glupteba | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Resubmissions

09/09/2021, 17:41

210909-v9lgtabfhq 10

09/09/2021, 04:26

08/09/2021, 21:37

08/09/2021, 21:29

08/09/2021, 13:52

07/09/2021, 18:07

Analysis

max time kernel
26s
max time network
74s
platform
windows10_x64
resource
win10-jp
submitted
08/09/2021, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

2.9MB
MD5

3f1f81101d0ce95fdfac97f5913cd662
SHA1

8e615a64e4d72b08926242b7d73a608bdd7e9fce
SHA256

90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA512

a776c1f8636ef90d294becf8d09a45366463364026837c19e13227c1c5c9a6656b6fa525e0eec5a1a46997b6ef7066e958c02523a7c4538d046f8b2091145285

Score

10^/10

glupteba metasploit redline smokeloader socelars vidar 706 916 jayson aspackv2 backdoor dropper evasion infostealer loader stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

Jayson

95.181.172.207:56915

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

40.5

Botnet

916

https://gheorghip.tumblr.com/

Attributes

profile_id
916

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral4/memory/4888-606-0x0000000002C80000-0x000000000359E000-memory.dmp	family_glupteba
behavioral4/memory/4888-611-0x0000000000400000-0x0000000002575000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4376	rundll32.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	4376	rundll32.exe	70

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 11 IoCs

resource	yara_rule
behavioral4/memory/2916-215-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral4/memory/2916-216-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/4840-236-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/1640-277-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/1640-295-0x0000000005100000-0x0000000005706000-memory.dmp	family_redline
behavioral4/memory/4932-674-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/5740-709-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/5176-739-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/5488-763-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/1432-782-0x000000000041C5E2-mapping.dmp	family_redline
behavioral4/memory/908-795-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000400000001ab62-159.dat	family_socelars
behavioral4/files/0x000400000001ab62-173.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

rl_trojan 8 IoCs

redline stealer.

stealer

resource	yara_rule
behavioral4/files/0x000400000001ab66-153.dat	redline
behavioral4/files/0x000400000001ab66-166.dat	redline
behavioral4/files/0x000400000001ab66-217.dat	redline
behavioral4/files/0x000400000001ab66-237.dat	redline
behavioral4/files/0x000400000001ab66-279.dat	redline
behavioral4/files/0x000400000001ab66-355.dat	redline
behavioral4/files/0x000400000001ab66-466.dat	redline
behavioral4/files/0x000400000001ab66-516.dat	redline

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral4/memory/1272-210-0x00000000046F0000-0x00000000047C1000-memory.dmp	family_vidar
behavioral4/memory/1272-211-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral4/memory/2668-571-0x0000000004840000-0x0000000004911000-memory.dmp	family_vidar
behavioral4/memory/2668-573-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000400000001ab5a-122.dat	aspack_v212_v242
behavioral4/files/0x000400000001ab5a-125.dat	aspack_v212_v242
behavioral4/files/0x000400000001ab5c-128.dat	aspack_v212_v242
behavioral4/files/0x000400000001ab5c-129.dat	aspack_v212_v242
behavioral4/files/0x000400000001ab59-124.dat	aspack_v212_v242
behavioral4/files/0x000400000001ab59-130.dat	aspack_v212_v242
behavioral4/files/0x000400000001ab59-131.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
3356	setup_installer.exe
4084	setup_install.exe
848	Tue11b9d76a96506.exe
1196	Tue11d7385a978cc.exe
1516	Tue11e4e580f2e8141a3.exe
1576	Tue11f251db82fb7b.exe
2076	Tue118f55232e4.exe
2056	Tue1109eec571ac.exe
2208	Tue11b9d76a96506.tmp
1272	Tue112c483dd3245d.exe
2408	Tue11bc0507b56295.exe
2344	Tue11141271fbe5877f.exe
2916	Tue11e4e580f2e8141a3.exe
4840	Tue11e4e580f2e8141a3.exe
1640	Tue11e4e580f2e8141a3.exe

Loads dropped DLL 7 IoCs

pid	Process
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
2208	Tue11b9d76a96506.tmp

