0e0583ec.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12da0e0583ec.exe
      Thu12da0e0583ec.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu121140b64ce4c46ce.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu121140b64ce4c46ce.exe
      Thu121140b64ce4c46ce.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 936
        5⤵
        Program crash
        
        PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu12e1241a094d.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12e1241a094d.exe
      Thu12e1241a094d.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\is-A06U1.tmp\Thu12e1241a094d.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A06U1.tmp\Thu12e1241a094d.tmp" /SL5="$501F8,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12e1241a094d.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu120f58b49aa7.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu120f58b49aa7.exe
      Thu120f58b49aa7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu127981c26d54a.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu127981c26d54a.exe
      Thu127981c26d54a.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu1280b59af22cd9c.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1280b59af22cd9c.exe
      Thu1280b59af22cd9c.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu12d029f46c2744e2.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12d029f46c2744e2.exe
      Thu12d029f46c2744e2.exe
      4⤵
      Executes dropped EXE
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12d029f46c2744e2.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12d029f46c2744e2.exe"
      4⤵
      Executes dropped EXE
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu1208bf6d0f486a794.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1208bf6d0f486a794.exe
      Thu1208bf6d0f486a794.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1208bf6d0f486a794.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1208bf6d0f486a794.exe" -u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu129669806cdca3927.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu129669806cdca3927.exe
      Thu129669806cdca3927.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu1248a0986c9.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1248a0986c9.exe
      Thu1248a0986c9.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1248a0986c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1248a0986c9.exe
        5⤵
        Executes dropped EXE
        
        PID:948
    - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1248a0986c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1248a0986c9.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu128f00bf1210e.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu128f00bf1210e.exe
      Thu128f00bf1210e.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2076
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRiPT: cLOsE( cReATeOBjeCT("WSCripT.shELl"). run("cmD /q /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu128f00bf1210e.exe"" I6IQptFNP9WP.eXE&& staRT I6IQPtFNP9WP.EXe -Pw4qd4A~q8IThZSKJXqwde6TkE & if """"== """" for %Q IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu128f00bf1210e.exe"" ) do taskkill -IM ""%~nXQ"" /F ",0 ,truE ) )
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C COpy /y "C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu128f00bf1210e.exe" I6IQptFNP9WP.eXE&& staRT I6IQPtFNP9WP.EXe -Pw4qd4A~q8IThZSKJXqwde6TkE & if ""== "" for %Q IN ("C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu128f00bf1210e.exe" ) do taskkill -IM "%~nXQ" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\I6IQptFNP9WP.eXE
        
        I6IQPtFNP9WP.EXe -Pw4qd4A~q8IThZSKJXqwde6TkE
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRiPT: cLOsE( cReATeOBjeCT("WSCripT.shELl"). run("cmD /q /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\I6IQptFNP9WP.eXE"" I6IQptFNP9WP.eXE&& staRT I6IQPtFNP9WP.EXe -Pw4qd4A~q8IThZSKJXqwde6TkE & if ""-Pw4qd4A~q8IThZSKJXqwde6TkE ""== """" for %Q IN ( ""C:\Users\Admin\AppData\Local\Temp\I6IQptFNP9WP.eXE"" ) do taskkill -IM ""%~nXQ"" /F ",0 ,truE ) )
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C COpy /y "C:\Users\Admin\AppData\Local\Temp\I6IQptFNP9WP.eXE" I6IQptFNP9WP.eXE&& staRT I6IQPtFNP9WP.EXe -Pw4qd4A~q8IThZSKJXqwde6TkE & if "-Pw4qd4A~q8IThZSKJXqwde6TkE "== "" for %Q IN ("C:\Users\Admin\AppData\Local\Temp\I6IQptFNP9WP.eXE" ) do taskkill -IM "%~nXQ" /F
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPt:cLoSE ( CrEAteobJEcT ( "wscriPT.sHElL" ). RUN("cmd /c EchO | SET /p = ""MZ"" > YepETKe.D& copy /B /y YEpETKe.D +WaxWlAE.MOO + 5jPlwLI.8MA + FWIGqemS.T0 +RH9WTY5.zq + 5_OQ_EKT._ + 22H_X_.T7 FDS3LsH.MY& stArT regsvr32.exe /U -S fdS3LSH.MY ", 0, tRUe) )
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c EchO | SET /p = "MZ" > YepETKe.D& copy /B /y YEpETKe.D +WaxWlAE.MOO + 5jPlwLI.8MA + FWIGqemS.T0 +RH9WTY5.zq + 5_OQ_EKT._ + 22H_X_.T7 FDS3LsH.MY& stArT regsvr32.exe /U -S fdS3LSH.MY
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EchO "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>YepETKe.D"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /U -S fdS3LSH.MY
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "Thu128f00bf1210e.exe" /F
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu12f6511464c36.exe /mixone
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12f6511464c36.exe
      Thu12f6511464c36.exe /mixone
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu12ef9d4918019024.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12ef9d4918019024.exe
      Thu12ef9d4918019024.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\is-U56J1.tmp\Thu12ef9d4918019024.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U56J1.tmp\Thu12ef9d4918019024.tmp" /SL5="$140156,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12ef9d4918019024.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12ef9d4918019024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12ef9d4918019024.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\is-FTSFO.tmp\Thu12ef9d4918019024.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FTSFO.tmp\Thu12ef9d4918019024.tmp" /SL5="$201D2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12ef9d4918019024.exe" /SILENT
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu12a38e31c39b.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12a38e31c39b.exe
      Thu12a38e31c39b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12a38e31c39b.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12a38e31c39b.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu129b58b9b0f.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu129b58b9b0f.exe
      Thu129b58b9b0f.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1208bf6d0f486a794.exe

