sectoprat | 1d487d11f8e3c45d76a260e4995b79f3cceca02942d9e426970eb560530c6c09

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msi (4).msi
Size

6.2MB
MD5

391f67eb98c7f707cb94a070b74400b6
SHA1

ed2e0e03a19fade042fb7f4be2d305987075711f
SHA256

1d487d11f8e3c45d76a260e4995b79f3cceca02942d9e426970eb560530c6c09
SHA512

3089441646ebcfc9d49c55322020433b03ccce7e8826960bf6415b593796418505470b63d7506a34ce025c578992910dafb34bc44f73ed87d8f82d973cc9c85e
SSDEEP

98304:1RJYyhcOqGU0xyoZ3lSby0it97V6NGaS6F4Kt56TchTV3uAJ69Xt:TSyvrjXtFIS6F44ccxV3uAMXt

Score

10^/10

sectoprat credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3372-101-0x0000000000D00000-0x0000000000DCC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2536	chrome.exe
5060	chrome.exe
2672	msedge.exe
1468	msedge.exe
5940	msedge.exe
4876	chrome.exe
5764	chrome.exe
1312	chrome.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 4140	4324	SplashWin.exe	103
PID 4140 set thread context of 3372	4140	cmd.exe	114

Executes dropped EXE 12 IoCs

pid	Process
1172	ISBEW64.exe
4416	ISBEW64.exe
748	ISBEW64.exe
768	ISBEW64.exe
5756	ISBEW64.exe
4584	ISBEW64.exe
4696	ISBEW64.exe
4712	ISBEW64.exe
4464	ISBEW64.exe
3924	ISBEW64.exe
4796	SplashWin.exe
4324	SplashWin.exe