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tue11b9d76a96506.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 2916	1516	Tue11e4e580f2e8141a3.exe	108
PID 1516 set thread context of 4840	1516	Tue11e4e580f2e8141a3.exe	109
PID 1516 set thread context of 1640	1516	Tue11e4e580f2e8141a3.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
1008	2056	WerFault.exe	106
4612	2056	WerFault.exe	106
2400	2056	WerFault.exe	106
4424	2056	WerFault.exe	106
3200	2056	WerFault.exe	106
4952	4084	WerFault.exe	84
4916	2056	WerFault.exe	106
2876	2056	WerFault.exe	106
696	1272	WerFault.exe	107
3728	2056	WerFault.exe	106
2308	2056	WerFault.exe	106
368	2056	WerFault.exe	106
3916	1144	WerFault.exe	136
636	1144	WerFault.exe	136
1092	1144	WerFault.exe	136
2640	1144	WerFault.exe	136
4436	1144	WerFault.exe	136
5460	1144	WerFault.exe	136
5656	1144	WerFault.exe	136
5856	1144	WerFault.exe	136

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5384	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5968	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
428	taskkill.exe
4680	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	powershell.exe
1408	powershell.exe
2408	Tue11bc0507b56295.exe
2408	Tue11bc0507b56295.exe
1408	powershell.exe
1408	powershell.exe
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
1008	LzmwAqmV.exe
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
2172	Process not Found
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe
4612	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2408	Tue11bc0507b56295.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2076	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	2076	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	2076	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	2076	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	2076	Tue118f55232e4.exe
Token: SeTcbPrivilege	2076	Tue118f55232e4.exe
Token: SeSecurityPrivilege	2076	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	2076	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	2076	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	2076	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	2076	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	2076	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	2076	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	2076	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	2076	Tue118f55232e4.exe
Token: SeBackupPrivilege	2076	Tue118f55232e4.exe
Token: SeRestorePrivilege	2076	Tue118f55232e4.exe
Token: SeShutdownPrivilege	2076	Tue118f55232e4.exe
Token: SeDebugPrivilege	2076	Tue118f55232e4.exe
Token: SeAuditPrivilege	2076	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	2076	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	2076	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	2076	Tue118f55232e4.exe
Token: SeUndockPrivilege	2076	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	2076	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	2076	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	2076	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	2076	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	2076	Tue118f55232e4.exe
Token: 31	2076	Tue118f55232e4.exe
Token: 32	2076	Tue118f55232e4.exe
Token: 33	2076	Tue118f55232e4.exe
Token: 34	2076	Tue118f55232e4.exe
Token: 35	2076	Tue118f55232e4.exe
Token: SeDebugPrivilege	1576	Tue11f251db82fb7b.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2344	Tue11141271fbe5877f.exe
Token: SeRestorePrivilege	1008	WerFault.exe
Token: SeBackupPrivilege	1008	WerFault.exe
Token: SeDebugPrivilege	1008	LzmwAqmV.exe
Token: SeDebugPrivilege	4612	WerFault.exe
Token: SeDebugPrivilege	2400	WerFault.exe
Token: SeDebugPrivilege	4424	WerFault.exe
Token: SeDebugPrivilege	3200	3002.exe
Token: SeDebugPrivilege	4952	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3356	5028	setup_x86_x64_install.exe	83
PID 5028 wrote to memory of 3356	5028	setup_x86_x64_install.exe	83
PID 5028 wrote to memory of 3356	5028	setup_x86_x64_install.exe	83
PID 3356 wrote to memory of 4084	3356	setup_installer.exe	84
PID 3356 wrote to memory of 4084	3356	setup_installer.exe	84
PID 3356 wrote to memory of 4084	3356	setup_installer.exe	84
PID 4084 wrote to memory of 4580	4084	setup_install.exe	87
PID 4084 wrote to memory of 4580	4084	setup_install.exe	87
PID 4084 wrote to memory of 4580	4084	setup_install.exe	87
PID 4084 wrote to memory of 4576	4084	setup_install.exe	88
