fabookie | 669ae7546f43d4f4c06680ccf97908e524ad1ccd818d13e2cc8460619ce753a3

Analysis

max time kernel
54s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
Size

6.0MB
MD5

86ccfd1a65f0462d8e9f0f6f8afdfb56
SHA1

81d24059fc2153dcee703c5a15ddbf05bdf40dc0
SHA256

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277
SHA512

a57371adebbe59510b6068f8b204ab296d34f8f0bdc97926ed2c239ff5d4d4521cc2b7fbd39cd26045a219754a087dca9e0f07189fafbeb77f93c3da2d467372
SSDEEP

196608:JCkC/es5dTeoJSnAaokBCXno+6Rj815MJxQP:JEmsXTeE5ahonJX6e

Score

10^/10

fabookie nullmixer redline socelars media14n v2user1 aspackv2 discovery dropper execution infostealer spyware stealer

Malware Config

Extracted

Family

socelars

http://www.yarchworkshop.com/

Extracted

Family

redline

Botnet

v2user1

159.69.246.184:13127

Attributes

auth_value
0cd1ad671efa88aa6b92a97334b72134

Extracted

Family

redline

Botnet

media14n

65.108.69.168:13293

Attributes

auth_value
db1bd9b56a9c8bae94bb9c3ceead1829

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15cf9217ee25.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-241-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2568-243-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-253-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-252-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-251-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-248-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-246-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2568-240-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2568-237-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2568-235-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15a496b9738c79.exe	family_socelars

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15cf9217ee25.exe	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15cf9217ee25.exe	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1168 powershell.exe
1312 powershell.exe

pid	process
1168	powershell.exe
1312	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libstdc++-6.dll	aspack_v212_v242

Executes dropped EXE 24 IoCs

Processes:

setup_installer.exesetup_install.exeWed150fa420cf1b07ced.exeWed15ada196cda5299.exeWed15b1f483121d7.exeWed15293e7a1888b.exeWed151063a67e4fb25.exeWed15348d008c3887.exeWed1585cf7372.exeWed1541b8f98f.exeWed15cf9217ee25.exeWed158c4d832483dca5.exeWed156eff953b0ec.exeWed15df05b995.exeWed150fa420cf1b07ced.exeWed15a496b9738c79.exeWed15b688725f14e50ec.exeWed15462d0908875cc7.exeWed158c4d832483dca5.tmpWed156eff953b0ec.tmpWed158c4d832483dca5.exeWed158c4d832483dca5.tmpWed1541b8f98f.exeWed15b1f483121d7.exe

pid	process
2288	setup_installer.exe
2824	setup_install.exe
3028	Wed150fa420cf1b07ced.exe
584	Wed15ada196cda5299.exe
1612	Wed15b1f483121d7.exe
2232	Wed15293e7a1888b.exe
2004	Wed151063a67e4fb25.exe
2244	Wed15348d008c3887.exe
2332	Wed1585cf7372.exe
800	Wed1541b8f98f.exe
1272	Wed15cf9217ee25.exe
2272	Wed158c4d832483dca5.exe
2432	Wed156eff953b0ec.exe
848	Wed15df05b995.exe
2168	Wed150fa420cf1b07ced.exe
1220	Wed15a496b9738c79.exe
1716	Wed15b688725f14e50ec.exe
1552	Wed15462d0908875cc7.exe
1556	Wed158c4d832483dca5.tmp
1672	Wed156eff953b0ec.tmp
1528	Wed158c4d832483dca5.exe
2368	Wed158c4d832483dca5.tmp
2568	Wed1541b8f98f.exe
2016	Wed15b1f483121d7.exe

Loads dropped DLL 64 IoCs

Processes:

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exesetup_installer.exesetup_install.execmd.execmd.exeWed150fa420cf1b07ced.execmd.execmd.exeWed15ada196cda5299.execmd.execmd.execmd.execmd.exeWed15293e7a1888b.exeWed15b1f483121d7.execmd.execmd.exeWed15348d008c3887.exeWed1541b8f98f.execmd.execmd.execmd.execmd.execmd.exeWed150fa420cf1b07ced.exeWed15462d0908875cc7.exeWed15a496b9738c79.exeWed156eff953b0ec.exeWed15b688725f14e50ec.exeWed15df05b995.exeWed158c4d832483dca5.exe

pid	process
840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
2288	setup_installer.exe
2288	setup_installer.exe
2288	setup_installer.exe
2288	setup_installer.exe
2288	setup_installer.exe
2288	setup_installer.exe
2824	setup_install.exe
2824	setup_install.exe
2824	setup_install.exe
2824	setup_install.exe
2824	setup_install.exe
2824	setup_install.exe
2824	setup_install.exe
2824	setup_install.exe
1292	cmd.exe
1292	cmd.exe
2352	cmd.exe
3028	Wed150fa420cf1b07ced.exe
3028	Wed150fa420cf1b07ced.exe
2180	cmd.exe
2808	cmd.exe
2808	cmd.exe
584	Wed15ada196cda5299.exe
584	Wed15ada196cda5299.exe
2172	cmd.exe
2172	cmd.exe
3040	cmd.exe
3040	cmd.exe
1580	cmd.exe
2224	cmd.exe
2224	cmd.exe
2232	Wed15293e7a1888b.exe
2232	Wed15293e7a1888b.exe
1612	Wed15b1f483121d7.exe
1612	Wed15b1f483121d7.exe
1136	cmd.exe
2108	cmd.exe
2244	Wed15348d008c3887.exe
2244	Wed15348d008c3887.exe
800	Wed1541b8f98f.exe
800	Wed1541b8f98f.exe
2320	cmd.exe
3056	cmd.exe
3060	cmd.exe
3060	cmd.exe
2064	cmd.exe
3028	Wed150fa420cf1b07ced.exe
1584	cmd.exe
2168	Wed150fa420cf1b07ced.exe
2168	Wed150fa420cf1b07ced.exe
1552	Wed15462d0908875cc7.exe
1552	Wed15462d0908875cc7.exe
1220	Wed15a496b9738c79.exe
1220	Wed15a496b9738c79.exe
2432	Wed156eff953b0ec.exe
2432	Wed156eff953b0ec.exe
1716	Wed15b688725f14e50ec.exe
848	Wed15df05b995.exe
1716	Wed15b688725f14e50ec.exe
848	Wed15df05b995.exe
2272	Wed158c4d832483dca5.exe
2272	Wed158c4d832483dca5.exe
2272	Wed158c4d832483dca5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 29 IoCs

Web Service

T1102

Processes:

flow	ioc
66	iplogger.org
75	iplogger.org
76	iplogger.org
81	iplogger.org
84	iplogger.org
43	iplogger.org
35	iplogger.org
41	iplogger.org
68	iplogger.org
83	iplogger.org
32	pastebin.com
70	iplogger.org
69	iplogger.org
63	iplogger.org
25	iplogger.org
31	pastebin.com
57	iplogger.org
67	iplogger.org
23	iplogger.org
56	iplogger.org
62	iplogger.org
82	iplogger.org
38	pastebin.com
28	iplogger.org
49	iplogger.org
77	iplogger.org
26	iplogger.org
78	iplogger.org
73	iplogger.org

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
16	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Wed1541b8f98f.exeWed15b1f483121d7.exe

description	pid	process	target process
PID 800 set thread context of 2568	800	Wed1541b8f98f.exe	Wed1541b8f98f.exe
PID 1612 set thread context of 2016	1612	Wed15b1f483121d7.exe	Wed15b1f483121d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process

2236 2232 WerFault.exe
884 848 WerFault.exe Wed15df05b995.exe

pid	pid_target	process
2236	2232	WerFault.exe
884	848	WerFault.exe	Wed15df05b995.exe

