fabookie | a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
Size

7.1MB
MD5

1f6e0a406d4d8dbd2c113d3565dbe7a8
SHA1

dc5a439e7a0e918494c1065fe15d4bbe2b9b33be
SHA256

0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6
SHA512

59310d8756a63d7df6c05a6ae78721d8339913bca4b47e076a60cdc95071bd690648c1e298bd29510fc252d813a0ea3dc05d7cdf07ef243770722d4fe1b8e59c
SSDEEP

196608:xtgdzQIV48kCWgj0JSk2apV4f0PxHtJvMYOYqF06pamS:xtgdz1V4tC3j08k2apyf0pHtWYkC2amS

Malware Config

Extracted

Family

nullmixer

http://621f9481e1e2d.com/

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

appwebstat.biz

ads-memory.biz

Extracted

Family

redline

Botnet

media60603

92.255.57.154:11841

Attributes

auth_value
32ca3353c43f67b3879fce4660e9c65d

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2928-263-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2928-262-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2928-261-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2928-258-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2928-256-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe	family_socelars

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/948-201-0x0000000000400000-0x0000000000480000-memory.dmp	Nirsoft
behavioral1/memory/2708-238-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral1/memory/2708-290-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2708-238-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView
behavioral1/memory/2708-290-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-245-0x0000000000400000-0x0000000000670000-memory.dmp	family_onlylogger
behavioral1/memory/2036-270-0x0000000000400000-0x0000000000670000-memory.dmp	family_onlylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2516 powershell.exe
1484 powershell.exe

pid	process
2516	powershell.exe
1484	powershell.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe	aspack_v212_v242

Executes dropped EXE 25 IoCs

Processes:

setup_install.exe621f9482b3cb5_Wed16d6773e4.exe621f948449020_Wed163088fdd.exe621f948855a5b_Wed16c9c6da01a3.exe621f94837e687_Wed16b4f13b0b4.exe621f948a0fc8a_Wed1650732795.exe621f948e7f7ef_Wed16b426d6adc1.exe621f948855a5b_Wed16c9c6da01a3.exe621f948b816de_Wed16bd6eaa.exe621f9486b4516_Wed16eb16ea4.exe621f9490c9091_Wed16d3d6c5.exe621f948d05937_Wed16374c3beda.exe621f94aa19419_Wed16184b9bf0.exe621f949237c58_Wed168fc449f.exe621f948fe5007_Wed163feaf0.exe621f948a0fc8a_Wed1650732795.tmp621f9490c9091_Wed16d3d6c5.exe621f949237c58_Wed168fc449f.tmp11111.exe621f948a0fc8a_Wed1650732795.exe621f948a0fc8a_Wed1650732795.tmp11111.exe621f948449020_Wed163088fdd.exe3A2M90A5EHAHK5K.exe

pid	process
2572	setup_install.exe
1292	621f9482b3cb5_Wed16d6773e4.exe
1136	621f948449020_Wed163088fdd.exe
2224	621f948855a5b_Wed16c9c6da01a3.exe
2064	621f94837e687_Wed16b4f13b0b4.exe
1144	621f948a0fc8a_Wed1650732795.exe
2036	621f948e7f7ef_Wed16b426d6adc1.exe
1840	621f948855a5b_Wed16c9c6da01a3.exe
1744	621f948b816de_Wed16bd6eaa.exe
1768	621f9486b4516_Wed16eb16ea4.exe
2272	621f9490c9091_Wed16d3d6c5.exe
2504	621f948d05937_Wed16374c3beda.exe
2260	621f94aa19419_Wed16184b9bf0.exe
2072	621f949237c58_Wed168fc449f.exe
368	621f948fe5007_Wed163feaf0.exe
612	621f948a0fc8a_Wed1650732795.tmp
2128	621f9490c9091_Wed16d3d6c5.exe
2436	621f949237c58_Wed168fc449f.tmp
948	11111.exe
472	621f948a0fc8a_Wed1650732795.exe
2256	621f948a0fc8a_Wed1650732795.tmp
2708	11111.exe
2928	621f948449020_Wed163088fdd.exe
1536	3A2M90A5EHAHK5K.exe
1360