PID 4084 wrote to memory of 4576	4084	setup_install.exe	88
PID 4084 wrote to memory of 4576	4084	setup_install.exe	88
PID 4084 wrote to memory of 4656	4084	setup_install.exe	101
PID 4084 wrote to memory of 4656	4084	setup_install.exe	101
PID 4084 wrote to memory of 4656	4084	setup_install.exe	101
PID 4084 wrote to memory of 556	4084	setup_install.exe	100
PID 4084 wrote to memory of 556	4084	setup_install.exe	100
PID 4084 wrote to memory of 556	4084	setup_install.exe	100
PID 4084 wrote to memory of 668	4084	setup_install.exe	99
PID 4084 wrote to memory of 668	4084	setup_install.exe	99
PID 4084 wrote to memory of 668	4084	setup_install.exe	99
PID 4084 wrote to memory of 716	4084	setup_install.exe	92
PID 4084 wrote to memory of 716	4084	setup_install.exe	92
PID 4084 wrote to memory of 716	4084	setup_install.exe	92
PID 4656 wrote to memory of 848	4656	cmd.exe	89
PID 4656 wrote to memory of 848	4656	cmd.exe	89
PID 4656 wrote to memory of 848	4656	cmd.exe	89
PID 4084 wrote to memory of 1000	4084	setup_install.exe	91
PID 4084 wrote to memory of 1000	4084	setup_install.exe	91
PID 4084 wrote to memory of 1000	4084	setup_install.exe	91
PID 4084 wrote to memory of 612	4084	setup_install.exe	90
PID 4084 wrote to memory of 612	4084	setup_install.exe	90
PID 4084 wrote to memory of 612	4084	setup_install.exe	90
PID 4084 wrote to memory of 1160	4084	setup_install.exe	98
PID 4084 wrote to memory of 1160	4084	setup_install.exe	98
PID 4084 wrote to memory of 1160	4084	setup_install.exe	98
PID 4576 wrote to memory of 1196	4576	cmd.exe	93
PID 4576 wrote to memory of 1196	4576	cmd.exe	93
PID 4576 wrote to memory of 1196	4576	cmd.exe	93
PID 4084 wrote to memory of 1216	4084	setup_install.exe	97
PID 4084 wrote to memory of 1216	4084	setup_install.exe	97
PID 4084 wrote to memory of 1216	4084	setup_install.exe	97
PID 4580 wrote to memory of 1408	4580	cmd.exe	94
PID 4580 wrote to memory of 1408	4580	cmd.exe	94
PID 4580 wrote to memory of 1408	4580	cmd.exe	94
PID 1000 wrote to memory of 1516	1000	cmd.exe	96
PID 1000 wrote to memory of 1516	1000	cmd.exe	96
PID 1000 wrote to memory of 1516	1000	cmd.exe	96
PID 556 wrote to memory of 1576	556	cmd.exe	95
PID 556 wrote to memory of 1576	556	cmd.exe	95
PID 1160 wrote to memory of 2076	1160	cmd.exe	105
PID 1160 wrote to memory of 2076	1160	cmd.exe	105
PID 1160 wrote to memory of 2076	1160	cmd.exe	105
PID 668 wrote to memory of 2056	668	cmd.exe	106
PID 668 wrote to memory of 2056	668	cmd.exe	106
PID 668 wrote to memory of 2056	668	cmd.exe	106
PID 1216 wrote to memory of 1272	1216	cmd.exe	107
PID 1216 wrote to memory of 1272	1216	cmd.exe	107
PID 1216 wrote to memory of 1272	1216	cmd.exe	107
PID 848 wrote to memory of 2208	848	Tue11b9d76a96506.exe	102
PID 848 wrote to memory of 2208	848	Tue11b9d76a96506.exe	102
PID 848 wrote to memory of 2208	848	Tue11b9d76a96506.exe	102
PID 716 wrote to memory of 2408	716	cmd.exe	103
PID 716 wrote to memory of 2408	716	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:1196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      PID:612
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1640
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:636
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5176
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1432
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3532
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:908
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5136
      - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:716
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:1272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1172
        6⤵
        Program crash
        
        PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:2056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 656
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 672
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 772
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 820
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 832
        6⤵
        Program crash
        
        PID:3200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 908
        6⤵
        Program crash
        
        PID:4916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1144
        6⤵
        Program crash
        
        PID:2876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1284
        6⤵
        Program crash
        
