80887c316404836e19b87b8119d481fa6e66f26ed88cfd564e2b916848ae8359

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHSDBTNN.msi
Size

8.8MB
MD5

a554b03ada15a8e18ba20f01599ce1d2
SHA1

62cd68b45d96cb535dc88a3c61ca1e6b5bba4a92
SHA256

80887c316404836e19b87b8119d481fa6e66f26ed88cfd564e2b916848ae8359
SHA512

7d07024ea25accf53df9d22e4c7fbf6c129b2fc7bd26d369ea59f0a863d81bd5655d20952a70a7b9f2f4618019d322b399c290e20e785a425ee2efd512503105
SSDEEP

196608:XgAx0PD+x7ES3KU4zPOWI321Xuo6CpyazUwKS6e4P5lv/TEX3:U+mSx4723qXuo6CpyNwN4UX3

Score

6^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 1040	4108	DesktopX.exe	114

Executes dropped EXE 12 IoCs

pid	Process
4352	ISBEW64.exe
4388	ISBEW64.exe
4452	ISBEW64.exe
4552	ISBEW64.exe
5644	ISBEW64.exe
2796	ISBEW64.exe
5648	ISBEW64.exe
4764	ISBEW64.exe
1236	ISBEW64.exe
4624	ISBEW64.exe
1376	DesktopX.exe
4108	DesktopX.exe