Loads dropped DLL 64 IoCs

Processes:

0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exesetup_install.execmd.execmd.execmd.exe621f9482b3cb5_Wed16d6773e4.exe621f948449020_Wed163088fdd.execmd.execmd.exe621f948855a5b_Wed16c9c6da01a3.execmd.execmd.execmd.exe621f948e7f7ef_Wed16b426d6adc1.exe621f948855a5b_Wed16c9c6da01a3.exe621f948a0fc8a_Wed1650732795.execmd.execmd.execmd.execmd.execmd.exe621f9486b4516_Wed16eb16ea4.exe621f948b816de_Wed16bd6eaa.exe621f9490c9091_Wed16d3d6c5.exe621f948d05937_Wed16374c3beda.exe621f949237c58_Wed168fc449f.exe621f94aa19419_Wed16184b9bf0.exe621f9490c9091_Wed16d3d6c5.exe621f948a0fc8a_Wed1650732795.tmp

pid	process
1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
2572	setup_install.exe
2572	setup_install.exe
2572	setup_install.exe
2572	setup_install.exe
2572	setup_install.exe
2572	setup_install.exe
2572	setup_install.exe
2572	setup_install.exe
2304	cmd.exe
2304	cmd.exe
2612	cmd.exe
2612	cmd.exe
2808	cmd.exe
2808	cmd.exe
1292	621f9482b3cb5_Wed16d6773e4.exe
1292	621f9482b3cb5_Wed16d6773e4.exe
1292	621f9482b3cb5_Wed16d6773e4.exe
1136	621f948449020_Wed163088fdd.exe
1136	621f948449020_Wed163088fdd.exe
1292	621f9482b3cb5_Wed16d6773e4.exe
1292	621f9482b3cb5_Wed16d6773e4.exe
1060	cmd.exe
832	cmd.exe
2224	621f948855a5b_Wed16c9c6da01a3.exe
2224	621f948855a5b_Wed16c9c6da01a3.exe
3048	cmd.exe
3048	cmd.exe
2224	621f948855a5b_Wed16c9c6da01a3.exe
1580	cmd.exe
1580	cmd.exe
2252	cmd.exe
2036	621f948e7f7ef_Wed16b426d6adc1.exe
1840	621f948855a5b_Wed16c9c6da01a3.exe
1144	621f948a0fc8a_Wed1650732795.exe
1840	621f948855a5b_Wed16c9c6da01a3.exe
2320	cmd.exe
2036	621f948e7f7ef_Wed16b426d6adc1.exe
2968	cmd.exe
2968	cmd.exe
2004	cmd.exe
1984	cmd.exe
1144	621f948a0fc8a_Wed1650732795.exe
2180	cmd.exe
1768	621f9486b4516_Wed16eb16ea4.exe
1744	621f948b816de_Wed16bd6eaa.exe
1768	621f9486b4516_Wed16eb16ea4.exe
1744	621f948b816de_Wed16bd6eaa.exe
2272	621f9490c9091_Wed16d3d6c5.exe
2272	621f9490c9091_Wed16d3d6c5.exe
1144	621f948a0fc8a_Wed1650732795.exe
2504	621f948d05937_Wed16374c3beda.exe
2072	621f949237c58_Wed168fc449f.exe
2504	621f948d05937_Wed16374c3beda.exe
2072	621f949237c58_Wed168fc449f.exe
2260	621f94aa19419_Wed16184b9bf0.exe
2260	621f94aa19419_Wed16184b9bf0.exe
2272	621f9490c9091_Wed16d3d6c5.exe
2128	621f9490c9091_Wed16d3d6c5.exe
2128	621f9490c9091_Wed16d3d6c5.exe
2072	621f949237c58_Wed168fc449f.exe
612	621f948a0fc8a_Wed1650732795.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 iplogger.org
16 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