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Wed150fa420cf1b07ced.exeWed15b688725f14e50ec.exeWed158c4d832483dca5.tmpWed156eff953b0ec.tmpcmd.execmd.execmd.exepowershell.execmd.execmd.exeWed15293e7a1888b.exeWed1541b8f98f.exepowershell.exeWed150fa420cf1b07ced.execmd.exeWed158c4d832483dca5.exeWed15cf9217ee25.execontrol.exeWed15b1f483121d7.exe7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exeWed15a496b9738c79.exeWed15b1f483121d7.exeWed15462d0908875cc7.exeWed15df05b995.exeWed158c4d832483dca5.tmpcmd.execmd.execmd.exeWed15348d008c3887.execmd.execmd.execmd.exeWed156eff953b0ec.exerundll32.execmd.execmd.execmd.execmd.exeWed15ada196cda5299.exetaskkill.exerundll32.exesetup_installer.execmd.exeWed158c4d832483dca5.exeWed1541b8f98f.exesetup_install.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed150fa420cf1b07ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b688725f14e50ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed156eff953b0ec.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15293e7a1888b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed1541b8f98f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed150fa420cf1b07ced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15cf9217ee25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b1f483121d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15a496b9738c79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15b1f483121d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15462d0908875cc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15df05b995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15348d008c3887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed156eff953b0ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed15ada196cda5299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed158c4d832483dca5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed1541b8f98f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2812 taskkill.exe

pid	process
2812	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wed15df05b995.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wed15df05b995.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Wed15df05b995.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1312 powershell.exe
1168 powershell.exe

pid	process
1312	powershell.exe
1168	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

Wed15a496b9738c79.exepowershell.exepowershell.exeWed1585cf7372.exeWed151063a67e4fb25.exeWed1541b8f98f.exeWed15b1f483121d7.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	1220	Wed15a496b9738c79.exe
Token: SeAssignPrimaryTokenPrivilege	1220	Wed15a496b9738c79.exe
Token: SeLockMemoryPrivilege	1220	Wed15a496b9738c79.exe
Token: SeIncreaseQuotaPrivilege	1220	Wed15a496b9738c79.exe
Token: SeMachineAccountPrivilege	1220	Wed15a496b9738c79.exe
Token: SeTcbPrivilege	1220	Wed15a496b9738c79.exe
Token: SeSecurityPrivilege	1220	Wed15a496b9738c79.exe
Token: SeTakeOwnershipPrivilege	1220	Wed15a496b9738c79.exe
Token: SeLoadDriverPrivilege	1220	Wed15a496b9738c79.exe
Token: SeSystemProfilePrivilege	1220	Wed15a496b9738c79.exe
Token: SeSystemtimePrivilege	1220	Wed15a496b9738c79.exe
Token: SeProfSingleProcessPrivilege	1220	Wed15a496b9738c79.exe
Token: SeIncBasePriorityPrivilege	1220	Wed15a496b9738c79.exe
Token: SeCreatePagefilePrivilege	1220	Wed15a496b9738c79.exe
Token: SeCreatePermanentPrivilege	1220	Wed15a496b9738c79.exe
Token: SeBackupPrivilege	1220	Wed15a496b9738c79.exe
Token: SeRestorePrivilege	1220	Wed15a496b9738c79.exe
Token: SeShutdownPrivilege	1220	Wed15a496b9738c79.exe
Token: SeDebugPrivilege	1220	Wed15a496b9738c79.exe
Token: SeAuditPrivilege	1220	Wed15a496b9738c79.exe
Token: SeSystemEnvironmentPrivilege	1220	Wed15a496b9738c79.exe
Token: SeChangeNotifyPrivilege	1220	Wed15a496b9738c79.exe
Token: SeRemoteShutdownPrivilege	1220	Wed15a496b9738c79.exe
Token: SeUndockPrivilege	1220	Wed15a496b9738c79.exe
Token: SeSyncAgentPrivilege	1220	Wed15a496b9738c79.exe
Token: SeEnableDelegationPrivilege	1220	Wed15a496b9738c79.exe
Token: SeManageVolumePrivilege	1220	Wed15a496b9738c79.exe
Token: SeImpersonatePrivilege	1220	Wed15a496b9738c79.exe
Token: SeCreateGlobalPrivilege	1220	Wed15a496b9738c79.exe
Token: 31	1220	Wed15a496b9738c79.exe
Token: 32	1220	Wed15a496b9738c79.exe
Token: 33	1220	Wed15a496b9738c79.exe
Token: 34	1220	Wed15a496b9738c79.exe
Token: 35	1220	Wed15a496b9738c79.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2332	Wed1585cf7372.exe
Token: SeDebugPrivilege	2004	Wed151063a67e4fb25.exe
Token: SeDebugPrivilege	800	Wed1541b8f98f.exe
Token: SeDebugPrivilege	1612	Wed15b1f483121d7.exe
Token: SeDebugPrivilege	2812	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exesetup_installer.exesetup_install.exe