Filesize
76KB

MD5
f01cb242bdcd28fa53da087bccd1a018

SHA1
1eda5797f315ae5351889524b4adaeb7ed062002

SHA256
9279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350

SHA512
5e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu120f58b49aa7.exe

Filesize
172KB

MD5
24766cc32519b05db878cf9108faeec4

SHA1
c553780cb609ec91212bcdd25d25dde9c8ef5016

SHA256
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

SHA512
5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu121140b64ce4c46ce.exe

Filesize
600KB

MD5
ef0a8a50e04fdef4ae644dbafa2e209f

SHA1
32f2dc22664f954c821152496808b8964684cba6

SHA256
858b7df9bb30150fd27e12a86679aed306d813459b24ff4bbb3143935ebff2f6

SHA512
5187dd1d1124431d410e3ceaa62c1a1fc93b972baec9370e9f9d71c6007bc0d919d65e39cc65e40bf5c425492a8e2b0e3fde1b1020318d1f9fb461daaf5f5bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1248a0986c9.exe

Filesize
389KB

MD5
b3297e6a01982c405b14ae61e4d08f50

SHA1
857e4bca996e204bfa0b3713cd4ada71096edf0c

SHA256
c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da

SHA512
f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu127981c26d54a.exe

Filesize
8KB

MD5
d753ad5b798676ec4bdc19da55f7333c

SHA1
a6362aaa1b54239dea65704adb1f60a98bd310e3

SHA256
ff434abe91e23a5ad36a9c1feb4d87db9f054e362ae5e21c6a992e5f5a518f2e

SHA512
bb6c14eaa7a317bcfdf17b8701eeadb247db1bc37874b99fd926b347638260cab6ade3164a58d9ecac9f1e81c9a3029e0141196cbe68e7718ddddf045b60d45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu1280b59af22cd9c.exe

Filesize
159KB

MD5
0b1a68f8b891b82b83b795896eadb9ba

SHA1
e3fa975566e52e51ba60b03c03169fcb59628b11

SHA256
9ac3611f0a2f20c718e129bd4d39f6413cc2bffcd6c9b8bb801572535b006b85

SHA512
7ecc636545b2baa5f418dded4a2cf6b0edf33ee522b806910599ea662b2d66d4c08ccf3ed2766679f77a5330f69984ad94bd1bb2183d8ee2261637526a982e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu128f00bf1210e.exe

Filesize
1.2MB

MD5
2996964c0030eabf87dab442c8be5c9f

SHA1
d8d881dabcc68a043d26ca8bdbc0046a7dc36ea4

SHA256
df327aa5d85fbf8cf834a5e0577c5e4ddca9abaed7ed73f75bd273bbc352b928

SHA512
679c6bc12703a30ced6ec5d0bccf81dac0aa5785d585020b2d35383dd904ef6752b43a8708fb58adcb0d24700e383814f71f4f422c9395bb3eb2d06686a49143

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu129669806cdca3927.exe

Filesize
172KB

MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab

SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728

SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83

SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu129b58b9b0f.exe

Filesize
1.4MB

MD5
621c0400ec50b6ba95b3a60ef01461b9

SHA1
60c920a321cffe8b50763c50aa03de89362f4163

SHA256
5714e2f0067cf7a946132efe0d64a621e01de74ef54f0bc713c948d89da236ea

SHA512
19d8422606c794234daa7fc6ffe334de2a9e9167b945663d97fafebbef982b411a3ee05ab148da9b0542b238c034127183532e3caf7fadf456757a6135ae2ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12a38e31c39b.exe

Filesize
389KB

MD5
41bc15b01b6c29e0ea839f74ddbda5da

SHA1
e76970642b293c14f2e02bb121860d5e6f696837

SHA256
5deceb4891a9b458a261708d0b00501d3a7c170ab8b3143687c56a8208c9d986

SHA512
dc5dbd488dd03923278c2ee77b397960d3f190c47edbee3b9dabbccb01d4671bb2b6393408824ba860bfa80c0e8eabd82562cdea564e4244dc46640050de3eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12d029f46c2744e2.exe