621f94aa19419_Wed16184b9bf0.exe

pid process

2260 621f94aa19419_Wed16184b9bf0.exe

flow	ioc
15	iplogger.org
16	iplogger.org

flow	ioc
2	ip-api.com

pid	process
2260	621f94aa19419_Wed16184b9bf0.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

621f9490c9091_Wed16d3d6c5.exe621f948449020_Wed163088fdd.exe

description	pid	process	target process
PID 2272 set thread context of 2128	2272	621f9490c9091_Wed16d3d6c5.exe	621f9490c9091_Wed16d3d6c5.exe
PID 1136 set thread context of 2928	1136	621f948449020_Wed163088fdd.exe	621f948449020_Wed163088fdd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral1/memory/948-192-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral1/memory/948-201-0x0000000000400000-0x0000000000480000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral1/memory/2708-238-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2708-290-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2224 2036 WerFault.exe 621f948e7f7ef_Wed16b426d6adc1.exe

pid	pid_target	process	target process
2224	2036	WerFault.exe	621f948e7f7ef_Wed16b426d6adc1.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe621f9490c9091_Wed16d3d6c5.exe621f948a0fc8a_Wed1650732795.tmp621f948449020_Wed163088fdd.exe0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.execmd.exe621f9482b3cb5_Wed16d6773e4.execmd.exe621f948a0fc8a_Wed1650732795.tmppowershell.exesetup_install.execmd.exe11111.exeregsvr32.execmd.execmd.exepowershell.exe621f9490c9091_Wed16d3d6c5.execmd.execmd.exe621f948e7f7ef_Wed16b426d6adc1.exe621f948d05937_Wed16374c3beda.execmd.exe621f949237c58_Wed168fc449f.tmpcmd.execmd.execmd.exe621f948855a5b_Wed16c9c6da01a3.exe621f9486b4516_Wed16eb16ea4.exe11111.exe621f948a0fc8a_Wed1650732795.execmd.execmd.execmd.exe621f94aa19419_Wed16184b9bf0.exetaskkill.execmd.exe621f948855a5b_Wed16c9c6da01a3.exe621f948a0fc8a_Wed1650732795.exe621f948b816de_Wed16bd6eaa.exe621f949237c58_Wed168fc449f.exe621f948449020_Wed163088fdd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f9490c9091_Wed16d3d6c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948a0fc8a_Wed1650732795.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948449020_Wed163088fdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f9482b3cb5_Wed16d6773e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948a0fc8a_Wed1650732795.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f9490c9091_Wed16d3d6c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948e7f7ef_Wed16b426d6adc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948d05937_Wed16374c3beda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f949237c58_Wed168fc449f.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948855a5b_Wed16c9c6da01a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f9486b4516_Wed16eb16ea4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948a0fc8a_Wed1650732795.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f94aa19419_Wed16184b9bf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948855a5b_Wed16c9c6da01a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948a0fc8a_Wed1650732795.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948b816de_Wed16bd6eaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f949237c58_Wed168fc449f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	621f948449020_Wed163088fdd.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2884 taskkill.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

621f94aa19419_Wed16184b9bf0.exepowershell.exepowershell.exe11111.exe

pid process

2260 621f94aa19419_Wed16184b9bf0.exe
1484 powershell.exe
2516 powershell.exe
2708 11111.exe
2708 11111.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