description	pid	process	target process
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 840 wrote to memory of 2288	840	7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe	setup_installer.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2288 wrote to memory of 2824	2288	setup_installer.exe	setup_install.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2472	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2100	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2808	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1292	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2352	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 2108	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1580	2824	setup_install.exe	cmd.exe
PID 2824 wrote to memory of 1584	2824	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe
"C:\Users\Admin\AppData\Local\Temp\7e937f29320a38d6ed0e384bc19cc45dd3b06c32edb635a905663d063d226277.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15ada196cda5299.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15ada196cda5299.exe
        
        Wed15ada196cda5299.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed150fa420cf1b07ced.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed150fa420cf1b07ced.exe
        
        Wed150fa420cf1b07ced.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
      - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed150fa420cf1b07ced.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed150fa420cf1b07ced.exe" -u
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed151063a67e4fb25.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed151063a67e4fb25.exe
        
        Wed151063a67e4fb25.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15348d008c3887.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15348d008c3887.exe
        
        Wed15348d008c3887.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15cf9217ee25.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15cf9217ee25.exe
        
        Wed15cf9217ee25.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15462d0908875cc7.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15462d0908875cc7.exe
        
        Wed15462d0908875cc7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1552
      - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\27~IKAVW.CPL",
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed158c4d832483dca5.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed158c4d832483dca5.exe
        
        Wed158c4d832483dca5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\is-THR1B.tmp\Wed158c4d832483dca5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-THR1B.tmp\Wed158c4d832483dca5.tmp" /SL5="$60224,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed158c4d832483dca5.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed158c4d832483dca5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed158c4d832483dca5.exe" /SILENT
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\is-J0S8P.tmp\Wed158c4d832483dca5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J0S8P.tmp\Wed158c4d832483dca5.tmp" /SL5="$70224,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed158c4d832483dca5.exe" /SILENT
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15293e7a1888b.exe /mixtwo
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15293e7a1888b.exe
        
        Wed15293e7a1888b.exe /mixtwo
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 268
        6⤵
        Program crash
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed156eff953b0ec.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed156eff953b0ec.exe
        
        Wed156eff953b0ec.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
      - C:\Users\Admin\AppData\Local\Temp\is-M95S5.tmp\Wed156eff953b0ec.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M95S5.tmp\Wed156eff953b0ec.tmp" /SL5="$80226,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed156eff953b0ec.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15b1f483121d7.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15b1f483121d7.exe
        
        Wed15b1f483121d7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15b1f483121d7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15b1f483121d7.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15a496b9738c79.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15a496b9738c79.exe
        
        Wed15a496b9738c79.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1541b8f98f.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed1541b8f98f.exe
        