Loads dropped DLL 16 IoCs

pid	Process
2968	MsiExec.exe
2968	MsiExec.exe
2968	MsiExec.exe
2968	MsiExec.exe
2968	MsiExec.exe
1376	DesktopX.exe
1376	DesktopX.exe
1376	DesktopX.exe
1376	DesktopX.exe
1376	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
2188	updateBg_je2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2248	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1376	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
4108	DesktopX.exe
1040	cmd.exe
1040	cmd.exe
1040	cmd.exe
2188	updateBg_je2.exe
2188	updateBg_je2.exe
1236	chrome.exe
1236	chrome.exe
2188	updateBg_je2.exe
2188	updateBg_je2.exe
2188	updateBg_je2.exe
2188	updateBg_je2.exe
2188	updateBg_je2.exe
2188	updateBg_je2.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4108	DesktopX.exe
4108	DesktopX.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	1232	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2248	msiexec.exe
Token: SeLockMemoryPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeMachineAccountPrivilege	2248	msiexec.exe
Token: SeTcbPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeLoadDriverPrivilege	2248	msiexec.exe
Token: SeSystemProfilePrivilege	2248	msiexec.exe
Token: SeSystemtimePrivilege	2248	msiexec.exe
Token: SeProfSingleProcessPrivilege	2248	msiexec.exe
Token: SeIncBasePriorityPrivilege	2248	msiexec.exe
Token: SeCreatePagefilePrivilege	2248	msiexec.exe
Token: SeCreatePermanentPrivilege	2248	msiexec.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeDebugPrivilege	2248	msiexec.exe
Token: SeAuditPrivilege	2248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2248	msiexec.exe
Token: SeChangeNotifyPrivilege	2248	msiexec.exe
Token: SeRemoteShutdownPrivilege	2248	msiexec.exe
Token: SeUndockPrivilege	2248	msiexec.exe
Token: SeSyncAgentPrivilege	2248	msiexec.exe
Token: SeEnableDelegationPrivilege	2248	msiexec.exe
Token: SeManageVolumePrivilege	2248	msiexec.exe
Token: SeImpersonatePrivilege	2248	msiexec.exe
Token: SeCreateGlobalPrivilege	2248	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2248	msiexec.exe
Token: SeLockMemoryPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeMachineAccountPrivilege	2248	msiexec.exe
Token: SeTcbPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeLoadDriverPrivilege	2248	msiexec.exe
Token: SeSystemProfilePrivilege	2248	msiexec.exe
Token: SeSystemtimePrivilege	2248	msiexec.exe
Token: SeProfSingleProcessPrivilege	2248	msiexec.exe
Token: SeIncBasePriorityPrivilege	2248	msiexec.exe
Token: SeCreatePagefilePrivilege	2248	msiexec.exe
Token: SeCreatePermanentPrivilege	2248	msiexec.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeDebugPrivilege	2248	msiexec.exe
Token: SeAuditPrivilege	2248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2248	msiexec.exe
Token: SeChangeNotifyPrivilege	2248	msiexec.exe
Token: SeRemoteShutdownPrivilege	2248	msiexec.exe
Token: SeUndockPrivilege	2248	msiexec.exe
Token: SeSyncAgentPrivilege	2248	msiexec.exe
Token: SeEnableDelegationPrivilege	2248	msiexec.exe
Token: SeManageVolumePrivilege	2248	msiexec.exe
Token: SeImpersonatePrivilege	2248	msiexec.exe
Token: SeCreateGlobalPrivilege	2248	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2248	msiexec.exe
Token: SeLockMemoryPrivilege	2248	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2248	msiexec.exe
2248	msiexec.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2968	1232	msiexec.exe	89
PID 1232 wrote to memory of 2968	1232	msiexec.exe	89
PID 1232 wrote to memory of 2968	1232	msiexec.exe	89
PID 2968 wrote to memory of 4352	2968	MsiExec.exe	92
PID 2968 wrote to memory of 4352	2968	MsiExec.exe	92
PID 2968 wrote to memory of 4388	2968	MsiExec.exe	93
PID 2968 wrote to memory of 4388	2968	MsiExec.exe	93
PID 2968 wrote to memory of 4452	2968	MsiExec.exe	94
PID 2968 wrote to memory of 4452	2968	MsiExec.exe	94
PID 2968 wrote to memory of 4552	2968	MsiExec.exe	95
PID 2968 wrote to memory of 4552	2968	MsiExec.exe	95
PID 2968 wrote to memory of 5644	2968	MsiExec.exe	96
PID 2968 wrote to memory of 5644	2968	MsiExec.exe	96
PID 2968 wrote to memory of 2796	2968	MsiExec.exe	97
PID 2968 wrote to memory of 2796	2968	MsiExec.exe	97
PID 2968 wrote to memory of 5648	2968	MsiExec.exe	98
PID 2968 wrote to memory of 5648	2968	MsiExec.exe	98
PID 2968 wrote to memory of 4764	2968	MsiExec.exe	99
PID 2968 wrote to memory of 4764	2968	MsiExec.exe	99
PID 2968 wrote to memory of 1236	2968	MsiExec.exe	100
PID 2968 wrote to memory of 1236	2968	MsiExec.exe	100
PID 2968 wrote to memory of 4624	2968	MsiExec.exe	101
PID 2968 wrote to memory of 4624	2968	MsiExec.exe	101
PID 2968 wrote to memory of 1376	2968	MsiExec.exe	103
PID 2968 wrote to memory of 1376	2968	MsiExec.exe	103
PID 2968 wrote to memory of 1376	2968	MsiExec.exe	103
PID 1376 wrote to memory of 4108	1376	DesktopX.exe	104
PID 1376 wrote to memory of 4108	1376	DesktopX.exe	104
PID 1376 wrote to memory of 4108	1376	DesktopX.exe	104
PID 4108 wrote to memory of 2188	4108	DesktopX.exe	113
PID 4108 wrote to memory of 2188	4108	DesktopX.exe	113
PID 4108 wrote to memory of 2188	4108	DesktopX.exe	113
PID 4108 wrote to memory of 2188	4108	DesktopX.exe	113
PID 4108 wrote to memory of 1040	4108	DesktopX.exe	114
PID 4108 wrote to memory of 1040	4108	DesktopX.exe	114
PID 4108 wrote to memory of 1040	4108	DesktopX.exe	114
PID 4108 wrote to memory of 1040	4108	DesktopX.exe	114
PID 2188 wrote to memory of 1236	2188	updateBg_je2.exe	127
PID 2188 wrote to memory of 1236	2188	updateBg_je2.exe	127
PID 1236 wrote to memory of 4848	1236	chrome.exe	128
PID 1236 wrote to memory of 4848	1236	chrome.exe	128
PID 1236 wrote to memory of 4544	1236	chrome.exe	129
PID 1236 wrote to memory of 4544	1236	chrome.exe	129
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130
PID 1236 wrote to memory of 6136	1236	chrome.exe	130

