gcleaner | 106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2025, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
Size

3.4MB
MD5

ca48a01552acf9cb77202bf0b77a7a1c
SHA1

1daba5dbab15456462e1ac3e80b782aa867889c2
SHA256

106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4
SHA512

f5942e6a162c2b3e5df3ac14b24350f36e393ddb80400fcd47070e70b6eccaa366ef3406c8452b795c7b28cf2266fd8eb1339f51dcc1910a004c72e14cbe8a55
SSDEEP

49152:Kj4FOCYYcrX7JGwyTL2RhE3IiSKVFGclOt45MaUEr7NSv2opoSH7QirAnN4tSqJS:cRCHCowyTL2RgSWj5WaU28wN4t0N

Score

10^/10

gcleaner lgoogloader onlylogger raccoon vidar xmrig 87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a 933 discovery downloader loader miner stealer

Malware Config

Extracted

Family

vidar

Version

41.4

Botnet

933

https://mas.to/@sslam

Attributes

profile_id
933

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Extracted

Family

raccoon

Version

1.8.2

Botnet

87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a

Attributes

url4cnc
http://telemirror.top/jredmankun

http://tgmirror.top/jredmankun

http://telegatt.top/jredmankun

http://telegka.top/jredmankun

http://telegin.top/jredmankun

https://t.me/jredmankun

rc4.plain

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/988-34-0x0000000002340000-0x0000000002352000-memory.dmp	family_lgoogloader

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Lgoogloader family
lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

resource	yara_rule
behavioral2/memory/4352-239-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/4352-242-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/3308-213-0x0000000000400000-0x0000000000790000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2576-212-0x0000000000400000-0x00000000007F1000-memory.dmp	family_vidar

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/4904-268-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-270-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-273-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-275-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-274-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-272-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-276-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-277-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-281-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4904-288-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Chrome 5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services64.exe

Executes dropped EXE 19 IoCs

pid	Process
4908	DownFlSetup110.exe
988	inst1.exe
2140	pxScIi
2576	Soft1WW02.exe
3612	4.exe
4280	5.exe
1624	setup.exe
3560	EASS.exe
3308	setup_2.exe
3284	setup.tmp
4568	9.exe
944	Calculator Installation.exe
2628	Chrome 5.exe
4764	setup.exe
1416	setup.tmp
836	services64.exe
1476	EASS.exe
4352	EASS.exe
2688	sihost64.exe

Loads dropped DLL 6 IoCs

pid	Process
3284	setup.tmp
944	Calculator Installation.exe
944	Calculator Installation.exe
1416	setup.tmp
944	Calculator Installation.exe
944	Calculator Installation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
130	iplogger.org
149	iplogger.org
153	iplogger.org
165	iplogger.org
172	iplogger.org
86	iplogger.org
100	iplogger.org
125	pastebin.com
126	pastebin.com
140	iplogger.org
150	iplogger.org
155	iplogger.org
61	iplogger.org
103	iplogger.org
110	iplogger.org
192	iplogger.org
90	iplogger.org
122	iplogger.org
168	iplogger.org
138	iplogger.org
52	iplogger.org
132	iplogger.org
137	iplogger.org
44	iplogger.org
139	iplogger.org
154	iplogger.org
123	iplogger.org
53	iplogger.org
58	iplogger.org
88	iplogger.org
184	iplogger.org
187	iplogger.org
46	iplogger.org
82	iplogger.org
180	iplogger.org
151	iplogger.org
170	iplogger.org
175	iplogger.org
185	iplogger.org
68	iplogger.org
91	iplogger.org
111	iplogger.org
147	iplogger.org
163	iplogger.org
112	iplogger.org
116	raw.githubusercontent.com
136	iplogger.org
143	iplogger.org
156	iplogger.org
161	iplogger.org
157	iplogger.org
169	iplogger.org
186	iplogger.org
87	iplogger.org
94	iplogger.org
131	iplogger.org
99	iplogger.org
102	iplogger.org
142	iplogger.org
158	iplogger.org
166	iplogger.org
4	iplogger.org
13	iplogger.org
92	iplogger.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 988 set thread context of 2140	988	inst1.exe	84
PID 3560 set thread context of 4352	3560	EASS.exe	134
PID 836 set thread context of 4904	836	services64.exe	139