        Wed1541b8f98f.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
      - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed1541b8f98f.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed1541b8f98f.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15df05b995.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15df05b995.exe
        
        Wed15df05b995.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1408
        6⤵
        Program crash
        
        PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1585cf7372.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed1585cf7372.exe
        
        Wed1585cf7372.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed15b688725f14e50ec.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15b688725f14e50ec.exe
        
        Wed15b688725f14e50ec.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed150fa420cf1b07ced.exe

Filesize
120KB

MD5
dcde74f81ad6361c53ebdc164879a25c

SHA1
640f7b475864bd266edba226e86672101bf6f5c9

SHA256
cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b

SHA512
821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15348d008c3887.exe

Filesize
147KB

MD5
c709426184c7d412e0770fdcece52c60

SHA1
ba5caaa72a7f1338815a6f61767fbbcda3f61e52

SHA256
279d55e004ded5923888a2a5bf2e9e8295fa669a436e426396734def04565ea4

SHA512
7f5310126428128851249ce07f08c9d9410274eda04fbe4d8d5a0e4d6256f3fee96846fa0d3ce1206ce1c592c1b87d47bbd0083a47bd1a0726ea80c9804803f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15462d0908875cc7.exe

Filesize
1.8MB

MD5
ed6bba126cb98da82d5160f44c487147

SHA1
1bc0a3d09fed8a322e0e3f9399ac8efb0a556e34

SHA256
78fa012b9e7b197a0905215d0400d563524b975533c63befaf24644bab5af4c1

SHA512
e94e08bf9ff8c790fc63ac0b395736c6876b938aa3622f371cdbe7e43f67ad1baecad9680ed777a90f5d2c71eace477a63c753f47e1088afbd78fd17693ad881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed156eff953b0ec.exe

Filesize
381KB

MD5
0295436778d0d530c12a4f2576f9717f

SHA1
fc712556f67fc2ac6eef59db2783d0c4d5e45068

SHA256
8bfd2ae9f340057c1ba4c042215ccc3a461ea24277f2a77e23d915ceb495910a

SHA512
b05f7901cde3c772694a959d040eda981f67c6355611729deb3251feac60621122f0558b2ca36f9e2c6425d92b406f331267b75d4b42597f07e94825ffbfc2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed158c4d832483dca5.exe

Filesize
1.5MB

MD5
204801e838e4a29f8270ab0ed7626555

SHA1
6ff2c20dc096eefa8084c97c30d95299880862b0

SHA256
13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a

SHA512
008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15a496b9738c79.exe

Filesize
1.4MB

MD5
367c574185ea01ac2ba69a1c8856ad57

SHA1
0b9b5af1ce8dce38937357f47e2817d85a6aba61

SHA256
18a630270e0ab33eccfb304269b4fa5bcefa565a1dbe3bd04f3f2a269646f5e9

SHA512
7862ad92b670e7193f266473c59166a6a9081ad28c66d328521aa288ad3ab92d9b98563b0fb768442706692224a69965d697b75dc974c73be934b5fd32f80a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15b688725f14e50ec.exe

Filesize
147KB

MD5
fb6abbe70588dd2b3fb91161410f2805

SHA1
193085164a8d2caa9e1e4e6d619be6481b5623b9

SHA256
9283fb214b006f9e2fd49fe21798a44ae5663566b1b2b08b448db7bdda996859

SHA512
9f2e7045982e61efeb4b3ec5523b0cc63d096166fcb02ea1d66fcdbf0f2fbec575baa381f7727c9222ea23b65038e4f98479514ab3168b6d9f5138cb64bb177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15df05b995.exe

Filesize
642KB

MD5
4ab9a562ae67268c6bb05b16d749bc9b

SHA1
68d495c62dfeb11a06b3c0d01d090bb56cb48140

SHA256
aae6eab70a845dacd24f6e33c7e5161b2218a784b8d6017e1d9dda95d83ddf6d

SHA512
822108a76a47edc6782c41195c5947844bb6f6e588ebd5f4de2fd3c944dab81416ef051dd4aef6d3908e1dd79c2c96043668d4e7127b595a69af312256032e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab168.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J0S8P.tmp\Wed158c4d832483dca5.tmp