Loads dropped DLL 11 IoCs

pid	Process
5964	MsiExec.exe
5964	MsiExec.exe
5964	MsiExec.exe
5964	MsiExec.exe
5964	MsiExec.exe
4796	SplashWin.exe
4796	SplashWin.exe
4796	SplashWin.exe
4324	SplashWin.exe
4324	SplashWin.exe
4324	SplashWin.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4796	SplashWin.exe
4324	SplashWin.exe
4324	SplashWin.exe
4140	cmd.exe
4140	cmd.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
4876	chrome.exe
4876	chrome.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe
3372	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4324	SplashWin.exe
4140	cmd.exe
4140	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
2672	msedge.exe
2672	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1476	msiexec.exe
Token: SeSecurityPrivilege	2860	msiexec.exe
Token: SeCreateTokenPrivilege	1476	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1476	msiexec.exe
Token: SeLockMemoryPrivilege	1476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1476	msiexec.exe
Token: SeMachineAccountPrivilege	1476	msiexec.exe
Token: SeTcbPrivilege	1476	msiexec.exe
Token: SeSecurityPrivilege	1476	msiexec.exe
Token: SeTakeOwnershipPrivilege	1476	msiexec.exe
Token: SeLoadDriverPrivilege	1476	msiexec.exe
Token: SeSystemProfilePrivilege	1476	msiexec.exe
Token: SeSystemtimePrivilege	1476	msiexec.exe
Token: SeProfSingleProcessPrivilege	1476	msiexec.exe
Token: SeIncBasePriorityPrivilege	1476	msiexec.exe
Token: SeCreatePagefilePrivilege	1476	msiexec.exe
Token: SeCreatePermanentPrivilege	1476	msiexec.exe
Token: SeBackupPrivilege	1476	msiexec.exe
Token: SeRestorePrivilege	1476	msiexec.exe
Token: SeShutdownPrivilege	1476	msiexec.exe
Token: SeDebugPrivilege	1476	msiexec.exe
Token: SeAuditPrivilege	1476	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1476	msiexec.exe
Token: SeChangeNotifyPrivilege	1476	msiexec.exe
Token: SeRemoteShutdownPrivilege	1476	msiexec.exe
Token: SeUndockPrivilege	1476	msiexec.exe
Token: SeSyncAgentPrivilege	1476	msiexec.exe
Token: SeEnableDelegationPrivilege	1476	msiexec.exe
Token: SeManageVolumePrivilege	1476	msiexec.exe
Token: SeImpersonatePrivilege	1476	msiexec.exe
Token: SeCreateGlobalPrivilege	1476	msiexec.exe
Token: SeCreateTokenPrivilege	1476	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1476	msiexec.exe
Token: SeLockMemoryPrivilege	1476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1476	msiexec.exe
Token: SeMachineAccountPrivilege	1476	msiexec.exe
Token: SeTcbPrivilege	1476	msiexec.exe
Token: SeSecurityPrivilege	1476	msiexec.exe
Token: SeTakeOwnershipPrivilege	1476	msiexec.exe
Token: SeLoadDriverPrivilege	1476	msiexec.exe
Token: SeSystemProfilePrivilege	1476	msiexec.exe
Token: SeSystemtimePrivilege	1476	msiexec.exe
Token: SeProfSingleProcessPrivilege	1476	msiexec.exe
Token: SeIncBasePriorityPrivilege	1476	msiexec.exe
Token: SeCreatePagefilePrivilege	1476	msiexec.exe
Token: SeCreatePermanentPrivilege	1476	msiexec.exe
Token: SeBackupPrivilege	1476	msiexec.exe
Token: SeRestorePrivilege	1476	msiexec.exe
Token: SeShutdownPrivilege	1476	msiexec.exe
Token: SeDebugPrivilege	1476	msiexec.exe
Token: SeAuditPrivilege	1476	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1476	msiexec.exe
Token: SeChangeNotifyPrivilege	1476	msiexec.exe
Token: SeRemoteShutdownPrivilege	1476	msiexec.exe
Token: SeUndockPrivilege	1476	msiexec.exe
Token: SeSyncAgentPrivilege	1476	msiexec.exe
Token: SeEnableDelegationPrivilege	1476	msiexec.exe
Token: SeManageVolumePrivilege	1476	msiexec.exe
Token: SeImpersonatePrivilege	1476	msiexec.exe
Token: SeCreateGlobalPrivilege	1476	msiexec.exe
Token: SeCreateTokenPrivilege	1476	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1476	msiexec.exe
Token: SeLockMemoryPrivilege	1476	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1476	msiexec.exe
1476	msiexec.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
2672	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3372	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 5964	2860	msiexec.exe	87
PID 2860 wrote to memory of 5964	2860	msiexec.exe	87
PID 2860 wrote to memory of 5964	2860	msiexec.exe	87
PID 5964 wrote to memory of 1172	5964	MsiExec.exe	91
PID 5964 wrote to memory of 1172	5964	MsiExec.exe	91
PID 5964 wrote to memory of 4416	5964	MsiExec.exe	92
PID 5964 wrote to memory of 4416	5964	MsiExec.exe	92
PID 5964 wrote to memory of 748	5964	MsiExec.exe	93
PID 5964 wrote to memory of 748	5964	MsiExec.exe	93
PID 5964 wrote to memory of 768	5964	MsiExec.exe	94
PID 5964 wrote to memory of 768	5964	MsiExec.exe	94
PID 5964 wrote to memory of 5756	5964	MsiExec.exe	95
PID 5964 wrote to memory of 5756	5964	MsiExec.exe	95
PID 5964 wrote to memory of 4584	5964	MsiExec.exe	96
PID 5964 wrote to memory of 4584	5964	MsiExec.exe	96
PID 5964 wrote to memory of 4696	5964	MsiExec.exe	97
PID 5964 wrote to memory of 4696	5964	MsiExec.exe	97
PID 5964 wrote to memory of 4712	5964	MsiExec.exe	98
PID 5964 wrote to memory of 4712	5964	MsiExec.exe	98
PID 5964 wrote to memory of 4464	5964	MsiExec.exe	99
PID 5964 wrote to memory of 4464	5964	MsiExec.exe	99
PID 5964 wrote to memory of 3924	5964	MsiExec.exe	100
PID 5964 wrote to memory of 3924	5964	MsiExec.exe	100
PID 5964 wrote to memory of 4796	5964	MsiExec.exe	101
PID 5964 wrote to memory of 4796	5964	MsiExec.exe	101
PID 5964 wrote to memory of 4796	5964	MsiExec.exe	101
PID 4796 wrote to memory of 4324	4796	SplashWin.exe	102
PID 4796 wrote to memory of 4324	4796	SplashWin.exe	102
PID 4796 wrote to memory of 4324	4796	SplashWin.exe	102
PID 4324 wrote to memory of 4140	4324	SplashWin.exe	103
PID 4324 wrote to memory of 4140	4324	SplashWin.exe	103
PID 4324 wrote to memory of 4140	4324	SplashWin.exe	103
PID 4324 wrote to memory of 4140	4324	SplashWin.exe	103
PID 4140 wrote to memory of 3372	4140	cmd.exe	114
PID 4140 wrote to memory of 3372	4140	cmd.exe	114
PID 4140 wrote to memory of 3372	4140	cmd.exe	114
PID 4140 wrote to memory of 3372	4140	cmd.exe	114
PID 4140 wrote to memory of 3372	4140	cmd.exe	114
PID 3372 wrote to memory of 4876	3372	MSBuild.exe	124
PID 3372 wrote to memory of 4876	3372	MSBuild.exe	124
PID 4876 wrote to memory of 3924	4876	chrome.exe	125
PID 4876 wrote to memory of 3924	4876	chrome.exe	125
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126
PID 4876 wrote to memory of 4172	4876	chrome.exe	126