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2240	2140	WerFault.exe	84
2864	3308	WerFault.exe	93
3492	3308	WerFault.exe	93
2300	3308	WerFault.exe	93
4260	3308	WerFault.exe	93
1640	3308	WerFault.exe	93
4292	2576	WerFault.exe	85
5096	3308	WerFault.exe	93
448	3308	WerFault.exe	93
1160	3308	WerFault.exe	93
736	3308	WerFault.exe	93
4404	3308	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calculator Installation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DownFlSetup110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxScIi
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Soft1WW02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EASS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EASS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023c20-129.dat	nsis_installer_1
behavioral2/files/0x0008000000023c20-129.dat	nsis_installer_2

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1628	schtasks.exe
4376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2628	Chrome 5.exe
3560	EASS.exe
3560	EASS.exe
836	services64.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe
4904	explorer.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	DownFlSetup110.exe
Token: SeDebugPrivilege	3612	4.exe
Token: SeDebugPrivilege	4280	5.exe
Token: SeDebugPrivilege	4568	9.exe
Token: SeDebugPrivilege	2628	Chrome 5.exe
Token: SeDebugPrivilege	3560	EASS.exe
Token: SeDebugPrivilege	836	services64.exe
Token: SeLockMemoryPrivilege	4904	explorer.exe
Token: SeLockMemoryPrivilege	4904	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4908	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	82
PID 4596 wrote to memory of 4908	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	82
PID 4596 wrote to memory of 4908	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	82
PID 4596 wrote to memory of 988	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	83
PID 4596 wrote to memory of 988	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	83
PID 4596 wrote to memory of 988	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	83
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 988 wrote to memory of 2140	988	inst1.exe	84
PID 4596 wrote to memory of 2576	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	85
PID 4596 wrote to memory of 2576	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	85
PID 4596 wrote to memory of 2576	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	85
PID 4596 wrote to memory of 3612	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	87
PID 4596 wrote to memory of 3612	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	87
PID 4596 wrote to memory of 4280	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	88
PID 4596 wrote to memory of 4280	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	88
PID 4596 wrote to memory of 1624	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	90
PID 4596 wrote to memory of 1624	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	90
PID 4596 wrote to memory of 1624	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	90
PID 4596 wrote to memory of 3560	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	91
PID 4596 wrote to memory of 3560	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	91
PID 4596 wrote to memory of 3560	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	91
PID 4596 wrote to memory of 3308	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	93
PID 4596 wrote to memory of 3308	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	93
PID 4596 wrote to memory of 3308	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	93
PID 1624 wrote to memory of 3284	1624	setup.exe	94
PID 1624 wrote to memory of 3284	1624	setup.exe	94
PID 1624 wrote to memory of 3284	1624	setup.exe	94
PID 4596 wrote to memory of 4568	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	95
PID 4596 wrote to memory of 4568	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	95
PID 4596 wrote to memory of 944	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	96
PID 4596 wrote to memory of 944	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	96
PID 4596 wrote to memory of 944	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	96
PID 4596 wrote to memory of 2628	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	97
PID 4596 wrote to memory of 2628	4596	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	97
PID 3284 wrote to memory of 4764	3284	setup.tmp	98
PID 3284 wrote to memory of 4764	3284	setup.tmp	98
PID 3284 wrote to memory of 4764	3284	setup.tmp	98
PID 4764 wrote to memory of 1416	4764	setup.exe	99
PID 4764 wrote to memory of 1416	4764	setup.exe	99
PID 4764 wrote to memory of 1416	4764	setup.exe	99
PID 2628 wrote to memory of 3776	2628	Chrome 5.exe	128
PID 2628 wrote to memory of 3776	2628	Chrome 5.exe	128
PID 3776 wrote to memory of 1628	3776	cmd.exe	130
PID 3776 wrote to memory of 1628	3776	cmd.exe	130
PID 2628 wrote to memory of 836	2628	Chrome 5.exe	132
PID 2628 wrote to memory of 836	2628	Chrome 5.exe	132
PID 3560 wrote to memory of 1476	3560	EASS.exe	133
PID 3560 wrote to memory of 1476	3560	EASS.exe	133
PID 3560 wrote to memory of 1476	3560	EASS.exe	133
PID 3560 wrote to memory of 4352	3560	EASS.exe	134
PID 3560 wrote to memory of 4352	3560	EASS.exe	134
PID 3560 wrote to memory of 4352	3560	EASS.exe	134
PID 3560 wrote to memory of 4352	3560	EASS.exe	134
PID 3560 wrote to memory of 4352	3560	EASS.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\inst1.exe
  "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\XKHXCxSRUZfXYaORzW\pxScIi
    C:\Users\Admin\AppData\Local\Temp\XKHXCxSRUZfXYaORzW\pxScIi
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 472
      4⤵
      Program crash
      PID:2240
- C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
  "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 1016
    3⤵
    - Program crash
    PID:4292
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\5.exe
  "C:\Users\Admin\AppData\Local\Temp\5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\is-NUETH.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NUETH.tmp\setup.tmp" /SL5="$70062,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Users\Admin\AppData\Local\Temp\is-HI0S4.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HI0S4.tmp\setup.tmp" /SL5="$401F4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1416
- C:\Users\Admin\AppData\Local\Temp\EASS.exe
  "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4352
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 464
    3⤵
    - Program crash
    PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 648
    3⤵
    - Program crash
    PID:3492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 672
    3⤵
    - Program crash
    PID:2300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824
    3⤵
    - Program crash
    PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 936
    3⤵
    - Program crash
    PID:1640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 904
    3⤵
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1216
    3⤵
    - Program crash
    PID:448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1264
    3⤵
    - Program crash
    PID:1160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 840
    3⤵
    - Program crash
    PID:736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1212
    3⤵
    - Program crash
    PID:4404
- C:\Users\Admin\AppData\Local\Temp\9.exe
  "C:\Users\Admin\AppData\Local\Temp\9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:944
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1628
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:2332
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4376
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:2688
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2140 -ip 2140
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3308 -ip 3308
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3308 -ip 3308
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3308 -ip 3308
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3308 -ip 3308
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3308 -ip 3308
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2576 -ip 2576
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3308 -ip 3308
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3308 -ip 3308
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3308 -ip 3308
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3308 -ip 3308
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3308 -ip 3308
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
8KB