Filesize
2.5MB

MD5
a6865d7dffcc927d975be63b76147e20

SHA1
28e7edab84163cc2d0c864820bef89bae6f56bf8

SHA256
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b

SHA512
a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O27PD.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\86D5DF80XSR49CKBFEJO.temp

Filesize
7KB

MD5
4f9979435102f21fc94ddb9e206ac4dc

SHA1
c43dfad72ef36b448befad1d82eb584a6e9d968e

SHA256
8ad332ea9bcfb4e52a544a0ddd7cbda3e84ab2ad8098d3f27672efd98f41ea6f

SHA512
f41e00846cd22ff82016af2c426582a1f273191a4f36dbae85baaa33fa208d6d23a41f4425cfb11f978d43904d0cbbb0af46abc826c9202922b04023c953f307

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed151063a67e4fb25.exe

Filesize
151KB

MD5
3b31cac552dc741631b567493f238a2f

SHA1
d92c09126462846d41365a0180a1572a4b5838e0

SHA256
f593c276fffb9961b488a71f33b2675ac50331f704020f7017bd0bf4b469079c

SHA512
631bcb3ecdf59daf9b3c007844928302bb837c16f9df04a419a7aed57bd73a809febab69c0ea412216fc7d666e59a94c1e85432a059152d26f29a91c63ebfe11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15293e7a1888b.exe

Filesize
1.1MB

MD5
aa75aa3f07c593b1cd7441f7d8723e14

SHA1
f8e9190ccb6b36474c63ed65a74629ad490f2620

SHA256
af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

SHA512
b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed1541b8f98f.exe

Filesize
532KB

MD5
43e459f57576305386c2a225bfc0c207

SHA1
13511d3f0d41fe28981961f87c3c29dc1aa46a70

SHA256
fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787

SHA512
33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed1585cf7372.exe

Filesize
8KB

MD5
7e32ef0bd7899fa465bb0bc866b21560

SHA1
115d09eeaff6bae686263d57b6069dd41f63c80c

SHA256
f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad

SHA512
9fbf4afc7a03460cd56f2456684108ccce9cfc8d31361bb49dd0531fa82b6b002450ab3c4c7f3d96f1dc55761615465828b1c33702d23d59fabe155a9db1b5cc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15ada196cda5299.exe

Filesize
166KB

MD5
da9161800860fe7026a467b0974f7616

SHA1
e53ee1e2fdfcf777d7f5b3c47111c85edeee4c5a

SHA256
6a4a2c3368555340d852697a2fc56d9c98164b93e4101803466f8b6cbe68762d

SHA512
460508b701e610404567285c020a819926319d0564c1180371922972ead9568849fe2bf2192dd28f09706cad27a0bb5d93bb08bab70d87ff55c70e51920fa7dc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15b1f483121d7.exe

Filesize
532KB

MD5
394452dc2bb66b83e6763fc1542b2a87

SHA1
74b3fb5bf64f4eb3fc59152330befef67f5464c2

SHA256
037bed7bce597aec4c2320e48715ab3a387d10e1ecad7a494bc72ebd60168794

SHA512
b5f4405a672df81d4e5155247bbd5522f15b534c6edd2892fc4c9032ae3d8c42d6e239ca52f604f84fdad993e7deeff4613938403cb829b60e610f683a40ea4c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\Wed15cf9217ee25.exe

Filesize
1.4MB

MD5
6a306f07fcb8c28197a292dcd39d8796

SHA1
ef25c24fd3918a0efd450c1c5c873265d5886626

SHA256
68fb1568af02a8bff326df6de053d082199db809aa925aefac2749c64f78994f

SHA512
84f938b3974be1b66872cdacb910ec580a2542068d018ac93662238de55a898a5d6df6e9a202a18138effc9308fffac1612149be879f1803bc73f5972f54b90b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F8B7968\setup_install.exe