        PID:3728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1296
        6⤵
        Program crash
        
        PID:2308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1300
        6⤵
        Program crash
        
        PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 476
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4952

C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11b9d76a96506.exe
Tue11b9d76a96506.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\is-LHT13.tmp\Tue11b9d76a96506.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LHT13.tmp\Tue11b9d76a96506.tmp" /SL5="$50032,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11b9d76a96506.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2208

C:\Users\Admin\AppData\Local\Temp\7zSC1DF1E54\Tue11f251db82fb7b.exe
Tue11f251db82fb7b.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    PID:3828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:1172
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5384
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:5472
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Roaming\1208665.exe
      "C:\Users\Admin\AppData\Roaming\1208665.exe"
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Roaming\6591367.exe
      "C:\Users\Admin\AppData\Roaming\6591367.exe"
      4⤵
      PID:688
    - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        5⤵
        
        PID:3916
  - - C:\Users\Admin\AppData\Roaming\7961487.exe
      "C:\Users\Admin\AppData\Roaming\7961487.exe"
      4⤵
      PID:4516
  - - C:\Users\Admin\AppData\Roaming\4314784.exe
      "C:\Users\Admin\AppData\Roaming\4314784.exe"
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Roaming\4035852.exe
      "C:\Users\Admin\AppData\Roaming\4035852.exe"
      4⤵
      PID:5168
- - C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
    "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:5792
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        5⤵
        Kills process with taskkill
        
        PID:4680
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:5968
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:5728
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 808
      4⤵
      Program crash
      PID:3916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 828
      4⤵
      Program crash
      PID:636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 892
      4⤵
      Program crash
      PID:1092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1160
      4⤵
      Program crash
      PID:2640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1244
      4⤵
      Program crash
      PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1452
      4⤵
      Program crash
      PID:5460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1476
      4⤵
      Program crash
      PID:5656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 800
      4⤵
      Program crash
      PID:5856
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\is-7FS9Q.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7FS9Q.tmp\setup_2.tmp" /SL5="$801D2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\is-S4MN7.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S4MN7.tmp\setup_2.tmp" /SL5="$30260,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        
        PID:4368
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3200
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    PID:60
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    PID:1936

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3552
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:688

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5924
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-624-0x00000000046A0000-0x00000000046FF000-memory.dmp

Filesize
380KB

Download
memory/184-616-0x000000000472D000-0x000000000482E000-memory.dmp

Filesize
1.0MB

Download
memory/340-701-0x0000024077FC0000-0x0000024078034000-memory.dmp

Filesize
464KB

Download
memory/340-640-0x0000024077F40000-0x0000024077FB4000-memory.dmp

Filesize
464KB

Download
memory/688-623-0x000001FE2F040000-0x000001FE2F0B4000-memory.dmp

Filesize
464KB

Download
memory/848-180-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1048-649-0x000001D15F2A0000-0x000001D15F314000-memory.dmp

Filesize
464KB

Download
memory/1108-652-0x0000028A9D140000-0x0000028A9D1B4000-memory.dmp

Filesize
464KB

Download
memory/1144-574-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/1144-580-0x0000000000400000-0x0000000002B53000-memory.dmp

Filesize
39.3MB

Download
memory/1176-680-0x0000015993510000-0x0000015993584000-memory.dmp

Filesize
464KB

Download
memory/1272-210-0x00000000046F0000-0x00000000047C1000-memory.dmp

Filesize
836KB

Download
memory/1272-211-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1380-687-0x000001FF9B780000-0x000001FF9B7F4000-memory.dmp

Filesize
464KB

Download
memory/1400-666-0x000001123B170000-0x000001123B1E4000-memory.dmp

Filesize
464KB

Download
memory/1408-267-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/1408-202-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/1408-205-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/1408-187-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1408-204-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/1408-209-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/1408-191-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/1408-214-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/1408-203-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/1408-198-0x0000000001072000-0x0000000001073000-memory.dmp

Filesize
4KB

Download
memory/1408-251-0x0000000008E70000-0x0000000008EA3000-memory.dmp

Filesize
204KB

Download
memory/1408-259-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/1408-264-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/1408-196-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1408-269-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/1408-268-0x0000000001073000-0x0000000001074000-memory.dmp