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CHSDBTNN.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C5E7A997FD9F667EB6E6CB2D7BEE3E5B C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{111BA91C-A6B2-4271-BD44-D69C11C47362}
    3⤵
    - Executes dropped EXE
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{72CF3F0B-128A-4316-932E-B49616DC3531}
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA10E7BB-B59E-494B-8227-35035BA70170}
    3⤵
    - Executes dropped EXE
    PID:4452
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{74B37B88-E718-43E3-BEC1-1E5FEA91E615}
    3⤵
    - Executes dropped EXE
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9EF0B73A-6B6A-40C6-BA42-13550765BD94}
    3⤵
    - Executes dropped EXE
    PID:5644
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{519B4C59-C491-4894-BBA3-57EE324E34A1}
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6EBD435-2181-4816-8604-EAF6F4C07A2F}
    3⤵
    - Executes dropped EXE
    PID:5648
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C6517B3-161B-4A90-8709-DDA975C3423B}
    3⤵
    - Executes dropped EXE
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07702738-A075-453C-B05C-0BA0DE834A4D}
    3⤵
    - Executes dropped EXE
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{227E9A44-43DF-4D05-9374-EE57E7659E2E}
    3⤵
    - Executes dropped EXE
    PID:4624
- - C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\DesktopX.exe
    C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\DesktopX.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Roaming\Authquick\DesktopX.exe
      C:\Users\Admin\AppData\Roaming\Authquick\DesktopX.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\updateBg_je2.exe
        
        C:\Users\Admin\AppData\Local\Temp\updateBg_je2.exe
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffee39ddcf8,0x7ffee39ddd04,0x7ffee39ddd10
        7⤵
        
        PID:4848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2052 /prefetch:3
        7⤵
        
        PID:4544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1944 /prefetch:2
        7⤵
        
        PID:6136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2520 /prefetch:8
        7⤵
        
        PID:2912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3188 /prefetch:1
        7⤵
        
        PID:924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3208 /prefetch:1
        7⤵
        
        PID:4100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4280,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4316 /prefetch:2
        7⤵
        
        PID:3008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4792,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4816 /prefetch:1
        7⤵
        
        PID:4892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=204,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5532 /prefetch:8
        7⤵
        
        PID:5268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5524,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5516 /prefetch:8
        7⤵
        
        PID:1016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,13497164223208966292,18029120873412473835,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5608 /prefetch:8
        7⤵
        
        PID:5896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4968

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a47485823c16f10371d59fa256e5ecfd

SHA1
c52a159b962c28e1c083738036662920131a19b4

SHA256
f27c9784d3560b18a284c13faae39e4e07457eb24c83b8070ac3c64add09ef37

SHA512
3dcfe67d485815ad0de170f7d6578f5a7087f733049a3ae55539a4442df9f5fcf08bf1382cdd7497c77aecf9e9bec812010a5a6b726678105dae34bf1cb726e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5627bad421769121d3fb9b36b26de3f

SHA1
5be79d2047c8c5b87fb21848bdc97495bdbe13ad

SHA256
6c2d76036cd6958c626a8c5d20d90de8870841b595586e5146f8ed23da052156

SHA512
06543c18b495c9ed7976f769b096a534acc1fae785b2d48f2e85b6ef6b9ac35304fd54e1ffa56c15df6e781c74fd2a1acaad0cfeb83ae487b458925e7995d121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f4f1c7349dc5a8ab992f8bf5341b99f5

SHA1
d95c5fa2b3bdbfe645bbf2086176b42efa81c023

SHA256
4649834f2b0edd7b2685a21084d9a1097951d063d7c67b3e4207d801a48289ac

SHA512
1db3de3ca9ca46ef348eaa2d799a22c3f8755d0b0b37f72a4bf150f3b7d1bf2f4f392f0397e610dfdc4dfc74325c32e43f3582db786c2899fbf02f05c6542427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
629fbb7a89c2f24736d5400d821bf77e

SHA1
f92ad6adef42a683e78b838030a9934771a2e880

SHA256
48b625a4d8ca62d31ba060418f09f8c43f831591115886d223802ed1d84158bd

SHA512
3790f91d2aaf812aa900bbddfe97d4d056f759558796ca3a21f943eec280b2e1f520d0b6aa3d0f3cc9ee076518bb6c584a1742b253c08a0fcc30ff8742878281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a2f2.TMP