621f948a0fc8a_Wed1650732795.tmp

pid process

2256 621f948a0fc8a_Wed1650732795.tmp

pid	process
2884	taskkill.exe

pid	process
2260	621f94aa19419_Wed16184b9bf0.exe
1484	powershell.exe
2516	powershell.exe
2708	11111.exe
2708	11111.exe

pid	process
2256	621f948a0fc8a_Wed1650732795.tmp

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

621f9486b4516_Wed16eb16ea4.exepowershell.exepowershell.exetaskkill.exe621f94837e687_Wed16b4f13b0b4.exe

description	pid	process
Token: SeCreateTokenPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeAssignPrimaryTokenPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeLockMemoryPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeIncreaseQuotaPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeMachineAccountPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeTcbPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeSecurityPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeTakeOwnershipPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeLoadDriverPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeSystemProfilePrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeSystemtimePrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeProfSingleProcessPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeIncBasePriorityPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeCreatePagefilePrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeCreatePermanentPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeBackupPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeRestorePrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeShutdownPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeDebugPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeAuditPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeSystemEnvironmentPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeChangeNotifyPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeRemoteShutdownPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeUndockPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeSyncAgentPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeEnableDelegationPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeManageVolumePrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeImpersonatePrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeCreateGlobalPrivilege	1768	621f9486b4516_Wed16eb16ea4.exe
Token: 31	1768	621f9486b4516_Wed16eb16ea4.exe
Token: 32	1768	621f9486b4516_Wed16eb16ea4.exe
Token: 33	1768	621f9486b4516_Wed16eb16ea4.exe
Token: 34	1768	621f9486b4516_Wed16eb16ea4.exe
Token: 35	1768	621f9486b4516_Wed16eb16ea4.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	2064	621f94837e687_Wed16b4f13b0b4.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

621f948855a5b_Wed16c9c6da01a3.exe621f948855a5b_Wed16c9c6da01a3.exe3A2M90A5EHAHK5K.exe

pid	process
2224	621f948855a5b_Wed16c9c6da01a3.exe
2224	621f948855a5b_Wed16c9c6da01a3.exe
1840	621f948855a5b_Wed16c9c6da01a3.exe
1840	621f948855a5b_Wed16c9c6da01a3.exe
1536	3A2M90A5EHAHK5K.exe
1536	3A2M90A5EHAHK5K.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exesetup_install.execmd.exe

description	pid	process	target process
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 1356 wrote to memory of 2572	1356	0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe	setup_install.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2812	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2304	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1060	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2612	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2252	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 2808	2572	setup_install.exe	cmd.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2304 wrote to memory of 1292	2304	cmd.exe	621f9482b3cb5_Wed16d6773e4.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 832	2572	setup_install.exe	cmd.exe
PID 2572 wrote to memory of 1580	2572	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
"C:\Users\Admin\AppData\Local\Temp\0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f9482b3cb5_Wed16d6773e4.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe
      621f9482b3cb5_Wed16d6773e4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f94837e687_Wed16b4f13b0b4.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe
      621f94837e687_Wed16b4f13b0b4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948449020_Wed163088fdd.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
      621f948449020_Wed163088fdd.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f9486b4516_Wed16eb16ea4.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe
      621f9486b4516_Wed16eb16ea4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948855a5b_Wed16c9c6da01a3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe
      621f948855a5b_Wed16c9c6da01a3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe" -h
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948a0fc8a_Wed1650732795.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:832
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe
      621f948a0fc8a_Wed1650732795.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1144
    - - C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BU1ND.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$301E6,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:612
      - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp" /SL5="$501BC,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe" /SILENT
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948b816de_Wed16bd6eaa.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe
      621f948b816de_Wed16bd6eaa.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948d05937_Wed16374c3beda.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe
      621f948d05937_Wed16374c3beda.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2504
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" .\ZMJYD.C /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe
      621f948e7f7ef_Wed16b426d6adc1.exe /mixtwo
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 492
        5⤵
        Program crash
        
        PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f948fe5007_Wed163feaf0.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe
      621f948fe5007_Wed163feaf0.exe
      4⤵
      Executes dropped EXE
      PID:368
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 368 -s 380
        5⤵
        
        PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f9490c9091_Wed16d3d6c5.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe
      621f9490c9091_Wed16d3d6c5.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe
        