MD5
320681737aca2a42ef41a7a802e7e395

SHA1
bc6974316d2668a7d0e92cb1ab61a8a758cbd76b

SHA256
5e40c7686d99670b996cae8582dcf3aef6885f87934273f03d7bf10a232e0b33

SHA512
01e25cfb81095a7b0f37d1f69a35be63e6df8c428a0a2a37610c49fb3516dba69d91a6e98738fe7aefe77fd71a3978221817e20dd9dd1bfffe2b09c0deca1bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
8KB

MD5
f37e479ee64ec5b9d75689a12aa79cd2

SHA1
d6b2c01e90a1488cab24063e29bed1a22de5ca9b

SHA256
8127fa63cb781d32e4f0f91dde38c2c9d0307e9267c721922c6b8d9a31c915f0

SHA512
468245b2b9237de8cd9800da7881770525d14462faa95c0b608b3c972f70c6306851be7a41d92447f4dba9450f462be9328f7c867844fe42a8e7be123be13c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
8KB

MD5
3c7203aee224472579c502ad5adb8fb6

SHA1
f4ae3519f99431a4fb8130e929c94d89824b29fe

SHA256
f82dbb015721f197b206f377d1b0676c52c9725ad463a5ad09e12ca1cfc798e2

SHA512
9eae3f0db67cc1597d018203c9a0f53291fe08a3892c404e07093e658ef989cc77765669c19884e362ec0452946d75cb38749d74d7fa23b618e6dc021bd5c0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

Filesize
328KB

MD5
7c4dd7df0090fafa88ea953ebf7e82c6

SHA1
587b32f765393a33aac665d2ead53012840ccb75

SHA256
bcc5b73bd77beae3ff24c384562c0902f90b212f4c345b99f97cae8452111f65

SHA512
8ab5dfd7ed4654e3f738a74ba3ec2c31ef79ea463edc81b5c781411401fac6982b6436ae668476f2a50ae88006379a57c85fec2f98c886bbb77a4d749969cdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
978582a03929afba9f50b7d149dfdb25

SHA1
fd27dfbd0ffec108b3c2ab648993817592010bbc

SHA256
7f413eeaf2db3ec6c7f94d3a5d06644fe5406afdde27e3552a736eaec373f283

SHA512
b37d706c64c15b6aec33d8c104ad18de335cb08dc831103669fd58995ef174f5306a0b5a083790a0f724d5cd9c5c0b7e384d243604e931a1f347521a863b7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASS.exe