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\msi (4).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B4A94A3C902FA1B32CEBBB39FD4D092E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A7C02129-DDAC-4CEA-A8AD-9E9381455587}
    3⤵
    - Executes dropped EXE
    PID:1172
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85987A3D-A9D7-4F7D-8131-F713DE55C738}
    3⤵
    - Executes dropped EXE
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3F8B0919-4826-40DE-9E81-6B075E2BF414}
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CDC5F328-8FDB-4CFF-9E78-361E68F7C5D3}
    3⤵
    - Executes dropped EXE
    PID:768
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8018732-D0F5-4B3A-BB94-9AAD9195140E}
    3⤵
    - Executes dropped EXE
    PID:5756
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9BF98BED-B31F-4388-9901-09D31C96BE94}
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D78B7201-02A9-43B3-9A9C-8E2FA8B8AC86}
    3⤵
    - Executes dropped EXE
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{70220675-ECA9-4DDC-A6AC-FECFE622C239}
    3⤵
    - Executes dropped EXE
    PID:4712
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77D5FB07-DCD7-4DE6-9357-EE5C645F9818}
    3⤵
    - Executes dropped EXE
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{691814CB-3309-498F-B7F3-DA5B4359C05A}
    3⤵
    - Executes dropped EXE
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\SplashWin.exe
    C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\SplashWin.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Users\Admin\AppData\Roaming\ReaderOracle\SplashWin.exe
      C:\Users\Admin\AppData\Roaming\ReaderOracle\SplashWin.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8963 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8aae9dcf8,0x7ff8aae9dd04,0x7ff8aae9dd10
        8⤵
        
        PID:3924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2036 /prefetch:2
        8⤵
        
        PID:4172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2284,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2296 /prefetch:3
        8⤵
        
        PID:5596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2428,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2440 /prefetch:8
        8⤵
        
        PID:5828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8963 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3304,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8963 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3360 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5764
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8963 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4340 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8963 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4580,i,12718351505835790483,9140770804360195819,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4624 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9746 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x24c,0x250,0x254,0x248,0x270,0x7ff8ac6cf208,0x7ff8ac6cf214,0x7ff8ac6cf220
        8⤵
        
        PID:3340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1984,i,2726809926652022132,6099290131451266530,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
        8⤵
        
        PID:2864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2232,i,2726809926652022132,6099290131451266530,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
        8⤵
        
        PID:3756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2604,i,2726809926652022132,6099290131451266530,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:8
        8⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9746 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,2726809926652022132,6099290131451266530,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9746 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,2726809926652022132,6099290131451266530,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1468

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
6ac2215e4cd38f4a100ad6a352815c3b

SHA1
4d5277819e4ba73d2b81b29e5c40921b22d6c486

SHA256
2387f76c917a199f43347986560936a8eb758508eb02253ca81d43e7c69e14ff

SHA512
733033c81f8bd43e67b3dd8a086d9fd15d6d3654a66b99d5f46e152b62df844a853f520e015ad9d068fe50eaf3b02b0e11ea887bb84769d5fc18832ca33534e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
65044109d1beb8ed8d59560642cbc519

SHA1
0084485b0aa26069232fab51ee603682e8edfd17

SHA256
a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

SHA512
96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
8add1640a1653b1323cf99505b3bf08f

SHA1
bf858f7acd5e72a457e245f5f7feea3719785494

SHA256
6b4520e7dedbf7c54796504c83aaf57bcd90cad4c2cdb519aefdbd0dabebe64f

SHA512
5885b23d8f6229084b00b3878d91b6a7d3c2679f1934348e98dc32c29134821b442196b4f72d2c1b1988066fa55cbc0053379ef36189339451fe134aca50290d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
67afe72f8f400234cb700c5ff92ba3ae

SHA1
98d255e083e7bd27195c255426f7cd5110f891f6

SHA256
14240c090c7138f9ebbdc8df6d7a4ce0b0d068157984e537d8143164dedacb97

SHA512
54951a47774c23551ed0114cc90b264ef94bfc2ce5b9ca733c73c1c117219da0d1e56642b5f5f7da82f315be61948e722ca342f684669fba49a36efbaff36f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7CE1.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7E87.tmp