Filesize
48B

MD5
60980ff5af31b9f21f3bada84fe41717

SHA1
14187f05070e5ca139572c50ce0eb02aad9a2b51

SHA256
66a352f24100c39662faf43baa8f459edb476213d93593f59be0b2b5b9970d74

SHA512
a79977a9423991f88373968c6aec2efa2ad293ad06fac0b2190d2bc953e2e656f8ff175f27c212cb17a41a0048a2d406a8e2adabfd2ac09c909e7eade9eea387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
b23fcfdd7c7126c20e7c0ea0067e91ae

SHA1
1db4d5b8bf6c7c3863c0b4a9ba87212f65f4232b

SHA256
8f2ceba6894e67bf643568917a05b6b683d6e820f9a8ae5eadbf7393cd5d1e3f

SHA512
bfe59dfadf1f4459027ae217027bda02339396b14e1999115dce762ae60aaaba051c31c3d93775ad48fc451626c271d5105ab9806eac70a176e15a134cb85e47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
6c97f6ccae714141614d7c5927f9e2bc

SHA1
c0410ec75cf1ae93a67ccfe4ff3efe6ec29878f1

SHA256
bfb028d0c4227f0030ead0aad2da1448833913dc84d0ac87504f8216fd6d2e00

SHA512
501d1ba1eb2815948370ff4d1c24b9e4ebc8b240c1f8446a16bbb2506a7f1ae41912019fb1a7d1fe0a5975a10afd91684c50fbfa3dcbcb0c7deda85859ab65f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
9bafe0c0621a51f2cc3479093b4f4c3a

SHA1
5eb1298078c6fc7953d50acf419a604d76453dd9

SHA256
d645f62f28b2b8d3b300f47c90a4bd21922525d134b59039fb35983f6071fc9c

SHA512
98d948feb5387623122e568810e1e09a2abd9e93c6cbffb1a2d2c09c101a4b04b49cd4b9ebbd23b857534f78edc7770f79acc6c27da10be78e7d3528b7659dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\64672d37

Filesize
5.6MB

MD5
fc430509e27945a25dfbfcfe95b0d5bc

SHA1
9e0241d7e299c2e5a6b04e908ea0a84fde382ada

SHA256
64817e585713962553c18cffad98fe31b360d4884ba0cba86d759e234fecd99b

SHA512
8a386fd4feba545fa80c37b1dd7f516c54e07eeaf64630a753acd09f2256bee7f63909ee1480c282b44b9987086ee7a988ba5afb246ed78ee923242a0b6f7e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\64672d37

Filesize
5.6MB

MD5
d876a34756be7e25385061f518a82a13

SHA1
550cf741218df1e4aaa4e328d670d2e226a17a96

SHA256
14893ae717a154a15e78c865e52bdf6cc94c517be067d467bb0e44b571e28f40

SHA512
9b5b872272f2f67d08cd035a33b8259d0f6db44dcbe3570258314c9aa8357e7c28acd93ed49a5dbbaa65d679d3c3e3828fc6d4be056d6891584456c0fd5f205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC091.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC286.tmp

Filesize
2.5MB

MD5
76e021457b680fe802756a97965451a8

SHA1
c0254e7696ed524b9477e820d941f58c02338eda

SHA256
794f848fa4ac38234e1e2c5e4fb7094e337c9983dedd8d473a3349047aa473ac

SHA512
68975f693cac03ac0c6986013bb5b678c9572d4d442fa550bce33835212e48d67da3744126194ad61c0709913f290899201cada790c698d327a53174e986e109

Download Submit
C:\Users\Admin\AppData\Local\Temp\updateBg_je2.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\DesktopX.exe

Filesize
514KB

MD5
9e90c7ba64a66d9ab4703af006540193

SHA1
7bca3ceb680ad8cb1f3cd0d24d106a28c813ce3b

SHA256
a519304c3bba23eae2045a85e01aae44e6556b2f787966654b7209db13cfa0c4

SHA512
480658daa57800eb3f1f7e1695d65097e308249f4724caabcbf4431fa1b5b10e6d1f65008338ccde869e1d3ec695dab02cc0eb638a74b5634a62d66c9b51b404

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\DirectGUI.dll

Filesize
412KB

MD5
dbb97d5ba941838bb34ff9f98bd47b6c

SHA1
5e5f646f6b1f67519cabff1451aa3427eb46989f

SHA256
d121a42fc56b92cd0b8aede3c0a268bec534293f87da0c774cf78ca557d3e1ad

SHA512
0c21622f70f25bb4ed37299e2688ece256b9e1685d7d20ca940a6beccd5115dc135c8219aeeaf73fff87a40c42d0c45039bbdf64be45153d5f58cf34d4d85965