        621f9490c9091_Wed16d3d6c5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f949237c58_Wed168fc449f.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe
      621f949237c58_Wed168fc449f.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-11311.tmp\621f949237c58_Wed168fc449f.tmp" /SL5="$301CC,140006,56320,C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 621f94aa19419_Wed16184b9bf0.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe
      621f94aa19419_Wed16184b9bf0.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\3A2M90A5EHAHK5K.exe
        
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
215KB

MD5
94989927a6611e1919f84e1871922b63

SHA1
b602e4c47c9c42c273b68a1ce85f0814c0e05deb

SHA256
6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

SHA512
ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
207KB

MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9482b3cb5_Wed16d6773e4.exe

Filesize
20KB

MD5
98c3385d313ae6d4cf1f192830f6b555

SHA1
31c572430094e9adbf5b7647c3621b2e8dfa7fe8

SHA256
4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be

SHA512
fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94837e687_Wed16b4f13b0b4.exe

Filesize
151KB

MD5
5b667f4b728b93ed5951e7bfddf8fb21

SHA1
00258995bd0f0b43af92656d217903e62b4229bd

SHA256
ac6cbfa5a8097b446fc0b6d7fb464c55425cf8093f3147f65b0bde3a08e1f3c1

SHA512
4f3fc716db01afab932bb800e4b26a729f47f693b4490176548cc67cca9c9957e155a04fd10ecf098c8a1c02dbca3dc8695cc67af545376aff771c207a6eee77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948449020_Wed163088fdd.exe

Filesize
305KB

MD5
c5ae00bc9521abc87b2143826b88731a

SHA1
ef44d7c5cc9fa1b61070a2aacd76a4718ccacf5e

SHA256
2d23db5f735a5b3111cdf867a611d73c757797bc28f099feef6d5d14154b31b1

SHA512
1f91288c9608cd83a3b7355b8523a3175b369d771cd5b3142ea8eb2c1ee0f3e69f13618e5ce5b7c6bc068cee61211bdc3a2a17c874a3802892125e97a0dd522a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9486b4516_Wed16eb16ea4.exe

Filesize
1.5MB

MD5
e1a8bb1c0d082168f5433a1bdd03b66b

SHA1
71e43669b4a74b4f830d3e74f5750dc7be78e085

SHA256
1286c91bd81aaccf5df1da0c78298a91d1d77bcddfe65871568b0661fb227929

SHA512
11fd29f912d52bb0984f39b4c12d7f2ead645abf0866b8e6f725a3c1bae154bb120859ce9e6f1010edf01f6dc7f3a2b6ca5071fff2e8a88c4e8a134808bfee49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948855a5b_Wed16c9c6da01a3.exe

Filesize
372KB

MD5
894759b7ce3835029711d032205ec472

SHA1
e8824dffbc468e4dcdfd06094597776b3c4be593

SHA256
c12d359da11bc33309ac9d661aec047669aee7986bfd8326d122a26c055e0044

SHA512
ea25a7fd901eb9dedf93eb5e026de1406315599429ee31080828a59cd8cb6dd763ef307c329ef5f422b3cfaa136f2aa7b1412f013bbbd9aecf97a7c9195d127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948a0fc8a_Wed1650732795.exe

Filesize
1.5MB

MD5
8f12876ff6f721e9b9786733f923ed5a

SHA1
4898a00c846f82316cc632007966dfb5f626ad43

SHA256
9aa138a385805dc69f7c082a3994538fea2127d18f352a74ab8505ccd74fa533

SHA512
1069e733a45c7a2bec67cae1b465bdd4a76051673a7bb0a7dba21a240d9e4d3d18f5915ace58e5a666d824e57355907c7ac23fc23d4fcf38af5a6e54115f1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948b816de_Wed16bd6eaa.exe

Filesize
202KB

MD5
f47ef25d6fbd8fb1709ac978104480d9

SHA1
861dee7ae35269baf7429147f1089004dbdbbc75

SHA256
b141a340d0703b0dbe579bf42a8eb865b6d8bdc6ec5323215e7de9eeb890c788

SHA512
cf0332bcb6a75be665aafae033b3e810c0120aac02c3c3a4b5534788420ee7013e03bbaffa830fc34be19750efba1ef5205b2c356825ba02f6664816e98442d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948d05937_Wed16374c3beda.exe