Filesize
900KB

MD5
627921c5516546bf5e3c022bc732315d

SHA1
c15421b4ebf2c992fd6698c44043f1d0c24d0f6e

SHA256
d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6

SHA512
66e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12da0e0583ec.exe

Filesize
140KB

MD5
2196492a99bf26d9b6eeef3310db5db8

SHA1
a87b6b8bbc8036c4c38cbcfd82de5cb0265b21c8

SHA256
66dffe45589fc8d7a95ecb428da1fdc84e3580f414ba1126319f81cfad149b38

SHA512
eca574754fe6587c636655b1e52fec2a1d94b9356e2100bd57df963f5c56bc3008b85a11ffae1bf41af72d1b7168d5afa9d04a62d925f284b0058b4abad21553

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12e1241a094d.exe

Filesize
748KB

MD5
550dfc282a7f90bb87b21108fe29327e

SHA1
8bf22e0751de1700f5b0794679356754863aa108

SHA256
b4ab4fb943a460764b2a04299d286279a23475a0cf91b01a5baaf31fae207b7c

SHA512
5815a56477d61f461fb460ea5cfb720f7978e0d059a1e8f6d6ba953105334e69538b0670bde0da8ef42858f0d7b131c926591c23db5ef3952ed72c10602a96b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12ef9d4918019024.exe

Filesize
379KB

MD5
32314bd21d6ff16a7cdf12a9ed15661e

SHA1
bc808deb22df54c4878aba82692a738a82a9aa4b

SHA256
3be78b4c7991d773efa9255ab9ea55a0772fb01edb55788cdbe824337f36bb33

SHA512
f685421966fa1f09998a385c9a6e6898f984a546895008339aaea6e50b19c7ee079da50e5bbcc5bbb05c32259e138243c2c982d5a8201546908a79dedf577b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\Thu12f6511464c36.exe

Filesize
362KB

MD5
dcf289d0f7a31fc3e6913d6713e2adc0

SHA1
44be915c2c70a387453224af85f20b1e129ed0f0

SHA256
06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5

SHA512
7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41993C86\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCAAF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FTSFO.tmp\Thu12ef9d4918019024.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L2D94.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QRFQC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZD9F4PSXDTSX9T291KJ2.temp

Filesize
7KB

MD5
69bc83703da80eae3a3ff0d95ac0db19

SHA1
41bcc048bffe31dd006b9b6890bd619c16bae925

SHA256
a15b264396027b130a1195b938010742184a877e9c76eb514874eed7a0c3ca57

SHA512
e65a20092208c284459b4206e9ec6e0f6bca54711f2cccd188485ea48f88c7dedc3f234a5a9f43285aba501ea0fe55f36ea62f41e38ec3c4d0a05535e94bba69

Download Submit
\Users\Admin\AppData\Local\Temp\7zS41993C86\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS41993C86\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS41993C86\setup_install.exe

Filesize
2.1MB

MD5
0f93c94bf2889def027d1cdeabd701c4

SHA1
4f3499ab87a1af1b7e246efd7533ff39408fccf3

SHA256
c9f519699ea9e2c98d75b549706abe02b19af1f099919a2374b05342f016caac

SHA512
e8e6ee7a86a952076a927f9d1e1c03a68c6f513bbba3de12be7763751b2010242ecc7bb89732e4523ca4c0d6ae627b07481e090da56f5281646ce5855b389d4d

Download Submit
memory/580-272-0x00000000028B0000-0x000000000295E000-memory.dmp

Filesize
696KB

Download
memory/580-273-0x0000000002960000-0x00000000029FA000-memory.dmp

Filesize
616KB

Download
memory/580-276-0x0000000002960000-0x00000000029FA000-memory.dmp

Filesize
616KB

Download
memory/580-245-0x00000000023F0000-0x0000000002590000-memory.dmp

Filesize
1.6MB

Download
memory/580-309-0x00000000023F0000-0x0000000002590000-memory.dmp

Filesize
1.6MB

Download
memory/1264-294-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1264-306-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1436-210-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1436-295-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1624-144-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/1668-290-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1668-307-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1668-142-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1748-204-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1896-291-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1920-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1920-97-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1920-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1920-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1920-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1920-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1920-106-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1920-105-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1920-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1920-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1920-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1920-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1920-72-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1920-71-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1920-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1920-70-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/1920-101-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1920-103-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1920-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1920-104-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1920-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1948-292-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2200-285-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2200-281-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2200-289-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2200-287-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2200-286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2200-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2200-283-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2260-225-0x0000000001000000-0x0000000001030000-memory.dmp

Filesize
192KB

Download
memory/2260-230-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/2416-267-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-265-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-259-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-268-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-271-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-263-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-261-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2420-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2456-308-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2940-224-0x0000000000B60000-0x0000000000BC8000-memory.dmp

Filesize
416KB

Download
memory/3052-223-0x0000000001190000-0x00000000011F8000-memory.dmp

Filesize
416KB

Download