Filesize
2.1MB

MD5
912368164a5c99aacb8fcb58b4ee017a

SHA1
29f6342d0b955bd861ca83135b286f505f1c68a6

SHA256
1523475f249dac98abee0ead1f81d3d408d3bf67827c7382e034e7d330fe7c7a

SHA512
ef741ad8b9402ed5b1ddbf4ecf8440ae5304dcfe3450af21b52dd9c1fd71de6c44a2bfd5f8cd0c518fc08bc1c40a45f748287009031699a415de0f95794c90b3

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
6.0MB

MD5
cb6ea932807f63821715e87a32d96ba6

SHA1
cc2fb753d385683d6f972adab5b3148ca30d75c9

SHA256
aa401b09d4b6ec37c7159a9b025500993642573bc32b1e78aaea25c2fe168c57

SHA512
acc3a31e1753e3185674f57c870a410e9ca6aa139fd43384845ebd51cacebb682e1a70a65acb170859b71f7562b9717d2fca8c192dfc366fcf16d9477dc4d065

Download Submit
memory/584-257-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/584-256-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/800-158-0x0000000001340000-0x00000000013CC000-memory.dmp

Filesize
560KB

Download
memory/1528-203-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1528-174-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1556-181-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/1612-157-0x0000000000020000-0x00000000000AC000-memory.dmp

Filesize
560KB

Download
memory/1672-201-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2004-143-0x00000000000B0000-0x00000000000DE000-memory.dmp

Filesize
184KB

Download
memory/2004-161-0x0000000000180000-0x000000000019C000-memory.dmp

Filesize
112KB

Download
memory/2004-193-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2004-146-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2016-252-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-244-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-246-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-248-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-251-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-250-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-253-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2224-194-0x00000000005D0000-0x00000000006AE000-memory.dmp

Filesize
888KB

Download
memory/2224-141-0x00000000005D0000-0x00000000006AE000-memory.dmp

Filesize
888KB

Download
memory/2224-195-0x00000000005D0000-0x00000000006AE000-memory.dmp

Filesize
888KB

Download
memory/2224-140-0x00000000005D0000-0x00000000006AE000-memory.dmp

Filesize
888KB

Download
memory/2232-204-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2232-196-0x0000000000900000-0x00000000009DE000-memory.dmp

Filesize
888KB

Download
memory/2232-205-0x0000000000900000-0x00000000009DE000-memory.dmp

Filesize
888KB

Download
memory/2232-206-0x0000000000900000-0x00000000009DE000-memory.dmp

Filesize
888KB

Download
memory/2232-142-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2232-144-0x0000000000900000-0x00000000009DE000-memory.dmp

Filesize
888KB

Download
memory/2232-145-0x0000000000900000-0x00000000009DE000-memory.dmp

Filesize
888KB

Download
memory/2272-149-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2272-182-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2332-139-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2368-207-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2432-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2432-197-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2432-202-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-241-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-239-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-237-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-235-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-233-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-243-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-229-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2824-105-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2824-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2824-112-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2824-113-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2824-111-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2824-109-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2824-106-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2824-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2824-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2824-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2824-87-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2824-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2824-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2824-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2824-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2824-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2824-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2824-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2916-254-0x00000000026F0000-0x00000000036F0000-memory.dmp

Filesize
16.0MB

Download
memory/2916-260-0x00000000001F0000-0x000000000029F000-memory.dmp

Filesize
700KB

Download
memory/2916-261-0x00000000002E0000-0x000000000037B000-memory.dmp

Filesize
620KB

Download
memory/2916-208-0x00000000026F0000-0x00000000036F0000-memory.dmp

Filesize
16.0MB

Download