Filesize
2.5MB

MD5
64d75970fa6848d4b5697ea75adeb3fa

SHA1
984ed3f2571eb5885d85406e96eb7aadd9368f5f

SHA256
a4c5ecb617d2a499c6580764865e2ec231b5d5439255fba23fd04d835729f217

SHA512
fa0f52e434ddf949ed2fd6d7b643a4fc74b0f6acfade18e128165d2c59d2f01ae03a96a73d5d84215098cd02a36ccc0f02cba2dc48017cce9e695d743b587d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9ccdab7

Filesize
1.5MB

MD5
fcc6e8f24e8256f1b584a4b01c466b29

SHA1
ce21359d4500bb7addeb74daad92411e54199f05

SHA256
023afd4384f75f695552ee663b2c4be071f2556f449b958fb3038c0227fc0abf

SHA512
70a994540722db88cb9ee776b4336308383547d7679dcc39cc6811117572bef56f93da5db82bec71fe0a1442974dd49d452bad7f204eea79dc03b291f359538b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6E88FAB0-34B6-41B6-B1A4-376BC87DEA61}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\DuiLib_u.dll

Filesize
860KB

MD5
9dd46dda577ecc74804dbe456b336ead

SHA1
c1522682f8213cc7716b8d5781f7f044f61a263e

SHA256
a671c0b634ec9e1bb77e3db1494a218113313a8e695b56c884da9ce8df2e6fa7

SHA512
216f519a5cce9285b1124806259012e49a611fa887cc517b9e2f9a218f675d661810055a0d727d0f13144dfe490a8c2192398efd634f9e6325577c3e9009b64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\prescript.ppt

Filesize
1.2MB

MD5
f3bee28b1a7c97535f5fe33a74d9d7a0

SHA1
623ca56abd8b7bc993cd8d21b1f32629de91ec9a

SHA256
214e43f74f90fde8f4e3b08e629fe53979b1a12fbd2f7fb0e4dcd44379280943

SHA512
b6574cefa290381bdb3fbd392cc94276e5d25a9b16ba24a1b0647cfb9be428d882e7ba2860729dccf43992763a2a077e91421b1591043421c1292fa870a23675

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\tarred.txt

Filesize
34KB

MD5
9e9af23151413aeb5d50b4c51536a587

SHA1
953864d8199b528624293cd2c38153870d1a8d62

SHA256
668b6438710adc78f7eccc116da177235759eeee1d2ea313884834a375cbf6a5

SHA512
24690b3fcf126a0ea11c3974139a918d0ac0eeffd87cafa80e2b5df6f35e5c928a1ff65a59f53574837cea29d3a37b138634397fb4881df61650a2a14df1b0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBE69552-2CB0-464C-8F7F-78CCCB6A58D2}\vcruntime140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
memory/3372-109-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/3372-108-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/3372-112-0x0000000006EA0000-0x0000000006EDC000-memory.dmp

Filesize
240KB

Download
memory/3372-98-0x0000000073CA0000-0x0000000074EF4000-memory.dmp

Filesize
18.3MB

Download
memory/3372-101-0x0000000000D00000-0x0000000000DCC000-memory.dmp

Filesize
816KB

Download
memory/3372-102-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3372-103-0x0000000005400000-0x0000000005476000-memory.dmp

Filesize
472KB

Download
memory/3372-104-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3372-105-0x00000000054D0000-0x0000000005520000-memory.dmp

Filesize
320KB

Download
memory/3372-106-0x0000000005700000-0x00000000058C2000-memory.dmp

Filesize
1.8MB

Download
memory/3372-107-0x0000000006610000-0x0000000006B3C000-memory.dmp

Filesize
5.2MB

Download
memory/3372-111-0x0000000006080000-0x0000000006092000-memory.dmp

Filesize
72KB

Download
memory/3372-110-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/4140-94-0x00007FF8CA3B0000-0x00007FF8CA5A5000-memory.dmp

Filesize
2.0MB

Download
memory/4140-96-0x00000000756D0000-0x000000007584B000-memory.dmp

Filesize
1.5MB

Download
memory/4324-91-0x00000000756D0000-0x000000007584B000-memory.dmp

Filesize
1.5MB

Download
memory/4324-90-0x00007FF8CA3B0000-0x00007FF8CA5A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-89-0x00000000756D0000-0x000000007584B000-memory.dmp

Filesize
1.5MB

Download
memory/4796-61-0x00007FF8CA3B0000-0x00007FF8CA5A5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-60-0x0000000074040000-0x00000000741BB000-memory.dmp

Filesize
1.5MB

Download
memory/5964-39-0x0000000003000000-0x00000000031C7000-memory.dmp

Filesize
1.8MB

Download
memory/5964-34-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download