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\Dx0.dll

Filesize
48KB

MD5
693dfbb9b324e80b70660927ca1dea69

SHA1
3748ccd9f716e4668af8672e037b5729074e36c1

SHA256
7c28d90e3484b566ee00adab4679a3d1c51f86f01560035d86c8f7788ac05234

SHA512
0c190b62f845d2eace63a2f55495df34c572e86ad66ed14e2f3b91d82a142ab0c609c20603c1245ddc3892c5a7d1c8b61c02bcd2b56f624c13d3d8595dd30565

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\IconX.dll

Filesize
201KB

MD5
a01f06f795e42fdc63fe6d1156466957

SHA1
9b0d9b5370f2a2e7fcf4e3eba9e58bce79c9c03c

SHA256
c3671cd961e9200a49ea9bbfa93d1b2e6741c64ed4aad50e2adbd4e6b30cc236

SHA512
2bac36dcebdd4f8abba74983c35cd7b9c99ebb0e3720bd16777224f7d2d193ddb60770f002dedaaeca1ba83d379d9041ce36958297d2ffc665e3474188ae388a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\hagiocracy.css

Filesize
29KB

MD5
72f42f11ff33efe73d0f814a0c113001

SHA1
eb6e258389cdd7e08a6605fd2e9e73d0dc7c9d78

SHA256
56eb6ca80c6e87679173a8964dcb6155a768ad1524fe9e9e8b1d2d15229595b3

SHA512
2bfe0535549c55581cd0107f28b807937137ab5d97344befdcefad466f0a259093f1a947a701610a54a244daa4a9daec02b922c80ef03a3a5297555ce2b972f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0AD12796-4FC5-4982-B0B7-4279B93C1017}\shortbread.iso

Filesize
4.4MB

MD5
4dc0019cd5de25ad6d23136ea9f86f53

SHA1
abf81bf9ac4018b613f640386356b4008395ea0a

SHA256
60c3149d0d2948247aa64a6a03615b0e582a92df675e86840678f427a399ec8b

SHA512
e297f7b3bab664f2aea6cdd12373aae73c2193fb6c919682df02c490cbf5fdfad8e4caeca50230b480b78b3b105e8fcf838c920375f2564f23af2178f21da9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9E2DAC82-8BC4-4C39-8D78-08C64396CEF2}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
memory/1040-115-0x00007FFF03B50000-0x00007FFF03D45000-memory.dmp

Filesize
2.0MB

Download
memory/1376-66-0x00007FFF03B50000-0x00007FFF03D45000-memory.dmp

Filesize
2.0MB

Download
memory/1376-62-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/1376-59-0x0000000000770000-0x00000000007AA000-memory.dmp

Filesize
232KB

Download
memory/1376-65-0x0000000073B60000-0x0000000073BAF000-memory.dmp

Filesize
316KB

Download
memory/2188-188-0x00007FF660050000-0x00007FF66037E000-memory.dmp

Filesize
3.2MB

Download
memory/2188-109-0x00007FF660050000-0x00007FF66037E000-memory.dmp

Filesize
3.2MB

Download
memory/2188-114-0x00007FF660050000-0x00007FF66037E000-memory.dmp

Filesize
3.2MB

Download
memory/2188-108-0x00007FF660050000-0x00007FF66037E000-memory.dmp

Filesize
3.2MB

Download
memory/2968-39-0x0000000003370000-0x0000000003537000-memory.dmp

Filesize
1.8MB

Download
memory/2968-34-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4108-99-0x00000000754F0000-0x000000007553F000-memory.dmp

Filesize
316KB

Download
memory/4108-83-0x0000000000570000-0x000000000057F000-memory.dmp

Filesize
60KB

Download
memory/4108-85-0x0000000000A60000-0x0000000000A9A000-memory.dmp

Filesize
232KB

Download
memory/4108-100-0x00007FFF03B50000-0x00007FFF03D45000-memory.dmp

Filesize
2.0MB

Download
memory/4108-104-0x00000000754F0000-0x000000007553F000-memory.dmp

Filesize
316KB

Download