Filesize
2.3MB

MD5
aa5254e8284e33aa8f60e9f4e9e8b1c5

SHA1
465f8b854048fc21a99b2f746c961bea598a4c38

SHA256
9780e353d9670c8ab8177d23af1ec3acdaa740a9f5f13f77e88f1f9de5ed8323

SHA512
024062930947a3d34d5fc01f1633aa8a09524a9537651269f090f800f9a248d551a7144e2726f9b3303c81237c00149b8bbe2f0de235d70ebe525534eac91fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948e7f7ef_Wed16b426d6adc1.exe

Filesize
351KB

MD5
afe6087457ae59ca0d071370f60a3e86

SHA1
b576cae50f011161d729a257ea3c3f3ff9b47dd6

SHA256
d77eb517c120ffc52cb3bc21e2c592625073b0ba287f9f5cf8e9822a6fe00a95

SHA512
3aecbb441a22f247e84288e94020759f567e1d086a5f59cdd119e14612bb71a1c1dc5cbc80b951456fecdc10737b69a47bc3dc07059dbb94a46aab85247ba570

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f948fe5007_Wed163feaf0.exe

Filesize
1.6MB

MD5
749b436db9150b62721e67aa8d5bdebb

SHA1
a5b77f7cede8c4c40d96e941a941862b6a9c1a23

SHA256
9d400635b2cb61d461ade25b36097fc8e66c8d963c1cd3ab0d6864b9c016bbfc

SHA512
ccfbffc9ca5dde45e1a834336e0f1df4a9c0e8658a7c4f07f5dec347005b2c4f9bdd5c6d5981680ba9a84d4169f9a26d4a53c930def39cd298947ec7cf8db0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f9490c9091_Wed16d3d6c5.exe

Filesize
202KB

MD5
65a916a503ac8875b7a38d04f9ec53cd

SHA1
6fe3351cdd4e684ee2eccceabe7ec515f508a6a2

SHA256
bc84e7b06f99196ef82c0d5356644ed3fe1d897257e9e8149cf83e686e285618

SHA512
574071f47f85552cc8de4c26230528db1a7034a5ac454d704a29cfe2d919c9be36f23aa2be4c5ed59554613fe20382a95d5b7e31e43d32e0cd3fc7e4a2b1be71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f949237c58_Wed168fc449f.exe

Filesize
383KB

MD5
c427835b14238569c986d5543b36e0cb

SHA1
552d3752d6276cf8eebbf0ef976954e340930b14

SHA256
8804babd5cc914c36e67fb2a2b3086ce3b3a6b7d676749f5700f9eb41796c458

SHA512
dfe034d6f89a0068d9f1c33e4cc0df47ebfa0d38dc33884295a466f1126b24dbe78e56ef905f218636a2b3f780b28a62f5164ddf01502324854a81163c7539b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\621f94aa19419_Wed16184b9bf0.exe

Filesize
1.4MB

MD5
9955dd419c83119488778affdab16717

SHA1
da24a018dc2411f9c646c8770b34ad659387e931

SHA256
91c178a3c15eb95b93cd8d61be8a80c2eac2b66149e744b9e23a53fb9c68927f

SHA512
e4dfb73ab1812e22f783d269d9cdc7814134237d35887bc55dc1e105e3d95f64ed6851200dbecd8819e71927ac542fefbdbdf7b7bc318e90806a0912a2212e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC456E008\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0RD0.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N4MR5.tmp\621f948a0fc8a_Wed1650732795.tmp

Filesize
2.5MB

MD5
83b531c1515044f8241cd9627fbfbe86

SHA1
d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c

SHA512
9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8N1GAL8IN3SZP8EEQT2.temp