Filesize
1.3MB

MD5
c32404b0c8f851f345c1c48692ebc017

SHA1
41d93e106962f20ad85b70dd525a1c3475496a33

SHA256
175a43161c32ae6f4f66e777411304d07e0196156251c9756e61432cd577c70c

SHA512
30c837fa76ed4c3eeab7289db8115ba792131caf325ce9192be7d0bd2dc7669ee1ba1b1596ae40185e27716e65b9f8f7d3ee3dddd4308f5706b8e055e28923ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

Filesize
765KB

MD5
dd505d9dbf82b624095781c1a01e4dbb

SHA1
2c0d3d6e6b70435e8e5608ad8a3c20db7d76b23e

SHA256
bb1ad922f27d0bb3b41988829a5716bce113ac947f6ba9d66ef12876b7af78fe

SHA512
7668c2ce458d96b9e0a6f8ab9d72799582dfd316e2e28b293f3697f3d1cf47f2fb0fd9cd3e0b99f92d44aa91df6dbcaaa24a348baa3f1a62f07d93922ecff0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKHXCxSRUZfXYaORzW\pxScIi

Filesize
42KB

MD5
9dabbd84d79a0330f7635748177a2d93

SHA1
73a4e520d772e4260651cb20b61ba4cb9a29635a

SHA256
a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d

SHA512
020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe

Filesize
221KB

MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NUETH.tmp\setup.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PA5M5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VIBFG.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8E77.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8E77.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
379KB

MD5
429d0e06d7add76fdbfeb404a7bf4469

SHA1
11dedd36c146ae82f6a46360a6c5019284cc86f2

SHA256
32dccba4478d58b4e41bbf18f9d7532fd7d49ba6429b460b377f01e3f9bab736

SHA512
1443c7fc5a07ea82bb1a19211ee73a14e17961dd275e0d9118196ae99fae0de47a67e3ca74e50e90248923691d816aa50acb88329407f6128a2fe30bf405bee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
376KB

MD5
571f9ac1a144d07f5f8e5054ebd737d9

SHA1
6aebb0894669814622bf9417e91870e0c81e0fc1

SHA256
8760d706dffea96fd453a150ba18a3110518fbdc7dfa8c48f84b94a06d7ab47c

SHA512
13ef865efd4c61cbc95c570e956a9bc70ee3a261d60ac6ef138c8c285bb093859e499f92e5f8ac7180b9c017e4ed362f2b1c40ba567f179d658d5978751f4ba8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/988-46-0x00000000007B0000-0x00000000007F3000-memory.dmp

Filesize
268KB

Download
memory/988-35-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/988-34-0x0000000002340000-0x0000000002352000-memory.dmp

Filesize
72KB

Download
memory/1416-215-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1624-176-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1624-92-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2140-42-0x0000000000010000-0x0000000000053000-memory.dmp

Filesize
268KB

Download
memory/2140-43-0x0000000000010000-0x0000000000053000-memory.dmp

Filesize
268KB

Download
memory/2140-36-0x0000000000010000-0x0000000000053000-memory.dmp

Filesize
268KB

Download
memory/2576-212-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/2628-156-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2628-221-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

Filesize
56KB

Download
memory/2628-222-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2688-266-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download
memory/3284-174-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3308-213-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/3560-236-0x0000000006D10000-0x0000000006DAC000-memory.dmp

Filesize
624KB

Download
memory/3560-122-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/3560-119-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/3560-237-0x0000000006F50000-0x000000000702A000-memory.dmp

Filesize
872KB

Download
memory/3560-173-0x0000000006D00000-0x0000000006D0A000-memory.dmp

Filesize
40KB

Download
memory/3560-103-0x0000000000A50000-0x0000000000B98000-memory.dmp

Filesize
1.3MB

Download
memory/3560-137-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/3612-60-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/4280-72-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/4352-242-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4352-239-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4568-124-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/4596-1-0x00000000001E0000-0x0000000000550000-memory.dmp

Filesize
3.4MB

Download
memory/4596-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/4764-214-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4764-167-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4904-268-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-274-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-288-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-281-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-277-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-276-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-271-0x0000000002760000-0x0000000002780000-memory.dmp

Filesize
128KB

Download
memory/4904-270-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-273-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-275-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4904-272-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4908-177-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4908-61-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/4908-16-0x0000000000980000-0x0000000000998000-memory.dmp

Filesize
96KB

Download
memory/4908-27-0x0000000002C40000-0x0000000002C46000-memory.dmp

Filesize
24KB

Download
memory/4908-26-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download