Filesize
4KB

Download
memory/1408-270-0x00000000093D0000-0x00000000093D1000-memory.dmp

Filesize
4KB

Download
memory/1408-222-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/1408-206-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/1408-220-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1516-200-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1516-193-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1516-182-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1516-190-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1568-596-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/1576-195-0x00000000012E0000-0x00000000012E2000-memory.dmp

Filesize
8KB

Download
memory/1576-172-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1640-295-0x0000000005100000-0x0000000005706000-memory.dmp

Filesize
6.0MB

Download
memory/1928-673-0x0000017DEC0B0000-0x0000017DEC124000-memory.dmp

Filesize
464KB

Download
memory/1936-572-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2056-212-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/2056-207-0x00000000047E0000-0x0000000004828000-memory.dmp

Filesize
288KB

Download
memory/2172-234-0x0000000000890000-0x00000000008A5000-memory.dmp

Filesize
84KB

Download
memory/2208-197-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2256-551-0x000000001B500000-0x000000001B502000-memory.dmp

Filesize
8KB

Download
memory/2268-575-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2308-676-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2308-684-0x0000000005440000-0x0000000005A46000-memory.dmp

Filesize
6.0MB

Download
memory/2344-194-0x0000000000910000-0x0000000000925000-memory.dmp

Filesize
84KB

Download
memory/2344-188-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2344-201-0x000000001B1B0000-0x000000001B1B2000-memory.dmp

Filesize
8KB

Download
memory/2344-199-0x000000001B5D0000-0x000000001B5D1000-memory.dmp

Filesize
4KB

Download
memory/2360-642-0x0000023087EA0000-0x0000023087F14000-memory.dmp

Filesize
464KB

Download
memory/2372-644-0x0000020B45DD0000-0x0000020B45E44000-memory.dmp

Filesize
464KB

Download
memory/2408-213-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/2408-208-0x0000000002C30000-0x0000000002C39000-memory.dmp

Filesize
36KB

Download
memory/2572-621-0x000001A9C3A00000-0x000001A9C3A74000-memory.dmp

Filesize
464KB

Download
memory/2668-571-0x0000000004840000-0x0000000004911000-memory.dmp

Filesize
836KB

Download
memory/2668-573-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/2676-557-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2680-670-0x000001D108300000-0x000001D108374000-memory.dmp

Filesize
464KB

Download
memory/2696-682-0x000001D81F080000-0x000001D81F0F4000-memory.dmp

Filesize
464KB

Download
memory/2916-229-0x0000000005520000-0x0000000005B26000-memory.dmp

Filesize
6.0MB

Download
memory/2916-232-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/2916-226-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/2916-225-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/2916-215-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2916-221-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2916-224-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3916-619-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/4084-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4084-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4084-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4084-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4368-576-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4436-553-0x000000001BA40000-0x000000001BA42000-memory.dmp

Filesize
8KB

Download
memory/4516-668-0x00000000054A0000-0x0000000005AA6000-memory.dmp

Filesize
6.0MB

Download
memory/4840-246-0x00000000053E0000-0x00000000059E6000-memory.dmp

Filesize
6.0MB

Download
memory/4888-611-0x0000000000400000-0x0000000002575000-memory.dmp

Filesize
33.5MB

Download
memory/4888-606-0x0000000002C80000-0x000000000359E000-memory.dmp

Filesize
9.1MB

Download
memory/4932-692-0x00000000050B0000-0x00000000056B6000-memory.dmp

Filesize
6.0MB

Download
memory/5084-613-0x0000025A4AD70000-0x0000025A4ADE4000-memory.dmp

Filesize
464KB

Download
memory/5084-609-0x0000025A4ACB0000-0x0000025A4ACFD000-memory.dmp

Filesize
308KB

Download
memory/5084-704-0x0000025A4AD00000-0x0000025A4AD4D000-memory.dmp

Filesize
308KB

Download
memory/5108-570-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5168-647-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/5936-702-0x0000000004CB0000-0x0000000004D0F000-memory.dmp

Filesize
380KB

Download
memory/5936-700-0x0000000004AE9000-0x0000000004BEA000-memory.dmp

Filesize
1.0MB

Download