Filesize
7KB

MD5
b2f0db58d86b1bcf5d66c58f9c26229c

SHA1
5d57d4ff5f6a701dff497b4489d399b1e729e32c

SHA256
bffad306773e7b84d24ed392861e5719b163dce94cdea97b0f2ced05c12db51c

SHA512
a37950929ca1d29a543278e8317218b97c8dea0863995a1b7bd327ec37766e1862ee411dcc2a8f17f094d3a9c70f2876485facbae5ca9fc90f2fa6a5db41a707

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC456E008\setup_install.exe

Filesize
2.1MB

MD5
dc72933d86bf031b858123f48c4fd14f

SHA1
ee6b17d8e965f2175dc7837c1b7cb0020c24a781

SHA256
a4fa4aa6dbd692660840d051ec283d262f32037ccadf9445d2ea86dd664b5831

SHA512
62be755bf2d61c747e94dc2f4a6efebc28cad43ded8d249188bc682f225ee8fad3bfc7ce1c85b1fc81c0c26c845dc7c19882bbd18008051bed0d6082fcf320c4

Download Submit
memory/472-196-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/472-250-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/612-202-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/948-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/948-195-0x0000000000330000-0x00000000003B0000-memory.dmp

Filesize
512KB

Download
memory/948-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/948-194-0x0000000000330000-0x00000000003B0000-memory.dmp

Filesize
512KB

Download
memory/1136-214-0x0000000001310000-0x0000000001362000-memory.dmp

Filesize
328KB

Download
memory/1144-203-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1144-146-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1292-103-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1292-118-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1292-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1292-142-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1292-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1292-117-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1292-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1292-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1292-119-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1292-137-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/1536-269-0x000000013F160000-0x000000013F166000-memory.dmp

Filesize
24KB

Download
memory/1676-244-0x0000000001F10000-0x0000000002F10000-memory.dmp

Filesize
16.0MB

Download
memory/1676-271-0x0000000001F10000-0x0000000002F10000-memory.dmp

Filesize
16.0MB

Download
memory/1744-162-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2004-140-0x0000000002260000-0x00000000023E8000-memory.dmp

Filesize
1.5MB

Download
memory/2004-232-0x0000000002260000-0x00000000023E8000-memory.dmp

Filesize
1.5MB

Download
memory/2036-245-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2036-270-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2064-193-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2064-165-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/2072-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2072-231-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2128-163-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-164-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2128-168-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2256-251-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2260-159-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2260-145-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2260-240-0x0000000000C30000-0x0000000000DB8000-memory.dmp

Filesize
1.5MB

Download
memory/2260-249-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2260-161-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2260-278-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2260-155-0x0000000000C30000-0x0000000000DB8000-memory.dmp

Filesize
1.5MB

Download
memory/2260-241-0x0000000000C30000-0x0000000000DB8000-memory.dmp

Filesize
1.5MB

Download
memory/2260-154-0x0000000000C30000-0x0000000000DB8000-memory.dmp

Filesize
1.5MB

Download
memory/2260-157-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2260-160-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/2260-158-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2260-233-0x0000000000AA0000-0x0000000000C28000-memory.dmp

Filesize
1.5MB

Download
memory/2304-85-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2304-86-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2436-213-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2572-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2572-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2572-68-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2572-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2572-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2572-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2572-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2572-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2572-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2572-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2572-128-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2572-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2572-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2572-123-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2572-124-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2572-125-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2572-126-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2572-66-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2572-127-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2572-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2572-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2708-265-0x0000000000240000-0x00000000002C3000-memory.dmp

Filesize
524KB

Download
memory/2708-291-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2708-290-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2708-238-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2708-239-0x0000000000240000-0x00000000002C3000-memory.dmp

Filesize
524KB

Download
memory/2708-264-0x0000000000240000-0x00000000002C3000-memory.dmp

Filesize
524KB

Download
memory/2928-256-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-252-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-262-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-263-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-254-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-261-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-258-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-260-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download